Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0787
Vulnerability from certfr_avis - Published: 2026-06-19 - Updated: 2026-06-19
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 16.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 22.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-71075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71075"
},
{
"name": "CVE-2026-23198",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23198"
},
{
"name": "CVE-2026-43078",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43078"
},
{
"name": "CVE-2025-71086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71086"
},
{
"name": "CVE-2026-23260",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23260"
},
{
"name": "CVE-2026-23167",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23167"
},
{
"name": "CVE-2025-71065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71065"
},
{
"name": "CVE-2025-68374",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68374"
},
{
"name": "CVE-2026-23129",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23129"
},
{
"name": "CVE-2025-38201",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38201"
},
{
"name": "CVE-2026-23098",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23098"
},
{
"name": "CVE-2026-47329",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47329"
},
{
"name": "CVE-2025-68749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68749"
},
{
"name": "CVE-2025-71094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71094"
},
{
"name": "CVE-2025-68788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68788"
},
{
"name": "CVE-2026-23126",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23126"
},
{
"name": "CVE-2025-68778",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68778"
},
{
"name": "CVE-2026-23054",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23054"
},
{
"name": "CVE-2025-71064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71064"
},
{
"name": "CVE-2026-23159",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23159"
},
{
"name": "CVE-2025-68725",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68725"
},
{
"name": "CVE-2025-68741",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68741"
},
{
"name": "CVE-2025-68795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68795"
},
{
"name": "CVE-2025-68349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68349"
},
{
"name": "CVE-2025-68380",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68380"
},
{
"name": "CVE-2023-2640",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2640"
},
{
"name": "CVE-2026-23069",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23069"
},
{
"name": "CVE-2026-22992",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22992"
},
{
"name": "CVE-2025-71071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71071"
},
{
"name": "CVE-2025-71191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71191"
},
{
"name": "CVE-2025-68728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68728"
},
{
"name": "CVE-2025-68364",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68364"
},
{
"name": "CVE-2026-47330",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47330"
},
{
"name": "CVE-2025-71087",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71087"
},
{
"name": "CVE-2025-40039",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40039"
},
{
"name": "CVE-2025-71135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71135"
},
{
"name": "CVE-2025-68746",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68746"
},
{
"name": "CVE-2025-68773",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68773"
},
{
"name": "CVE-2025-71133",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71133"
},
{
"name": "CVE-2026-23020",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23020"
},
{
"name": "CVE-2025-68796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68796"
},
{
"name": "CVE-2026-23187",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23187"
},
{
"name": "CVE-2026-23136",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23136"
},
{
"name": "CVE-2026-23139",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23139"
},
{
"name": "CVE-2025-68804",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68804"
},
{
"name": "CVE-2025-68769",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68769"
},
{
"name": "CVE-2025-68794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68794"
},
{
"name": "CVE-2025-71189",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71189"
},
{
"name": "CVE-2025-71088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71088"
},
{
"name": "CVE-2026-23179",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23179"
},
{
"name": "CVE-2026-23090",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23090"
},
{
"name": "CVE-2026-23035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23035"
},
{
"name": "CVE-2026-23258",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23258"
},
{
"name": "CVE-2026-23064",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23064"
},
{
"name": "CVE-2025-38591",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38591"
},
{
"name": "CVE-2025-68806",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68806"
},
{
"name": "CVE-2026-43284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43284"
},
{
"name": "CVE-2025-71098",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71098"
},
{
"name": "CVE-2025-71078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71078"
},
{
"name": "CVE-2026-43362",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43362"
},
{
"name": "CVE-2025-71083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71083"
},
{
"name": "CVE-2026-23061",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23061"
},
{
"name": "CVE-2026-23059",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23059"
},
{
"name": "CVE-2025-68813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68813"
},
{
"name": "CVE-2026-23135",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23135"
},
{
"name": "CVE-2026-23047",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23047"
},
{
"name": "CVE-2025-68365",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68365"
},
{
"name": "CVE-2025-68265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68265"
},
{
"name": "CVE-2026-23119",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23119"
},
{
"name": "CVE-2025-71085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71085"
},
{
"name": "CVE-2026-23173",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23173"
},
{
"name": "CVE-2026-23123",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23123"
},
{
"name": "CVE-2025-68344",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68344"
},
{
"name": "CVE-2025-71154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71154"
},
{
"name": "CVE-2025-68257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68257"
},
{
"name": "CVE-2026-31431",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31431"
},
{
"name": "CVE-2025-71084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71084"
},
{
"name": "CVE-2026-23094",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23094"
},
{
"name": "CVE-2026-23049",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23049"
},
{
"name": "CVE-2025-68347",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68347"
},
{
"name": "CVE-2025-68770",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68770"
},
{
"name": "CVE-2025-68814",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68814"
},
{
"name": "CVE-2025-68780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68780"
},
{
"name": "CVE-2025-71081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71081"
},
{
"name": "CVE-2026-23101",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23101"
},
{
"name": "CVE-2026-23099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23099"
},
{
"name": "CVE-2025-71121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71121"
},
{
"name": "CVE-2025-38022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38022"
},
{
"name": "CVE-2026-23085",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23085"
},
{
"name": "CVE-2026-23209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23209"
},
{
"name": "CVE-2025-71136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71136"
},
{
"name": "CVE-2025-68354",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68354"
},
{
"name": "CVE-2025-68801",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68801"
},
{
"name": "CVE-2025-40082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40082"
},
{
"name": "CVE-2026-23150",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23150"
},
{
"name": "CVE-2025-68258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68258"
},
{
"name": "CVE-2026-23163",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23163"
},
{
"name": "CVE-2026-23057",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23057"
},
{
"name": "CVE-2025-37926",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37926"
},
{
"name": "CVE-2025-71138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71138"
},
{
"name": "CVE-2026-43033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43033"
},
{
"name": "CVE-2026-23166",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23166"
},
{
"name": "CVE-2025-68291",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68291"
},
{
"name": "CVE-2025-71122",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71122"
},
{
"name": "CVE-2026-22991",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22991"
},
{
"name": "CVE-2026-23264",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23264"
},
{
"name": "CVE-2026-47331",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47331"
},
{
"name": "CVE-2026-43503",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43503"
},
{
"name": "CVE-2025-68763",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68763"
},
{
"name": "CVE-2025-71144",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71144"
},
{
"name": "CVE-2026-23256",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23256"
},
{
"name": "CVE-2026-23116",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23116"
},
{
"name": "CVE-2025-38234",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38234"
},
{
"name": "CVE-2025-71200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71200"
},
{
"name": "CVE-2025-68255",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68255"
},
{
"name": "CVE-2026-22980",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22980"
},
{
"name": "CVE-2026-23172",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23172"
},
{
"name": "CVE-2026-43500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43500"
},
{
"name": "CVE-2026-23133",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23133"
},
{
"name": "CVE-2025-71093",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71093"
},
{
"name": "CVE-2025-71102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71102"
},
{
"name": "CVE-2026-23131",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23131"
},
{
"name": "CVE-2026-23212",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23212"
},
{
"name": "CVE-2026-23032",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23032"
},
{
"name": "CVE-2026-23170",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23170"
},
{
"name": "CVE-2025-68759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68759"
},
{
"name": "CVE-2026-23204",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23204"
},
{
"name": "CVE-2026-23019",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23019"
},
{
"name": "CVE-2026-23273",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23273"
},
{
"name": "CVE-2025-71188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71188"
},
{
"name": "CVE-2026-23125",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23125"
},
{
"name": "CVE-2025-68733",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68733"
},
{
"name": "CVE-2026-23005",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23005"
},
{
"name": "CVE-2026-47328",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47328"
},
{
"name": "CVE-2026-23214",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23214"
