CERTFR-2026-AVI-0783: Multiple vulnerabilities in Microsoft Azure
Vulnerability from certfr_avis - Published: 2026-06-19 - Updated: 2026-06-19
Multiple vulnerabilities have been discovered in Microsoft Azure. They allow an attacker to achieve privilege escalation and to cause a security issue not specified by the vendor.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
| Vendor | Product | Description |
|---|---|---|
| Microsoft | N/A | azl3 erlang 26.2.5.20-1, versions prior to 26.2.5.21-2 |
| Microsoft | N/A | azl3 python-pip 24.2-8, versions prior to 24.2-9 |
| Microsoft | N/A | azl3 edk2 20240524git3e722403cd16-17, versions prior to 20240524git3e722403cd16-18 |
| Microsoft | N/A | azl3 qemu 9.1.0-7, versions prior to 9.1.0-8 |
| Microsoft | N/A | azl3 opensc 0.27.1-1, versions prior to 0.27.1-2 |
| Microsoft | N/A | azl3 kernel 6.6.139.1-1, versions prior to 6.6.141.1-1 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 erlang 26.2.5.20-1 versions ant\u00e9rieures \u00e0 26.2.5.21-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python-pip 24.2-8 versions ant\u00e9rieures \u00e0 24.2-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 edk2 20240524git3e722403cd16-17 versions ant\u00e9rieures \u00e0 20240524git3e722403cd16-18",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 qemu 9.1.0-7 versions ant\u00e9rieures \u00e0 9.1.0-8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 opensc 0.27.1-1 versions ant\u00e9rieures \u00e0 0.27.1-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.139.1-1 versions ant\u00e9rieures \u00e0 6.6.141.1-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-46307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46307"
},
{
"name": "CVE-2026-34180",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34180"
},
{
"name": "CVE-2026-42766",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42766"
},
{
"name": "CVE-2026-49760",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49760"
},
{
"name": "CVE-2026-9076",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9076"
},
{
"name": "CVE-2026-46319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46319"
},
{
"name": "CVE-2026-46280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46280"
},
{
"name": "CVE-2026-46287",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46287"
},
{
"name": "CVE-2026-46303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46303"
},
{
"name": "CVE-2026-45445",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45445"
},
{
"name": "CVE-2026-10275",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-10275"
},
{
"name": "CVE-2026-7383",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7383"
},
{
"name": "CVE-2026-48858",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48858"
},
{
"name": "CVE-2026-49759",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49759"
},
{
"name": "CVE-2026-48855",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48855"
},
{
"name": "CVE-2026-46296",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46296"
},
{
"name": "CVE-2026-46293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46293"
},
{
"name": "CVE-2026-46301",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46301"
},
{
"name": "CVE-2026-46289",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46289"
},
{
"name": "CVE-2026-46285",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46285"
},
{
"name": "CVE-2026-45447",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45447"
},
{
"name": "CVE-2026-48856",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48856"
},
{
"name": "CVE-2026-46291",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46291"
},
{
"name": "CVE-2026-46312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46312"
},
{
"name": "CVE-2026-46274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46274"
},
{
"name": "CVE-2026-46292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46292"
},
{
"name": "CVE-2026-42767",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42767"
},
{
"name": "CVE-2026-48914",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48914"
},
{
"name": "CVE-2026-48860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48860"
},
{
"name": "CVE-2026-8643",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8643"
},
{
"name": "CVE-2026-46306",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46306"
},
{
"name": "CVE-2026-46299",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46299"
},
{
"name": "CVE-2026-46304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46304"
}
],
"initial_release_date": "2026-06-19T00:00:00",
"last_revision_date": "2026-06-19T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0783",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Azure. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure",
"vendor_advisories": [
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42766",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42766"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46280",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46280"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42767",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42767"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-45447",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45447"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-45445",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45445"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-49759",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49759"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46307",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46307"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46291",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46291"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46301",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46301"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46303",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46303"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46306",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46306"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48856",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48856"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46287",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46287"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48860",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48860"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34180",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34180"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46292",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46292"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46285",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46285"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46312",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46312"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-49760",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49760"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46319",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46319"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46293",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46293"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48914",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48914"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-7383",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7383"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46296",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46296"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-9076",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9076"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46274",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46274"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48855",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48855"
},
{
"published_at": "2026-06-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-10275",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10275"
},
{
"published_at": "2026-06-04",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-8643",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8643"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48858",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48858"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46289",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46289"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46299",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46299"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46304",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46304"
}
]
}
CVE-2026-46319 (GCVE-0-2026-46319)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-14 18:08
Title
net/sched: act_ct: Only release RCU read lock after ct_ft
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: Only release RCU read lock after ct_ft
When looking up a flow table in act_ct in tcf_ct_flow_table_get(),
rhashtable_lookup_fast() internally opens and closes an RCU read critical
section before returning ct_ft.
The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()
is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft
object. This vulnerability can lead to privilege escalation.
Analysis from zdi-disclosures@trendmicro.com:
When initializing act_ct, tcf_ct_init() is called, which internally triggers
tcf_ct_flow_table_get().
static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
    struct zones_ht_key key = { .net = net, .zone = params->zone };
    struct tcf_ct_flow_table *ct_ft;
    int err = -ENOMEM;

    mutex_lock(&zones_mutex);
    ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
    if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
        goto out_unlock;
    ...
}

static __always_inline void *rhashtable_lookup_fast(
        struct rhashtable *ht, const void *key,
        const struct rhashtable_params params)
{
    void *obj;

    rcu_read_lock();
    obj = rhashtable_lookup(ht, key, params);
    rcu_read_unlock();

    return obj;
}
At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft
from zones_ht. The lookup is performed within an RCU read critical section
through rcu_read_lock() / rcu_read_unlock(), which prevents the object from
being freed. However, at the point of function return, rcu_read_unlock() has
already been called, and there is nothing preventing ct_ft from being freed
before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes
the race window, during which ct_ft can be freed.
Free Process:
tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() -> call_rcu()
-> tcf_ct_params_free_rcu() -> tcf_ct_params_free() -> tcf_ct_flow_table_put().
static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
{
    if (refcount_dec_and_test(&ct_ft->ref)) {
        rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
        INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
        queue_rcu_work(act_ct_wq, &ct_ft->rwork);
    }
}
At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work
static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
{
    struct tcf_ct_flow_table *ct_ft;
    struct flow_block *block;

    ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
                         rwork);
    nf_flow_table_free(&ct_ft->nf_ft);
    block = &ct_ft->nf_ft.flow_block;
    down_write(&ct_ft->nf_ft.flow_block_lock);
    WARN_ON(!list_empty(&block->cb_list));
    up_write(&ct_ft->nf_ft.flow_block_lock);
    kfree(ct_ft); // [4]

    module_put(THIS_MODULE);
}
tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes
between [1] and [2], UAF occurs.
This race condition has a very short race window, making it generally
difficult to trigger. Therefore, to trigger the vulnerability, an msleep(100) was
inserted after [1].
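The race described above, reduced to a runnable model. This is an added example, not kernel code and not part of the ZDI analysis: RCU is modelled as a reader count plus a deferred-free list, so a "grace period" can only reclaim an object while no reader is inside a read-side critical section, and the interleave() hook stands in for the msleep(100) used to widen the window. The struct, function and constant names (ct_ft, get_vulnerable, get_fixed, REF_POISON, the demo_* functions) are this model's own. get_fixed shows the invariant the CVE title names, taking the reference before the read lock is released; the actual upstream change is in the commits listed under References.

```c
/* Added example, not kernel code: a single-threaded userspace model of the
 * tcf_ct_flow_table_get() race. RCU is reduced to a reader count plus a deferred-free
 * list; a grace period reclaims queued objects only while no reader is active. */
#include <stdbool.h>
#include <stdio.h>

#define REF_POISON 0xDEADu                /* what the model leaves in freed memory */
enum { UAF = -1, MISSED = 0, GOT_REF = 1 };

/* ref stands in for refcount_t ref; freed is set on reclaim so the UAF is observable */
struct ct_ft { unsigned ref; int zone; bool freed; };

static int rcu_readers, rcu_npending, uaf_accesses;
static struct ct_ft *rcu_pending[4];      /* handed to call_rcu()/queue_rcu_work() */
static struct ct_ft *zones_ht;            /* the hash table, reduced to one slot */
static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; }

/* A grace period may reclaim only once every reader has left its critical section. */
int rcu_grace_period(void)
{
    int n = rcu_readers ? 0 : rcu_npending;
    for (int i = 0; i < n; i++)           /* the model's cleanup_work() + kfree() */
        rcu_pending[i]->freed = true, rcu_pending[i]->ref = REF_POISON;
    rcu_npending -= n;
    return n;
}

/* rhashtable_lookup(): caller must be inside an RCU read-side section */
static struct ct_ft *lookup_model(int zone)
{
    return (zones_ht && zones_ht->zone == zone) ? zones_ht : NULL;
}

/* refcount_inc_not_zero(): reading ft->ref is itself the use-after-free */
static bool inc_not_zero_model(struct ct_ft *ft)
{
    uaf_accesses += ft->freed;
    if (ft->ref == 0 || ft->ref == REF_POISON)
        return false;
    ft->ref++;
    return true;
}

/* tcf_ct_flow_table_put(): the last reference unlinks and defers the free */
static void flow_table_put(struct ct_ft *ft)
{
    if (--ft->ref == 0) { zones_ht = NULL; rcu_pending[rcu_npending++] = ft; }
}

/* Vulnerable shape: rhashtable_lookup_fast() drops the read lock before returning,
 * so by the time the reference is taken nothing holds the object alive. */
static struct ct_ft *get_vulnerable(int zone, void (*interleave)(void))
{
    rcu_read_lock();
    struct ct_ft *ft = lookup_model(zone);               /* [1] */
    rcu_read_unlock();
    interleave();                                        /* the race window */
    return (ft && inc_not_zero_model(ft)) ? ft : NULL;   /* [2] */
}

/* Fixed shape: take the reference before leaving the read-side section. */
static struct ct_ft *get_fixed(int zone, void (*interleave)(void))
{
    rcu_read_lock();
    struct ct_ft *ft = lookup_model(zone);
    interleave();                 /* put() may run, but no grace period can complete */
    if (ft && !inc_not_zero_model(ft))
        ft = NULL;                /* object is dying; the caller allocates a fresh one */
    rcu_read_unlock();            /* only now may the deferred free go ahead */
    return ft;
}

/* What the other CPU does inside the window: drop the last ref, then a grace period. */
static void other_cpu_drops_last_ref(void) { flow_table_put(zones_ht); rcu_grace_period(); }
static void nothing_happens(void) {}

/* One lookup against a live single-reference object; classifies the outcome. */
static int run(struct ct_ft *(*get)(int, void (*)(void)), void (*interleave)(void))
{
    static struct ct_ft obj;
    obj = (struct ct_ft){ .ref = 1, .zone = 7, .freed = false };
    zones_ht = &obj;
    rcu_readers = rcu_npending = uaf_accesses = 0;
    struct ct_ft *got = get(7, interleave);
    return uaf_accesses ? UAF : (got ? GOT_REF : MISSED);
}

int demo_vulnerable_race(void) { return run(get_vulnerable, other_cpu_drops_last_ref); }
int demo_fixed_race(void)      { return run(get_fixed, other_cpu_drops_last_ref); }
int demo_fixed_quiet(void)     { return run(get_fixed, nothing_happens); }

int main(void)
{
    int v = demo_vulnerable_race(), f = demo_fixed_race(), r = rcu_grace_period();
    return printf("vulnerable=%d fixed=%d reclaimed_after_unlock=%d quiet=%d\n",
                  v, f, r, demo_fixed_quiet()) < 0;
}
```

With the put and grace period injected into the window, the vulnerable path reports a touch of reclaimed memory (UAF) while the fixed path merely misses the dying table (MISSED) and the free completes only after rcu_read_unlock(); without contention the fixed path still hands back a reference (GOT_REF).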
Severity: 7.8 (High), CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (from the record below)
Assigner: Linux
References
| URL |
|---|
| https://git.kernel.org/stable/c/ece578ca61e572df96cfc80456357ebfae0b4b9e |
| https://git.kernel.org/stable/c/a2e0c045c87aa252eb61412e67dd91f2c2b19f81 |
| https://git.kernel.org/stable/c/67c9ecc9f2575273ed1323e312881fc98ac83d6d |
| https://git.kernel.org/stable/c/f23424a0ddadb494d4bd57056a7ca703312d3a7b |
| https://git.kernel.org/stable/c/17dfb67cb399b660105d9a8c6100851c0d0cdc70 |
| https://git.kernel.org/stable/c/4c727c6967a41b37efe0f26332ca9ec5b74785a3 |
| https://git.kernel.org/stable/c/3e20e1b3058e0b94638e7b931c138e840e266724 |
| https://git.kernel.org/stable/c/f462dca0c8415bf0058d0ffa476354c4476d0f09 |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a, < ece578ca61e572df96cfc80456357ebfae0b4b9e (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a, < a2e0c045c87aa252eb61412e67dd91f2c2b19f81 (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a, < 67c9ecc9f2575273ed1323e312881fc98ac83d6d (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a, < f23424a0ddadb494d4bd57056a7ca703312d3a7b (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a, < 17dfb67cb399b660105d9a8c6100851c0d0cdc70 (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a, < 4c727c6967a41b37efe0f26332ca9ec5b74785a3 (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a, < 3e20e1b3058e0b94638e7b931c138e840e266724 (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a, < f462dca0c8415bf0058d0ffa476354c4476d0f09 (git) |
In release terms (from the record's semver ranges below): introduced in 5.7; fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10 and 7.1.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ece578ca61e572df96cfc80456357ebfae0b4b9e",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "a2e0c045c87aa252eb61412e67dd91f2c2b19f81",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "67c9ecc9f2575273ed1323e312881fc98ac83d6d",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f23424a0ddadb494d4bd57056a7ca703312d3a7b",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "17dfb67cb399b660105d9a8c6100851c0d0cdc70",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "4c727c6967a41b37efe0f26332ca9ec5b74785a3",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "3e20e1b3058e0b94638e7b931c138e840e266724",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f462dca0c8415bf0058d0ffa476354c4476d0f09",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: Only release RCU read lock after ct_ft\n\nWhen looking up a flow table in act_ct in tcf_ct_flow_table_get(),\nrhashtable_lookup_fast() internally opens and closes an RCU read critical\nsection before returning ct_ft.\nThe tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()\nis invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft\nobject. This vulnerability can lead to privilege escalation.\n\nAnalysis from zdi-disclosures@trendmicro.com:\nWhen initializing act_ct, tcf_ct_init() is called, which internally triggers\ntcf_ct_flow_table_get().\n\nstatic int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)\n\n{\n struct zones_ht_key key = { .net = net, .zone = params-\u003ezone };\n struct tcf_ct_flow_table *ct_ft;\n int err = -ENOMEM;\n\n mutex_lock(\u0026zones_mutex);\n ct_ft = rhashtable_lookup_fast(\u0026zones_ht, \u0026key, zones_params); // [1]\n if (ct_ft \u0026\u0026 refcount_inc_not_zero(\u0026ct_ft-\u003eref)) // [2]\n goto out_unlock;\n ...\n}\n\nstatic __always_inline void *rhashtable_lookup_fast(\n struct rhashtable *ht, const void *key,\n const struct rhashtable_params params)\n{\n void *obj;\n\n rcu_read_lock();\n obj = rhashtable_lookup(ht, key, params);\n rcu_read_unlock();\n\n return obj;\n}\n\nAt [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft\nfrom zones_ht . The lookup is performed within an RCU read critical section\nthrough rcu_read_lock() / rcu_read_unlock(), which prevents the object from\nbeing freed. However, at the point of function return, rcu_read_unlock() has\nalready been called, and there is nothing preventing ct_ft from being freed\nbefore reaching refcount_inc_not_zero(\u0026ct_ft-\u003eref) at [2]. This interval becomes\nthe race window, during which ct_ft can be freed.\n\nFree Process:\n\ntcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()\ntcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().\n\nstatic void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)\n{\n if (refcount_dec_and_test(\u0026ct_ft-\u003eref)) {\n rhashtable_remove_fast(\u0026zones_ht, \u0026ct_ft-\u003enode, zones_params);\n INIT_RCU_WORK(\u0026ct_ft-\u003erwork, tcf_ct_flow_table_cleanup_work); // [3]\n queue_rcu_work(act_ct_wq, \u0026ct_ft-\u003erwork);\n }\n}\n\nAt [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work\n\nstatic void tcf_ct_flow_table_cleanup_work(struct work_struct *work)\n\n{\n struct tcf_ct_flow_table *ct_ft;\n struct flow_block *block;\n\n ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,\n rwork);\n nf_flow_table_free(\u0026ct_ft-\u003enf_ft);\n block = \u0026ct_ft-\u003enf_ft.flow_block;\n down_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n WARN_ON(!list_empty(\u0026block-\u003ecb_list));\n up_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n kfree(ct_ft); // [4]\n\n module_put(THIS_MODULE);\n}\n\ntcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes\nbetween [1] and [2], UAF occurs.\n\nThis race condition has a very short race window, making it generally\ndifficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was\ninserted after[1]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:57.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ece578ca61e572df96cfc80456357ebfae0b4b9e"
},
{
"url": "https://git.kernel.org/stable/c/a2e0c045c87aa252eb61412e67dd91f2c2b19f81"
},
{
"url": "https://git.kernel.org/stable/c/67c9ecc9f2575273ed1323e312881fc98ac83d6d"
},
{
"url": "https://git.kernel.org/stable/c/f23424a0ddadb494d4bd57056a7ca703312d3a7b"
},
{
"url": "https://git.kernel.org/stable/c/17dfb67cb399b660105d9a8c6100851c0d0cdc70"
},
{
"url": "https://git.kernel.org/stable/c/4c727c6967a41b37efe0f26332ca9ec5b74785a3"
},
{
"url": "https://git.kernel.org/stable/c/3e20e1b3058e0b94638e7b931c138e840e266724"
},
{
"url": "https://git.kernel.org/stable/c/f462dca0c8415bf0058d0ffa476354c4476d0f09"
}
],
"title": "net/sched: act_ct: Only release RCU read lock after ct_ft",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46319",
"datePublished": "2026-06-09T12:11:12.128Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T18:08:57.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46301 (GCVE-0-2026-46301)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
Title
spi: topcliff-pch: fix use-after-free on unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: topcliff-pch: fix use-after-free on unbind
Give the driver a chance to flush its queue before releasing the DMA
buffers on driver unbind
Severity: no CVSS data available.
Assigner: Linux
References
| URL |
|---|
| https://git.kernel.org/stable/c/43334836b907adc21eab3079d2e6b26754468786 |
| https://git.kernel.org/stable/c/36e58c436d2c2a797800427dc04d74ffd8b6ce1c |
| https://git.kernel.org/stable/c/4ca90deeca1c7dd72c1c380ba8143565516def2d |
| https://git.kernel.org/stable/c/d79e92161b65832e0b8cad5f3d84d17e5cd7a970 |
| https://git.kernel.org/stable/c/8822980668c96b5aa251c1e2daec1873262b8f3f |
| https://git.kernel.org/stable/c/d50ef3553acbacce6f2843304d41d06dca358bb6 |
| https://git.kernel.org/stable/c/0e8e57f9737ea257634db1d152fc430a0788a3e1 |
| https://git.kernel.org/stable/c/9d72732fe70c11424bc90ed466c7ccfa58b42a9a |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b, < 43334836b907adc21eab3079d2e6b26754468786 (git) |
| Linux | Linux | Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b, < 36e58c436d2c2a797800427dc04d74ffd8b6ce1c (git) |
| Linux | Linux | Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b, < 4ca90deeca1c7dd72c1c380ba8143565516def2d (git) |
| Linux | Linux | Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b, < d79e92161b65832e0b8cad5f3d84d17e5cd7a970 (git) |
| Linux | Linux | Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b, < 8822980668c96b5aa251c1e2daec1873262b8f3f (git) |
| Linux | Linux | Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b, < d50ef3553acbacce6f2843304d41d06dca358bb6 (git) |
| Linux | Linux | Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b, < 0e8e57f9737ea257634db1d152fc430a0788a3e1 (git) |
| Linux | Linux | Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b, < 9d72732fe70c11424bc90ed466c7ccfa58b42a9a (git) |
In release terms (from the record's semver ranges below): introduced in 3.1; fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7 and 7.1.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-topcliff-pch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43334836b907adc21eab3079d2e6b26754468786",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "36e58c436d2c2a797800427dc04d74ffd8b6ce1c",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "4ca90deeca1c7dd72c1c380ba8143565516def2d",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "d79e92161b65832e0b8cad5f3d84d17e5cd7a970",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "8822980668c96b5aa251c1e2daec1873262b8f3f",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "d50ef3553acbacce6f2843304d41d06dca358bb6",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "0e8e57f9737ea257634db1d152fc430a0788a3e1",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "9d72732fe70c11424bc90ed466c7ccfa58b42a9a",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-topcliff-pch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: topcliff-pch: fix use-after-free on unbind\n\nGive the driver a chance to flush its queue before releasing the DMA\nbuffers on driver unbind"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:38.861Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43334836b907adc21eab3079d2e6b26754468786"
},
{
"url": "https://git.kernel.org/stable/c/36e58c436d2c2a797800427dc04d74ffd8b6ce1c"
},
{
"url": "https://git.kernel.org/stable/c/4ca90deeca1c7dd72c1c380ba8143565516def2d"
},
{
"url": "https://git.kernel.org/stable/c/d79e92161b65832e0b8cad5f3d84d17e5cd7a970"
},
{
"url": "https://git.kernel.org/stable/c/8822980668c96b5aa251c1e2daec1873262b8f3f"
},
{
"url": "https://git.kernel.org/stable/c/d50ef3553acbacce6f2843304d41d06dca358bb6"
},
{
"url": "https://git.kernel.org/stable/c/0e8e57f9737ea257634db1d152fc430a0788a3e1"
},
{
"url": "https://git.kernel.org/stable/c/9d72732fe70c11424bc90ed466c7ccfa58b42a9a"
}
],
"title": "spi: topcliff-pch: fix use-after-free on unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46301",
"datePublished": "2026-06-08T15:46:28.004Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:07:38.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46307 (GCVE-0-2026-46307)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:08
Title
wifi: ath5k: do not access array OOB
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath5k: do not access array OOB
Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0
It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.
Set this 'idx = -1' sentinel only if the array index is less than the
array size, as mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).
Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.
Severity
8.3 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < ecb1c163166759dec004c1fdb9709b8a5992fc8e (git) |
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 9dd6aae4bc7bfa11088d928670a3315eae542769 (git) |
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 744c19e266b0d2628c5951439195dcef27eadacf (git) |
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 83226c71af53fb9b3cad40cb9a9a79f36d68c020 (git) |
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < d6869537013b1f21b292342752d97868b79b5934 (git) |
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < e9f1081bc775146156def0dbc821b92f35d56afb (git) |
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 568173ad9bd0b46cc6cd937dea8791e9b5eefa57 (git) |
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < d748603f12baff112caa3ab7d39f50100f010dbd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecb1c163166759dec004c1fdb9709b8a5992fc8e",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "9dd6aae4bc7bfa11088d928670a3315eae542769",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "744c19e266b0d2628c5951439195dcef27eadacf",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "83226c71af53fb9b3cad40cb9a9a79f36d68c020",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d6869537013b1f21b292342752d97868b79b5934",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "e9f1081bc775146156def0dbc821b92f35d56afb",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "568173ad9bd0b46cc6cd937dea8791e9b5eefa57",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d748603f12baff112caa3ab7d39f50100f010dbd",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath5k: do not access array OOB\n\nVincent reports:\n\u003e The ath5k driver seems to do an array-index-out-of-bounds access as\n\u003e shown by the UBSAN kernel message:\n\u003e UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\n\u003e index 4 is out of range for type \u0027ieee80211_tx_rate [4]\u0027\n\u003e ...\n\u003e Call Trace:\n\u003e \u003cTASK\u003e\n\u003e dump_stack_lvl+0x5d/0x80\n\u003e ubsan_epilogue+0x5/0x2b\n\u003e __ubsan_handle_out_of_bounds.cold+0x46/0x4b\n\u003e ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\n\u003e tasklet_action_common+0xb5/0x1c0\n\nIt is real. \u0027ts-\u003ets_final_idx\u0027 can be 3 on 5212, so:\n info-\u003estatus.rates[ts-\u003ets_final_idx + 1].idx = -1;\nwith the array defined as:\n struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\nwhile the size is:\n #define IEEE80211_TX_MAX_RATES 4\nis indeed bogus.\n\nSet this \u0027idx = -1\u0027 sentinel only if the array index is less than the\narray size. As mac80211 will not look at rates beyond the size\n(IEEE80211_TX_MAX_RATES).\n\nNote: The effect of the OOB write is negligible. It just overwrites the\nnext member of info-\u003estatus, i.e. ack_signal."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:05.377Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e"
},
{
"url": "https://git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769"
},
{
"url": "https://git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf"
},
{
"url": "https://git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020"
},
{
"url": "https://git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934"
},
{
"url": "https://git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb"
},
{
"url": "https://git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57"
},
{
"url": "https://git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd"
}
],
"title": "wifi: ath5k: do not access array OOB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46307",
"datePublished": "2026-06-08T15:46:35.059Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:08:05.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49760 (GCVE-0-2026-49760)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
Stack Buffer Overflow in ei_s_print_term at Very Large Integer
Summary
Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.
This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.
The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.
The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.
This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
Severity
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Credits
Jonatan Männchen / EEF
Sverker Eriksson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:16:14.697009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:16:28.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"erl_interface"
],
"packageName": "erl_interface",
"packageURL": "pkg:otp/erl_interface?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/misc/ei_printterm.c"
],
"programRoutines": [
{
"name": "ei_s_print_term"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.2.1",
"status": "unaffected"
},
{
"at": "5.7.0.1",
"status": "unaffected"
},
{
"at": "5.8.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.7.16",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"erl_interface"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/erl_interface/src/misc/ei_printterm.c"
],
"programRoutines": [
{
"name": "ei_s_print_term"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "27.3.4.13",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "29.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sverker Eriksson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eStack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/erl_interface/src/misc/ei_printterm.c\u003c/tt\u003e and program routine \u003ctt\u003eei_s_print_term\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe C function \u003ctt\u003eei_s_print_term\u003c/tt\u003e uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of \u003ctt\u003e0\u003c/tt\u003e-\u003ctt\u003e9\u003c/tt\u003e and \u003ctt\u003eA\u003c/tt\u003e-\u003ctt\u003eF\u003c/tt\u003e, which limits exploitation to Denial of Service.\u003c/p\u003e\u003cp\u003eThe companion function \u003ctt\u003eei_print_term\u003c/tt\u003e, which prints directly to a \u003ctt\u003eFILE\u003c/tt\u003e instead of a memory buffer, does not contain this bug.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.\u003c/p\u003e"
}
],
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.\n\nThis vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.\n\nThe C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.\n\nThe companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.\n\nThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1."
}
],
"impacts": [
{
"capecId": "CAPEC-8",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-8 Buffer Overflow in an API Call"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:57.427Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-xcxj-5pg2-v72j"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49760.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49760"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stack Buffer Overflow in ei_s_print_term at Very Large Integer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Avoid calling \u003ctt\u003eei_s_print_term\u003c/tt\u003e with untrusted data whose encoded integer representation could exceed 2000 characters."
}
],
"value": "Avoid calling ei_s_print_term with untrusted data whose encoded integer representation could exceed 2000 characters."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49760",
"datePublished": "2026-06-10T14:35:36.804Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-06-11T04:45:57.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42767 (GCVE-0-2026-42767)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:48
Title
NULL Pointer Dereference in CRMF EncryptedValue Decryption
Summary
Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.

Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity
No CVSS data available.
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Credits
Zhanpeng Liu (Tencent Xuanwu Lab)
Guannan Wang (Tencent Xuanwu Lab)
Guancheng Li (Tencent Xuanwu Lab)
Bhabani Sankar Das
Igor Ustinov
Tomáš Mráz
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42767",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:44:35.594012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:45:04.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Zhanpeng Liu (Tencent Xuanwu Lab)"
},
{
"lang": "en",
"type": "reporter",
"value": "Guannan Wang (Tencent Xuanwu Lab)"
},
{
"lang": "en",
"type": "reporter",
"value": "Guancheng Li (Tencent Xuanwu Lab)"
},
{
"lang": "en",
"type": "reporter",
"value": "Bhabani Sankar Das"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Igor Ustinov"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tom\u00e1\u0161 Mr\u00e1z"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\u003cbr\u003eserver could trigger a NULL pointer dereference in a CMP client application.\u003cbr\u003e\u003cbr\u003eImpact summary: A NULL pointer dereference causes a crash of the\u003cbr\u003eapplication and a Denial of Service.\u003cbr\u003e\u003cbr\u003eAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\u003cbr\u003ecraft a CMP response containing a CRMF (Certificate Request Message Format)\u003cbr\u003eCertRepMessage with an EncryptedValue structure where the symmAlg field\u003cbr\u003ehas an algorithm OID but no parameters field. When the OpenSSL CMP client\u003cbr\u003eprocesses this response, the NULL dereference occurs, causing a crash of\u003cbr\u003ethe CMP client.\u003cbr\u003e\u003cbr\u003eApplications that process untrusted CMP/CRMF messages may be affected.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\u003cbr\u003eissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"value": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:48:03.405Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/810b722f772652ad48042bcc7ab07e3414b11d0f"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/665d5254083affde9982efca7c41dd01cacc8774"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NULL Pointer Dereference in CRMF EncryptedValue Decryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-42767",
"datePublished": "2026-06-09T16:03:27.435Z",
"dateReserved": "2026-04-29T09:22:27.968Z",
"dateUpdated": "2026-06-10T07:48:03.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46296 (GCVE-0-2026-46296)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-19 12:00
Title
spi: s3c64xx: fix NULL-deref on driver unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: s3c64xx: fix NULL-deref on driver unbind
A change moving DMA channel allocation from probe() back to s3c64xx_spi_prepare_transfer() failed to remove the corresponding deallocation from remove().

Drop the bogus DMA channel release from remove() to avoid triggering a NULL-pointer dereference on driver unbind.

This issue was flagged by Sashiko when reviewing a controller deregistration fix.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 29e219a18e21258bdb4ee12cecd0e9ec87d7e6a7 (git) |
| Linux | Linux | Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 1108b8722b9ff0cdd3e8aa18d98244fcd93b6760 (git) |
| Linux | Linux | Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 323a258f4b1916b5a3098618e036e033b2f2317f (git) |
| Linux | Linux | Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 1b66f16a571a10ba8889ac471755c8af9c5b9266 (git) |
| Linux | Linux | Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 22788b1a8611380b141e09a8896702e32d164238 (git) |
| Linux | Linux | Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 45daacbead8a009844bd5dba6cfa731332184d17 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-s3c64xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29e219a18e21258bdb4ee12cecd0e9ec87d7e6a7",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "1108b8722b9ff0cdd3e8aa18d98244fcd93b6760",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "323a258f4b1916b5a3098618e036e033b2f2317f",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "1b66f16a571a10ba8889ac471755c8af9c5b9266",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "22788b1a8611380b141e09a8896702e32d164238",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "45daacbead8a009844bd5dba6cfa731332184d17",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-s3c64xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: s3c64xx: fix NULL-deref on driver unbind\n\nA change moving DMA channel allocation from probe() back to\ns3c64xx_spi_prepare_transfer() failed to remove the corresponding\ndeallocation from remove().\n\nDrop the bogus DMA channel release from remove() to avoid triggering a\nNULL-pointer dereference on driver unbind.\n\nThis issue was flagged by Sashiko when reviewing a controller\nderegistration fix."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:10.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29e219a18e21258bdb4ee12cecd0e9ec87d7e6a7"
},
{
"url": "https://git.kernel.org/stable/c/1108b8722b9ff0cdd3e8aa18d98244fcd93b6760"
},
{
"url": "https://git.kernel.org/stable/c/323a258f4b1916b5a3098618e036e033b2f2317f"
},
{
"url": "https://git.kernel.org/stable/c/1b66f16a571a10ba8889ac471755c8af9c5b9266"
},
{
"url": "https://git.kernel.org/stable/c/22788b1a8611380b141e09a8896702e32d164238"
},
{
"url": "https://git.kernel.org/stable/c/45daacbead8a009844bd5dba6cfa731332184d17"
}
],
"title": "spi: s3c64xx: fix NULL-deref on driver unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46296",
"datePublished": "2026-06-08T15:46:23.539Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-19T12:00:10.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46292 (GCVE-0-2026-46292)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-19 12:00
Title
pmdomain: core: Fix detach procedure for virtual devices in genpd
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: core: Fix detach procedure for virtual devices in genpd
If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),
genpd calls pm_runtime_enable() for the corresponding virtual device that
it registers. While this avoids boilerplate code in drivers, there is no
corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().
This means these virtual devices are typically detached from its genpd,
while runtime PM remains enabled for them, which is not how things are
designed to work. In worst cases it may lead to critical errors, like a
NULL pointer dereference bug in genpd_runtime_suspend(), which was recently
reported. For another case, we may end up keeping an unnecessary vote for a
performance state for the device.
To fix these problems, let's add this missing call to pm_runtime_disable()
in genpd_dev_pm_detach().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728, < e8f8dad44f024a5c99e54a48ad5c943fa8e54319 (git) |
| Linux | Linux | Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728, < 98b8104978474d381256a2b2fb0e7ca8e05a7bfa (git) |
| Linux | Linux | Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728, < 52e485ed0dcb5496864003ba9ffcef7d5b613f83 (git) |
| Linux | Linux | Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728, < 707cb5df3eab32ddc52979418f7ace62941e6381 (git) |
| Linux | Linux | Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728, < 361518a26e4434e879db6ff43bf364795dcbfbff (git) |
| Linux | Linux | Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728, < 51a7dd9cbae9210335ce398642ecaaa52c939eb5 (git) |
| Linux | Linux | Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728, < 8d44391a7f29e4601e8243f13498d0219bab2576 (git) |
| Linux | Linux | Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728, < 26735dfdd8930d9ef1fa92e590a9bf77726efdf6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8f8dad44f024a5c99e54a48ad5c943fa8e54319",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "98b8104978474d381256a2b2fb0e7ca8e05a7bfa",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "52e485ed0dcb5496864003ba9ffcef7d5b613f83",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "707cb5df3eab32ddc52979418f7ace62941e6381",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "361518a26e4434e879db6ff43bf364795dcbfbff",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "51a7dd9cbae9210335ce398642ecaaa52c939eb5",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "8d44391a7f29e4601e8243f13498d0219bab2576",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "26735dfdd8930d9ef1fa92e590a9bf77726efdf6",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: core: Fix detach procedure for virtual devices in genpd\n\nIf a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),\ngenpd calls pm_runtime_enable() for the corresponding virtual device that\nit registers. While this avoids boilerplate code in drivers, there is no\ncorresponding call to pm_runtime_disable() in genpd_dev_pm_detach().\n\nThis means these virtual devices are typically detached from its genpd,\nwhile runtime PM remains enabled for them, which is not how things are\ndesigned to work. In worst cases it may lead to critical errors, like a\nNULL pointer dereference bug in genpd_runtime_suspend(), which was recently\nreported. For another case, we may end up keeping an unnecessary vote for a\nperformance state for the device.\n\nTo fix these problems, let\u0027s add this missing call to pm_runtime_disable()\nin genpd_dev_pm_detach()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:08.563Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8f8dad44f024a5c99e54a48ad5c943fa8e54319"
},
{
"url": "https://git.kernel.org/stable/c/98b8104978474d381256a2b2fb0e7ca8e05a7bfa"
},
{
"url": "https://git.kernel.org/stable/c/52e485ed0dcb5496864003ba9ffcef7d5b613f83"
},
{
"url": "https://git.kernel.org/stable/c/707cb5df3eab32ddc52979418f7ace62941e6381"
},
{
"url": "https://git.kernel.org/stable/c/361518a26e4434e879db6ff43bf364795dcbfbff"
},
{
"url": "https://git.kernel.org/stable/c/51a7dd9cbae9210335ce398642ecaaa52c939eb5"
},
{
"url": "https://git.kernel.org/stable/c/8d44391a7f29e4601e8243f13498d0219bab2576"
},
{
"url": "https://git.kernel.org/stable/c/26735dfdd8930d9ef1fa92e590a9bf77726efdf6"
}
],
"title": "pmdomain: core: Fix detach procedure for virtual devices in genpd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46292",
"datePublished": "2026-06-08T15:46:19.431Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-19T12:00:08.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45447 (GCVE-0-2026-45447)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-07-02 12:05
Title
Heap Use-After-Free in the PKCS7_verify() Function
Summary
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap
corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed message, if the SignedData
digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may
incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent
use of the BIO by the calling application results in a use-after-free
condition.
In the common case this occurs when the application later calls
BIO_free() on the BIO originally passed to PKCS7_verify(). Depending
on allocator behavior and application-specific BIO usage patterns, this
may result in a crash or other memory corruption. In some application
contexts this may potentially be exploitable for remote code execution.
Applications that process PKCS#7 or S/MIME signed messages using OpenSSL
PKCS#7 APIs may be affected. Applications using the CMS APIs for this
processing are not affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity
No CVSS data available.
CWE
- CWE-416 - Use After Free
Credits
Thai Duong (Calif.io in collaboration with Claude and Anthropic Research)
Igor Ustinov
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T03:59:38.212378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T13:32:20.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:insights_proxy:1.5::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Insights proxy 1.5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenSSL. When processing a specially crafted PKCS#7 or S/MIME (Secure/Multipurpose Internet Mail Extensions) signed message, a heap use-after-free vulnerability in the PKCS7_verify() function can be triggered. This occurs if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, leading to incorrect memory deallocation. A remote attacker could exploit this to cause application crashes, memory corruption, or potentially achieve remote code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:25.879Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-45447"
},
{
"name": "RHBZ#2481898",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45447.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25237"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25239"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26275"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34102"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26319"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25237: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:25239: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26275: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:29197: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:34102: Red Hat Insights proxy 1.5"
},
{
"lang": "en",
"value": "RHSA-2026:26319: Red Hat Update Infrastructure 5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T14:17:46.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-09T00:00:00.000Z",
"value": "Made public."
}
],
"title": "openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1zh",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.0.2zq",
"status": "affected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Thai Duong (Calif.io in collaboration with Claude and Anthropic Research)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Igor Ustinov"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\u003cbr\u003etrigger a use-after-free during PKCS#7 signature verification.\u003cbr\u003e\u003cbr\u003eImpact summary: A use-after-free may result in process crashes, heap\u003cbr\u003ecorruption, or potentially remote code execution.\u003cbr\u003e\u003cbr\u003eWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\u003cbr\u003edigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\u003cbr\u003eincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\u003cbr\u003euse of the BIO by the calling application results in a use-after-free\u003cbr\u003econdition.\u003cbr\u003e\u003cbr\u003eIn the common case this occurs when the application later calls\u003cbr\u003eBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\u003cbr\u003eon allocator behavior and application-specific BIO usage patterns, this\u003cbr\u003emay result in a crash or other memory corruption. In some application\u003cbr\u003econtexts this may potentially be exploitable for remote code execution.\u003cbr\u003e\u003cbr\u003eApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\u003cbr\u003ePKCS#7 APIs may be affected. Applications using the CMS APIs for this\u003cbr\u003eprocessing are not affected.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\u003cbr\u003eissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"value": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\ntrigger a use-after-free during PKCS#7 signature verification.\n\nImpact summary: A use-after-free may result in process crashes, heap\ncorruption, or potentially remote code execution.\n\nWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\ndigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\nincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\nuse of the BIO by the calling application results in a use-after-free\ncondition.\n\nIn the common case this occurs when the application later calls\nBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\non allocator behavior and application-specific BIO usage patterns, this\nmay result in a crash or other memory corruption. In some application\ncontexts this may potentially be exploitable for remote code execution.\n\nApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\nPKCS#7 APIs may be affected. Applications using the CMS APIs for this\nprocessing are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "High"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:48:15.381Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Use-After-Free in the PKCS7_verify() Function",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-45447",
"datePublished": "2026-06-09T16:03:32.914Z",
"dateReserved": "2026-05-12T14:34:06.277Z",
"dateUpdated": "2026-07-02T12:05:25.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48914 (GCVE-0-2026-48914)
Vulnerability from cvelistv5 – Published: 2026-06-12 09:42 – Updated: 2026-06-15 13:00
Title
Qemu-kvm: heap buffer overflow in virtio-blk scsi request handling
Summary
A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.
Severity
6.7 (Medium)
CWE
- CWE-122 - Heap-based Buffer Overflow
Impacted products
| Vendor | Product | Version |
|---|---|---|
| | | Affected: 1.1.0, ≤ 11.0.1 (semver) |
Credits
Red Hat would like to thank Feifan Qian <bea1e@proton.me> for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T09:57:24.232821Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T09:57:53.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://gitlab.com/qemu-project/qemu",
"defaultStatus": "unaffected",
"packageName": "qemu",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "qemu-kvm-ma",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux for NVIDIA 26",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Feifan Qian \u003cbea1e@proton.me\u003e for reporting this issue."
}
],
"datePublic": "2026-05-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in QEMU\u0027s virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T13:00:33.022Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-48914"
},
{
"name": "RHBZ#2488283",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488283"
},
{
"url": "https://lore.kernel.org/qemu-devel/20260526154957.1741622-1-stefanha@redhat.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T09:09:42.108Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Qemu-kvm: heap buffer overflow in virtio-blk scsi request handling",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-48914",
"datePublished": "2026-06-12T09:42:36.313Z",
"dateReserved": "2026-05-26T12:51:11.502Z",
"dateUpdated": "2026-06-15T13:00:33.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7383 (GCVE-0-2026-7383)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:47
Title
Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion
Summary
Issue summary: A signed integer overflow when sizing the destination
buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap
buffer overflow.
Impact summary: A heap buffer overflow may lead to a crash or possibly
attacker controlled code execution or other undefined behaviour.
In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination
size for Unicode output is computed in a signed int: by left shift
of the input character count for BMPSTRING (UTF-16) and
UNIVERSALSTRING (UTF-32), and by summing per-character byte counts
for UTF8STRING. The calculation overflows when the input reaches
around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30
characters) the size wraps to zero, OPENSSL_malloc(1) is called, and
the subsequent character copy writes several gigabytes past the
one-byte allocation.
X.509 certificate processing routes through ASN1_STRING_set_by_NID(),
whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID
size limits cap the input length; no network protocol or
certificate-handling path in OpenSSL exercises the overflow.
Triggering the bug requires an application that calls
ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers
a custom string type via ASN1_STRING_TABLE_add(), with
attacker-controlled input on the order of half a gigabyte or more.
For these reasons this issue was assigned Low severity.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by
this issue, as the affected code is outside the OpenSSL FIPS module
boundary.
Severity
No CVSS data available.
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Credits
Zehua Qiao
Jinwen He
Viktor Dukhovni
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:57.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1zh",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.0.2zq",
"status": "affected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Zehua Qiao"
},
{
"lang": "en",
"type": "reporter",
"value": "Jinwen He"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Viktor Dukhovni"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: A signed integer overflow when sizing the destination\u003cbr\u003ebuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\u003cbr\u003ebuffer overflow.\u003cbr\u003e\u003cbr\u003eImpact summary: A heap buffer overflow may lead to a crash or possibly\u003cbr\u003eattacker controlled code execution or other undefined behaviour.\u003cbr\u003e\u003cbr\u003eIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\u003cbr\u003esize for Unicode output is computed in a signed int: by left shift\u003cbr\u003eof the input character count for BMPSTRING (UTF-16) and\u003cbr\u003eUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\u003cbr\u003efor UTF8STRING. The calculation overflows when the input reaches\u003cbr\u003earound 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\u003cbr\u003echaracters) the size wraps to zero, OPENSSL_malloc(1) is called, and\u003cbr\u003ethe subsequent character copy writes several gigabytes past the\u003cbr\u003eone-byte allocation.\u003cbr\u003e\u003cbr\u003eX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\u003cbr\u003ewhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\u003cbr\u003esize limits cap the input length; no network protocol or\u003cbr\u003ecertificate-handling path in OpenSSL exercises the overflow.\u003cbr\u003eTriggering the bug requires an application that calls\u003cbr\u003eASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\u003cbr\u003ea custom string type via ASN1_STRING_TABLE_add(), with\u003cbr\u003eattacker-controlled input on the order of half a gigabyte or more.\u003cbr\u003eFor these reasons this issue was assigned Low severity.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\u003cbr\u003ethis issue, as the affected code is outside the OpenSSL FIPS module\u003cbr\u003eboundary."
}
],
"value": "Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:47:47.578Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-7383",
"datePublished": "2026-06-09T16:03:15.508Z",
"dateReserved": "2026-04-29T08:21:07.253Z",
"dateUpdated": "2026-06-10T07:47:47.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48855 (GCVE-0-2026-48855)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.
The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.
The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
Severity
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
Credits
Jonatan Männchen / EEF
Jonatan Männchen / EEF
Michał Wąsowski
Jakub Witczak
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:22:16.684743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:22:24.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "6.0.1",
"status": "unaffected"
},
{
"at": "5.5.2.1",
"status": "unaffected"
},
{
"at": "5.2.11.8",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "8f4224a0d2676b0653d2c71a889a956e8c2c62d6",
"status": "affected",
"version": "08225797f7ef943d0c82a1d9dd6650d94ca2580d",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server and the \u003ctt\u003eroot\u003c/tt\u003e option must be configured in the \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e call. Deployments without the \u003ctt\u003eroot\u003c/tt\u003e option are not affected."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server and the root option must be configured in the ssh_sftpd:subsystem_spec/1 call. Deployments without the root option are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Micha\u0142 W\u0105sowski"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows File Discovery.\u003cp\u003eThe \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e sends the raw result of \u003ctt\u003efile:read_link/2\u003c/tt\u003e to the client without calling \u003ctt\u003echroot_filename/2\u003c/tt\u003e to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to \u003ctt\u003e/\u003c/tt\u003e; \u003ctt\u003essh_sftpd\u003c/tt\u003e resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e returns that absolute path, for example \u003ctt\u003e/data/sftp\u003c/tt\u003e, instead of the chrooted value \u003ctt\u003e/\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.\n\nThe SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.\n\nThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8."
}
],
"impacts": [
{
"capecId": "CAPEC-116",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-116 Excavation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:29.864Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48855.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48855"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/8f4224a0d2676b0653d2c71a889a956e8c2c62d6"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48855",
"datePublished": "2026-06-10T14:35:49.683Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:29.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46299 (GCVE-0-2026-46299)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-19 12:00
Title
hfsplus: fix held lock freed on hfsplus_fill_super()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix held lock freed on hfsplus_fill_super()
hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the function jumps to the out_put_root
error label without releasing the lock. The later cleanup path then
frees the tree data structure with the lock still held, triggering a
held lock freed warning.
Fix this by adding the missing hfs_find_exit(&fd) call before jumping
to the out_put_root error label. This ensures that tree->tree_lock is
properly released on the error path.
The bug was originally detected on v6.13-rc1 using an experimental
static analysis tool we are developing, and we have verified that the
issue persists in the latest mainline kernel. The tool is specifically
designed to detect memory management issues. It is currently under active
development and not yet publicly available.
We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we
used GDB to dynamically shrink the max_unistr_len parameter to 1 before
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and
exercises the faulty error path. The following warning was observed
during mount:
=========================
WARNING: held lock freed!
7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted
-------------------------
mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!
ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
2 locks held by mount/174:
#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40
#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
stack backtrace:
CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x82/0xd0
debug_check_no_locks_freed+0x13a/0x180
kfree+0x16b/0x510
? hfsplus_fill_super+0xcb4/0x18a0
hfsplus_fill_super+0xcb4/0x18a0
? __pfx_hfsplus_fill_super+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x65f/0xc30
? srso_return_thunk+0x5/0x5f
? pointer+0x4ce/0xbf0
? trace_contention_end+0x11c/0x150
? __pfx_pointer+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x79b/0xc30
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? vsnprintf+0x6da/0x1270
? srso_return_thunk+0x5/0x5f
? __mutex_unlock_slowpath+0x157/0x740
? __pfx_vsnprintf+0x10/0x10
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? mark_held_locks+0x49/0x80
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? irqentry_exit+0x17b/0x5e0
? trace_irq_disable.constprop.0+0x116/0x150
? __pfx_hfsplus_fill_super+0x10/0x10
? __pfx_hfsplus_fill_super+0x10/0x10
get_tree_bdev_flags+0x302/0x580
? __pfx_get_tree_bdev_flags+0x10/0x10
? vfs_parse_fs_qstr+0x129/0x1a0
? __pfx_vfs_parse_fs_qstr+0x3/0x10
vfs_get_tree+0x89/0x320
fc_mount+0x10/0x1d0
path_mount+0x5c5/0x21c0
? __pfx_path_mount+0x10/0x10
? trace_irq_enable.constprop.0+0x116/0x150
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? kmem_cache_free+0x307/0x540
? user_path_at+0x51/0x60
? __x64_sys_mount+0x212/0x280
? srso_return_thunk+0x5/0x5f
__x64_sys_mount+0x212/0x280
? __pfx___x64_sys_mount+0x10/0x10
? srso_return_thunk+0x5/0x5f
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
do_syscall_64+0x111/0x680
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffacad55eae
Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8
RSP: 002b
---truncated---
Severity
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < e890656accee4c26d932ea388eb8936a6e22184d (git) |
| | | Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < 6499c9c8ec437a369e7e221dad91f6122b50759d (git) |
| | | Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < c554ddc87af4d4e4be42f8aed1baec9e1c7588e0 (git) |
| | | Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < 3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e (git) |
| | | Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < 041acda6d9f96006703466449c10c9a69590c8b9 (git) |
| | | Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < d309d3308de658d87c42d97e044c89a226327526 (git) |
| | | Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc (git) |
| | | Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < 90c500e4fd83fa33c09bc7ee23b6d9cc487ac733 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e890656accee4c26d932ea388eb8936a6e22184d",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "6499c9c8ec437a369e7e221dad91f6122b50759d",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "c554ddc87af4d4e4be42f8aed1baec9e1c7588e0",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "041acda6d9f96006703466449c10c9a69590c8b9",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "d309d3308de658d87c42d97e044c89a226327526",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "90c500e4fd83fa33c09bc7ee23b6d9cc487ac733",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix held lock freed on hfsplus_fill_super()\n\nhfsplus_fill_super() calls hfs_find_init() to initialize a search\nstructure, which acquires tree-\u003etree_lock. If the subsequent call to\nhfsplus_cat_build_key() fails, the function jumps to the out_put_root\nerror label without releasing the lock. The later cleanup path then\nfrees the tree data structure with the lock still held, triggering a\nheld lock freed warning.\n\nFix this by adding the missing hfs_find_exit(\u0026fd) call before jumping\nto the out_put_root error label. This ensures that tree-\u003etree_lock is\nproperly released on the error path.\n\nThe bug was originally detected on v6.13-rc1 using an experimental\nstatic analysis tool we are developing, and we have verified that the\nissue persists in the latest mainline kernel. The tool is specifically\ndesigned to detect memory management issues. It is currently under active\ndevelopment and not yet publicly available.\n\nWe confirmed the bug by runtime testing under QEMU with x86_64 defconfig,\nlockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we\nused GDB to dynamically shrink the max_unistr_len parameter to 1 before\nhfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally\nreturn -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and\nexercises the faulty error path. The following warning was observed\nduring mount:\n\n\t=========================\n\tWARNING: held lock freed!\n\t7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted\n\t-------------------------\n\tmount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!\n\tffff888103f920b0 (\u0026tree-\u003etree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0\n\t2 locks held by mount/174:\n\t#0: ffff888103f960e0 (\u0026type-\u003es_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40\n\t#1: ffff888103f920b0 (\u0026tree-\u003etree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0\n\n\tstack backtrace:\n\tCPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tCall Trace:\n\t\u003cTASK\u003e\n\tdump_stack_lvl+0x82/0xd0\n\tdebug_check_no_locks_freed+0x13a/0x180\n\tkfree+0x16b/0x510\n\t? hfsplus_fill_super+0xcb4/0x18a0\n\thfsplus_fill_super+0xcb4/0x18a0\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? bdev_open+0x65f/0xc30\n\t? srso_return_thunk+0x5/0x5f\n\t? pointer+0x4ce/0xbf0\n\t? trace_contention_end+0x11c/0x150\n\t? __pfx_pointer+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? bdev_open+0x79b/0xc30\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? vsnprintf+0x6da/0x1270\n\t? srso_return_thunk+0x5/0x5f\n\t? __mutex_unlock_slowpath+0x157/0x740\n\t? __pfx_vsnprintf+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? mark_held_locks+0x49/0x80\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? irqentry_exit+0x17b/0x5e0\n\t? trace_irq_disable.constprop.0+0x116/0x150\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\tget_tree_bdev_flags+0x302/0x580\n\t? __pfx_get_tree_bdev_flags+0x10/0x10\n\t? vfs_parse_fs_qstr+0x129/0x1a0\n\t? __pfx_vfs_parse_fs_qstr+0x3/0x10\n\tvfs_get_tree+0x89/0x320\n\tfc_mount+0x10/0x1d0\n\tpath_mount+0x5c5/0x21c0\n\t? __pfx_path_mount+0x10/0x10\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? kmem_cache_free+0x307/0x540\n\t? user_path_at+0x51/0x60\n\t? __x64_sys_mount+0x212/0x280\n\t? srso_return_thunk+0x5/0x5f\n\t__x64_sys_mount+0x212/0x280\n\t? __pfx___x64_sys_mount+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? srso_return_thunk+0x5/0x5f\n\tdo_syscall_64+0x111/0x680\n\tentry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7ffacad55eae\n\tCode: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8\n\tRSP: 002b\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:12.848Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e890656accee4c26d932ea388eb8936a6e22184d"
},
{
"url": "https://git.kernel.org/stable/c/6499c9c8ec437a369e7e221dad91f6122b50759d"
},
{
"url": "https://git.kernel.org/stable/c/c554ddc87af4d4e4be42f8aed1baec9e1c7588e0"
},
{
"url": "https://git.kernel.org/stable/c/3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e"
},
{
"url": "https://git.kernel.org/stable/c/041acda6d9f96006703466449c10c9a69590c8b9"
},
{
"url": "https://git.kernel.org/stable/c/d309d3308de658d87c42d97e044c89a226327526"
},
{
"url": "https://git.kernel.org/stable/c/bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc"
},
{
"url": "https://git.kernel.org/stable/c/90c500e4fd83fa33c09bc7ee23b6d9cc487ac733"
}
],
"title": "hfsplus: fix held lock freed on hfsplus_fill_super()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46299",
"datePublished": "2026-06-08T15:46:26.670Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-19T12:00:12.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49759 (GCVE-0-2026-49759)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-07-01 04:45
Title
Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash
Summary
Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.
The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.
A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.
This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.
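The defect described above is a missing bound between the number of cause codes in an incoming ERROR chunk and the size of a fixed stack array. The following C program is an added example, not code from OTP or from inet_drv.c: it parses the SCTP ERROR chunk layout (chunk type, flags, length, then cause TLVs of code and length) into a deliberately small fixed-size array and shows where the bounds check belongs. The array size, tag value, and sample chunks are constructed for the example; the real driver's constants are not reproduced. Beyond the cause-count bound, it also rejects the other malformed shapes a parser of this format must handle: a chunk length larger than the bytes received, and a cause length smaller than its own header or running past the chunk end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the fixed-size stack array the advisory describes;
 * the real inet_drv.c sizes and tag values are not reproduced. Each cause
 * occupies two slots: a fixed tag, then its 16-bit cause code. */
#define MAX_CAUSES       8
#define SPEC_SLOTS       (2 * MAX_CAUSES)
#define TAG_CAUSE_CODE   0xC0DEu
#define SCTP_CHUNK_ERROR 9   /* chunk type of an SCTP ERROR chunk (RFC 4960) */

/* TRUNCATED: buffer shorter than the length fields claim. BAD_CAUSE_LEN: cause
 * length < 4 or past the chunk end. TOO_MANY_CAUSES: spec[] would overflow. */
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_TYPE,
                    PARSE_BAD_CAUSE_LEN, PARSE_TOO_MANY_CAUSES };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one ERROR chunk and copy each cause code into spec[] as (TAG, code).
 * Every length is checked against the bytes actually present, and the output
 * index against SPEC_SLOTS, before any write happens. */
enum parse_status parse_error_chunk(const uint8_t *buf, size_t len,
                                    uint32_t spec[SPEC_SLOTS], size_t *used)
{
    size_t n = 0;
    if (len < 4) return PARSE_TRUNCATED;
    if (buf[0] != SCTP_CHUNK_ERROR) return PARSE_BAD_TYPE;
    size_t chunk_len = rd16(buf + 2);
    if (chunk_len < 4 || chunk_len > len) return PARSE_TRUNCATED;
    for (size_t off = 4; off < chunk_len; ) {
        size_t left = chunk_len - off;
        if (left < 4) return PARSE_BAD_CAUSE_LEN;             /* cause header must fit */
        uint16_t code = rd16(buf + off);
        size_t clen = rd16(buf + off + 2);                    /* includes its 4-byte header */
        if (clen < 4 || clen > left) return PARSE_BAD_CAUSE_LEN;
        if (n + 2 > SPEC_SLOTS) return PARSE_TOO_MANY_CAUSES; /* the bound the bug lacked */
        spec[n++] = TAG_CAUSE_CODE;
        spec[n++] = code;
        size_t padded = (clen + 3) & ~(size_t)3;              /* causes are 4-byte aligned */
        off += padded > left ? left : padded;                 /* last cause may omit padding */
    }
    *used = n;
    return PARSE_OK;
}

/* Build a constructed ERROR chunk with ncauses header-only causes, codes 1..n.
 * Returns the chunk length, or 0 if it does not fit in out[]. */
size_t build_error_chunk(size_t ncauses, uint8_t *out, size_t cap)
{
    size_t total = 4 + 4 * ncauses;
    if (total > cap || total > 0xFFFF) return 0;
    out[0] = SCTP_CHUNK_ERROR; out[1] = 0;
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    for (size_t i = 0; i < ncauses; i++) {
        uint8_t *c = out + 4 + 4 * i;
        c[0] = (uint8_t)((i + 1) >> 8); c[1] = (uint8_t)(i + 1); c[2] = 0; c[3] = 4;
    }
    return total;
}

/* Scenario helpers: build, parse, report. spec[] is sized exactly, so a missing
 * bound would be a real out-of-bounds stack write here as well. */
enum parse_status verdict_for_ncauses(size_t ncauses)
{
    uint8_t buf[256]; uint32_t spec[SPEC_SLOTS]; size_t used = 0;
    size_t len = build_error_chunk(ncauses, buf, sizeof buf);
    return parse_error_chunk(buf, len, spec, &used);
}
/* Cause code stored for cause idx after parsing ncauses causes; 0 on any failure. */
uint32_t code_at(size_t ncauses, size_t idx)
{
    uint8_t buf[256]; uint32_t spec[SPEC_SLOTS]; size_t used = 0;
    size_t len = build_error_chunk(ncauses, buf, sizeof buf);
    if (parse_error_chunk(buf, len, spec, &used) != PARSE_OK || 2 * idx + 1 >= used) return 0;
    return spec[2 * idx + 1];
}
/* A cause whose length field (2) is smaller than its own header. */
enum parse_status verdict_for_bad_cause_len(void)
{
    uint8_t buf[8] = { SCTP_CHUNK_ERROR, 0, 0, 8,  0, 1, 0, 2 };
    uint32_t spec[SPEC_SLOTS]; size_t used = 0;
    return parse_error_chunk(buf, sizeof buf, spec, &used);
}
/* Chunk header claims 12 bytes but only 8 arrived. */
enum parse_status verdict_for_truncated(void)
{
    uint8_t buf[8] = { SCTP_CHUNK_ERROR, 0, 0, 12,  0, 1, 0, 4 };
    uint32_t spec[SPEC_SLOTS]; size_t used = 0;
    return parse_error_chunk(buf, sizeof buf, spec, &used);
}

int main(void)
{
    printf("3 causes: %d, %d causes: %d, bad length: %d, truncated: %d\n",
           verdict_for_ncauses(3), MAX_CAUSES + 1, verdict_for_ncauses(MAX_CAUSES + 1),
           verdict_for_bad_cause_len(), verdict_for_truncated());
    return 0;
}
```

The check that matters sits before the two writes into spec[]: the parser compares the next output index against the array capacity and refuses the chunk instead of writing past it. The other three checks are the usual companions of a TLV parser (outer length against received bytes, inner length against the outer length, inner length against its own header) and are what keep the same function from reading out of bounds while it is counting causes.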
Severity ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Credits
Zhang Delong
Raimo Niskanen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:18:27.945916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:18:43.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-10T14:35:38.838Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Erlang OTP (Open Telecom Platform) erts, specifically within the `inet_drv` component. An unauthenticated remote attacker can exploit a stack-based buffer overflow vulnerability by sending a specially crafted Stream Control Transmission Protocol (SCTP) ERROR chunk. This can lead to a Denial of Service (DoS) by crashing the BEAM virtual machine. Additionally, this flaw may result in limited information disclosure by leaking small portions of Erlang VM memory."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:55.439Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-49759"
},
{
"name": "RHBZ#2487607",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487607"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49759.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-10T16:01:51.030Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-10T14:35:38.838Z",
"value": "Made public."
}
],
"title": "erlang: Erlang OTP: Denial of Service via crafted SCTP ERROR chunk",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_drv"
],
"packageName": "erts",
"packageURL": "pkg:otp/erts?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"emulator/drivers/common/inet_drv.c"
],
"programRoutines": [
{
"name": "sctp_parse_error_chunk"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "15.2.7.9",
"status": "unaffected"
},
{
"at": "16.4.0.2",
"status": "unaffected"
},
{
"at": "17.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "6.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_drv"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"erts/emulator/drivers/common/inet_drv.c"
],
"programRoutines": [
{
"name": "sctp_parse_error_chunk"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "27.3.4.13",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "29.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "3983d495284331c121f600a80bac9fcf4e16381e",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SCTP support must be compiled into OTP. A listening SCTP socket must be opened via \u003ctt\u003egen_sctp\u003c/tt\u003e with the default \u003ctt\u003einet\u003c/tt\u003e backend and must be reachable from the attacker\u0027s network. Windows builds are unaffected as SCTP is not supported on Windows."
}
],
"value": "SCTP support must be compiled into OTP. A listening SCTP socket must be opened via gen_sctp with the default inet backend and must be reachable from the attacker\u0027s network. Windows builds are unaffected as SCTP is not supported on Windows."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zhang Delong"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Raimo Niskanen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP \u003ctt\u003eerts\u003c/tt\u003e (\u003ctt\u003einet_drv\u003c/tt\u003e) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.\u003cp\u003eThe \u003ctt\u003esctp_parse_error_chunk\u003c/tt\u003e function in \u003ctt\u003eerts/emulator/drivers/common/inet_drv.c\u003c/tt\u003e parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated \u003ctt\u003eErlDrvTermData spec[]\u003c/tt\u003e array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.\u003c/p\u003e\u003cp\u003eA crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.\u003c/p\u003e"
}
],
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.\n\nThe sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.\n\nA crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.\n\nThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T04:45:31.080Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49759.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49759"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/3983d495284331c121f600a80bac9fcf4e16381e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49759",
"datePublished": "2026-06-10T14:35:38.838Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-07-01T04:45:31.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10275 (GCVE-0-2026-10275)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:45 – Updated: 2026-06-01 19:31 X_Open Source
Title
OpenSC pkcs11-tool Key Generation pkcs11-tool.c test_kpgen_certwrite buffer overflow
Summary
A flaw has been found in OpenSC up to 0.26.1. It affects the function test_kpgen_certwrite in the file src/tools/pkcs11-tool.c of the pkcs11-tool Key Generation Module. Manipulation of this function causes a buffer overflow. The attack can be carried out remotely, but its complexity is rather high and exploitability is considered difficult. An exploit has been published and may be used. Patch name: 814f745b3b6d100295f65f1935edd33d520d33ab. Applying the patch is recommended.
Severity ?
Assigner
References
Impacted products
Credits
Fantasy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:31:06.822597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:31:20.646Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:opensc:opensc:*:*:*:*:*:*:*:*"
],
"modules": [
"pkcs11-tool Key Generation Module"
],
"product": "OpenSC",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.26.0"
},
{
"status": "affected",
"version": "0.26.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fantasy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in OpenSC up to 0.26.1. This affects the function test_kpgen_certwrite of the file src/tools/pkcs11-tool.c of the component pkcs11-tool Key Generation Module. This manipulation causes buffer overflow. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been published and may be used. Patch name: 814f745b3b6d100295f65f1935edd33d520d33ab. It is recommended to apply a patch to fix this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:45:14.476Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367568 | OpenSC pkcs11-tool Key Generation pkcs11-tool.c test_kpgen_certwrite buffer overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367568"
},
{
"name": "VDB-367568 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367568/cti"
},
{
"name": "CVE-2026-10275 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10275"
},
{
"name": "Submit #825403 | OpenSC OpenSC 0.26.1 and earlier Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825403"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/OpenSC/OpenSC/issues/3682"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/OpenSC/OpenSC/pull/3684"
},
{
"tags": [
"exploit"
],
"url": "https://pan.baidu.com/s/1nrZPKDz2eAcCpsaFiIRlrg"
},
{
"tags": [
"patch"
],
"url": "https://github.com/OpenSC/OpenSC/commit/814f745b3b6d100295f65f1935edd33d520d33ab"
},
{
"tags": [
"product"
],
"url": "https://github.com/OpenSC/OpenSC/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:05:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "OpenSC pkcs11-tool Key Generation pkcs11-tool.c test_kpgen_certwrite buffer overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10275",
"datePublished": "2026-06-01T16:45:14.476Z",
"dateReserved": "2026-05-31T16:00:08.522Z",
"dateUpdated": "2026-06-01T19:31:20.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46285 (GCVE-0-2026-46285)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:41 – Updated: 2026-06-14 18:06
Title
mtd: docg3: fix use-after-free in docg3_release()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: docg3: fix use-after-free in docg3_release()
In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer.
Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c8ae3f744ddca0da164bcacee42d1d4b6fe7027d, < 8408655ec8344511667b61d8257dc59c80ee3391 (git) |
| Linux | Linux | Affected: c8ae3f744ddca0da164bcacee42d1d4b6fe7027d, < f5d2ed4ed47d3906e2495a3537a48b127f497a17 (git) |
| Linux | Linux | Affected: c8ae3f744ddca0da164bcacee42d1d4b6fe7027d, < 2bf706fe7831b319f23a85b9728f961cfed40c3e (git) |
| Linux | Linux | Affected: c8ae3f744ddca0da164bcacee42d1d4b6fe7027d, < d26f8c361f751c188b7ebaf8189aa0258968fd98 (git) |
| Linux | Linux | Affected: c8ae3f744ddca0da164bcacee42d1d4b6fe7027d, < 16f6588a3b7a2a20d10ad9b766be74c60ba347cc (git) |
| Linux | Linux | Affected: c8ae3f744ddca0da164bcacee42d1d4b6fe7027d, < d89044889ecd11b0c2f86663597246e9bdd25679 (git) |
| Linux | Linux | Affected: c8ae3f744ddca0da164bcacee42d1d4b6fe7027d, < d49628d63d4e6bbc8a1621afb88e5fc901611bee (git) |
| Linux | Linux | Affected: c8ae3f744ddca0da164bcacee42d1d4b6fe7027d, < ca19808bc6fac7e29420d8508df569b346b3e339 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/devices/docg3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8408655ec8344511667b61d8257dc59c80ee3391",
"status": "affected",
"version": "c8ae3f744ddca0da164bcacee42d1d4b6fe7027d",
"versionType": "git"
},
{
"lessThan": "f5d2ed4ed47d3906e2495a3537a48b127f497a17",
"status": "affected",
"version": "c8ae3f744ddca0da164bcacee42d1d4b6fe7027d",
"versionType": "git"
},
{
"lessThan": "2bf706fe7831b319f23a85b9728f961cfed40c3e",
"status": "affected",
"version": "c8ae3f744ddca0da164bcacee42d1d4b6fe7027d",
"versionType": "git"
},
{
"lessThan": "d26f8c361f751c188b7ebaf8189aa0258968fd98",
"status": "affected",
"version": "c8ae3f744ddca0da164bcacee42d1d4b6fe7027d",
"versionType": "git"
},
{
"lessThan": "16f6588a3b7a2a20d10ad9b766be74c60ba347cc",
"status": "affected",
"version": "c8ae3f744ddca0da164bcacee42d1d4b6fe7027d",
"versionType": "git"
},
{
"lessThan": "d89044889ecd11b0c2f86663597246e9bdd25679",
"status": "affected",
"version": "c8ae3f744ddca0da164bcacee42d1d4b6fe7027d",
"versionType": "git"
},
{
"lessThan": "d49628d63d4e6bbc8a1621afb88e5fc901611bee",
"status": "affected",
"version": "c8ae3f744ddca0da164bcacee42d1d4b6fe7027d",
"versionType": "git"
},
{
"lessThan": "ca19808bc6fac7e29420d8508df569b346b3e339",
"status": "affected",
"version": "c8ae3f744ddca0da164bcacee42d1d4b6fe7027d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/devices/docg3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: docg3: fix use-after-free in docg3_release()\n\nIn docg3_release(), the docg3 pointer is obtained from\ncascade-\u003efloors[0]-\u003epriv before the loop that calls\ndoc_release_device() on each floor. doc_release_device() frees the\ndocg3 struct via kfree(docg3) at line 1881. After the loop,\ndocg3-\u003ecascade-\u003ebch dereferences the already-freed pointer.\n\nFix this by accessing cascade-\u003ebch directly, which is equivalent\nsince docg3-\u003ecascade points back to the same cascade struct, and\nis already available as a local variable. This also removes the\nnow-unused docg3 local variable."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:06:23.744Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391"
},
{
"url": "https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17"
},
{
"url": "https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e"
},
{
"url": "https://git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98"
},
{
"url": "https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc"
},
{
"url": "https://git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679"
},
{
"url": "https://git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee"
},
{
"url": "https://git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339"
}
],
"title": "mtd: docg3: fix use-after-free in docg3_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46285",
"datePublished": "2026-06-08T15:41:28.566Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-14T18:06:23.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48856 (GCVE-0-2026-48856)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:41 – Updated: 2026-06-11 04:45
Title
httpc leaks Authorization header to cross-origin redirect targets
Summary
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.
The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.
autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.
An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.
This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.
This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
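The mitigation the summary above implies is an origin comparison at redirect time: the redirected request may keep its credential headers only when the Location target has the same scheme, host and effective port as the original request. The C program below is an added example written for this page, not inets' code and not its URL parser, and keeps to C because it is the language of the other added example on this page. It models a redirect step with a constructed header record, a constructed Basic credential, and a small origin parser that handles the two cases the summary's wording brings up: URL userinfo (`user:pass@host`), and default ports, so that `https://host:443` and `https://host` count as one origin while a scheme downgrade or a port change does not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct origin { char scheme[8]; char host[256]; int port; };

/* Minimal origin parser for scheme://[user:pass@]host[:port][/...]; returns 0
 * on failure. Constructed for this example, not inets' own URL handling. */
int parse_origin(const char *url, struct origin *o)
{
    const char *p = strstr(url, "://");
    if (!p || (size_t)(p - url) >= sizeof o->scheme) return 0;
    memcpy(o->scheme, url, (size_t)(p - url)); o->scheme[p - url] = '\0';
    p += 3;
    const char *end = p + strcspn(p, "/?#");
    const char *at = memchr(p, '@', (size_t)(end - p));     /* skip URL userinfo */
    if (at) p = at + 1;
    const char *colon = memchr(p, ':', (size_t)(end - p));
    const char *hend = colon ? colon : end;
    if (hend == p || (size_t)(hend - p) >= sizeof o->host) return 0;
    memcpy(o->host, p, (size_t)(hend - p)); o->host[hend - p] = '\0';
    if (colon) { o->port = atoi(colon + 1); if (o->port <= 0) return 0; }
    else if (!strcasecmp(o->scheme, "https")) o->port = 443;
    else if (!strcasecmp(o->scheme, "http"))  o->port = 80;
    else return 0;
    return 1;
}

/* Same origin means same scheme, host (case-insensitive) and effective port. */
int same_origin(const struct origin *a, const struct origin *b)
{
    return !strcasecmp(a->scheme, b->scheme) && !strcasecmp(a->host, b->host)
        && a->port == b->port;
}

struct headers { char authorization[128]; char proxy_authorization[128]; char host[256]; };

/* Derive the redirected request's headers: copy everything, rewrite Host, and
 * clear both credential headers when the Location crosses an origin boundary.
 * Returns 1 if credentials were stripped, 0 if kept, -1 if a URL is unparseable. */
int redirect_headers(const char *orig_url, const char *location,
                     const struct headers *in, struct headers *out)
{
    struct origin a, b;
    if (!parse_origin(orig_url, &a) || !parse_origin(location, &b)) return -1;
    *out = *in;
    snprintf(out->host, sizeof out->host, "%s", b.host);
    if (same_origin(&a, &b)) return 0;
    out->authorization[0] = '\0';
    out->proxy_authorization[0] = '\0';
    return 1;
}

/* Scenario helper with constructed Basic credentials: 1 if Authorization still
 * reaches the redirect target, 0 if it was stripped, -1 on parse failure. */
int auth_forwarded(const char *orig_url, const char *location)
{
    struct headers in = { "Basic dXNlcjpwYXNz", "Basic cHJveHk6cHc=", "api.example.com" };
    struct headers out;
    if (redirect_headers(orig_url, location, &in, &out) < 0) return -1;
    return out.authorization[0] != '\0';
}

int main(void)
{
    printf("same origin: %d\ncross origin: %d\nscheme change: %d\n",
           auth_forwarded("https://api.example.com/v1", "https://api.example.com/v2"),
           auth_forwarded("https://api.example.com/v1", "https://other.example.net/"),
           auth_forwarded("https://api.example.com/v1", "http://api.example.com/v1"));
    return 0;
}
```

The decision is made once, in redirect_headers, on the parsed origins rather than on a string comparison of the two URLs; that is what makes the userinfo and default-port cases come out right. A client that exposes an autoredirect-style switch can apply the same function on every hop of a redirect chain, since each hop's Location is compared against the request that produced it.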
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
Credits
Jonatan Männchen / EEF
Jonatan Männchen / EEF
Ingela Anderton Andin
Konrad Pietrzak
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:23:52.053802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:24:02.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpc_response"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/http_client/httpc_response.erl"
],
"programRoutines": [
{
"name": "httpc_response:redirect/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "9.7.1",
"status": "unaffected"
},
{
"at": "9.6.2.2",
"status": "unaffected"
},
{
"at": "9.3.2.6",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpc_response"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/http_client/httpc_response.erl"
],
"programRoutines": [
{
"name": "httpc_response:redirect/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "688d748d6f7a6a06b13b662a1d3de8af97079612",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Konrad Pietrzak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (\u003ctt\u003ehttpc_response\u003c/tt\u003e module) allows Retrieve Embedded Sensitive Data.\u003cp\u003eThe \u003ctt\u003ehttpc\u003c/tt\u003e client forwards the \u003ctt\u003eAuthorization\u003c/tt\u003e and \u003ctt\u003eProxy-Authorization\u003c/tt\u003e request headers to redirect targets without checking whether the redirect crosses an origin boundary. \u003ctt\u003ehttpc_response:redirect/2\u003c/tt\u003e constructs the redirected request by updating only the \u003ctt\u003ehost\u003c/tt\u003e field of the header record; all other fields (including \u003ctt\u003eauthorization\u003c/tt\u003e and \u003ctt\u003eproxy_authorization\u003c/tt\u003e) are copied verbatim. The redirect target host is never compared against the original host.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eautoredirect\u003c/tt\u003e defaults to \u003ctt\u003etrue\u003c/tt\u003e, so this affects all \u003ctt\u003ehttpc\u003c/tt\u003e callers that do not explicitly disable automatic redirects.\u003c/p\u003e\u003cp\u003eAn attacker who controls a server that the victim contacts via \u003ctt\u003ehttpc\u003c/tt\u003e can issue a cross-origin 3xx redirect to a server they also control. The \u003ctt\u003eAuthorization\u003c/tt\u003e header (including Basic credentials derived from URL userinfo via \u003ctt\u003ehttpc_request:handle_user_info/2\u003c/tt\u003e) is forwarded to the redirect target, allowing credential theft. The same applies to the \u003ctt\u003eProxy-Authorization\u003c/tt\u003e header.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_client/httpc_response.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.\u003c/p\u003e"
}
],
"value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.\n\nThe httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.\n\nautoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.\n\nAn attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.\n\nThis vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.\n\nThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:35.836Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48856.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48856"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "httpc leaks Authorization header to cross-origin redirect targets",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eSet \u003ctt\u003e{autoredirect, false}\u003c/tt\u003e in the \u003ctt\u003ehttpc:request/4\u003c/tt\u003e options and handle redirects manually, stripping the \u003ctt\u003eAuthorization\u003c/tt\u003e header when the redirect crosses an origin boundary.\u003c/li\u003e\u003cli\u003eEnsure that \u003ctt\u003ehttpc\u003c/tt\u003e is only used to contact trusted servers that will not issue cross-origin redirects.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary.\n* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48856",
"datePublished": "2026-06-10T14:41:51.616Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:35.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46287 (GCVE-0-2026-46287)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:41 – Updated: 2026-06-14 18:06
Title
net: txgbe: fix RTNL assertion warning when remove module
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: txgbe: fix RTNL assertion warning when remove module
For the copper NIC with external PHY, the driver called
phylink_connect_phy() during probe and phylink_disconnect_phy() during
remove. It caused an RTNL assertion warning in phylink_disconnect_phy()
upon module remove.
To fix this, add rtnl_lock() and rtnl_unlock() around the
phylink_disconnect_phy() in remove function.
------------[ cut here ]------------
RTNL: assertion failed at drivers/net/phy/phylink.c (2351)
WARNING: drivers/net/phy/phylink.c:2351 at
phylink_disconnect_phy+0xd8/0xf0 [phylink], CPU#0: rmmod/4464
Modules linked in: ...
CPU: 0 UID: 0 PID: 4464 Comm: rmmod Kdump: loaded Not tainted 7.0.0-rc4+
Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING
PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024
RIP: 0010:phylink_disconnect_phy+0xe4/0xf0 [phylink]
Code: 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 f6 31 ff e9 3a 38 8f e7
48 8d 3d 48 87 e2 ff ba 2f 09 00 00 48 c7 c6 c1 22 24 c0 <67> 48 0f b9 3a
e9 34 ff ff ff 66 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffce7288363ac0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff89654b2a1a00 RCX: 0000000000000000
RDX: 000000000000092f RSI: ffffffffc02422c1 RDI: ffffffffc0239020
RBP: ffffce7288363ae8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8964c4022000
R13: ffff89654fce3028 R14: ffff89654ebb4000 R15: ffffffffc0226348
FS: 0000795e80d93780(0000) GS:ffff896c52857000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005b528b592000 CR3: 0000000170d0f000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
txgbe_remove_phy+0xbb/0xd0 [txgbe]
txgbe_remove+0x4c/0xb0 [txgbe]
pci_device_remove+0x41/0xb0
device_remove+0x43/0x80
device_release_driver_internal+0x206/0x270
driver_detach+0x4a/0xa0
bus_remove_driver+0x83/0x120
driver_unregister+0x2f/0x60
pci_unregister_driver+0x40/0x90
txgbe_driver_exit+0x10/0x850 [txgbe]
__do_sys_delete_module.isra.0+0x1c3/0x2f0
__x64_sys_delete_module+0x12/0x20
x64_sys_call+0x20c3/0x2390
do_syscall_64+0x11c/0x1500
? srso_alias_return_thunk+0x5/0xfbef5
? do_syscall_64+0x15a/0x1500
? srso_alias_return_thunk+0x5/0xfbef5
? do_fault+0x312/0x580
? srso_alias_return_thunk+0x5/0xfbef5
? __handle_mm_fault+0x9d5/0x1040
? srso_alias_return_thunk+0x5/0xfbef5
? count_memcg_events+0x101/0x1d0
? srso_alias_return_thunk+0x5/0xfbef5
? handle_mm_fault+0x1e8/0x2f0
? srso_alias_return_thunk+0x5/0xfbef5
? do_user_addr_fault+0x2f8/0x820
? srso_alias_return_thunk+0x5/0xfbef5
? irqentry_exit+0xb2/0x600
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x92/0x1c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 02b2a6f91b9042552bc3aa728622bda97e3916fa , < 0305e7118451c7c363c18f8113b0d8e0077ffa4c (git); Affected: 02b2a6f91b9042552bc3aa728622bda97e3916fa , < 3e223a7fd41ce6fffdb10577df9350385262bf33 (git); Affected: 02b2a6f91b9042552bc3aa728622bda97e3916fa , < d29cafc7e4ee9e28a150ba17e9a565ec5d881fbc (git); Affected: 02b2a6f91b9042552bc3aa728622bda97e3916fa , < 6c5ec52c68a6a442c8a159615ae092512562318a (git); Affected: 02b2a6f91b9042552bc3aa728622bda97e3916fa , < e159f05e12cc1111a3103b99375ddf0dfd0e7d63 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0305e7118451c7c363c18f8113b0d8e0077ffa4c",
"status": "affected",
"version": "02b2a6f91b9042552bc3aa728622bda97e3916fa",
"versionType": "git"
},
{
"lessThan": "3e223a7fd41ce6fffdb10577df9350385262bf33",
"status": "affected",
"version": "02b2a6f91b9042552bc3aa728622bda97e3916fa",
"versionType": "git"
},
{
"lessThan": "d29cafc7e4ee9e28a150ba17e9a565ec5d881fbc",
"status": "affected",
"version": "02b2a6f91b9042552bc3aa728622bda97e3916fa",
"versionType": "git"
},
{
"lessThan": "6c5ec52c68a6a442c8a159615ae092512562318a",
"status": "affected",
"version": "02b2a6f91b9042552bc3aa728622bda97e3916fa",
"versionType": "git"
},
{
"lessThan": "e159f05e12cc1111a3103b99375ddf0dfd0e7d63",
"status": "affected",
"version": "02b2a6f91b9042552bc3aa728622bda97e3916fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: txgbe: fix RTNL assertion warning when remove module\n\nFor the copper NIC with external PHY, the driver called\nphylink_connect_phy() during probe and phylink_disconnect_phy() during\nremove. It caused an RTNL assertion warning in phylink_disconnect_phy()\nupon module remove.\n\nTo fix this, add rtnl_lock() and rtnl_unlock() around the\nphylink_disconnect_phy() in remove function.\n\n ------------[ cut here ]------------\n RTNL: assertion failed at drivers/net/phy/phylink.c (2351)\n WARNING: drivers/net/phy/phylink.c:2351 at\nphylink_disconnect_phy+0xd8/0xf0 [phylink], CPU#0: rmmod/4464\n Modules linked in: ...\n CPU: 0 UID: 0 PID: 4464 Comm: rmmod Kdump: loaded Not tainted 7.0.0-rc4+\n Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING\nPLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024\n RIP: 0010:phylink_disconnect_phy+0xe4/0xf0 [phylink]\n Code: 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 f6 31 ff e9 3a 38 8f e7\n48 8d 3d 48 87 e2 ff ba 2f 09 00 00 48 c7 c6 c1 22 24 c0 \u003c67\u003e 48 0f b9 3a\ne9 34 ff ff ff 66 90 90 90 90 90 90 90 90 90 90 90\n RSP: 0018:ffffce7288363ac0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff89654b2a1a00 RCX: 0000000000000000\n RDX: 000000000000092f RSI: ffffffffc02422c1 RDI: ffffffffc0239020\n RBP: ffffce7288363ae8 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff8964c4022000\n R13: ffff89654fce3028 R14: ffff89654ebb4000 R15: ffffffffc0226348\n FS: 0000795e80d93780(0000) GS:ffff896c52857000(0000)\nknlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005b528b592000 CR3: 0000000170d0f000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n txgbe_remove_phy+0xbb/0xd0 [txgbe]\n txgbe_remove+0x4c/0xb0 [txgbe]\n pci_device_remove+0x41/0xb0\n device_remove+0x43/0x80\n device_release_driver_internal+0x206/0x270\n driver_detach+0x4a/0xa0\n bus_remove_driver+0x83/0x120\n driver_unregister+0x2f/0x60\n pci_unregister_driver+0x40/0x90\n txgbe_driver_exit+0x10/0x850 [txgbe]\n __do_sys_delete_module.isra.0+0x1c3/0x2f0\n __x64_sys_delete_module+0x12/0x20\n x64_sys_call+0x20c3/0x2390\n do_syscall_64+0x11c/0x1500\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x15a/0x1500\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_fault+0x312/0x580\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __handle_mm_fault+0x9d5/0x1040\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events+0x101/0x1d0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1e8/0x2f0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x2f8/0x820\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? irqentry_exit+0xb2/0x600\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? exc_page_fault+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:06:33.846Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0305e7118451c7c363c18f8113b0d8e0077ffa4c"
},
{
"url": "https://git.kernel.org/stable/c/3e223a7fd41ce6fffdb10577df9350385262bf33"
},
{
"url": "https://git.kernel.org/stable/c/d29cafc7e4ee9e28a150ba17e9a565ec5d881fbc"
},
{
"url": "https://git.kernel.org/stable/c/6c5ec52c68a6a442c8a159615ae092512562318a"
},
{
"url": "https://git.kernel.org/stable/c/e159f05e12cc1111a3103b99375ddf0dfd0e7d63"
}
],
"title": "net: txgbe: fix RTNL assertion warning when remove module",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46287",
"datePublished": "2026-06-08T15:41:30.791Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-14T18:06:33.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9076 (GCVE-0-2026-9076)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:47
Title
Out-of-Bounds Read in CMS Password-Based Decryption
Summary
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)
processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK
cipher can trigger a heap out-of-bounds read in kek_unwrap_key().
Impact summary: A heap buffer over-read may trigger a crash which leads to
Denial of Service for an application if the input buffer ends at a memory
page boundary and the following page is unmapped. There is no information
disclosure as the over-read bytes are not revealed to the attacker.
The key unwrapping function performs a check-byte test as specified in the
RFC that reads 7 bytes from a heap allocation that is based on the wrapped
key length from the message. There is a minimum length check based on the
block length of the wrapping cipher. However the cipher is selected from
an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no
requirement that the cipher be a block cipher. When an attacker selects
a stream-mode cipher the guard will be ineffective and the allocated buffer
containing the unwrapped key can be too small to fit the check-bytes
specified in the RFC and a buffer over-read can happen.
Applications calling CMS_decrypt() or CMS_decrypt_set1_password()
(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS
data are vulnerable to this issue. No password knowledge is required: the
over-read happens during the unwrap attempt before any authentication
succeeds.
The over-read is limited to a few bytes and is not written to output, so
there is no information disclosure. Triggering a crash requires the
allocation to border unmapped memory, which is unlikely with the normal
allocator.
The FIPS modules are not affected by this issue.
Severity
No CVSS data available.
CWE
- CWE-125 - Out-of-bounds Read
Credits
Bhabani Sankar Das
Haruki Oyama (Waseda University)
Nikola Pajkovsky
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:04:07.840133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:04:20.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1zh",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.0.2zq",
"status": "affected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bhabani Sankar Das"
},
{
"lang": "en",
"type": "reporter",
"value": "Haruki Oyama (Waseda University)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Nikola Pajkovsky"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)\u003cbr\u003eprocesses attacker-supplied CMS data, an attacker-chosen stream-mode KEK\u003cbr\u003ecipher can trigger a heap out-of-bounds read in kek_unwrap_key().\u003cbr\u003e\u003cbr\u003eImpact summary: A heap buffer over-read may trigger a crash which leads to\u003cbr\u003eDenial of Service for an application if the input buffer ends at a memory\u003cbr\u003epage boundary and the following page is unmapped. There is no information\u003cbr\u003edisclosure as the over-read bytes are not revealed to the attacker.\u003cbr\u003e\u003cbr\u003eThe key unwrapping function performs a check-byte test as specified in the\u003cbr\u003eRFC that reads 7 bytes from a heap allocation that is based on the wrapped\u003cbr\u003ekey length from the message. There is a minimum length check based on the\u003cbr\u003eblock length of the wrapping cipher. However the cipher is selected from\u003cbr\u003ean OID carried in the attacker\u0027s PWRI keyEncryptionAlgorithm with no\u003cbr\u003erequirement that the cipher be a block cipher. When an attacker selects\u003cbr\u003ea stream-mode cipher the guard will be ineffective and the allocated buffer\u003cbr\u003econtaining the unwrapped key can be too small to fit the check-bytes\u003cbr\u003especified in the RFC and a buffer over-read can happen.\u003cbr\u003e\u003cbr\u003eApplications calling CMS_decrypt() or CMS_decrypt_set1_password()\u003cbr\u003e(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS\u003cbr\u003edata are vulnerable to this issue. No password knowledge is required: the\u003cbr\u003eover-read happens during the unwrap attempt before any authentication\u003cbr\u003esucceeds.\u003cbr\u003e\u003cbr\u003eThe over-read is limited to a few bytes and is not written to output, so\u003cbr\u003ethere is no information disclosure. Triggering a crash requires the\u003cbr\u003eallocation to border unmapped memory, which is unlikely with the normal\u003cbr\u003eallocator.\u003cbr\u003e\u003cbr\u003eThe FIPS modules are not affected by this issue."
}
],
"value": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)\nprocesses attacker-supplied CMS data, an attacker-chosen stream-mode KEK\ncipher can trigger a heap out-of-bounds read in kek_unwrap_key().\n\nImpact summary: A heap buffer over-read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not revealed to the attacker.\n\nThe key unwrapping function performs a check-byte test as specified in the\nRFC that reads 7 bytes from a heap allocation that is based on the wrapped\nkey length from the message. There is a minimum length check based on the\nblock length of the wrapping cipher. However the cipher is selected from\nan OID carried in the attacker\u0027s PWRI keyEncryptionAlgorithm with no\nrequirement that the cipher be a block cipher. When an attacker selects\na stream-mode cipher the guard will be ineffective and the allocated buffer\ncontaining the unwrapped key can be too small to fit the check-bytes\nspecified in the RFC and a buffer over-read can happen.\n\nApplications calling CMS_decrypt() or CMS_decrypt_set1_password()\n(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS\ndata are vulnerable to this issue. No password knowledge is required: the\nover-read happens during the unwrap attempt before any authentication\nsucceeds.\n\nThe over-read is limited to a few bytes and is not written to output, so\nthere is no information disclosure. Triggering a crash requires the\nallocation to border unmapped memory, which is unlikely with the normal\nallocator.\n\nThe FIPS modules are not affected by this issue."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:47:51.139Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/715349a1d7c6db970e6815dafb90915f07307f98"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/05b066366842f930fadd9a6e94df98030af431bb"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in CMS Password-Based Decryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-9076",
"datePublished": "2026-06-09T16:03:16.306Z",
"dateReserved": "2026-05-20T12:43:37.677Z",
"dateUpdated": "2026-06-10T07:47:51.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46274 (GCVE-0-2026-46274)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:30 – Updated: 2026-06-14 18:05
Title
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
Summary
In the Linux kernel, the following vulnerability has been resolved:
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled
work was the tail of its hash bucket. When doing this, it checks whether
the preceding entry in acct->work_list has the same hash value, but
never checks that the predecessor is hashed at all. io_get_work_hash()
is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash
bits are never set for non-hashed work, so it returns 0. Thus, when a
hashed bucket-0 work is cancelled while a non-hashed work is its list
predecessor, the check spuriously passes and a pointer to the non-hashed
io_kiocb is stored in wq->hash_tail[0].
Because non-hashed work is dequeued via the fast path in
io_get_next_work(), which never touches hash_tail[], the stale pointer
is never cleared. Therefore, after the non-hashed io_kiocb completes and
is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The
io_wq is per-task (tctx->io_wq) and survives ring open/close, so the
dangling pointer persists for the lifetime of the task; the next hashed
bucket-0 enqueue dereferences it in io_wq_insert_work() and
wq_list_add_after() writes through freed memory.
Add the missing io_wq_is_hashed() check so a non-hashed predecessor
never inherits a hash_tail[] slot.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 204361a77f4018627addd4a06877448f088ddfc0 , < d6bda9df0c0a3080804181464d5c0f4d78a4e769 (git); Affected: 204361a77f4018627addd4a06877448f088ddfc0 , < 5a20ebf0c81b61f5ea3b1b529c100cad69b9f603 (git); Affected: 204361a77f4018627addd4a06877448f088ddfc0 , < 252c5051dba9c709b6a72f2866f93e5e618b3f06 (git); Affected: 204361a77f4018627addd4a06877448f088ddfc0 , < d376c131af7c7739a87ff037ed2fdb67c2542c8a (git); Affected: 204361a77f4018627addd4a06877448f088ddfc0 , < d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc (git); Affected: 13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5 (git); Affected: 5.8.6 , < 5.9 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6bda9df0c0a3080804181464d5c0f4d78a4e769",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"lessThan": "5a20ebf0c81b61f5ea3b1b529c100cad69b9f603",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"lessThan": "252c5051dba9c709b6a72f2866f93e5e618b3f06",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"lessThan": "d376c131af7c7739a87ff037ed2fdb67c2542c8a",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"lessThan": "d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"status": "affected",
"version": "13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5",
"versionType": "git"
},
{
"lessThan": "5.9",
"status": "affected",
"version": "5.8.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: check that the predecessor is hashed in io_wq_remove_pending()\n\nio_wq_remove_pending() needs to fix up wq-\u003ehash_tail[] if the cancelled\nwork was the tail of its hash bucket. When doing this, it checks whether\nthe preceding entry in acct-\u003ework_list has the same hash value, but\nnever checks that the predecessor is hashed at all. io_get_work_hash()\nis simply atomic_read(\u0026work-\u003eflags) \u003e\u003e IO_WQ_HASH_SHIFT, and the hash\nbits are never set for non-hashed work, so it returns 0. Thus, when a\nhashed bucket-0 work is cancelled while a non-hashed work is its list\npredecessor, the check spuriously passes and a pointer to the non-hashed\nio_kiocb is stored in wq-\u003ehash_tail[0].\n\nBecause non-hashed work is dequeued via the fast path in\nio_get_next_work(), which never touches hash_tail[], the stale pointer\nis never cleared. Therefore, after the non-hashed io_kiocb completes and\nis freed back to req_cachep, wq-\u003ehash_tail[0] is a dangling pointer. The\nio_wq is per-task (tctx-\u003eio_wq) and survives ring open/close, so the\ndangling pointer persists for the lifetime of the task; the next hashed\nbucket-0 enqueue dereferences it in io_wq_insert_work() and\nwq_list_add_after() writes through freed memory.\n\nAdd the missing io_wq_is_hashed() check so a non-hashed predecessor\nnever inherits a hash_tail[] slot."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:05:34.336Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6bda9df0c0a3080804181464d5c0f4d78a4e769"
},
{
"url": "https://git.kernel.org/stable/c/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603"
},
{
"url": "https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06"
},
{
"url": "https://git.kernel.org/stable/c/d376c131af7c7739a87ff037ed2fdb67c2542c8a"
},
{
"url": "https://git.kernel.org/stable/c/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc"
}
],
"title": "io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46274",
"datePublished": "2026-06-08T14:30:53.323Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-14T18:05:34.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
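The description of CVE-2026-46274 above hinges on one detail: io_get_work_hash() is a plain shift of work->flags, so a request that was never hashed reports bucket 0 and can pass the "same hash as the cancelled tail" test. The C model below is an added example, not kernel code; the flag layout (IO_WQ_WORK_HASHED, IO_WQ_HASH_SHIFT, bucket count) and the singly linked pending list are simplifications chosen for the demo. It replays the commit's scenario, a non-hashed request followed by a hashed bucket-0 request that is then cancelled, with and without the io_wq_is_hashed() predecessor check, and reports whether hash_tail[0] is left pointing at the non-hashed request.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Reduced model of io-wq's pending-work list and hash_tail[] bookkeeping.
 * Names follow the kernel, values are assumptions for this demo: the
 * bucket number lives in the top bits of flags, a separate bit marks
 * work as hashed at all.
 */
#define IO_WQ_HASH_SHIFT 24u
#define IO_WQ_WORK_HASHED 4u
#define IO_WQ_NR_HASH_BUCKETS 64u

struct io_wq_work {
	unsigned int flags;
	struct io_wq_work *next;
};

struct io_wq {
	struct io_wq_work *head;	/* acct->work_list, singly linked */
	struct io_wq_work *hash_tail[IO_WQ_NR_HASH_BUCKETS];
};

static int io_wq_is_hashed(const struct io_wq_work *w)
{
	return (w->flags & IO_WQ_WORK_HASHED) != 0;
}

/* Just a shift: non-hashed work yields bucket 0, like the kernel helper. */
static unsigned int io_get_work_hash(const struct io_wq_work *w)
{
	return w->flags >> IO_WQ_HASH_SHIFT;
}

/* Append to the list; hashed work also becomes its bucket's tail. */
static void io_wq_insert_work(struct io_wq *wq, struct io_wq_work *w)
{
	struct io_wq_work **pp = &wq->head;

	while (*pp)
		pp = &(*pp)->next;
	*pp = w;
	w->next = NULL;
	if (io_wq_is_hashed(w))
		wq->hash_tail[io_get_work_hash(w)] = w;
}

/*
 * Cancellation path. 'fixed' selects the patched predecessor test
 * (predecessor must itself be hashed) over the original one (same hash
 * value only).
 */
static void io_wq_remove_pending(struct io_wq *wq, struct io_wq_work *w,
				 struct io_wq_work *prev, int fixed)
{
	unsigned int hash = io_get_work_hash(w);

	if (io_wq_is_hashed(w) && wq->hash_tail[hash] == w) {
		int prev_ok = prev && io_get_work_hash(prev) == hash;

		if (fixed)
			prev_ok = prev_ok && io_wq_is_hashed(prev);
		wq->hash_tail[hash] = prev_ok ? prev : NULL;
	}
	if (prev)
		prev->next = w->next;
	else
		wq->head = w->next;
}

/*
 * Scenario from the commit message: non-hashed request A precedes hashed
 * bucket-0 request B, and B is cancelled. Returns 1 when hash_tail[0] is
 * left pointing at A (the pointer that dangles once A completes and is
 * freed), 0 when the slot was cleared.
 */
int stale_tail_after_cancel(int fixed)
{
	struct io_wq wq;
	struct io_wq_work a = { .flags = 0 };	/* non-hashed */
	struct io_wq_work b = { .flags = IO_WQ_WORK_HASHED | (0u << IO_WQ_HASH_SHIFT) };

	memset(&wq, 0, sizeof(wq));
	io_wq_insert_work(&wq, &a);
	io_wq_insert_work(&wq, &b);
	io_wq_remove_pending(&wq, &b, &a, fixed);
	return wq.hash_tail[0] != NULL && !io_wq_is_hashed(wq.hash_tail[0]);
}

int main(void)
{
	printf("original: hash_tail[0] stale = %d\n", stale_tail_after_cancel(0));
	printf("patched:  hash_tail[0] stale = %d\n", stale_tail_after_cancel(1));
	return 0;
}
```

The model stops where the commit message stops: it shows how the stale pointer is created, not the later write through freed memory in io_wq_insert_work(). Because the io_wq is per task and outlives ring open/close, a single cancelled hashed request is enough to leave the slot poisoned for the rest of the task's life.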
CVE-2026-46289 (GCVE-0-2026-46289)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:06
Title
lib/scatterlist: fix length calculations in extract_kvec_to_sg
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib/scatterlist: fix length calculations in extract_kvec_to_sg
Patch series "Fix bugs in extract_iter_to_sg()", v3.
Fix bugs in the kvec and user variants of extract_iter_to_sg. This series
is growing due to useful remarks made by sashiko.dev.
The main bugs are:
- The length for an sglist entry when extracting from
a kvec can exceed the number of bytes in the page. This
is obviously not intended.
- When extracting a user buffer the sglist is temporarily
used as a scratch buffer for extracted page pointers.
If the sglist already contains some elements this scratch
buffer could overlap with existing entries in the sglist.
The series adds test cases to the kunit_iov_iter test that demonstrate all
of these bugs. Additionally, there is a memory leak fix for the test
itself.
The bugs were originally introduced into kernel v6.3 where the function
lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in
v6.5. Thus the actual fix is only marked for backports to v6.5+.
This patch (of 5):
When extracting from a kvec to a scatterlist, do not cross page
boundaries. The required length was already calculated but not used as
intended.
Adjust the copied length if the loop runs out of sglist entries without
extracting everything.
While there, return immediately from extract_iter_to_sg if there are no
sglist entries at all.
A subsequent commit will add kunit test cases that demonstrate that the
patch is necessary.
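The first bug in the series above is a length bookkeeping error: each scatterlist entry may only describe bytes inside one page, so the per-entry length must be clamped to min(remaining, PAGE_SIZE - offset_in_page), and the loop must report only what actually fit when it runs out of entries. The C model below is an added example, not the kernel's extract_kvec_to_sg(); PAGE_SIZE, the sg_entry layout and the sample address are assumptions for the demo. One function implements both the original and the patched bookkeeping so the difference is visible on the same input. Note also that the 9.8 AV:N/PR:N vector on this record should be weighed against the commit text, which describes a kernel-internal helper and names no remote trigger; reachability depends on which callers feed it attacker-controlled iterators, and the page does not say.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL		/* assumption for the demo */
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* One scatterlist entry: a page, a byte offset into it, and a length. */
struct sg_entry {
	unsigned long page;
	unsigned int offset;
	unsigned int length;
};

/*
 * Model of the kvec -> scatterlist loop for one kvec segment at 'addr'
 * of 'len' bytes. 'fixed' selects the patched behaviour: store the
 * clamped per-page length, return at once when there are no entries,
 * and report only the bytes that fit into the sg_max entries available.
 * Returns the number of bytes the caller is told were extracted.
 */
size_t kvec_to_sg(unsigned long addr, size_t len, struct sg_entry *sg,
		  unsigned int sg_max, unsigned int *nents, int fixed)
{
	size_t requested = len, done = 0;
	unsigned int n = 0;

	if (fixed && sg_max == 0) {
		*nents = 0;
		return 0;
	}
	while (len && n < sg_max) {
		unsigned int off = addr & (PAGE_SIZE - 1);
		size_t seg = len < PAGE_SIZE - off ? len : PAGE_SIZE - off;

		sg[n].page = addr & PAGE_MASK;
		sg[n].offset = off;
		/* original bug: 'seg' was computed but 'len' was stored */
		sg[n].length = fixed ? (unsigned int)seg : (unsigned int)len;
		n++;
		addr += seg;
		len -= seg;
		done += seg;
	}
	*nents = n;
	/* original bug: the full request was reported even when entries ran out */
	return fixed ? done : requested;
}

/* True when an entry claims bytes beyond the end of its page. */
int sg_entry_crosses_page(const struct sg_entry *e)
{
	return (unsigned long)e->offset + e->length > PAGE_SIZE;
}

/* Constructed input: 1000 bytes starting 96 bytes before a page boundary. */
struct sg_entry demo_sg[4];
unsigned int demo_nents;

int main(void)
{
	size_t got = kvec_to_sg(0x10FA0UL, 1000, demo_sg, 4, &demo_nents, 0);

	printf("original: reported %zu bytes, entry0 len %u at off %u (crosses page: %d)\n",
	       got, demo_sg[0].length, demo_sg[0].offset, sg_entry_crosses_page(&demo_sg[0]));
	got = kvec_to_sg(0x10FA0UL, 1000, demo_sg, 4, &demo_nents, 1);
	printf("patched:  reported %zu bytes in %u entries (%u + %u)\n",
	       got, demo_nents, demo_sg[0].length, demo_sg[1].length);
	got = kvec_to_sg(0x10FA0UL, 1000, demo_sg, 1, &demo_nents, 1);
	printf("patched, one entry only: reported %zu bytes\n", got);
	return 0;
}
```

With the original bookkeeping the first entry says "1000 bytes at offset 4000 of this page", which is 904 bytes past the page end; whatever DMA or memcpy later consumes that entry reads or writes the neighbouring page. The second symptom, over-reporting when the loop runs out of entries, is what the commit's "adjust the copied length" sentence refers to.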
Severity: 9.8 (Critical)
Assigner: Linux
References
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/3f17500e86d730c76db638bb3ae52f9b5e496c76 | |
| https://git.kernel.org/stable/c/e5e22fc9963469e678c4f4bb38d26adcec107f1e | |
| https://git.kernel.org/stable/c/8fbba6829057979149d1b37d65690c037f3ddf4d | |
| https://git.kernel.org/stable/c/9d38756d0a93b66163554219fa9c3365f40c4035 | |
| https://git.kernel.org/stable/c/07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 | |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0185846975339a5c348373aa450a977f5242366b , < 3f17500e86d730c76db638bb3ae52f9b5e496c76 (git) |
| Linux | Linux | Affected: 0185846975339a5c348373aa450a977f5242366b , < e5e22fc9963469e678c4f4bb38d26adcec107f1e (git) |
| Linux | Linux | Affected: 0185846975339a5c348373aa450a977f5242366b , < 8fbba6829057979149d1b37d65690c037f3ddf4d (git) |
| Linux | Linux | Affected: 0185846975339a5c348373aa450a977f5242366b , < 9d38756d0a93b66163554219fa9c3365f40c4035 (git) |
| Linux | Linux | Affected: 0185846975339a5c348373aa450a977f5242366b , < 07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/scatterlist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f17500e86d730c76db638bb3ae52f9b5e496c76",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
},
{
"lessThan": "e5e22fc9963469e678c4f4bb38d26adcec107f1e",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
},
{
"lessThan": "8fbba6829057979149d1b37d65690c037f3ddf4d",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
},
{
"lessThan": "9d38756d0a93b66163554219fa9c3365f40c4035",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
},
{
"lessThan": "07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/scatterlist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/scatterlist: fix length calculations in extract_kvec_to_sg\n\nPatch series \"Fix bugs in extract_iter_to_sg()\", v3.\n\nFix bugs in the kvec and user variants of extract_iter_to_sg. This series\nis growing due to useful remarks made by sashiko.dev.\n\nThe main bugs are:\n- The length for an sglist entry when extracting from\n a kvec can exceed the number of bytes in the page. This\n is obviously not intended.\n- When extracting a user buffer the sglist is temporarily\n used as a scratch buffer for extracted page pointers.\n If the sglist already contains some elements this scratch\n buffer could overlap with existing entries in the sglist.\n\nThe series adds test cases to the kunit_iov_iter test that demonstrate all\nof these bugs. Additionally, there is a memory leak fix for the test\nitself.\n\nThe bugs were orignally introduced into kernel v6.3 where the function\nlived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in\nv6.5. Thus the actual fix is only marked for backports to v6.5+.\n\n\nThis patch (of 5):\n\nWhen extracting from a kvec to a scatterlist, do not cross page\nboundaries. The required length was already calculated but not used as\nintended.\n\nAdjust the copied length if the loop runs out of sglist entries without\nextracting everything.\n\nWhile there, return immediately from extract_iter_to_sg if there are no\nsglist entries at all.\n\nA subsequent commit will add kunit test cases that demonstrate that the\npatch is necessary."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:06:42.893Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f17500e86d730c76db638bb3ae52f9b5e496c76"
},
{
"url": "https://git.kernel.org/stable/c/e5e22fc9963469e678c4f4bb38d26adcec107f1e"
},
{
"url": "https://git.kernel.org/stable/c/8fbba6829057979149d1b37d65690c037f3ddf4d"
},
{
"url": "https://git.kernel.org/stable/c/9d38756d0a93b66163554219fa9c3365f40c4035"
},
{
"url": "https://git.kernel.org/stable/c/07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45"
}
],
"title": "lib/scatterlist: fix length calculations in extract_kvec_to_sg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46289",
"datePublished": "2026-06-08T15:46:15.888Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-14T18:06:42.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48860 (GCVE-0-2026-48860)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist
Summary
Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.
The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.
This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.
This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.
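The flaw described above is a wrong-factor comparison (CWE-1025): the address fed into the subnet test is the local end of the socket, so the test compares the node's own address against its own interfaces and can only succeed. The C program below is an added example, not Erlang/OTP code; it models check_ip/1's logic (mask the candidate address against each local interface's netmask and accept on any match) with a constructed interface table, a constructed connection from a documentation-range address, and the two choices of which end of the socket to test. Names such as in_lan, check_ip_original and check_ip_fixed are this example's own.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed interface table standing in for inet:getif/0 output. */
struct iface { const char *ip; const char *mask; };

static const struct iface lan_ifs[] = {
	{ "10.0.0.5",    "255.255.255.0" },
	{ "192.168.1.5", "255.255.255.0" },
};

/* An accepted TLS distribution connection: its two endpoints. */
struct dist_socket {
	const char *sockname;	/* inet:sockname/1: the local address */
	const char *peername;	/* inet:peername/1: the remote address */
};

static int parse_v4(const char *s, uint32_t *out)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return 0;
	memcpy(out, &a, sizeof(*out));	/* network byte order; AND-masking is endian-agnostic */
	return 1;
}

/* Is 'candidate' inside the subnet of any configured interface? */
int in_lan(const char *candidate)
{
	uint32_t c;

	if (!parse_v4(candidate, &c))
		return 0;
	for (size_t i = 0; i < sizeof(lan_ifs) / sizeof(lan_ifs[0]); i++) {
		uint32_t ip, mask;

		if (!parse_v4(lan_ifs[i].ip, &ip) || !parse_v4(lan_ifs[i].mask, &mask))
			continue;
		if ((c & mask) == (ip & mask))
			return 1;
	}
	return 0;
}

/* Original: the "peer" is the local address, so the test cannot fail. */
int check_ip_original(const struct dist_socket *s)
{
	return in_lan(s->sockname);
}

/* Patched: test the address the connection actually came from. */
int check_ip_fixed(const struct dist_socket *s)
{
	return in_lan(s->peername);
}

/* Constructed scenario: a certificate holder connecting from TEST-NET-3. */
int remote_peer_allowed(int fixed)
{
	struct dist_socket s = { .sockname = "10.0.0.5", .peername = "203.0.113.7" };

	return fixed ? check_ip_fixed(&s) : check_ip_original(&s);
}

int main(void)
{
	printf("original check_ip: %s\n", remote_peer_allowed(0) ? "allowed" : "rejected");
	printf("patched  check_ip: %s\n", remote_peer_allowed(1) ? "allowed" : "rejected");
	return 0;
}
```

The advisory's workaround, a custom verify_fun that calls inet:peername/1, restores exactly the distinction between check_ip_original and check_ip_fixed above. Two scoping points from the record are worth keeping in mind when triaging: the check only exists when distribution runs over TLS with the check_ip option enabled (the default, non-TLS distribution is not affected), and the attacker still needs a certificate the node's CA chain accepts, which is why the CVSS 4.0 vector carries PR:L and AT:P.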
Severity: 7.5 (High), CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Assigner: EEF
References
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-48860.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48860 | related |
| https://www.erlang.org/doc/system/versions.html#order-of-versions | x_version-scheme |
| https://github.com/erlang/otp/commit/0209a6df65d605552b378273027b3968b35f26b4 | patch |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Erlang | OTP (package ssl, module inet_tls_dist) | Affected: 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 (otp); 7a08c5507862a7011568506d0c17b1fdef30bee4 , < 0209a6df65d605552b378273027b3968b35f26b4 (git) |
| Erlang | OTP (package ssl) | Affected: ssl 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9 (otp) |
Credits
Lukas Backström
Ingela Anderton Andin
Raimo Niskanen
Jakub Witczak
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:23:08.922807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:23:31.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_tls_dist"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/inet_tls_dist.erl"
],
"programRoutines": [
{
"name": "inet_tls_dist:check_ip/1"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.7.2",
"status": "unaffected"
},
{
"at": "11.6.0.2",
"status": "unaffected"
},
{
"at": "11.2.12.9",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "11.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_tls_dist"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssl/src/inet_tls_dist.erl"
],
"programRoutines": [
{
"name": "inet_tls_dist:check_ip/1"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "26.0",
"versionType": "otp"
},
{
"lessThan": "0209a6df65d605552b378273027b3968b35f26b4",
"status": "affected",
"version": "7a08c5507862a7011568506d0c17b1fdef30bee4",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Erlang distribution must be configured to use TLS (\u003ctt\u003einet_tls_dist\u003c/tt\u003e) with the \u003ctt\u003echeck_ip\u003c/tt\u003e option enabled. The default Erlang distribution configuration does not use TLS and is not affected."
}
],
"value": "The Erlang distribution must be configured to use TLS (inet_tls_dist) with the check_ip option enabled. The default Erlang distribution configuration does not use TLS and is not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Raimo Niskanen"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003einet_tls_dist:check_ip/1\u003c/tt\u003e function, which enforces a LAN allowlist for Erlang distribution over TLS, calls \u003ctt\u003einet:sockname/1\u003c/tt\u003e instead of \u003ctt\u003einet:peername/1\u003c/tt\u003e to obtain the peer\u0027s IP address. Because \u003ctt\u003einet:sockname/1\u003c/tt\u003e returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including \u003ctt\u003erpc:call/4\u003c/tt\u003e and \u003ctt\u003ecode:load_binary/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/inet_tls_dist.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.\u003c/p\u003e"
}
],
"value": "Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.\n\nThe inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer\u0027s IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.\n\nThis vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.\n\nThis issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1025",
"description": "CWE-1025 Comparison Using Wrong Factors",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:42.753Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48860.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48860"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0209a6df65d605552b378273027b3968b35f26b4"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Implement a custom \u003ctt\u003everify_fun\u003c/tt\u003e SSL option that correctly checks the peer IP address using \u003ctt\u003einet:peername/1\u003c/tt\u003e on the socket."
}
],
"value": "Implement a custom verify_fun SSL option that correctly checks the peer IP address using inet:peername/1 on the socket."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48860",
"datePublished": "2026-06-10T14:35:49.987Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:42.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46303 (GCVE-0-2026-46303)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
Title
isofs: validate Rock Ridge CE continuation extent against volume size
Summary
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate Rock Ridge CE continuation extent against volume size
rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume. commit e595447e177b
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself. commit f54e18f1b831 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.
With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device. sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation. For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.
Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.
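The fix described above is a bounds check on a block number read straight from on-disk metadata. The C program below is an added example, not fs/isofs/rock.c: it parses the 28-byte SUSP/Rock Ridge CE record (signature, length, version, then block location, offset and length, each in the both-endian "733" form the kernel reads with isonum_733()), applies the offset/size rejection that rock_continue() already had, and shows what the patch's ISOFS_SB(sb)->s_nzones check adds for a constructed image whose CE points past the end of the volume. The block size and volume size are assumptions for the demo. When prioritising, weigh the 8.2 AV:N/C:H vector on this record against the commit's own assessment: no memory-safety violation, a narrow read-link-only leak channel, and a trigger that requires mounting a crafted image (udisks2 auto-mount or a CAP_SYS_ADMIN mount).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * SUSP "CE" entry, 28 bytes:
 *   0-1 "CE"  2 length (28)  3 version (1)
 *   4-11 block location, 12-19 offset, 20-27 length, each stored as a
 *   little-endian copy followed by a big-endian copy (ISO 9660 "733").
 */
#define CE_LEN 28

struct ce_entry {
	uint32_t extent;	/* rs->cont_extent: block number */
	uint32_t offset;	/* rs->cont_offset */
	uint32_t size;		/* rs->cont_size */
};

static uint32_t get_733(const uint8_t *p)	/* read the little-endian half */
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_733(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++) {
		p[i] = (uint8_t)(v >> (8 * i));		/* LE copy */
		p[7 - i] = (uint8_t)(v >> (8 * i));	/* BE copy */
	}
}

/* Parse a CE record; returns 0 when the signature or length is wrong. */
int ce_parse(const uint8_t *rec, struct ce_entry *ce)
{
	if (rec[0] != 'C' || rec[1] != 'E' || rec[2] != CE_LEN)
		return 0;
	ce->extent = get_733(rec + 4);
	ce->offset = get_733(rec + 12);
	ce->size = get_733(rec + 20);
	return 1;
}

/*
 * The rejection test in rock_continue(). bufsize is the block size the
 * continuation is read with, nzones the volume size in blocks
 * (ISOFS_SB(sb)->s_nzones). 'fixed' adds the patch's extent bound.
 * Returns 1 when the CE is accepted and sb_bread() would be called.
 */
int rock_continue_accepts(const struct ce_entry *ce, uint32_t bufsize,
			  uint32_t nzones, int fixed)
{
	if (ce->offset > bufsize || ce->size > bufsize ||
	    (uint64_t)ce->offset + ce->size > bufsize)
		return 0;			/* existing offset/size rejection */
	if (fixed && ce->extent >= nzones)
		return 0;			/* new: block outside the volume */
	return 1;
}

/* Build a well-formed CE record pointing at 'extent'. */
void ce_build(uint8_t *rec, uint32_t extent, uint32_t offset, uint32_t size)
{
	memset(rec, 0, CE_LEN);
	rec[0] = 'C'; rec[1] = 'E'; rec[2] = CE_LEN; rec[3] = 1;
	put_733(rec + 4, extent);
	put_733(rec + 12, offset);
	put_733(rec + 20, size);
}

/* Constructed volume: 1000 blocks of 2048 bytes. */
#define DEMO_BLOCKSIZE 2048u
#define DEMO_NZONES 1000u

static int demo_ce(uint32_t extent, int fixed)
{
	uint8_t rec[CE_LEN];
	struct ce_entry ce;

	ce_build(rec, extent, 0, 256);
	if (!ce_parse(rec, &ce))
		return -1;
	return rock_continue_accepts(&ce, DEMO_BLOCKSIZE, DEMO_NZONES, fixed);
}

/* CE pointing at block 5000: past the volume, possibly into a neighbour. */
int crafted_ce_accepted(int fixed) { return demo_ce(5000, fixed); }
/* CE pointing at block 10: inside the volume, accepted either way. */
int sane_ce_accepted(int fixed) { return demo_ce(10, fixed); }

int main(void)
{
	printf("crafted CE, original: %s\n", crafted_ce_accepted(0) ? "accepted" : "rejected");
	printf("crafted CE, patched:  %s\n", crafted_ce_accepted(1) ? "accepted" : "rejected");
	printf("sane CE, patched:     %s\n", sane_ce_accepted(1) ? "accepted" : "rejected");
	return 0;
}
```

The offset/size test alone is satisfied by the crafted record because those two fields are perfectly ordinary; only the block number is hostile, which is why the patch adds a third condition in the same shape rather than changing the existing ones.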
Severity: 8.2 (High)
Assigner: Linux
References
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be | |
| https://git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57 | |
| https://git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9 | |
| https://git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5 | |
| https://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc | |
| https://git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8 | |
| https://git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe | |
| https://git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f | |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < 8356fb821016797f5677cbeee5ddc0d32a95b4be (git) |
| Linux | Linux | Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < d582e12378bc1637f337622feef762f53c43fd57 (git) |
| Linux | Linux | Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9 (git) |
| Linux | Linux | Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < c9b37c8b73f6368e4750e5ccb0632c380b43c6e5 (git) |
| Linux | Linux | Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < 22b36fa081f38ab397c7697f9d539211b51a0cfc (git) |
| Linux | Linux | Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < e69da8eeab74b4f4505024c38a17bce060fe7df8 (git) |
| Linux | Linux | Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < ef048470c90bc8c1b8318bb2ce329da9ef64b9fe (git) |
| Linux | Linux | Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < a36d990f591320e9dd379ab30063ebfe91d47e1f (git) |
| Linux | Linux | Affected: 08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56 (git) |
| Linux | Linux | Affected: 212c4d33ca83e2144064fe9c2911607fbed5386f (git) |
| Linux | Linux | Affected: 96e44adce250199ec9b2b928be66365779ff1b59 (git) |
| Linux | Linux | Affected: 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 (git) |
| Linux | Linux | Affected: fbce0d7dc8965c9fb8d411862040239d4a768c71 (git) |
| Linux | Linux | Affected: 8190393a88f2b0321263a54f2a9eb5a2aa43be7e (git) |
| Linux | Linux | Affected: 486aa789eadcf44ed87f972b209299c516454693 (git) |
| Linux | Linux | Affected: b6d20edb6e7cedb4eedb9e0193d20dd488ebae84 (git) |
| Linux | Linux | Affected: 2.6.32.66 , < 2.6.33 (semver) |
| Linux | Linux | Affected: 3.2.67 , < 3.3 (semver) |
| Linux | Linux | Affected: 3.4.107 , < 3.5 (semver) |
| Linux | Linux | Affected: 3.10.64 , < 3.11 (semver) |
| Linux | Linux | Affected: 3.12.36 , < 3.13 (semver) |
| Linux | Linux | Affected: 3.14.28 , < 3.15 (semver) |
| Linux | Linux | Affected: 3.17.8 , < 3.18 (semver) |
| Linux | Linux | Affected: 3.18.2 , < 3.19 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/isofs/rock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8356fb821016797f5677cbeee5ddc0d32a95b4be",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "d582e12378bc1637f337622feef762f53c43fd57",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "c9b37c8b73f6368e4750e5ccb0632c380b43c6e5",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "22b36fa081f38ab397c7697f9d539211b51a0cfc",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "e69da8eeab74b4f4505024c38a17bce060fe7df8",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "ef048470c90bc8c1b8318bb2ce329da9ef64b9fe",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "a36d990f591320e9dd379ab30063ebfe91d47e1f",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"status": "affected",
"version": "08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56",
"versionType": "git"
},
{
"status": "affected",
"version": "212c4d33ca83e2144064fe9c2911607fbed5386f",
"versionType": "git"
},
{
"status": "affected",
"version": "96e44adce250199ec9b2b928be66365779ff1b59",
"versionType": "git"
},
{
"status": "affected",
"version": "1fe5620fcd6c2f0a4a927ee10c8e53196da392f3",
"versionType": "git"
},
{
"status": "affected",
"version": "fbce0d7dc8965c9fb8d411862040239d4a768c71",
"versionType": "git"
},
{
"status": "affected",
"version": "8190393a88f2b0321263a54f2a9eb5a2aa43be7e",
"versionType": "git"
},
{
"status": "affected",
"version": "486aa789eadcf44ed87f972b209299c516454693",
"versionType": "git"
},
{
"status": "affected",
"version": "b6d20edb6e7cedb4eedb9e0193d20dd488ebae84",
"versionType": "git"
},
{
"lessThan": "2.6.33",
"status": "affected",
"version": "2.6.32.66",
"versionType": "semver"
},
{
"lessThan": "3.3",
"status": "affected",
"version": "3.2.67",
"versionType": "semver"
},
{
"lessThan": "3.5",
"status": "affected",
"version": "3.4.107",
"versionType": "semver"
},
{
"lessThan": "3.11",
"status": "affected",
"version": "3.10.64",
"versionType": "semver"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.36",
"versionType": "semver"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.28",
"versionType": "semver"
},
{
"lessThan": "3.18",
"status": "affected",
"version": "3.17.8",
"versionType": "semver"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/isofs/rock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: validate Rock Ridge CE continuation extent against volume size\n\nrock_continue() reads rs-\u003econt_extent verbatim from the Rock Ridge CE\nrecord and passes it to sb_bread() without checking that the block\nnumber is within the mounted ISO 9660 volume. commit e595447e177b\n(\"[PATCH] rock.c: handle corrupted directories\") added cont_offset\nand cont_size rejection for the CE continuation but did not validate\nthe extent block number itself. commit f54e18f1b831 (\"isofs: Fix\ninfinite looping over CE entries\") later capped the CE chain length\nat RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.\n\nWith a crafted ISO mounted via udisks2 (desktop optical auto-mount)\nor via CAP_SYS_ADMIN mount, rs-\u003econt_extent can therefore point at\nan out-of-range block or at blocks belonging to an adjacent\nfilesystem on the same block device. sb_bread() on an out-of-range\nblock returns NULL cleanly via the block layer EIO path, so there\nis no memory-safety violation. For in-range reads of adjacent-\nfilesystem data, the CE buffer is parsed as Rock Ridge records and\nonly the text of SL sub-records reaches userspace through\nreadlink(), which makes the info-leak channel narrow and difficult\nto exploit; still, rejecting the malformed CE outright matches the\nrejection shape already present in the same function for\ncont_offset and cont_size.\n\nAdd an ISOFS_SB(sb)-\u003es_nzones bounds check to rock_continue() next\nto the existing offset/size rejection, printing the same\ncorrupted-directory-entry notice."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:47.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be"
},
{
"url": "https://git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57"
},
{
"url": "https://git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9"
},
{
"url": "https://git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5"
},
{
"url": "https://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc"
},
{
"url": "https://git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8"
},
{
"url": "https://git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe"
},
{
"url": "https://git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f"
}
],
"title": "isofs: validate Rock Ridge CE continuation extent against volume size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46303",
"datePublished": "2026-06-08T15:46:30.642Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:07:47.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
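The bounds check that the CVE-2026-46303 record above describes, modelled in userspace as an added example (this is not the kernel's rock_continue() code): a Rock Ridge CE record names a continuation block, a byte offset into it and a length; before the fix only the offset/size pair was validated, so the block number reached sb_bread() verbatim, and the fix adds a comparison against the volume's zone count. The struct layouts, the block/device sizes and the "adjacent filesystem" band between the volume end and the device end are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled ISO 9660 volume sitting on a larger block device. nzones is the
 * volume's logical block count (the kernel keeps it as ISOFS_SB(sb)->s_nzones);
 * device_blocks is the device size in the same block unit. Constructed values. */
struct iso_volume {
    uint32_t block_size;
    uint32_t nzones;
    uint32_t device_blocks;
};

/* Decoded fields of a Rock Ridge CE record. Field names follow the CVE text;
 * the struct itself is an assumption of the example. */
struct rr_ce {
    uint32_t cont_extent;   /* logical block holding the continuation */
    uint32_t cont_offset;   /* byte offset into that block */
    uint32_t cont_size;     /* length of the continuation area */
};

enum ce_outcome {
    CE_REJECTED,        /* "corrupted directory entry": chain stops here */
    CE_READ_VOLUME,     /* block inside the mounted volume: normal path */
    CE_READ_ADJACENT,   /* outside the volume but on the device: foreign
                           data gets parsed as Rock Ridge records */
    CE_READ_FAILS       /* beyond the device: sb_bread() returns NULL (EIO) */
};

/* The offset/size rejection that already existed before the fix: the
 * continuation area must fit inside a single block. */
static bool ce_offset_size_ok(const struct iso_volume *v, const struct rr_ce *ce)
{
    return ce->cont_offset < v->block_size &&
           ce->cont_size <= v->block_size - ce->cont_offset;
}

/* Pre-fix shape: where a read of the CE block would land when only the
 * offset/size pair is validated and cont_extent is used as-is. */
enum ce_outcome ce_outcome_prefix(const struct iso_volume *v, const struct rr_ce *ce)
{
    if (!ce_offset_size_ok(v, ce))
        return CE_REJECTED;
    if (ce->cont_extent >= v->device_blocks)
        return CE_READ_FAILS;
    if (ce->cont_extent >= v->nzones)
        return CE_READ_ADJACENT;
    return CE_READ_VOLUME;
}

/* Fixed shape: the same rejection plus the bounds check against the volume
 * size, so no read is attempted for a block at or beyond nzones. */
enum ce_outcome ce_outcome_fixed(const struct iso_volume *v, const struct rr_ce *ce)
{
    if (!ce_offset_size_ok(v, ce))
        return CE_REJECTED;
    if (ce->cont_extent >= v->nzones)
        return CE_REJECTED;
    return CE_READ_VOLUME;
}

int main(void)
{
    /* Constructed volume: 1000 blocks of 2048 bytes on a 1500-block device. */
    struct iso_volume vol = { .block_size = 2048, .nzones = 1000, .device_blocks = 1500 };
    struct rr_ce probes[] = {
        { .cont_extent = 10,   .cont_offset = 0,    .cont_size = 100 },  /* sane */
        { .cont_extent = 1200, .cont_offset = 0,    .cont_size = 100 },  /* adjacent fs */
        { .cont_extent = 5000, .cont_offset = 0,    .cont_size = 100 },  /* off the device */
        { .cont_extent = 10,   .cont_offset = 2000, .cont_size = 100 },  /* bad offset/size */
    };
    static const char *names[] = { "rejected", "read in volume",
                                   "read adjacent fs", "read fails" };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("extent=%u offset=%u size=%u: pre-fix %s, fixed %s\n",
               probes[i].cont_extent, probes[i].cont_offset, probes[i].cont_size,
               names[ce_outcome_prefix(&vol, &probes[i])],
               names[ce_outcome_fixed(&vol, &probes[i])]);
    return 0;
}
```

The CE_READ_ADJACENT case is the one the CVE text calls narrow but real: the block is readable, so the pre-fix code parses whatever lives there as Rock Ridge records, and SL sub-record text can surface through readlink(). The fixed variant never reaches that read.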
CVE-2026-46280 (GCVE-0-2026-46280)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:41 – Updated: 2026-06-19 12:00
Title
lib: test_hmm: evict device pages on file close to avoid use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib: test_hmm: evict device pages on file close to avoid use-after-free
Patch series "Minor hmm_test fixes and cleanups".
Two bugfixes and a cleanup for the HMM kernel selftests. These were mostly
reported by Zenghui Yu with special thanks to Lorenzo for analysing and
pointing out the problems.
This patch (of 3):
When dmirror_fops_release() is called it frees the dmirror struct but
doesn't migrate device private pages back to system memory first. This
leaves those pages with a dangling zone_device_data pointer to the freed
dmirror.
If a subsequent fault occurs on those pages (e.g. during coredump) the
dmirror_devmem_fault() callback dereferences the stale pointer causing a
kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64,
where a test failure triggered SIGABRT and the resulting coredump walked
the VMAs faulting in the stale device private pages.
Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in
dmirror_fops_release() to migrate all device private pages back to system
memory before freeing the dmirror struct. The function is moved earlier
in the file to avoid a forward declaration.
Severity
7.8 (High)
Assigner
Linux
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b2ef9f5a5cb37643ca5def3516c546457074b882 , < 234071b4318feaeb27cd2e4e1b16ef6b055adf89 (git) |
| Linux | Linux | Affected: b2ef9f5a5cb37643ca5def3516c546457074b882 , < bf477abd448c76bb8ea51c9b4f63a3a17c4b6239 (git) |
| Linux | Linux | Affected: b2ef9f5a5cb37643ca5def3516c546457074b882 , < 5846715b6382dd4c6a69b35a56ca6115d33bc2a0 (git) |
| Linux | Linux | Affected: b2ef9f5a5cb37643ca5def3516c546457074b882 , < 38f113f81d3f0adc658a4475dd3ecaec985e21d3 (git) |
| Linux | Linux | Affected: b2ef9f5a5cb37643ca5def3516c546457074b882 , < 9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1 (git) |
| Linux | Linux | Affected: b2ef9f5a5cb37643ca5def3516c546457074b882 , < 744dd97752ef1076a8d8672bb0d8aa2c7abc1144 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/test_hmm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "234071b4318feaeb27cd2e4e1b16ef6b055adf89",
"status": "affected",
"version": "b2ef9f5a5cb37643ca5def3516c546457074b882",
"versionType": "git"
},
{
"lessThan": "bf477abd448c76bb8ea51c9b4f63a3a17c4b6239",
"status": "affected",
"version": "b2ef9f5a5cb37643ca5def3516c546457074b882",
"versionType": "git"
},
{
"lessThan": "5846715b6382dd4c6a69b35a56ca6115d33bc2a0",
"status": "affected",
"version": "b2ef9f5a5cb37643ca5def3516c546457074b882",
"versionType": "git"
},
{
"lessThan": "38f113f81d3f0adc658a4475dd3ecaec985e21d3",
"status": "affected",
"version": "b2ef9f5a5cb37643ca5def3516c546457074b882",
"versionType": "git"
},
{
"lessThan": "9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1",
"status": "affected",
"version": "b2ef9f5a5cb37643ca5def3516c546457074b882",
"versionType": "git"
},
{
"lessThan": "744dd97752ef1076a8d8672bb0d8aa2c7abc1144",
"status": "affected",
"version": "b2ef9f5a5cb37643ca5def3516c546457074b882",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/test_hmm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: test_hmm: evict device pages on file close to avoid use-after-free\n\nPatch series \"Minor hmm_test fixes and cleanups\".\n\nTwo bugfixes a cleanup for the HMM kernel selftests. These were mostly\nreported by Zenghui Yu with special thanks to Lorenzo for analysing and\npointing out the problems.\n\n\nThis patch (of 3):\n\nWhen dmirror_fops_release() is called it frees the dmirror struct but\ndoesn\u0027t migrate device private pages back to system memory first. This\nleaves those pages with a dangling zone_device_data pointer to the freed\ndmirror.\n\nIf a subsequent fault occurs on those pages (eg. during coredump) the\ndmirror_devmem_fault() callback dereferences the stale pointer causing a\nkernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64,\nwhere a test failure triggered SIGABRT and the resulting coredump walked\nthe VMAs faulting in the stale device private pages.\n\nFix this by calling dmirror_device_evict_chunk() for each devmem chunk in\ndmirror_fops_release() to migrate all device private pages back to system\nmemory before freeing the dmirror struct. The function is moved earlier\nin the file to avoid a forward declaration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:04.813Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/234071b4318feaeb27cd2e4e1b16ef6b055adf89"
},
{
"url": "https://git.kernel.org/stable/c/bf477abd448c76bb8ea51c9b4f63a3a17c4b6239"
},
{
"url": "https://git.kernel.org/stable/c/5846715b6382dd4c6a69b35a56ca6115d33bc2a0"
},
{
"url": "https://git.kernel.org/stable/c/38f113f81d3f0adc658a4475dd3ecaec985e21d3"
},
{
"url": "https://git.kernel.org/stable/c/9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1"
},
{
"url": "https://git.kernel.org/stable/c/744dd97752ef1076a8d8672bb0d8aa2c7abc1144"
}
],
"title": "lib: test_hmm: evict device pages on file close to avoid use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46280",
"datePublished": "2026-06-08T15:41:23.095Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-19T12:00:04.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46306 (GCVE-0-2026-46306)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:08
Title
flow_dissector: do not dissect PPPoE PFC frames
Summary
In the Linux kernel, the following vulnerability has been resolved:
flow_dissector: do not dissect PPPoE PFC frames
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.
During the review process of that commit [1], support for PFC was
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.
The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:
$ 0 : 00000000 80c40000 00000000 85144817
$ 4 : 00000008 00000100 80a75758 81dc9bb8
$ 8 : 00000010 8087ae2c 0000003d 00000000
$12 : 000000e0 00000039 00000000 00000000
$16 : 85043240 80a75758 81dc9bb8 00006488
$20 : 0000002f 00000007 85144810 80a70000
$24 : 81d1bda0 00000000
$28 : 81dc8000 81dc9aa8 00000000 805ead08
Hi : 00009d51
Lo : 2163358a
epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
ra : 805ead08 __skb_get_hash_net+0x74/0x12c
Status: 11000403 KERNEL EXL IE
Cause : 40800010 (ExcCode 04)
BadVA : 85144817
PrId : 0001992f (MIPS 1004Kc)
Call Trace:
[<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
[<805ead08>] __skb_get_hash_net+0x74/0x12c
[<805ef330>] get_rps_cpu+0x1b8/0x3fc
[<805fca70>] netif_receive_skb_list_internal+0x324/0x364
[<805fd120>] napi_complete_done+0x68/0x2a4
[<8058de5c>] mtk_napi_rx+0x228/0xfec
[<805fd398>] __napi_poll+0x3c/0x1c4
[<805fd754>] napi_threaded_poll_loop+0x234/0x29c
[<805fd848>] napi_threaded_poll+0x8c/0xb0
[<80053544>] kthread+0x104/0x12c
[<80002bd8>] ret_from_kernel_thread+0x14/0x1c
Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000
To reduce the attack surface and maintain performance, do not process
PPPoE PFC frames.
[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home
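The two dissector behaviours the commit message contrasts, as an added userspace model (not the kernel's flow_dissector code): a PPPoE session frame carries a 6-byte PPPoE header followed by the PPP protocol field, which is 2 bytes normally and 1 byte when Protocol Field Compression is in use (the low bit of the first octet is set). Accepting the compressed form puts the network header one byte earlier, which breaks the 4-byte alignment the receive path relies on; the fixed variant stops dissecting instead. The frames are constructed, and the alignment check assumes the driver reserved NET_IP_ALIGN (2) bytes of head room so that an IPv4 header behind a plain 14-byte Ethernet header lands 4-byte aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN        14
#define ETH_P_PPP_SES   0x8864   /* PPPoE session stage ethertype */
#define PPPOE_HLEN      6        /* ver/type, code, session id, length */
#define PPP_IP          0x0021
#define PPP_IPV6        0x0057
#define NET_IP_ALIGN    2        /* assumed skb head padding, see lead-in */

/* Outcome of dissecting one frame: offset of the network header inside the
 * frame (-1 when the dissector stops), the PPP protocol seen, and whether
 * that network header is 4-byte aligned in the assumed skb layout. */
struct dissect_result {
    int      nh_off;
    uint16_t ppp_proto;
    int      aligned;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* allow_pfc = 1 models the blamed commit (compressed protocol field accepted
 * and the payload read one byte earlier); allow_pfc = 0 models the fix
 * (PFC frames are not dissected at all). */
struct dissect_result dissect_pppoe(const uint8_t *frame, size_t len, int allow_pfc)
{
    struct dissect_result r = { -1, 0, 0 };
    size_t off = ETH_HLEN;

    if (len < ETH_HLEN || be16(frame + 12) != ETH_P_PPP_SES)
        return r;
    /* PPPoE header must be version 1 / type 1 with code 0 (session data) */
    if (len < off + PPPOE_HLEN + 2 || frame[off] != 0x11 || frame[off + 1] != 0x00)
        return r;
    off += PPPOE_HLEN;

    uint8_t first = frame[off];
    if (first & 0x01) {
        /* Protocol Field Compression: single-byte protocol field */
        if (!allow_pfc)
            return r;                 /* fixed behaviour: stop here */
        r.ppp_proto = first;
        off += 1;                     /* payload shifted by one byte */
    } else {
        r.ppp_proto = be16(frame + off);
        off += 2;
    }

    if (r.ppp_proto != PPP_IP && r.ppp_proto != PPP_IPV6)
        return r;
    r.nh_off  = (int)off;
    r.aligned = ((NET_IP_ALIGN + off) % 4) == 0;
    return r;
}

/* Constructed frames: Ethernet + PPPoE session header + PPP protocol field +
 * a minimal 20-byte IPv4 header. Not captured traffic. */
static const uint8_t FRAME_UNCOMPRESSED[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x16,        /* PPPoE v1/t1, session 1, len 22 */
    0x00,0x21,                              /* PPP protocol IPv4, uncompressed */
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x01,0,0, 10,0,0,1, 10,0,0,2
};
static const uint8_t FRAME_PFC[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x15,        /* len 21: one byte shorter */
    0x21,                                   /* PPP protocol IPv4, PFC form */
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x01,0,0, 10,0,0,1, 10,0,0,2
};

int main(void)
{
    const struct { const char *name; const uint8_t *f; size_t n; } frames[] = {
        { "uncompressed", FRAME_UNCOMPRESSED, sizeof FRAME_UNCOMPRESSED },
        { "pfc",          FRAME_PFC,          sizeof FRAME_PFC },
    };
    for (size_t i = 0; i < 2; i++) {
        struct dissect_result before = dissect_pppoe(frames[i].f, frames[i].n, 1);
        struct dissect_result after  = dissect_pppoe(frames[i].f, frames[i].n, 0);
        printf("%-12s pre-fix: nh_off=%d proto=0x%04x aligned=%d | fixed: nh_off=%d\n",
               frames[i].name, before.nh_off, before.ppp_proto, before.aligned,
               after.nh_off);
    }
    return 0;
}
```

With the compressed frame the pre-fix path places the IPv4 header at offset 21, an odd offset that no NET_IP_ALIGN padding can make word aligned, which is the unaligned access the MIPS trace above shows inside __skb_flow_dissect(); the fixed path reports nothing to hash and RPS falls back without touching the payload.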
Severity
7.5 (High)
Assigner
Linux
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 10f665b52a75df6eb26ddebbbc072ee264183731 , < e7c811ca372d53c2be7d01a1614e71fae1054836 (git) |
| Linux | Linux | Affected: d7e541e86122d21f71eb71c5dfa7fb1eb6623fe8 , < abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200 (git) |
| Linux | Linux | Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3 (git) |
| Linux | Linux | Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < db104b0d8a7856397c0469d83a4289adf7c54863 (git) |
| Linux | Linux | Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 6044392d9cace3a3672b02c8bc7d38b502e51734 (git) |
| Linux | Linux | Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 0d00b9015069712944934bab09eaa6c542143049 (git) |
| Linux | Linux | Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 7c93f353eab4ea911e394630f07d72e040a729d8 (git) |
| Linux | Linux | Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < d6c19b31a3c1d519fabdcf0aa239e6b6109b9473 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/flow_dissector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7c811ca372d53c2be7d01a1614e71fae1054836",
"status": "affected",
"version": "10f665b52a75df6eb26ddebbbc072ee264183731",
"versionType": "git"
},
{
"lessThan": "abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200",
"status": "affected",
"version": "d7e541e86122d21f71eb71c5dfa7fb1eb6623fe8",
"versionType": "git"
},
{
"lessThan": "18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "db104b0d8a7856397c0469d83a4289adf7c54863",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "6044392d9cace3a3672b02c8bc7d38b502e51734",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "0d00b9015069712944934bab09eaa6c542143049",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "7c93f353eab4ea911e394630f07d72e040a729d8",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "d6c19b31a3c1d519fabdcf0aa239e6b6109b9473",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/flow_dissector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nflow_dissector: do not dissect PPPoE PFC frames\n\nRFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT\nRECOMMENDED for PPPoE. In practice, pppd does not support negotiating\nPFC for PPPoE sessions, and the flow dissector driver has assumed an\nuncompressed frame until the blamed commit.\n\nDuring the review process of that commit [1], support for PFC is\nsuggested. However, having a compressed (1-byte) protocol field means\nthe subsequent PPP payload is shifted by one byte, causing 4-byte\nmisalignment for the network header and an unaligned access exception\non some architectures.\n\nThe exception can be reproduced by sending a PPPoE PFC frame to an\nethernet interface of a MIPS board, with RPS enabled, even if no PPPoE\nsession is active on that interface:\n\n$ 0 : 00000000 80c40000 00000000 85144817\n$ 4 : 00000008 00000100 80a75758 81dc9bb8\n$ 8 : 00000010 8087ae2c 0000003d 00000000\n$12 : 000000e0 00000039 00000000 00000000\n$16 : 85043240 80a75758 81dc9bb8 00006488\n$20 : 0000002f 00000007 85144810 80a70000\n$24 : 81d1bda0 00000000\n$28 : 81dc8000 81dc9aa8 00000000 805ead08\nHi : 00009d51\nLo : 2163358a\nepc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50\nra : 805ead08 __skb_get_hash_net+0x74/0x12c\nStatus: 11000403 KERNEL EXL IE\nCause : 40800010 (ExcCode 04)\nBadVA : 85144817\nPrId : 0001992f (MIPS 1004Kc)\nCall Trace:\n[\u003c805e91f0\u003e] __skb_flow_dissect+0x1b0/0x1b50\n[\u003c805ead08\u003e] __skb_get_hash_net+0x74/0x12c\n[\u003c805ef330\u003e] get_rps_cpu+0x1b8/0x3fc\n[\u003c805fca70\u003e] netif_receive_skb_list_internal+0x324/0x364\n[\u003c805fd120\u003e] napi_complete_done+0x68/0x2a4\n[\u003c8058de5c\u003e] mtk_napi_rx+0x228/0xfec\n[\u003c805fd398\u003e] __napi_poll+0x3c/0x1c4\n[\u003c805fd754\u003e] napi_threaded_poll_loop+0x234/0x29c\n[\u003c805fd848\u003e] napi_threaded_poll+0x8c/0xb0\n[\u003c80053544\u003e] kthread+0x104/0x12c\n[\u003c80002bd8\u003e] ret_from_kernel_thread+0x14/0x1c\n\nCode: 02d51821 1060045b 00000000 \u003c8c640000\u003e 3084000f 2c820005 144001a2 00042080 8e220000\n\nTo reduce the attack surface and maintain performance, do not process\nPPPoE PFC frames.\n\n[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:00.552Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7c811ca372d53c2be7d01a1614e71fae1054836"
},
{
"url": "https://git.kernel.org/stable/c/abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200"
},
{
"url": "https://git.kernel.org/stable/c/18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3"
},
{
"url": "https://git.kernel.org/stable/c/db104b0d8a7856397c0469d83a4289adf7c54863"
},
{
"url": "https://git.kernel.org/stable/c/6044392d9cace3a3672b02c8bc7d38b502e51734"
},
{
"url": "https://git.kernel.org/stable/c/0d00b9015069712944934bab09eaa6c542143049"
},
{
"url": "https://git.kernel.org/stable/c/7c93f353eab4ea911e394630f07d72e040a729d8"
},
{
"url": "https://git.kernel.org/stable/c/d6c19b31a3c1d519fabdcf0aa239e6b6109b9473"
}
],
"title": "flow_dissector: do not dissect PPPoE PFC frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46306",
"datePublished": "2026-06-08T15:46:33.936Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:08:00.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46291 (GCVE-0-2026-46291)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-19 12:00
Title
crypto: caam - guard HMAC key hex dumps in hash_digest_key
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: caam - guard HMAC key hex dumps in hash_digest_key
Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in
hash_digest_key() to avoid leaking secrets at runtime when
CONFIG_DYNAMIC_DEBUG is enabled.
Severity
No CVSS data available.
Assigner
Linux
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < e8e72fdf47bd5ef7abe642b034c6178a61a8580a (git) |
| Linux | Linux | Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < cd849c07b8d706425e60a4dfcef54b7b67c967ce (git) |
| Linux | Linux | Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < a9207798fe619cbc85c8744a9b9e2af1db2b6e1a (git) |
| Linux | Linux | Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < 2adbfca7452eeac45117b8e803288a2767f7075f (git) |
| Linux | Linux | Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < c7e52fe3f7901ccb9cd29b3f7c683d809ba87e48 (git) |
| Linux | Linux | Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < 5cffe3c136891aa4d579bf5c079a68f7cb371b0c (git) |
| Linux | Linux | Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < b8f12d9b00c1950779e5679b9c13908584682bb6 (git) |
| Linux | Linux | Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < 177730a273b18e195263ed953853273e901b5064 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/caam/caamalg_qi2.c",
"drivers/crypto/caam/caamhash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8e72fdf47bd5ef7abe642b034c6178a61a8580a",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "cd849c07b8d706425e60a4dfcef54b7b67c967ce",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "a9207798fe619cbc85c8744a9b9e2af1db2b6e1a",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "2adbfca7452eeac45117b8e803288a2767f7075f",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "c7e52fe3f7901ccb9cd29b3f7c683d809ba87e48",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "5cffe3c136891aa4d579bf5c079a68f7cb371b0c",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "b8f12d9b00c1950779e5679b9c13908584682bb6",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "177730a273b18e195263ed953853273e901b5064",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/caam/caamalg_qi2.c",
"drivers/crypto/caam/caamhash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - guard HMAC key hex dumps in hash_digest_key\n\nUse print_hex_dump_devel() for dumping sensitive HMAC key bytes in\nhash_digest_key() to avoid leaking secrets at runtime when\nCONFIG_DYNAMIC_DEBUG is enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:06.481Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8e72fdf47bd5ef7abe642b034c6178a61a8580a"
},
{
"url": "https://git.kernel.org/stable/c/cd849c07b8d706425e60a4dfcef54b7b67c967ce"
},
{
"url": "https://git.kernel.org/stable/c/a9207798fe619cbc85c8744a9b9e2af1db2b6e1a"
},
{
"url": "https://git.kernel.org/stable/c/2adbfca7452eeac45117b8e803288a2767f7075f"
},
{
"url": "https://git.kernel.org/stable/c/c7e52fe3f7901ccb9cd29b3f7c683d809ba87e48"
},
{
"url": "https://git.kernel.org/stable/c/5cffe3c136891aa4d579bf5c079a68f7cb371b0c"
},
{
"url": "https://git.kernel.org/stable/c/b8f12d9b00c1950779e5679b9c13908584682bb6"
},
{
"url": "https://git.kernel.org/stable/c/177730a273b18e195263ed953853273e901b5064"
}
],
"title": "crypto: caam - guard HMAC key hex dumps in hash_digest_key",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46291",
"datePublished": "2026-06-08T15:46:18.317Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-19T12:00:06.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46312 (GCVE-0-2026-46312)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:50 – Updated: 2026-06-14 18:08
Title
media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not
see a reason why vb2_dma_sg should behave differently. This avoids
hitting `WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));` in
drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of
tree Apple ISP camera capture driver which uses vb2_dma_sg_memops.
gst-launch-1.0 v4l2src ! gtk4paintablesink
[ 38.201528] ------------[ cut here ]------------
[ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210
[ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer
snd_seq snd_seq_device uinput nf_conntrack_netbios_ns
nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib
nft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat
nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep
nls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc
hid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic
cfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev
aop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2
snd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor
macsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi
macsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3
snd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon
apple_sart apple_dockchannel macsmc apple_rtkit_helper
spmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses
pinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core
spi_apple
[ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram
[ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full)
[ 38.219040] Tainted: [W]=WARN
[ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
[ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210
[ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210
[ 38.222178] sp : ffffc0008dc678e0
[ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480
[ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968
[ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0
[ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968
[ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8
[ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff
[ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8
[ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000
[ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038
[ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb
[ 38.231488] Call trace:
[ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P)
[ 38.232342] drm_gem_mmap+0x140/0x260
[ 38.232813] __mmap_region+0x488/0x9a0
[ 38.233277] mmap_region+0xd0/0x148
[ 38.233703] do_mmap+0x350/0x5c0
[ 38.234148] vm_mmap_pgoff+0x14c/0x200
[ 38.234612] ksys_mmap_pgoff+0x150/0x208
[ 38.235107] __arm64_sys_mmap+0x34/0x50
[ 38.235611] invoke_syscall+0x50/0x120
[ 38.236075] el0_svc_common.constprop.0+0x48/0xf0
[ 38.236680] do_el0_svc+0x24/0x38
[ 38.237113] el0_svc+0x38/0x168
[ 38.237507] el0t_64_sync_handler+0xa0/0xe8
[ 38.238034] el0t_64_sync+0x198/0x1a0
[ 38.238491] ---[ end trace 0000000000000000 ]---
There were discussions in [1] at the end of 2023 that mmap() on imported
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < feb17524aa4ec337749344be0db52b88663e25ab (git) |
| Linux | Linux | Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 1a1360264f699521e001e7739009ee3ee3c6a4f5 (git) |
| Linux | Linux | Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 21fade52ab9fb13368a5709e60b0d9909197aeae (git) |
| Linux | Linux | Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < b4cf91658a636618f1437beec971dec25dec28eb (git) |
| Linux | Linux | Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 7254b31a13aaa0c2c0f9ffbc335b718656117ff4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/common/videobuf2/videobuf2-dma-sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "feb17524aa4ec337749344be0db52b88663e25ab",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "1a1360264f699521e001e7739009ee3ee3c6a4f5",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "21fade52ab9fb13368a5709e60b0d9909197aeae",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "b4cf91658a636618f1437beec971dec25dec28eb",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "7254b31a13aaa0c2c0f9ffbc335b718656117ff4",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/common/videobuf2/videobuf2-dma-sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap\n\nvb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not\nsee a reason why vb2_dma_sg should behave differently. This avoids\nhitting `WARN_ON(!(vma-\u003evm_flags \u0026 VM_DONTEXPAND));` in\ndrm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of\ntree Apple ISP camera capture driver which uses vb2_dma_sg_memops.\n\ngst-launch-1.0 v4l2src ! gtk4paintablesink\n\n[ 38.201528] ------------[ cut here ]------------\n[ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210\n[ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer\nsnd_seq snd_seq_device uinput nf_conntrack_netbios_ns\nnf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\nnft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat\nnf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep\nnls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc\nhid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic\ncfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev\naop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2\nsnd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor\nmacsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi\nmacsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3\nsnd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon\napple_sart apple_dockchannel macsmc apple_rtkit_helper\nspmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses\npinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core\nspi_apple\n[ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart 
apple_soc_cpufreq leds_pwm phram\n[ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full)\n[ 38.219040] Tainted: [W]=WARN\n[ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)\n[ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210\n[ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210\n[ 38.222178] sp : ffffc0008dc678e0\n[ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480\n[ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968\n[ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0\n[ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968\n[ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8\n[ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff\n[ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8\n[ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000\n[ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038\n[ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb\n[ 38.231488] Call trace:\n[ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P)\n[ 38.232342] drm_gem_mmap+0x140/0x260\n[ 38.232813] __mmap_region+0x488/0x9a0\n[ 38.233277] mmap_region+0xd0/0x148\n[ 38.233703] do_mmap+0x350/0x5c0\n[ 38.234148] vm_mmap_pgoff+0x14c/0x200\n[ 38.234612] ksys_mmap_pgoff+0x150/0x208\n[ 38.235107] __arm64_sys_mmap+0x34/0x50\n[ 38.235611] invoke_syscall+0x50/0x120\n[ 38.236075] el0_svc_common.constprop.0+0x48/0xf0\n[ 38.236680] do_el0_svc+0x24/0x38\n[ 38.237113] el0_svc+0x38/0x168\n[ 38.237507] el0t_64_sync_handler+0xa0/0xe8\n[ 38.238034] el0t_64_sync+0x198/0x1a0\n[ 38.238491] ---[ end trace 0000000000000000 ]---\n\nThere were discussions in [1] at the end of 2023 that mmap() on imported\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:26.067Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/feb17524aa4ec337749344be0db52b88663e25ab"
},
{
"url": "https://git.kernel.org/stable/c/1a1360264f699521e001e7739009ee3ee3c6a4f5"
},
{
"url": "https://git.kernel.org/stable/c/21fade52ab9fb13368a5709e60b0d9909197aeae"
},
{
"url": "https://git.kernel.org/stable/c/b4cf91658a636618f1437beec971dec25dec28eb"
},
{
"url": "https://git.kernel.org/stable/c/7254b31a13aaa0c2c0f9ffbc335b718656117ff4"
}
],
"title": "media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46312",
"datePublished": "2026-06-08T15:50:42.964Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:08:26.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46304 (GCVE-0-2026-46304)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
Title
nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the
final controller reference through nvmet_cq_put(). If that triggers
nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on
the same nvmet-wq.
Call chain:

```
nvmet_tcp_schedule_release_queue()
kref_put(&queue->kref, nvmet_tcp_release_queue)
nvmet_tcp_release_queue()
queue_work(nvmet_wq, &queue->release_work)          <--- nvmet_wq
process_one_work()
nvmet_tcp_release_queue_work()
nvmet_cq_put(&queue->nvme_cq)
nvmet_cq_destroy()
nvmet_ctrl_put(cq->ctrl)
nvmet_ctrl_free()
flush_work(&ctrl->async_event_work)                 <--- nvmet_wq

Previously scheduled by:
nvmet_add_async_event
queue_work(nvmet_wq, &ctrl->async_event_work);
```
This trips lockdep with a possible recursive locking warning.
```
[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55
[ 5223.061801] loop0: detected capacity change from 0 to 2097152
[ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420)
[ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349.
[ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
[ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery"

[ 5233.227718] ============================================
[ 5233.231283] WARNING: possible recursive locking detected
[ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N
[ 5233.238434] --------------------------------------------
[ 5233.241852] kworker/u192:6/2413 is trying to acquire lock:
[ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
[ 5233.251438]
 but task is already holding lock:
[ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.261125]
 other info that might help us debug this:
[ 5233.265333] Possible unsafe locking scenario:

[ 5233.269217] CPU0
[ 5233.270795] ----
[ 5233.272436] lock((wq_completion)nvmet-wq);
[ 5233.275241] lock((wq_completion)nvmet-wq);
[ 5233.278020]
 *** DEADLOCK ***

[ 5233.281793] May be due to missing lock nesting notation

[ 5233.286195] 3 locks held by kworker/u192:6/2413:
[ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0
[ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530
[ 5233.304290]
 stack backtrace:
[ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full)
[ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST
[ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp]
[ 5233.306532] Call Trace:
[ 5233.306534] <TASK>
[ 5233.306536] dump_stack_lvl+0x73/0xb0
[ 5233.306552] print_deadlock_bug+0x225/0x2f0
[ 5233.306556] __lock_acquire+0x13f0/0x2290
[ 5233.306563] lock_acquire+0xd0/0x300
[ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306571] ? __flush_work+0x20b/0x530
[ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306577] touch_wq_lockdep_map+0x3b/0x90
[ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90
[ 52
```
---truncated---
Severity
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < ae5b0cad163833e10b271e9becc05d81dae56e5f (git) |
| Linux | Linux | Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < 8d66ba89480ff098a58d79003a505f383aa4e920 (git) |
| Linux | Linux | Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < a696fbbd5240b4ac9b166f7bd4c550882ff543f1 (git) |
| Linux | Linux | Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < 9a4d7222c0955b221e38bb66d10e6bccb672c8a1 (git) |
| Linux | Linux | Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < ee6e20c4bc9eae542a0954a368449532383169d4 (git) |
| Linux | Linux | Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < 781f47d641432c26c19625b2cdd7f40825097592 (git) |
| Linux | Linux | Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < 551f445a56a11a6457550cddcf39c9ebb8bcacc6 (git) |
| Linux | Linux | Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < aade8abd8b868b6ffa9697aadaea28ec7f65bee6 (git) |
| Linux | Linux | Affected: 3976dd677e891c0b2c63d08028d445663539472c (git) |
| Linux | Linux | Affected: 4.9.68 , < 4.10 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae5b0cad163833e10b271e9becc05d81dae56e5f",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "8d66ba89480ff098a58d79003a505f383aa4e920",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "a696fbbd5240b4ac9b166f7bd4c550882ff543f1",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "9a4d7222c0955b221e38bb66d10e6bccb672c8a1",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "ee6e20c4bc9eae542a0954a368449532383169d4",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "781f47d641432c26c19625b2cdd7f40825097592",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "551f445a56a11a6457550cddcf39c9ebb8bcacc6",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "aade8abd8b868b6ffa9697aadaea28ec7f65bee6",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"status": "affected",
"version": "3976dd677e891c0b2c63d08028d445663539472c",
"versionType": "git"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.68",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free\n\nnvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the\nfinal controller reference through nvmet_cq_put(). If that triggers\nnvmet_ctrl_free(), the teardown path flushes ctrl-\u003easync_event_work on\nthe same nvmet-wq.\n\nCall chain:\n\n nvmet_tcp_schedule_release_queue()\n kref_put(\u0026queue-\u003ekref, nvmet_tcp_release_queue)\n nvmet_tcp_release_queue()\n queue_work(nvmet_wq, \u0026queue-\u003erelease_work) \u003c--- nvmet_wq\n process_one_work()\n nvmet_tcp_release_queue_work()\n nvmet_cq_put(\u0026queue-\u003envme_cq)\n nvmet_cq_destroy()\n nvmet_ctrl_put(cq-\u003ectrl)\n nvmet_ctrl_free()\n flush_work(\u0026ctrl-\u003easync_event_work) \u003c--- nvmet_wq\n\n Previously Scheduled by :-\n\t\t nvmet_add_async_event\n\t\t queue_work(nvmet_wq, \u0026ctrl-\u003easync_event_work);\n\nThis trips lockdep with a possible recursive locking warning.\n\n[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55\n[ 5223.061801] loop0: detected capacity change from 0 to 2097152\n[ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1\n[ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420)\n[ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349.\n[ 5223.128453] nvme nvme1: new ctrl: NQN \"nqn.2014-08.org.nvmexpress.discovery\", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349\n[ 5233.199447] nvme nvme1: Removing ctrl: NQN \"nqn.2014-08.org.nvmexpress.discovery\"\n\n[ 5233.227718] ============================================\n[ 5233.231283] WARNING: possible recursive locking detected\n[ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N\n[ 5233.238434] --------------------------------------------\n[ 5233.241852] kworker/u192:6/2413 is 
trying to acquire lock:\n[ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n[ 5233.251438]\n but task is already holding lock:\n[ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0\n[ 5233.261125]\n other info that might help us debug this:\n[ 5233.265333] Possible unsafe locking scenario:\n\n[ 5233.269217] CPU0\n[ 5233.270795] ----\n[ 5233.272436] lock((wq_completion)nvmet-wq);\n[ 5233.275241] lock((wq_completion)nvmet-wq);\n[ 5233.278020]\n *** DEADLOCK ***\n\n[ 5233.281793] May be due to missing lock nesting notation\n\n[ 5233.286195] 3 locks held by kworker/u192:6/2413:\n[ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0\n[ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(\u0026queue-\u003erelease_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0\n[ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\n[ 5233.304290]\n stack backtrace:\n[ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full)\n[ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST\n[ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp]\n[ 5233.306532] Call Trace:\n[ 5233.306534] \u003cTASK\u003e\n[ 5233.306536] dump_stack_lvl+0x73/0xb0\n[ 5233.306552] print_deadlock_bug+0x225/0x2f0\n[ 5233.306556] __lock_acquire+0x13f0/0x2290\n[ 5233.306563] lock_acquire+0xd0/0x300\n[ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90\n[ 5233.306571] ? __flush_work+0x20b/0x530\n[ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90\n[ 5233.306577] touch_wq_lockdep_map+0x3b/0x90\n[ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90\n[ 52\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:50.649Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae5b0cad163833e10b271e9becc05d81dae56e5f"
},
{
"url": "https://git.kernel.org/stable/c/8d66ba89480ff098a58d79003a505f383aa4e920"
},
{
"url": "https://git.kernel.org/stable/c/a696fbbd5240b4ac9b166f7bd4c550882ff543f1"
},
{
"url": "https://git.kernel.org/stable/c/9a4d7222c0955b221e38bb66d10e6bccb672c8a1"
},
{
"url": "https://git.kernel.org/stable/c/ee6e20c4bc9eae542a0954a368449532383169d4"
},
{
"url": "https://git.kernel.org/stable/c/781f47d641432c26c19625b2cdd7f40825097592"
},
{
"url": "https://git.kernel.org/stable/c/551f445a56a11a6457550cddcf39c9ebb8bcacc6"
},
{
"url": "https://git.kernel.org/stable/c/aade8abd8b868b6ffa9697aadaea28ec7f65bee6"
}
],
"title": "nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46304",
"datePublished": "2026-06-08T15:46:31.747Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:07:50.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42766 (GCVE-0-2026-42766)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:48
Title
Possible NULL Dereference in Password-Based CMS Decryption
Summary
Issue summary: A specially crafted password-encrypted CMS message
can trigger a NULL pointer dereference during CMS decryption.
Impact summary: This NULL pointer dereference leads to an application crash
and a Denial of Service.
The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as
OPTIONAL in the ASN.1 specification and may therefore be absent in specially
crafted inputs. During the password-based CMS decryption the OpenSSL
CMS implementation dereferences this field without first checking whether it
was present.
An attacker who supplies such a CMS message to an application performing
password-based CMS decryption can trigger an application crash, leading to
a Denial of Service.
Applications that process password-encrypted CMS messages may be affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity
No CVSS data available.
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Credits
Mayank Jangid
Kushal Khemka
Hari Priandana
Bhabani Sankar Das
Qifan Zhang (Palo Alto Networks)
Igor Ustinov
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:46:24.673332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:46:27.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1zh",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.0.2zq",
"status": "affected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mayank Jangid"
},
{
"lang": "en",
"type": "reporter",
"value": "Kushal Khemka"
},
{
"lang": "en",
"type": "reporter",
"value": "Hari Priandana"
},
{
"lang": "en",
"type": "reporter",
"value": "Bhabani Sankar Das"
},
{
"lang": "en",
"type": "reporter",
"value": "Qifan Zhang (Palo Alto Networks)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Igor Ustinov"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: A specially crafted password-encrypted CMS message\u003cbr\u003ecan trigger a NULL pointer dereference during CMS decryption.\u003cbr\u003e\u003cbr\u003eImpact summary: This NULL pointer dereference leads to an application crash\u003cbr\u003eand a Denial of Service.\u003cbr\u003e\u003cbr\u003eThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\u003cbr\u003eOPTIONAL in the ASN.1 specification and may therefore be absent in specially\u003cbr\u003ecrafted inputs. During the password-based CMS decryption the OpenSSL\u003cbr\u003eCMS implementation dereferences this field without first checking whether it\u003cbr\u003ewas present.\u003cbr\u003e\u003cbr\u003eAn attacker who supplies such a CMS message to an application performing\u003cbr\u003epassword-based CMS decryption can trigger an application crash, leading to\u003cbr\u003ea Denial of Service.\u003cbr\u003e\u003cbr\u003eApplications that process password-encrypted CMS messages may be affected.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\u003cbr\u003eissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"value": "Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:48:01.992Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possible NULL Dereference in Password-Based CMS Decryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-42766",
"datePublished": "2026-06-09T16:03:26.679Z",
"dateReserved": "2026-04-29T09:22:27.968Z",
"dateUpdated": "2026-06-10T07:48:01.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8643 (GCVE-0-2026-8643)
Vulnerability from cvelistv5 – Published: 2026-06-01 15:01 – Updated: 2026-07-03 12:05
Title
pip can extract console_scripts and gui_scripts outside installation directory
Summary
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
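A defender-side check for the class of bug described above, added here as an example and not pip's own code: it requires each console_scripts/gui_scripts key to be a bare file name and then confirms the resolved destination still lies inside the scripts directory. Function names and the sample entry points are constructed for illustration; it assumes Python 3.9+ for `Path.is_relative_to`.

```python
"""Validate entry-point script names before they are written to a scripts
directory. Constructed example for the pip advisory; not pip's own code."""
from pathlib import Path, PurePosixPath, PureWindowsPath


def is_safe_script_name(name: str) -> bool:
    """A console_scripts/gui_scripts key must be a plain file name.

    Reject the special names "", "." and "..", and anything that carries a
    path separator, a drive letter or a root prefix under either path
    flavour, so a wheel built on one platform cannot smuggle a separator
    that is only meaningful on the other.
    """
    if name in ("", ".", ".."):
        return False
    for flavour in (PurePosixPath, PureWindowsPath):
        p = flavour(name)
        if p.is_absolute() or p.anchor or len(p.parts) != 1 or p.name != name:
            return False
    return True


def resolve_script_target(scripts_dir, name: str) -> Path:
    """Return the absolute path the script would be written to, or raise.

    Two layers of defence: the name must be a bare file name, and the
    resolved destination must still be inside the resolved scripts
    directory (resolving both sides keeps symlinked prefixes consistent).
    """
    if not is_safe_script_name(name):
        raise ValueError(f"entry point name {name!r} is not a bare file name")
    base = Path(scripts_dir).resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):
        raise ValueError(f"entry point {name!r} escapes {base}")
    return target


def check_entry_points(scripts_dir, entry_points: dict) -> dict:
    """Map each entry-point name to 'ok' or the reason it was rejected."""
    results = {}
    for name in entry_points:
        try:
            resolve_script_target(scripts_dir, name)
            results[name] = "ok"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a benign name beside names that would land
    # outside the scripts directory if used verbatim as a path.
    sample = {
        "mytool": "mytool.cli:main",
        "../../outside": "mytool.cli:main",
        "/abs/path": "mytool.cli:main",
        "sub\\dir\\tool": "mytool.cli:main",
        "..": "mytool.cli:main",
    }
    with tempfile.TemporaryDirectory() as d:
        for n, verdict in check_entry_points(Path(d) / "bin", sample).items():
            print(f"{n!r}: {verdict}")
```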
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Python Packaging Authority | pip | Affected: 24.0 , < 26.1.2 (python) |
Credits
Lumír Balhar
Damian Shaw (https://github.com/notatallshaw)
Gregory P. Smith (https://github.com/gpshead)
Jannis Leidel (https://github.com/jezdez)
Pradyun Gedam (https://github.com/pradyunsg)
Paul Moore (https://github.com/pfmoore)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-01T18:55:02.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/01/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8643",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T18:57:40.345155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:02:53.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 3.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:exploit_intelligence:0"
],
"defaultStatus": "affected",
"product": "Exploit Intelligence",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_virtualization:2"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Virtualization",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:pdrive_lightspeed:0"
],
"defaultStatus": "affected",
"product": "Pen Drive Powered by Red Hat Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "unaffected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:stf:1.5"
],
"defaultStatus": "unaffected",
"product": "Service Telemetry Framework 1.5",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-27T17:03:36.585Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to write generated script wrappers outside the intended installation directory, leading to arbitrary file overwrite. This can severely impact system integrity and availability, and in certain scenarios, may lead to arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:13.916Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-8643"
},
{
"name": "RHBZ#2460927",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460927"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8643.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34374"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33313"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34891"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34772"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34778"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34780"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34773"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34774"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34739"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34752"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34765"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34758"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34756"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34760"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34776"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34748"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34775"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34740"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34749"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34750"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34741"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34777"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34456"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34374: Red Hat Ansible Automation Platform 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:33313: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:34891: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:34772: Red Hat OpenShift AI 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:34778: Red Hat OpenShift AI 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:34780: Red Hat OpenShift AI 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:34773: Red Hat OpenShift AI 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:34774: Red Hat OpenShift AI 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:34739: Red Hat OpenShift AI 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:34752: Red Hat OpenShift AI 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:34765: Red Hat OpenShift AI 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:34758: Red Hat OpenShift AI 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:34756: Red Hat OpenShift AI 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:34760: Red Hat OpenShift AI 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:34776: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:34748: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:34775: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:34740: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:34749: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:34750: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:34741: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:34777: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:34456: Red Hat OpenShift AI 3.4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-22T23:09:35.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-27T17:03:36.585Z",
"value": "Made public."
}
],
"title": "python-pip: Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, users should avoid installing Python wheels from untrusted sources. It is strongly advised against using `pip install` with elevated privileges, such as `sudo`, when installing wheels. Additionally, administrators should inspect `entry_points.txt` within wheels for path separators or absolute paths before installation."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/pip",
"defaultStatus": "unaffected",
"packageName": "pip",
"product": "pip",
"repo": "https://github.com/pypa/pip",
"vendor": "Python Packaging Authority",
"versions": [
{
"lessThan": "26.1.2",
"status": "affected",
"version": "24.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Lum\u00edr Balhar"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Damian Shaw (https://github.com/notatallshaw)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jannis Leidel (https://github.com/jezdez)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Pradyun Gedam (https://github.com/pradyunsg)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Paul Moore (https://github.com/pfmoore)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory."
}
],
"value": "pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:07:48.871Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/pypa/pip/pull/14000"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "pip can extract console_scripts and gui_scripts outside installation directory",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-8643",
"datePublished": "2026-06-01T15:01:32.143Z",
"dateReserved": "2026-05-14T20:21:04.562Z",
"dateUpdated": "2026-07-03T12:05:13.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48858 (GCVE-0-2026-48858)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
Summary
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.
The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.
The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.
The ftp application is deprecated and scheduled for removal in OTP-30.
This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).
This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
Severity
CVSS 4.0 base score 6.3 (MEDIUM), vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, as scored by the CNA (EEF). CISA SSVC: Exploitation none, Automatable yes, Technical Impact partial.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
EEF
References
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-48858.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48858 | related |
| https://www.erlang.org/doc/system/versions.html#order-of-versions | x_version-scheme |
| https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727 | patch |
| https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605 | patch |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Erlang | OTP, package inets (module ftp_internal) | Affected: 5.10.4 , < 7.0 (otp) |
| Erlang | OTP, package ftp (module ftp_internal) | Affected: 1.0 and later (otp); unaffected from 1.2.6, 1.2.4.1 and 1.2.3.1 |
| Erlang | OTP (erlang/otp) | Affected: 17.4 and later (otp); unaffected from 29.0.2, 28.5.0.2 and 27.3.4.13 |
Credits
Jonatan Männchen / EEF, finder and remediation developer
Ingela Anderton Andin, remediation reviewer
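The summary above contrasts the PASV handler, which connects to whatever host the server's 227 reply names, with the EPSV handlers, which take the host from the control socket. The block below is an added example written for this page, not Erlang/OTP code or its patch: it implements both the unpatched policy and the RFC 2577 section 3 check side by side on one constructed 227/229 exchange, so the difference is visible on the same input. The addresses 203.0.113.10 and 169.254.169.254, the reply strings and all function names are constructed for illustration; the code only decides the data-connection target and opens no sockets.

```python
import re
from typing import Dict, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as specified by RFC 959.
_PASV_RE = re.compile(r"^227\D*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "229 Entering Extended Passive Mode (|||port|)" as specified by RFC 2428.
_EPSV_RE = re.compile(r"^229\D*\(\|\|\|(\d{1,5})\|\)")


class PasvMismatch(Exception):
    """The 227 reply names a host that is not the control-connection peer."""


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Extract (ip, port) from a 227 reply, rejecting out-of-range fields and port 0."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("PASV port 0 is not usable")
    return ip, port


def pasv_data_target(control_peer_ip: str, reply: str, *, trust_server_ip: bool = False) -> Tuple[str, int]:
    """Return the (ip, port) the data connection may be opened to.

    trust_server_ip=True reproduces the unpatched behaviour the advisory describes for the
    Erlang PASV handler: connect wherever the server says.  The default applies RFC 2577
    section 3 and refuses any host that differs from the control-connection peer.
    """
    ip, port = parse_pasv_reply(reply)
    if trust_server_ip or ip == control_peer_ip:
        return ip, port
    raise PasvMismatch("server advertised %s:%d but control peer is %s" % (ip, port, control_peer_ip))


def epsv_data_target(control_peer_ip: str, reply: str) -> Tuple[str, int]:
    """EPSV replies carry only a port, so the host is always the control peer.

    This is the path the {ftp_extension, true} workaround switches the client to.
    """
    m = _EPSV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("EPSV port out of range: %r" % reply)
    return control_peer_ip, port


# Constructed exchange: the control connection goes to 203.0.113.10; the hostile reply
# points the data connection at a cloud metadata address instead of the server itself.
CONTROL_PEER = "203.0.113.10"
HONEST_227 = "227 Entering Passive Mode (203,0,113,10,195,80)."
HOSTILE_227 = "227 Entering Passive Mode (169,254,169,254,0,80)."
HONEST_229 = "229 Entering Extended Passive Mode (|||50000|)"


def run_demo() -> Dict[str, str]:
    """Apply each policy to the constructed replies; returns one outcome string per case."""
    out: Dict[str, str] = {}
    out["pasv_honest"] = "%s:%d" % pasv_data_target(CONTROL_PEER, HONEST_227)
    out["pasv_hostile_unpatched"] = "%s:%d" % pasv_data_target(CONTROL_PEER, HOSTILE_227, trust_server_ip=True)
    try:
        pasv_data_target(CONTROL_PEER, HOSTILE_227)
        out["pasv_hostile_patched"] = "connected"
    except PasvMismatch as exc:
        out["pasv_hostile_patched"] = "refused: %s" % exc
    out["epsv"] = "%s:%d" % epsv_data_target(CONTROL_PEER, HONEST_229)
    return out


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:24s} {result}")
```

Refusing the mismatch is the strict reading of RFC 2577 section 3; the other acceptable policy is to ignore the advertised host and connect to the control peer's address at the advertised port, which is what EPSV gives you for free and why the advisory's first workaround is to enable it. Port 0 and octets above 255 are rejected up front because a permissive parser would otherwise hand the caller a target that cannot be what the server meant.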
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:20:57.662713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:21:08.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ftp/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"lessThan": "7.0",
"status": "affected",
"version": "5.10.4",
"versionType": "otp"
}
]
},
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "ftp",
"packageURL": "pkg:otp/ftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.2.6",
"status": "unaffected"
},
{
"at": "1.2.4.1",
"status": "unaffected"
},
{
"at": "1.2.3.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/ftp/ftp_internal.erl",
"lib/ftp/src/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.4",
"versionType": "otp"
},
{
"changes": [
{
"at": "2691a806231ffd0490a8a9e20500dec0c7e73727",
"status": "unaffected"
},
{
"at": "521bcfa24407ee8cb5614823cf905c37ea3aa605",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "be95772ee1fcfe71045ef070130bea7a910b81e3",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerable path is active under the default configuration: \u003ctt\u003emode=passive\u003c/tt\u003e, \u003ctt\u003eipfamily=inet\u003c/tt\u003e, and \u003ctt\u003eftp_extension=false\u003c/tt\u003e are all defaults for \u003ctt\u003eftp:open/2\u003c/tt\u003e."
}
],
"value": "The vulnerable path is active under the default configuration: mode=passive, ipfamily=inet, and ftp_extension=false are all defaults for ftp:open/2."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "17.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eServer-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp_internal:handle_ctrl_result/2\u003c/tt\u003e PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to \u003ctt\u003egen_tcp:connect/4\u003c/tt\u003e without validating it against the control connection peer address. The adjacent EPSV handlers correctly call \u003ctt\u003epeername(CSock)\u003c/tt\u003e to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (\u003ctt\u003eftp:ls/1,2\u003c/tt\u003e, \u003ctt\u003eftp:nlist/1,2\u003c/tt\u003e, \u003ctt\u003eftp:recv/2,3\u003c/tt\u003e), data from the redirected target is returned to the caller. On write operations (\u003ctt\u003eftp:send/2,3\u003c/tt\u003e, \u003ctt\u003eftp:append/2,3\u003c/tt\u003e), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\u003c/p\u003e\u003cp\u003eThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp\u003c/tt\u003e application is deprecated and scheduled for removal in OTP-30.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/ftp/ftp_internal.erl\u003c/tt\u003e (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and \u003ctt\u003elib/ftp/src/ftp_internal.erl\u003c/tt\u003e (ftp 1.0 and later, OTP 21.0 and later).\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\n\nThe ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\n\nThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\n\nThe ftp application is deprecated and scheduled for removal in OTP-30.\n\nThis vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).\n\nThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:36.460Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48858.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48858"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pass \u003ctt\u003e{ftp_extension, true}\u003c/tt\u003e to \u003ctt\u003eftp:open/2\u003c/tt\u003e to use EPSV instead of PASV. Alternatively, pass \u003ctt\u003e{mode, active}\u003c/tt\u003e to use active mode, or pass \u003ctt\u003e{ipfamily, inet6}\u003c/tt\u003e to force IPv6, both of which bypass the vulnerable PASV path."
}
],
"value": "Pass {ftp_extension, true} to ftp:open/2 to use EPSV instead of PASV. Alternatively, pass {mode, active} to use active mode, or pass {ipfamily, inet6} to force IPv6, both of which bypass the vulnerable PASV path."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48858",
"datePublished": "2026-06-10T14:35:45.466Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:36.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46293 (GCVE-0-2026-46293)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
Title
clk: microchip: mpfs-ccc: fix out of bounds access during output registration
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: microchip: mpfs-ccc: fix out of bounds access during output registration
UBSAN reported an out of bounds access during registration of the last
two outputs. This out of bounds access occurs because space is only
allocated in the hws array for two PLLs and the four output dividers
that each has, but the defined IDs contain two DLLS and their two
outputs each, which are not supported by the driver. The ID order is
PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs
by two while adding them to the array to avoid the problem.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < 9ed9b580a814773482c0a4f1be045636e68cc109 (git) |
| Linux | Linux | Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < 47bc7a03449c39805bc2665d3e57c73195d5bcf8 (git) |
| Linux | Linux | Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < dbfcb09656cb30439577325c9dea2250203c2e3c (git) |
| Linux | Linux | Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < a0780aeea166a7cf4706c45af4cadbb2a43a1fc9 (git) |
| Linux | Linux | Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < f24efd415455b98a1f1cfc6071fe6fde71986706 (git) |
| Linux | Linux | Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < 2f7ae8ab6aa73daaf080d5332110357c29df9c36 (git) |
| Linux | Linux | Affected: 6.1 and later (semver); unaffected from 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7 and 7.1 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/microchip/clk-mpfs-ccc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ed9b580a814773482c0a4f1be045636e68cc109",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "47bc7a03449c39805bc2665d3e57c73195d5bcf8",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "dbfcb09656cb30439577325c9dea2250203c2e3c",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "a0780aeea166a7cf4706c45af4cadbb2a43a1fc9",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "f24efd415455b98a1f1cfc6071fe6fde71986706",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "2f7ae8ab6aa73daaf080d5332110357c29df9c36",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/microchip/clk-mpfs-ccc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: microchip: mpfs-ccc: fix out of bounds access during output registration\n\nUBSAN reported an out of bounds access during registration of the last\ntwo outputs. This out of bounds access occurs because space is only\nallocated in the hws array for two PLLs and the four output dividers\nthat each has, but the defined IDs contain two DLLS and their two\noutputs each, which are not supported by the driver. The ID order is\nPLLs -\u003e DLLs -\u003e PLL outputs -\u003e DLL outputs. Decrement the PLL output IDs\nby two while adding them to the array to avoid the problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:01.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ed9b580a814773482c0a4f1be045636e68cc109"
},
{
"url": "https://git.kernel.org/stable/c/47bc7a03449c39805bc2665d3e57c73195d5bcf8"
},
{
"url": "https://git.kernel.org/stable/c/dbfcb09656cb30439577325c9dea2250203c2e3c"
},
{
"url": "https://git.kernel.org/stable/c/a0780aeea166a7cf4706c45af4cadbb2a43a1fc9"
},
{
"url": "https://git.kernel.org/stable/c/f24efd415455b98a1f1cfc6071fe6fde71986706"
},
{
"url": "https://git.kernel.org/stable/c/2f7ae8ab6aa73daaf080d5332110357c29df9c36"
}
],
"title": "clk: microchip: mpfs-ccc: fix out of bounds access during output registration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46293",
"datePublished": "2026-06-08T15:46:20.288Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-14T18:07:01.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45445 (GCVE-0-2026-45445)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:48
Title
AES-OCB IV Ignored on EVP_Cipher() Path
Summary
Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.
Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.
OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV.
If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.
The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
Severity
No CVSS data available.
CWE
- CWE-325 - Missing Cryptographic Step
Assigner
References
Impacted products
Credits
Alex Gaynor (Anthropic)
Viktor Dukhovni
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:22:47.789275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:23:02.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Alex Gaynor (Anthropic)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Viktor Dukhovni"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: When an application drives an AES-OCB context through the\u003cbr\u003epublic EVP_Cipher() one-shot interface, the application-supplied\u003cbr\u003einitialisation vector (IV) is silently discarded.\u003cbr\u003e\u003cbr\u003eImpact summary: Every message encrypted under the same key uses the\u003cbr\u003esame effective nonce regardless of the IV supplied by the caller,\u003cbr\u003eresulting in (key, nonce) reuse and loss of confidentiality. If the\u003cbr\u003esame code path is used to compute the authentication tag, the tag\u003cbr\u003edepends only on the (key, IV) pair and not on the plaintext or\u003cbr\u003eciphertext, allowing universal forgery of arbitrary ciphertext from a\u003cbr\u003esingle captured message.\u003cbr\u003e\u003cbr\u003eOpenSSL provides two ways to drive a cipher: the documented streaming\u003cbr\u003einterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\u003cbr\u003eone-shot, EVP_Cipher(), whose documentation explicitly recommends\u003cbr\u003eagainst use by applications in favour of EVP_CipherUpdate() and\u003cbr\u003eEVP_CipherFinal_ex(). The OCB provider\u0027s streaming handler flushes\u003cbr\u003ethe application-supplied IV into the OCB context before processing\u003cbr\u003edata; the one-shot handler did not. Every call to EVP_Cipher() on an\u003cbr\u003eAES-OCB context therefore ran with the all-zero key-derived offset\u003cbr\u003estate left by cipher initialisation, regardless of the caller\u0027s IV.\u003cbr\u003e\u003cbr\u003eIf EVP_EncryptFinal_ex() is subsequently used to obtain the\u003cbr\u003eauthentication tag, the deferred IV setup runs at that point and\u003cbr\u003eclears the running checksum that should have been accumulated over the\u003cbr\u003eplaintext. The resulting tag is a function of (key, IV) only and\u003cbr\u003everifies against any ciphertext produced under the same (key, IV)\u003cbr\u003epair.\u003cbr\u003e\u003cbr\u003eThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\u003cbr\u003eTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\u003cbr\u003eApplications that drive AES-OCB through the documented streaming AEAD\u003cbr\u003eAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\u003cbr\u003eapplications that combine the AES-OCB cipher with the EVP_Cipher()\u003cbr\u003eone-shot API are vulnerable.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\u003cbr\u003ethis issue, as AES-OCB is outside the OpenSSL FIPS module boundary."
}
],
"value": "Issue summary: When an application drives an AES-OCB context through the\npublic EVP_Cipher() one-shot interface, the application-supplied\ninitialisation vector (IV) is silently discarded.\n\nImpact summary: Every message encrypted under the same key uses the\nsame effective nonce regardless of the IV supplied by the caller,\nresulting in (key, nonce) reuse and loss of confidentiality. If the\nsame code path is used to compute the authentication tag, the tag\ndepends only on the (key, IV) pair and not on the plaintext or\nciphertext, allowing universal forgery of arbitrary ciphertext from a\nsingle captured message.\n\nOpenSSL provides two ways to drive a cipher: the documented streaming\ninterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\none-shot, EVP_Cipher(), whose documentation explicitly recommends\nagainst use by applications in favour of EVP_CipherUpdate() and\nEVP_CipherFinal_ex(). The OCB provider\u0027s streaming handler flushes\nthe application-supplied IV into the OCB context before processing\ndata; the one-shot handler did not. Every call to EVP_Cipher() on an\nAES-OCB context therefore ran with the all-zero key-derived offset\nstate left by cipher initialisation, regardless of the caller\u0027s IV.\n\nIf EVP_EncryptFinal_ex() is subsequently used to obtain the\nauthentication tag, the deferred IV setup runs at that point and\nclears the running checksum that should have been accumulated over the\nplaintext. The resulting tag is a function of (key, IV) only and\nverifies against any ciphertext produced under the same (key, IV)\npair.\n\nThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\nTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\nApplications that drive AES-OCB through the documented streaming AEAD\nAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\napplications that combine the AES-OCB cipher with the EVP_Cipher()\none-shot API are vulnerable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as AES-OCB is outside the OpenSSL FIPS module boundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Moderate"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-325",
"description": "CWE-325 Missing Cryptographic Step",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:48:10.949Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AES-OCB IV Ignored on EVP_Cipher() Path",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-45445",
"datePublished": "2026-06-09T16:03:31.338Z",
"dateReserved": "2026-05-12T14:34:06.276Z",
"dateUpdated": "2026-06-10T07:48:10.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34180 (GCVE-0-2026-34180)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:47
Title
Heap Buffer Over-read in ASN.1 Content Parsing
Summary
Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.
Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load into the decoded ASN.1 object the contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated.
An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.
Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity
No CVSS data available.
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
Credits
Frank Buss
Viktor Dukhovni
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-34180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:00:59.503895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:02:24.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1zh",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.0.2zq",
"status": "affected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Frank Buss"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Viktor Dukhovni"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive\u003cbr\u003eelement whose content exceeds 2 gigabytes in length may cause a heap buffer\u003cbr\u003eover-read on 64-bit Unix and Unix-like platforms.\u003cbr\u003e\u003cbr\u003eImpact summary: The heap buffer over-read may crash the application (Denial of\u003cbr\u003eService) or to load into the decoded ASN.1 object contents of memory beyond the\u003cbr\u003eend of the input buffer. More typically such ASN.1 elements would instead be\u003cbr\u003etruncated.\u003cbr\u003e\u003cbr\u003eAn integer truncation in OpenSSL\u0027s ASN.1 decoder causes the content length of\u003cbr\u003ean ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the\u003cbr\u003eworst case the truncated length is treated as a request to scan the binary\u003cbr\u003econtent for a terminating zero byte, possibly causing OpenSSL to read either\u003cbr\u003eless than or beyond the end of the allocated buffer.\u003cbr\u003e\u003cbr\u003eApplications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or\u003cbr\u003eany other d2i_* decoding function are affected. OpenSSL\u0027s own command-line\u003cbr\u003etools are not vulnerable, as data read through the BIO layer is checked before\u003cbr\u003eit reaches the affected code. The issue only affects 64-bit Unix and Unix-like\u003cbr\u003eplatforms; 32-bit platforms and 64-bit Windows are not affected.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue,\u003cbr\u003eas the affected code is outside the OpenSSL FIPS module boundary."
}
],
"value": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive\nelement whose content exceeds 2 gigabytes in length may cause a heap buffer\nover-read on 64-bit Unix and Unix-like platforms.\n\nImpact summary: The heap buffer over-read may crash the application (Denial of\nService) or to load into the decoded ASN.1 object contents of memory beyond the\nend of the input buffer. More typically such ASN.1 elements would instead be\ntruncated.\n\nAn integer truncation in OpenSSL\u0027s ASN.1 decoder causes the content length of\nan ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the\nworst case the truncated length is treated as a request to scan the binary\ncontent for a terminating zero byte, possibly causing OpenSSL to read either\nless than or beyond the end of the allocated buffer.\n\nApplications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or\nany other d2i_* decoding function are affected. OpenSSL\u0027s own command-line\ntools are not vulnerable, as data read through the BIO layer is checked before\nit reaches the affected code. The issue only affects 64-bit Unix and Unix-like\nplatforms; 32-bit platforms and 64-bit Windows are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:47:52.427Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/f696c73c3e61b8c502d040af62e690c060908a16"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/d93853c42110d6319e3df07842b488cb9f7ac5ff"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/da5d62af75f69d6fbf7803743d7c56ac75461e43"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/1c6908e4fa5fa568752221d8eaf561a809751e5d"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Buffer Over-read in ASN.1 Content Parsing",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-34180",
"datePublished": "2026-06-09T16:03:17.082Z",
"dateReserved": "2026-03-26T09:29:36.012Z",
"dateUpdated": "2026-06-10T07:47:52.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.