},
{
"name": "CVE-2025-68335",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68335"
},
{
"name": "CVE-2025-71079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71079"
},
{
"name": "CVE-2026-23030",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23030"
},
{
"name": "CVE-2026-23178",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23178"
},
{
"name": "CVE-2026-22997",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22997"
},
{
"name": "CVE-2025-71153",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71153"
},
{
"name": "CVE-2025-71196",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71196"
},
{
"name": "CVE-2026-31533",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31533"
},
{
"name": "CVE-2026-46323",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46323"
},
{
"name": "CVE-2025-68772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68772"
},
{
"name": "CVE-2024-57795",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57795"
},
{
"name": "CVE-2026-23191",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23191"
},
{
"name": "CVE-2026-23078",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23078"
},
{
"name": "CVE-2026-47332",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47332"
},
{
"name": "CVE-2025-71143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71143"
},
{
"name": "CVE-2025-68785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68785"
},
{
"name": "CVE-2025-71130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71130"
},
{
"name": "CVE-2025-68808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68808"
},
{
"name": "CVE-2025-68783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68783"
},
{
"name": "CVE-2025-71147",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71147"
},
{
"name": "CVE-2025-71220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71220"
},
{
"name": "CVE-2025-68724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68724"
},
{
"name": "CVE-2026-23103",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23103"
},
{
"name": "CVE-2025-71126",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71126"
},
{
"name": "CVE-2025-68786",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68786"
},
{
"name": "CVE-2025-71199",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71199"
},
{
"name": "CVE-2023-32629",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32629"
},
{
"name": "CVE-2025-68797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68797"
},
{
"name": "CVE-2025-68358",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68358"
},
{
"name": "CVE-2026-23180",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23180"
},
{
"name": "CVE-2025-68259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68259"
},
{
"name": "CVE-2025-71125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71125"
},
{
"name": "CVE-2026-23006",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23006"
},
{
"name": "CVE-2025-71108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71108"
},
{
"name": "CVE-2025-71069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71069"
},
{
"name": "CVE-2025-71195",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71195"
},
{
"name": "CVE-2026-22994",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22994"
},
{
"name": "CVE-2026-23083",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23083"
},
{
"name": "CVE-2026-23262",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23262"
},
{
"name": "CVE-2026-23088",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23088"
},
{
"name": "CVE-2025-68774",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68774"
},
{
"name": "CVE-2026-23108",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23108"
},
{
"name": "CVE-2025-71180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71180"
},
{
"name": "CVE-2026-46000",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46000"
},
{
"name": "CVE-2026-47334",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47334"
},
{
"name": "CVE-2025-71194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71194"
},
{
"name": "CVE-2026-22999",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22999"
},
{
"name": "CVE-2025-71082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71082"
},
{
"name": "CVE-2026-23068",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23068"
},
{
"name": "CVE-2025-68765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68765"
},
{
"name": "CVE-2026-23089",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23089"
},
{
"name": "CVE-2026-23216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23216"
},
{
"name": "CVE-2025-71132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71132"
},
{
"name": "CVE-2025-71225",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71225"
},
{
"name": "CVE-2026-23071",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23071"
},
{
"name": "CVE-2026-23056",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23056"
},
{
"name": "CVE-2025-71077",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71077"
},
{
"name": "CVE-2026-43077",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43077"
},
{
"name": "CVE-2025-71140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71140"
},
{
"name": "CVE-2025-22111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22111"
},
{
"name": "CVE-2026-23063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23063"
},
{
"name": "CVE-2026-47335",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47335"
},
{
"name": "CVE-2026-23073",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23073"
},
{
"name": "CVE-2025-71114",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71114"
},
{
"name": "CVE-2026-23058",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23058"
},
{
"name": "CVE-2025-71067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71067"
},
{
"name": "CVE-2025-68744",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68744"
},
{
"name": "CVE-2025-71182",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71182"
},
{
"name": "CVE-2026-23038",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23038"
},
{
"name": "CVE-2025-71151",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71151"
},
{
"name": "CVE-2026-22990",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22990"
},
{
"name": "CVE-2026-23000",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23000"
},
{
"name": "CVE-2025-71186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71186"
},
{
"name": "CVE-2026-47336",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47336"
},
{
"name": "CVE-2026-23176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23176"
},
{
"name": "CVE-2025-68821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68821"
},
{
"name": "CVE-2026-23026",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23026"
},
{
"name": "CVE-2026-23128",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23128"
},
{
"name": "CVE-2026-46300",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46300"
},
{
"name": "CVE-2025-68325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68325"
},
{
"name": "CVE-2025-71190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71190"
},
{
"name": "CVE-2026-23140",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23140"
},
{
"name": "CVE-2025-71089",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71089"
},
{
"name": "CVE-2026-23107",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23107"
},
{
"name": "CVE-2025-68332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68332"
},
{
"name": "CVE-2025-71104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71104"
},
{
"name": "CVE-2026-22978",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22978"
},
{
"name": "CVE-2025-68378",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68378"
},
{
"name": "CVE-2025-71141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71141"
},
{
"name": "CVE-2026-23146",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23146"
},
{
"name": "CVE-2026-45998",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45998"
},
{
"name": "CVE-2026-23037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23037"
},
{
"name": "CVE-2025-71101",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71101"
},
{
"name": "CVE-2026-23001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23001"
},
{
"name": "CVE-2025-68367",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68367"
},
{
"name": "CVE-2025-71224",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71224"
},
{
"name": "CVE-2025-68820",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68820"
},
{
"name": "CVE-2025-68756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68756"
},
{
"name": "CVE-2026-23193",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23193"
},
{
"name": "CVE-2026-23215",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23215"
},
{
"name": "CVE-2025-68740",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68740"
},
{
"name": "CVE-2025-68742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68742"
},
{
"name": "CVE-2026-23025",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23025"
},
{
"name": "CVE-2025-68816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68816"
},
{
"name": "CVE-2025-68379",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68379"
},
{
"name": "CVE-2025-68256",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68256"
},
{
"name": "CVE-2025-68777",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68777"
},
{
"name": "CVE-2025-68254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68254"
},
{
"name": "CVE-2026-23151",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23151"
},
{
"name": "CVE-2026-22982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22982"
},
{
"name": "CVE-2026-23205",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23205"
},
{
"name": "CVE-2025-71109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71109"
},
{
"name": "CVE-2025-71222",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71222"
},
{
"name": "CVE-2026-31504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31504"
},
{
"name": "CVE-2025-71118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71118"
},
{
"name": "CVE-2026-23142",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23142"
},
{
"name": "CVE-2025-71150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71150"
},
{
"name": "CVE-2026-23213",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23213"
},
{
"name": "CVE-2026-23091",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23091"
},
{
"name": "CVE-2025-71192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71192"
},
{
"name": "CVE-2026-47327",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47327"
},
{
"name": "CVE-2026-23121",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23121"
},
{
"name": "CVE-2025-68776",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68776"
},
{
"name": "CVE-2026-23274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23274"
},
{
"name": "CVE-2025-71066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71066"
},
{
"name": "CVE-2025-68799",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68799"
},
{
"name": "CVE-2025-68345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68345"
},
{
"name": "CVE-2025-71097",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71097"
},
{
"name": "CVE-2026-47326",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47326"
},
{
"name": "CVE-2025-71107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71107"
},
{
"name": "CVE-2025-71111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71111"
},
{
"name": "CVE-2026-23144",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23144"
},
{
"name": "CVE-2026-23087",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23087"
},
{
"name": "CVE-2026-31419",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31419"
},
{
"name": "CVE-2025-71185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71185"
},
{
"name": "CVE-2025-68811",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68811"
},
{
"name": "CVE-2025-71268",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71268"
},
{
"name": "CVE-2026-23096",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23096"
},
{
"name": "CVE-2025-68337",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68337"
},
{
"name": "CVE-2025-68351",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68351"
},
{
"name": "CVE-2025-71131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71131"
},
{
"name": "CVE-2025-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40149"
},
{
"name": "CVE-2025-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40164"
},
{
"name": "CVE-2026-23164",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23164"
},
{
"name": "CVE-2025-71116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71116"
},
{
"name": "CVE-2026-23124",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23124"
},
{
"name": "CVE-2025-68362",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68362"
},
{
"name": "CVE-2026-23257",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23257"
},
{
"name": "CVE-2025-71160",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71160"
},
{
"name": "CVE-2024-58096",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58096"
},
{
"name": "CVE-2025-71162",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71162"
},
{
"name": "CVE-2026-23075",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23075"
},
{
"name": "CVE-2026-23120",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23120"
},
{
"name": "CVE-2025-68803",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68803"
},
{
"name": "CVE-2026-22996",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22996"
},
{
"name": "CVE-2026-47337",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47337"
},
{
"name": "CVE-2026-23168",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23168"
},
{
"name": "CVE-2024-50004",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50004"
},
{
"name": "CVE-2026-23105",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23105"
},
{
"name": "CVE-2026-22976",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22976"
},
{
"name": "CVE-2024-35862",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35862"
},
{
"name": "CVE-2026-23141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23141"
},
{
"name": "CVE-2026-23065",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23065"
},
{
"name": "CVE-2025-68753",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68753"
},
{
"name": "CVE-2025-68369",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68369"
},
{
"name": "CVE-2025-68775",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68775"
},
{
"name": "CVE-2026-23182",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23182"
},
{
"name": "CVE-2025-71112",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71112"
},
{
"name": "CVE-2026-23086",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23086"
},
{
"name": "CVE-2025-22022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22022"
},
{
"name": "CVE-2025-68818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68818"
},
{
"name": "CVE-2026-23261",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23261"
},
{
"name": "CVE-2025-71148",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71148"
},
{
"name": "CVE-2025-68366",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68366"
},
{
"name": "CVE-2024-36347",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36347"
},
{
"name": "CVE-2026-23156",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23156"
},
{
"name": "CVE-2025-68815",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68815"
},
{
"name": "CVE-2025-71193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71193"
},
{
"name": "CVE-2026-23095",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23095"
},
{
"name": "CVE-2025-68346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68346"
},
{
"name": "CVE-2025-71163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71163"
},
{
"name": "CVE-2026-23062",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23062"
},
{
"name": "CVE-2025-71096",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71096"
},
{
"name": "CVE-2025-71095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71095"
},
{
"name": "CVE-2026-23160",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23160"
},
{
"name": "CVE-2026-46333",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46333"
},
{
"name": "CVE-2025-71105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71105"
},
{
"name": "CVE-2025-68266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68266"
},
{
"name": "CVE-2025-68771",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68771"
},
{
"name": "CVE-2025-68363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68363"
},
{
"name": "CVE-2026-22984",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22984"
},
{
"name": "CVE-2026-47333",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47333"
},
{
"name": "CVE-2026-23206",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23206"
},
{
"name": "CVE-2025-68757",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68757"
},
{
"name": "CVE-2024-58097",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58097"
},
{
"name": "CVE-2025-71068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71068"
},
{
"name": "CVE-2026-23033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23033"
},
{
"name": "CVE-2026-31676",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31676"
},
{
"name": "CVE-2026-22977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22977"
},
{
"name": "CVE-2026-23145",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23145"
},
{
"name": "CVE-2026-23003",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23003"
},
{
"name": "CVE-2025-68766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68766"
},
{
"name": "CVE-2026-23076",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23076"
},
{
"name": "CVE-2025-68823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68823"
},
{
"name": "CVE-2025-71123",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71123"
},
{
"name": "CVE-2025-68206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68206"
},
{
"name": "CVE-2026-23394",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23394"
},
{
"name": "CVE-2025-68372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68372"
},
{
"name": "CVE-2026-23010",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23010"
},
{
"name": "CVE-2026-23112",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23112"
},
{
"name": "CVE-2025-71137",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71137"
},
{
"name": "CVE-2026-23084",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23084"
},
{
"name": "CVE-2026-23190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23190"
},
{
"name": "CVE-2026-22979",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22979"
},
{
"name": "CVE-2026-23011",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23011"
},
{
"name": "CVE-2026-23110",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23110"
},
{
"name": "CVE-2025-68809",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68809"
},
{
"name": "CVE-2025-71120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71120"
},
{
"name": "CVE-2025-68817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68817"
},
{
"name": "CVE-2025-71119",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71119"
},
{
"name": "CVE-2025-68787",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68787"
},
{
"name": "CVE-2026-23148",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23148"
},
{
"name": "CVE-2025-68782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68782"
},
{
"name": "CVE-2025-71197",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71197"
},
{
"name": "CVE-2025-68758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68758"
},
{
"name": "CVE-2026-23031",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23031"
},
{
"name": "CVE-2025-71113",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71113"
},
{
"name": "CVE-2025-71127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71127"
},
{
"name": "CVE-2026-23102",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23102"
},
{
"name": "CVE-2026-22998",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22998"
},
{
"name": "CVE-2026-23050",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23050"
},
{
"name": "CVE-2025-40325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40325"
},
{
"name": "CVE-2026-23113",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23113"
},
{
"name": "CVE-2025-68798",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68798"
},
{
"name": "CVE-2025-68336",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68336"
},
{
"name": "CVE-2025-68810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68810"
},
{
"name": "CVE-2026-23097",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23097"
},
{
"name": "CVE-2025-71198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71198"
},
{
"name": "CVE-2025-68819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68819"
},
{
"name": "CVE-2026-23231",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23231"
},
{
"name": "CVE-2025-71072",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71072"
},
{
"name": "CVE-2026-23021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23021"
},
{
"name": "CVE-2025-68732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68732"
},
{
"name": "CVE-2026-23093",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23093"
},
{
"name": "CVE-2026-46028",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46028"
},
{
"name": "CVE-2025-71183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71183"
},
{
"name": "CVE-2024-50060",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50060"
},
{
"name": "CVE-2025-68371",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68371"
},
{
"name": "CVE-2025-71091",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71091"
},
{
"name": "CVE-2026-23053",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23053"
},
{
"name": "CVE-2025-71184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71184"
},
{
"name": "CVE-2025-68263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68263"
},
{
"name": "CVE-2025-68800",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68800"
},
{
"name": "CVE-2025-68261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68261"
},
{
"name": "CVE-2025-68755",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68755"
},
{
"name": "CVE-2025-68767",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68767"
},
{
"name": "CVE-2025-68727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68727"
},
{
"name": "CVE-2026-23080",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23080"
},
{
"name": "CVE-2026-23351",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23351"
},
{
"name": "CVE-2026-23254",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23254"
},
{
"name": "CVE-2025-68264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68264"
},
{
"name": "CVE-2026-43494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43494"
},
{
"name": "CVE-2025-68764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68764"
}
],
"initial_release_date": "2026-06-19T00:00:00",
"last_revision_date": "2026-06-19T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0787",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2026-06-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8439-1",
"url": "https://ubuntu.com/security/notices/USN-8439-1"
},
{
"published_at": "2026-06-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8440-1",
"url": "https://ubuntu.com/security/notices/USN-8440-1"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8390-2",
"url": "https://ubuntu.com/security/notices/USN-8390-2"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8361-3",
"url": "https://ubuntu.com/security/notices/USN-8361-3"
},
{
"published_at": "2026-06-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8426-2",
"url": "https://ubuntu.com/security/notices/USN-8426-2"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8441-1",
"url": "https://ubuntu.com/security/notices/USN-8441-1"
}
]
}
CVE-2026-23214 (GCVE-0-2026-23214)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:21 – Updated: 2026-05-11 22:02
VLAI?
EPSS
Title
btrfs: reject new transactions if the fs is fully read-only
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject new transactions if the fs is fully read-only
[BUG]
There is a bug report where a heavily fuzzed fs is mounted with all
rescue mount options, which leads to the following warnings during
unmount:
BTRFS: Transaction aborted (error -22)
Modules linked in:
CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted
6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline]
RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611
Call Trace:
<TASK>
btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705
btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157
btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517
btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708
btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130
btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499
btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628
evict+0x5f4/0xae0 fs/inode.c:837
__dentry_kill+0x209/0x660 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661
generic_shutdown_super+0x67/0x2c0 fs/super.c:621
kill_anon_super+0x3b/0x70 fs/super.c:1289
btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127
deactivate_locked_super+0xbc/0x130 fs/super.c:474
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318
task_work_run+0x1d4/0x260 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x694/0x22f0 kernel/exit.c:971
do_group_exit+0x21c/0x2d0 kernel/exit.c:1112
__do_sys_exit_group kernel/exit.c:1123 [inline]
__se_sys_exit_group kernel/exit.c:1121 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121
x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x44f639
Code: Unable to access opcode bytes at 0x44f60f.
RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Since rescue mount options will mark the full fs read-only, there should
be no new transaction triggered.
But during unmount we will evict all inodes, which can trigger a new
transaction, and triggers warnings on a heavily corrupted fs.
[CAUSE]
Btrfs allows new transaction even on a read-only fs, this is to allow
log replay happen even on read-only mounts, just like what ext4/xfs do.
However with rescue mount options, the fs is fully read-only and cannot
be remounted read-write, thus in that case we should also reject any new
transactions.
[FIX]
If we find the fs has rescue mount options, we should treat the fs as
error, so that no new transaction can be started.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
42437a6386ffeaaf200731e73d723ea491f3fe7d , < a928eecf030a9a5dc5f5ca98332699f379b91963
(git)
Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < 3228b2eceb6c3d7e237f8a5330113dbd164fb90d (git) Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < 1972f44c189c8aacde308fa9284e474c1a5cbd9f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a928eecf030a9a5dc5f5ca98332699f379b91963",
"status": "affected",
"version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
"versionType": "git"
},
{
"lessThan": "3228b2eceb6c3d7e237f8a5330113dbd164fb90d",
"status": "affected",
"version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
"versionType": "git"
},
{
"lessThan": "1972f44c189c8aacde308fa9284e474c1a5cbd9f",
"status": "affected",
"version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject new transactions if the fs is fully read-only\n\n[BUG]\nThere is a bug report where a heavily fuzzed fs is mounted with all\nrescue mount options, which leads to the following warnings during\nunmount:\n\n BTRFS: Transaction aborted (error -22)\n Modules linked in:\n CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted\n 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline]\n RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611\n Call Trace:\n \u003cTASK\u003e\n btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705\n btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157\n btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517\n btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708\n btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130\n btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499\n btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628\n evict+0x5f4/0xae0 fs/inode.c:837\n __dentry_kill+0x209/0x660 fs/dcache.c:670\n finish_dput+0xc9/0x480 fs/dcache.c:879\n shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661\n generic_shutdown_super+0x67/0x2c0 fs/super.c:621\n kill_anon_super+0x3b/0x70 fs/super.c:1289\n btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127\n deactivate_locked_super+0xbc/0x130 fs/super.c:474\n cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318\n task_work_run+0x1d4/0x260 kernel/task_work.c:233\n exit_task_work include/linux/task_work.h:40 [inline]\n do_exit+0x694/0x22f0 kernel/exit.c:971\n do_group_exit+0x21c/0x2d0 kernel/exit.c:1112\n __do_sys_exit_group kernel/exit.c:1123 [inline]\n __se_sys_exit_group kernel/exit.c:1121 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121\n x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x44f639\n Code: Unable to access opcode bytes at 0x44f60f.\n RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\n RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639\n RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\n RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0\n R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n \u003c/TASK\u003e\n\nSince rescue mount options will mark the full fs read-only, there should\nbe no new transaction triggered.\n\nBut during unmount we will evict all inodes, which can trigger a new\ntransaction, and triggers warnings on a heavily corrupted fs.\n\n[CAUSE]\nBtrfs allows new transaction even on a read-only fs, this is to allow\nlog replay happen even on read-only mounts, just like what ext4/xfs do.\n\nHowever with rescue mount options, the fs is fully read-only and cannot\nbe remounted read-write, thus in that case we should also reject any new\ntransactions.\n\n[FIX]\nIf we find the fs has rescue mount options, we should treat the fs as\nerror, so that no new transaction can be started."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:31.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a928eecf030a9a5dc5f5ca98332699f379b91963"
},
{
"url": "https://git.kernel.org/stable/c/3228b2eceb6c3d7e237f8a5330113dbd164fb90d"
},
{
"url": "https://git.kernel.org/stable/c/1972f44c189c8aacde308fa9284e474c1a5cbd9f"
}
],
"title": "btrfs: reject new transactions if the fs is fully read-only",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23214",
"datePublished": "2026-02-18T14:21:51.507Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-05-11T22:02:31.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23053 (GCVE-0-2026-23053)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
NFS: Fix a deadlock involving nfs_release_folio()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix a deadlock involving nfs_release_folio()
Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery
waiting on kthreadd, which is attempting to reclaim memory by calling
nfs_release_folio(). The latter cannot make progress due to state
recovery being needed.
It seems that the only safe thing to do here is to kick off a writeback
of the folio, without waiting for completion, or else kicking off an
asynchronous commit.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
96780ca55e3cbf4f150fd5a833a61492c9947b5b , < a4810f8beb0122f032f10735f98d257aa6064f4c
(git)
Affected: 96780ca55e3cbf4f150fd5a833a61492c9947b5b , < 49d352bc263fe4a834233338bfaad31b3109addf (git) Affected: 96780ca55e3cbf4f150fd5a833a61492c9947b5b , < 19b4d9ab5e77843eac0429c019470c02f8710b55 (git) Affected: 96780ca55e3cbf4f150fd5a833a61492c9947b5b , < cce0be6eb4971456b703aaeafd571650d314bcca (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/file.c",
"fs/nfs/nfstrace.h",
"fs/nfs/write.c",
"include/linux/nfs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4810f8beb0122f032f10735f98d257aa6064f4c",
"status": "affected",
"version": "96780ca55e3cbf4f150fd5a833a61492c9947b5b",
"versionType": "git"
},
{
"lessThan": "49d352bc263fe4a834233338bfaad31b3109addf",
"status": "affected",
"version": "96780ca55e3cbf4f150fd5a833a61492c9947b5b",
"versionType": "git"
},
{
"lessThan": "19b4d9ab5e77843eac0429c019470c02f8710b55",
"status": "affected",
"version": "96780ca55e3cbf4f150fd5a833a61492c9947b5b",
"versionType": "git"
},
{
"lessThan": "cce0be6eb4971456b703aaeafd571650d314bcca",
"status": "affected",
"version": "96780ca55e3cbf4f150fd5a833a61492c9947b5b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/file.c",
"fs/nfs/nfstrace.h",
"fs/nfs/write.c",
"include/linux/nfs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a deadlock involving nfs_release_folio()\n\nWang Zhaolong reports a deadlock involving NFSv4.1 state recovery\nwaiting on kthreadd, which is attempting to reclaim memory by calling\nnfs_release_folio(). The latter cannot make progress due to state\nrecovery being needed.\n\nIt seems that the only safe thing to do here is to kick off a writeback\nof the folio, without waiting for completion, or else kicking off an\nasynchronous commit."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:05.561Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4810f8beb0122f032f10735f98d257aa6064f4c"
},
{
"url": "https://git.kernel.org/stable/c/49d352bc263fe4a834233338bfaad31b3109addf"
},
{
"url": "https://git.kernel.org/stable/c/19b4d9ab5e77843eac0429c019470c02f8710b55"
},
{
"url": "https://git.kernel.org/stable/c/cce0be6eb4971456b703aaeafd571650d314bcca"
}
],
"title": "NFS: Fix a deadlock involving nfs_release_folio()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23053",
"datePublished": "2026-02-04T16:04:22.574Z",
"dateReserved": "2026-01-13T15:37:45.950Z",
"dateUpdated": "2026-05-11T21:59:05.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22984 (GCVE-0-2026-22984)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-06-16 20:35
VLAI?
EPSS
Title
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.
[ idryomov: changelog ]
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < 194cfe2af4d2a1de599d39dad636b47c2f6c2c96
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 79fe3511db416d2f2edcfd93569807cb02736e5e (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < ef208ea331ef688729f64089b895ed1b49e842e3 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 2d653bb63d598ae4b096dd678744bdcc34ee89e8 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 818156caffbf55cb4d368f9c3cac64e458fb49c9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22984",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:34:59.073775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:35:08.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "194cfe2af4d2a1de599d39dad636b47c2f6c2c96",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "79fe3511db416d2f2edcfd93569807cb02736e5e",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "ef208ea331ef688729f64089b895ed1b49e842e3",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2802ef3380fa8c4a08cda51ec1f085b1a712e9e2",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2d653bb63d598ae4b096dd678744bdcc34ee89e8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "818156caffbf55cb4d368f9c3cac64e458fb49c9",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in handle_auth_done()\n\nPerform an explicit bounds check on payload_len to avoid a possible\nout-of-bounds access in the callout.\n\n[ idryomov: changelog ]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:45.105Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96"
},
{
"url": "https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e"
},
{
"url": "https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3"
},
{
"url": "https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2"
},
{
"url": "https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8"
},
{
"url": "https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9"
}
],
"title": "libceph: prevent potential out-of-bounds reads in handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22984",
"datePublished": "2026-01-23T15:24:06.245Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-06-16T20:35:08.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23144 (GCVE-0-2026-23144)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
When a context DAMON sysfs directory setup is failed after setup of attrs/
directory, subdirectories of attrs/ directory are not cleaned up. As a
result, DAMON sysfs interface is nearly broken until the system reboots,
and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c951cd3b89010c7a4751b9d4ea074007e44851e6 , < db7dfe78fc81bdd2b532d77f340fe453f2360426
(git)
Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 43964644348f6b1add3055c4a6cae8f77d892a6e (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 5651c0c391c0029541794f9c4c9597faecfd401f (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 78b4eb99751ebd37ceade78810bf94de80f7fb3a (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 9814cc832b88bd040fc2a1817c2b5469d0f7e862 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:15.595572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:21.161Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db7dfe78fc81bdd2b532d77f340fe453f2360426",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "43964644348f6b1add3055c4a6cae8f77d892a6e",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "5651c0c391c0029541794f9c4c9597faecfd401f",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "78b4eb99751ebd37ceade78810bf94de80f7fb3a",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "9814cc832b88bd040fc2a1817c2b5469d0f7e862",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: cleanup attrs subdirs on context dir setup failure\n\nWhen a context DAMON sysfs directory setup is failed after setup of attrs/\ndirectory, subdirectories of attrs/ directory are not cleaned up. As a\nresult, DAMON sysfs interface is nearly broken until the system reboots,\nand the memory for the unremoved directory is leaked.\n\nCleanup the directories under such failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:59.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db7dfe78fc81bdd2b532d77f340fe453f2360426"
},
{
"url": "https://git.kernel.org/stable/c/43964644348f6b1add3055c4a6cae8f77d892a6e"
},
{
"url": "https://git.kernel.org/stable/c/5651c0c391c0029541794f9c4c9597faecfd401f"
},
{
"url": "https://git.kernel.org/stable/c/78b4eb99751ebd37ceade78810bf94de80f7fb3a"
},
{
"url": "https://git.kernel.org/stable/c/9814cc832b88bd040fc2a1817c2b5469d0f7e862"
}
],
"title": "mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23144",
"datePublished": "2026-02-14T15:36:09.518Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-06-11T18:44:21.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71072 (GCVE-0-2025-71072)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
shmem: fix recovery on rename failures
Summary
In the Linux kernel, the following vulnerability has been resolved:
shmem: fix recovery on rename failures
maple_tree insertions can fail if we are seriously short on memory;
simple_offset_rename() does not recover well if it runs into that.
The same goes for simple_offset_rename_exchange().
Moreover, shmem_whiteout() expects that if it succeeds, the caller will
progress to d_move(), i.e. that shmem_rename2() won't fail past the
successful call of shmem_whiteout().
Not hard to fix, fortunately - mtree_store() can't fail if the index we
are trying to store into is already present in the tree as a singleton.
For simple_offset_rename_exchange() that's enough - we just need to be
careful about the order of operations.
For simple_offset_rename() solution is to preinsert the target into the
tree for new_dir; the rest can be done without any potentially failing
operations.
That preinsertion has to be done in shmem_rename2() rather than in
simple_offset_rename() itself - otherwise we'd need to deal with the
possibility of failure after successful shmem_whiteout().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a2e459555c5f9da3e619b7e47a63f98574dc75f1 , < 4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113
(git)
Affected: a2e459555c5f9da3e619b7e47a63f98574dc75f1 , < 4642686699a46718d7f2fb5acd1e9d866a9d9cca (git) Affected: a2e459555c5f9da3e619b7e47a63f98574dc75f1 , < e1b4c6a58304fd490124cc2b454d80edc786665c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/libfs.c",
"include/linux/fs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
},
{
"lessThan": "4642686699a46718d7f2fb5acd1e9d866a9d9cca",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
},
{
"lessThan": "e1b4c6a58304fd490124cc2b454d80edc786665c",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/libfs.c",
"include/linux/fs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nshmem: fix recovery on rename failures\n\nmaple_tree insertions can fail if we are seriously short on memory;\nsimple_offset_rename() does not recover well if it runs into that.\nThe same goes for simple_offset_rename_exchange().\n\nMoreover, shmem_whiteout() expects that if it succeeds, the caller will\nprogress to d_move(), i.e. that shmem_rename2() won\u0027t fail past the\nsuccessful call of shmem_whiteout().\n\nNot hard to fix, fortunately - mtree_store() can\u0027t fail if the index we\nare trying to store into is already present in the tree as a singleton.\n\nFor simple_offset_rename_exchange() that\u0027s enough - we just need to be\ncareful about the order of operations.\n\nFor simple_offset_rename() solution is to preinsert the target into the\ntree for new_dir; the rest can be done without any potentially failing\noperations.\n\nThat preinsertion has to be done in shmem_rename2() rather than in\nsimple_offset_rename() itself - otherwise we\u0027d need to deal with the\npossibility of failure after successful shmem_whiteout()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:11.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113"
},
{
"url": "https://git.kernel.org/stable/c/4642686699a46718d7f2fb5acd1e9d866a9d9cca"
},
{
"url": "https://git.kernel.org/stable/c/e1b4c6a58304fd490124cc2b454d80edc786665c"
}
],
"title": "shmem: fix recovery on rename failures",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71072",
"datePublished": "2026-01-13T15:31:26.089Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-05-11T21:54:11.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2640 (GCVE-0-2023-2640)
Vulnerability from cvelistv5 – Published: 2023-07-26 01:59 – Updated: 2024-10-23 14:59
VLAI?
EPSS
Summary
On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
Severity ?
7.8 (High)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Kernel |
Unaffected:
0 , < 6.2.0-26.26
(semver)
Unaffected: 0 , < 6.0.0-1020.20 (semver) Unaffected: 0 , < 5.4.0-155.172 (semver) |
Credits
Stonejiajia
Shir Tamari
Sagi Tzadik
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.894Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-6250-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640"
},
{
"tags": [
"technical-description",
"x_transferred"
],
"url": "https://wiz.io/blog/ubuntu-overlayfs-vulnerability"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:canonical:ubantu_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ubantu_kernel",
"vendor": "canonical",
"versions": [
{
"lessThan": "6.2.0-26.26",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.0.0-1020.20",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.4.0-155.172",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T14:57:20.015297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:59:17.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Linux",
"platforms": [
"Linux"
],
"product": "Ubuntu Kernel",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.2.0-26.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.0.0-1020.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.4.0-155.172",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stonejiajia"
},
{
"lang": "en",
"type": "finder",
"value": "Shir Tamari"
},
{
"lang": "en",
"type": "finder",
"value": "Sagi Tzadik"
}
],
"datePublic": "2023-06-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-26T01:59:23.543Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-6250-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640"
},
{
"tags": [
"technical-description"
],
"url": "https://wiz.io/blog/ubuntu-overlayfs-vulnerability"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html"
}
],
"workarounds": [
{
"lang": "en",
"value": "If not needed, disable the ability for unprivileged users\nto create namespaces. To do this temporarily, do:\n sudo sysctl -w kernel.unprivileged_userns_clone=0\nTo disable across reboots, do:\n echo kernel.unprivileged_userns_clone=0 | \\\n sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2023-2640",
"datePublished": "2023-07-26T01:59:23.543Z",
"dateReserved": "2023-05-10T21:23:35.226Z",
"dateUpdated": "2024-10-23T14:59:17.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68336 (GCVE-0-2025-68336)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
locking/spinlock/debug: Fix data-race in do_raw_write_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
locking/spinlock/debug: Fix data-race in do_raw_write_lock
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
do_raw_write_lock+0x120/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
do_raw_write_lock+0x88/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
adressed most of these races, but seems to be not consistent/not complete.
>From do_raw_write_lock() only debug_write_lock_after() part has been
converted to WRITE_ONCE(), but not debug_write_lock_before() part.
Do it now.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1a365e822372ba24c9da0822bc583894f6f3d821 , < 8e5b2cf10844402054b52b489b525dc30cc16908
(git)
Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < c228cb699a07a5f2d596d186bc5c314c99bb8bbf (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 93bd23524d63deb80fb85beb2e43fafeb1043d0f (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 39d2ef113416f1a4205b03fb0aa2e428d1412c77 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < b163a5e8c703201c905d6ec7920ed79d167e8442 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 16b3590c0e1e615757dade098c8fbc0d4f040c76 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 396a9270a7b90886be501611b13aa636f2e8c703 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < c14ecb555c3ee80eeb030a4e46d00e679537f03a (git) Affected: 3106fb78d3579c8e9c9b3040f7f7841981919624 (git) Affected: c0911024ff927ba5c4786b507004cb615be1d776 (git) Affected: 09226e5c38639437565af01e6009a9286a351d04 (git) Affected: c7673f01604fa722b9d7c1e29e17cec1b8ae09c5 (git) Affected: c120c3dbeb76305235c8e557f84d9e2d7d0f5933 (git) Affected: 4.4.209 , < 4.5 (semver) Affected: 4.9.209 , < 4.10 (semver) Affected: 4.14.164 , < 4.15 (semver) Affected: 4.19.95 , < 4.20 (semver) Affected: 5.4.11 , < 5.5 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/locking/spinlock_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e5b2cf10844402054b52b489b525dc30cc16908",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "c228cb699a07a5f2d596d186bc5c314c99bb8bbf",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "93bd23524d63deb80fb85beb2e43fafeb1043d0f",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "39d2ef113416f1a4205b03fb0aa2e428d1412c77",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "b163a5e8c703201c905d6ec7920ed79d167e8442",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "16b3590c0e1e615757dade098c8fbc0d4f040c76",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "396a9270a7b90886be501611b13aa636f2e8c703",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "c14ecb555c3ee80eeb030a4e46d00e679537f03a",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"status": "affected",
"version": "3106fb78d3579c8e9c9b3040f7f7841981919624",
"versionType": "git"
},
{
"status": "affected",
"version": "c0911024ff927ba5c4786b507004cb615be1d776",
"versionType": "git"
},
{
"status": "affected",
"version": "09226e5c38639437565af01e6009a9286a351d04",
"versionType": "git"
},
{
"status": "affected",
"version": "c7673f01604fa722b9d7c1e29e17cec1b8ae09c5",
"versionType": "git"
},
{
"status": "affected",
"version": "c120c3dbeb76305235c8e557f84d9e2d7d0f5933",
"versionType": "git"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.209",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.209",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.164",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.95",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/locking/spinlock_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/spinlock/debug: Fix data-race in do_raw_write_lock\n\nKCSAN reports:\n\nBUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock\n\nwrite (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:\n do_raw_write_lock+0x120/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nread to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:\n do_raw_write_lock+0x88/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nvalue changed: 0xffffffff -\u003e 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111\n\nCommit 1a365e822372 (\"locking/spinlock/debug: Fix various data races\") has\nadressed most of these races, but seems to be not consistent/not complete.\n\n\u003eFrom do_raw_write_lock() only debug_write_lock_after() part has been\nconverted to WRITE_ONCE(), but not debug_write_lock_before() part.\nDo it now."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:42.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e5b2cf10844402054b52b489b525dc30cc16908"
},
{
"url": "https://git.kernel.org/stable/c/c228cb699a07a5f2d596d186bc5c314c99bb8bbf"
},
{
"url": "https://git.kernel.org/stable/c/93bd23524d63deb80fb85beb2e43fafeb1043d0f"
},
{
"url": "https://git.kernel.org/stable/c/39d2ef113416f1a4205b03fb0aa2e428d1412c77"
},
{
"url": "https://git.kernel.org/stable/c/b163a5e8c703201c905d6ec7920ed79d167e8442"
},
{
"url": "https://git.kernel.org/stable/c/16b3590c0e1e615757dade098c8fbc0d4f040c76"
},
{
"url": "https://git.kernel.org/stable/c/396a9270a7b90886be501611b13aa636f2e8c703"
},
{
"url": "https://git.kernel.org/stable/c/c14ecb555c3ee80eeb030a4e46d00e679537f03a"
}
],
"title": "locking/spinlock/debug: Fix data-race in do_raw_write_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68336",
"datePublished": "2025-12-22T16:14:13.425Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-05-23T16:02:42.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23099 (GCVE-0-2026-23099)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-19 11:57
VLAI?
EPSS
Title
bonding: limit BOND_MODE_8023AD to Ethernet devices
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: limit BOND_MODE_8023AD to Ethernet devices
BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
syzbot reported:
BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
__hw_addr_create net/core/dev_addr_lists.c:63 [inline]
__hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:868 [inline]
dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
rtnl_changelink net/core/rtnetlink.c:3776 [inline]
__rtnl_newlink net/core/rtnetlink.c:3935 [inline]
rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x820 net/socket.c:2592
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
__sys_sendmsg+0x164/0x220 net/socket.c:2678
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
</TASK>
The buggy address belongs to the variable:
lacpdu_mcast_addr+0x0/0x40
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
872254dd6b1f80cb95ee9e2e22980888533fc293 , < 19266182b82e9100c799d8a29f5e0452f0bf7703
(git)
Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < 72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4 (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < 5063b2cd9b27d35ab788d707d7858ded0acc8f1d (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < 80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < ef68afb1bee8d35a18896c27d7358079353d8d8a (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < 43dee6f7ef1d228821de1b61c292af3744c8d7da (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23099",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:44.652755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:04.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19266182b82e9100c799d8a29f5e0452f0bf7703",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "5063b2cd9b27d35ab788d707d7858ded0acc8f1d",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "ef68afb1bee8d35a18896c27d7358079353d8d8a",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "43dee6f7ef1d228821de1b61c292af3744c8d7da",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: limit BOND_MODE_8023AD to Ethernet devices\n\nBOND_MODE_8023AD makes sense for ARPHRD_ETHER only.\n\nsyzbot reported:\n\n BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\nRead of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497\n\nCPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\n __dev_mc_add net/core/dev_addr_lists.c:868 [inline]\n dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886\n bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180\n do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963\n do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165\n rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072\n rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n ____sys_sendmsg+0x505/0x820 net/socket.c:2592\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646\n __sys_sendmsg+0x164/0x220 net/socket.c:2678\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307\n do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n \u003c/TASK\u003e\n\nThe buggy address belongs to the variable:\n lacpdu_mcast_addr+0x0/0x40"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:30.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19266182b82e9100c799d8a29f5e0452f0bf7703"
},
{
"url": "https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4"
},
{
"url": "https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d"
},
{
"url": "https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d"
},
{
"url": "https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a"
},
{
"url": "https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da"
},
{
"url": "https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6"
}
],
"title": "bonding: limit BOND_MODE_8023AD to Ethernet devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23099",
"datePublished": "2026-02-04T16:08:21.601Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-06-19T11:57:30.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23146 (GCVE-0-2026-23146)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
hci_uart_register_dev(), which calls proto->open() to initialize
hu->priv. However, if a TTY write wakeup occurs during this window,
hci_uart_tx_wakeup() may schedule write_work before hu->priv is
initialized, leading to a NULL pointer dereference in
hci_uart_write_work() when proto->dequeue() accesses hu->priv.
The race condition is:
CPU0 CPU1
---- ----
hci_uart_set_proto()
set_bit(HCI_UART_PROTO_INIT)
hci_uart_register_dev()
tty write wakeup
hci_uart_tty_wakeup()
hci_uart_tx_wakeup()
schedule_work(&hu->write_work)
proto->open(hu)
// initializes hu->priv
hci_uart_write_work()
hci_uart_dequeue()
proto->dequeue(hu)
// accesses hu->priv (NULL!)
Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
succeeds, ensuring hu->priv is initialized before any work can be
scheduled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a40f94f7caa8d3421b64f63ac31bc0f24c890f39 , < b0a900939e7e4866d9b90e9112514b72c451e873
(git)
Affected: 9e5a0f5777162e503400c70c6ed25fbbe2d38799 , < ccc683f597ceb28deb966427ae948e5ac739a909 (git) Affected: 80f14e9de6a43a0bd8194cad1003a3e6dcbc3984 , < 937a573423ce5a96fdb1fd425dc6b8d8d4ab5779 (git) Affected: 02e1bcdfdf769974e7e9fa285e295cd9852e2a38 , < 186d147cf7689ba1f9b3ddb753ab634a84940cc9 (git) Affected: 281782d2c6730241e300d630bb9f200d831ede71 , < 53e54cb31e667fca05b1808b990eac0807d1dab0 (git) Affected: 5df5dafc171b90d0b8d51547a82657cd5a1986c7 , < 03e8c90c62233382042b7bd0fa8b8900552fdb62 (git) Affected: 5df5dafc171b90d0b8d51547a82657cd5a1986c7 , < 0c3cd7a0b862c37acbee6d9502107146cc944398 (git) Affected: 1dcf08fcff5ca529de6dc0395091f28854f4e54a (git) Affected: 8e5aff600539e5faea294d9612cca50220e602b8 (git) Affected: db7509fa110dd9b11134b75894677f30353b2c51 (git) Affected: 5.10.237 , < 5.10.249 (semver) Affected: 5.15.181 , < 5.15.199 (semver) Affected: 6.1.135 , < 6.1.162 (semver) Affected: 6.6.88 , < 6.6.123 (semver) Affected: 6.12.24 , < 6.12.69 (semver) Affected: 5.4.293 , < 5.5 (semver) Affected: 6.13.12 , < 6.14 (semver) Affected: 6.14.3 , < 6.15 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:53.104941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:17.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0a900939e7e4866d9b90e9112514b72c451e873",
"status": "affected",
"version": "a40f94f7caa8d3421b64f63ac31bc0f24c890f39",
"versionType": "git"
},
{
"lessThan": "ccc683f597ceb28deb966427ae948e5ac739a909",
"status": "affected",
"version": "9e5a0f5777162e503400c70c6ed25fbbe2d38799",
"versionType": "git"
},
{
"lessThan": "937a573423ce5a96fdb1fd425dc6b8d8d4ab5779",
"status": "affected",
"version": "80f14e9de6a43a0bd8194cad1003a3e6dcbc3984",
"versionType": "git"
},
{
"lessThan": "186d147cf7689ba1f9b3ddb753ab634a84940cc9",
"status": "affected",
"version": "02e1bcdfdf769974e7e9fa285e295cd9852e2a38",
"versionType": "git"
},
{
"lessThan": "53e54cb31e667fca05b1808b990eac0807d1dab0",
"status": "affected",
"version": "281782d2c6730241e300d630bb9f200d831ede71",
"versionType": "git"
},
{
"lessThan": "03e8c90c62233382042b7bd0fa8b8900552fdb62",
"status": "affected",
"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7",
"versionType": "git"
},
{
"lessThan": "0c3cd7a0b862c37acbee6d9502107146cc944398",
"status": "affected",
"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7",
"versionType": "git"
},
{
"status": "affected",
"version": "1dcf08fcff5ca529de6dc0395091f28854f4e54a",
"versionType": "git"
},
{
"status": "affected",
"version": "8e5aff600539e5faea294d9612cca50220e602b8",
"versionType": "git"
},
{
"status": "affected",
"version": "db7509fa110dd9b11134b75894677f30353b2c51",
"versionType": "git"
},
{
"lessThan": "5.10.249",
"status": "affected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThan": "5.15.199",
"status": "affected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThan": "6.1.162",
"status": "affected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThan": "6.6.123",
"status": "affected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThan": "6.12.69",
"status": "affected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThan": "6.15",
"status": "affected",
"version": "6.14.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work\n\nhci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling\nhci_uart_register_dev(), which calls proto-\u003eopen() to initialize\nhu-\u003epriv. However, if a TTY write wakeup occurs during this window,\nhci_uart_tx_wakeup() may schedule write_work before hu-\u003epriv is\ninitialized, leading to a NULL pointer dereference in\nhci_uart_write_work() when proto-\u003edequeue() accesses hu-\u003epriv.\n\nThe race condition is:\n\n CPU0 CPU1\n ---- ----\n hci_uart_set_proto()\n set_bit(HCI_UART_PROTO_INIT)\n hci_uart_register_dev()\n tty write wakeup\n hci_uart_tty_wakeup()\n hci_uart_tx_wakeup()\n schedule_work(\u0026hu-\u003ewrite_work)\n proto-\u003eopen(hu)\n // initializes hu-\u003epriv\n hci_uart_write_work()\n hci_uart_dequeue()\n proto-\u003edequeue(hu)\n // accesses hu-\u003epriv (NULL!)\n\nFix this by moving set_bit(HCI_UART_PROTO_INIT) after proto-\u003eopen()\nsucceeds, ensuring hu-\u003epriv is initialized before any work can be\nscheduled."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:57.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873"
},
{
"url": "https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909"
},
{
"url": "https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779"
},
{
"url": "https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9"
},
{
"url": "https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0"
},
{
"url": "https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62"
},
{
"url": "https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398"
}
],
"title": "Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23146",
"datePublished": "2026-02-14T16:01:16.169Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-06-11T18:44:17.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43077 (GCVE-0-2026-43077)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-05-11 22:17
VLAI?
EPSS
Title
crypto: algif_aead - Fix minimum RX size check for decryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Fix minimum RX size check for decryption
The check for the minimum receive buffer size did not take the
tag size into account during decryption. Fix this by adding the
required extra length.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 74a66fdb5282d89e348b00c42cfca3a936946d94
(git)
Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < fd427dd84f224309afbcc2cb67c7bb770a01265c (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 1c76b5675119f694458293a2a81f40731c69bd32 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < e86ab1e5661386a874fbb8551f0c04b8e9f8ad22 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < af2fa2fbbced26129813274b8b3f7705f280e174 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 78cea133daf721698876e56135049a96d39d610a (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 3afdc15d6173614d7d834517d9b65e7aa5a08548 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 3d14bd48e3a77091cbce637a12c2ae31b4a1687c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/algif_aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74a66fdb5282d89e348b00c42cfca3a936946d94",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "fd427dd84f224309afbcc2cb67c7bb770a01265c",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "1c76b5675119f694458293a2a81f40731c69bd32",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "e86ab1e5661386a874fbb8551f0c04b8e9f8ad22",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "af2fa2fbbced26129813274b8b3f7705f280e174",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "78cea133daf721698876e56135049a96d39d610a",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "3afdc15d6173614d7d834517d9b65e7aa5a08548",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "3d14bd48e3a77091cbce637a12c2ae31b4a1687c",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/algif_aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Fix minimum RX size check for decryption\n\nThe check for the minimum receive buffer size did not take the\ntag size into account during decryption. Fix this by adding the\nrequired extra length."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:17:16.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74a66fdb5282d89e348b00c42cfca3a936946d94"
},
{
"url": "https://git.kernel.org/stable/c/fd427dd84f224309afbcc2cb67c7bb770a01265c"
},
{
"url": "https://git.kernel.org/stable/c/1c76b5675119f694458293a2a81f40731c69bd32"
},
{
"url": "https://git.kernel.org/stable/c/e86ab1e5661386a874fbb8551f0c04b8e9f8ad22"
},
{
"url": "https://git.kernel.org/stable/c/af2fa2fbbced26129813274b8b3f7705f280e174"
},
{
"url": "https://git.kernel.org/stable/c/78cea133daf721698876e56135049a96d39d610a"
},
{
"url": "https://git.kernel.org/stable/c/3afdc15d6173614d7d834517d9b65e7aa5a08548"
},
{
"url": "https://git.kernel.org/stable/c/3d14bd48e3a77091cbce637a12c2ae31b4a1687c"
}
],
"title": "crypto: algif_aead - Fix minimum RX size check for decryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43077",
"datePublished": "2026-05-06T07:40:14.409Z",
"dateReserved": "2026-05-01T14:12:55.983Z",
"dateUpdated": "2026-05-11T22:17:16.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68206 (GCVE-0-2025-68206)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2026-05-11 21:48
VLAI?
EPSS
Title
netfilter: nft_ct: add seqadj extension for natted connections
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: add seqadj extension for natted connections
Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
due to need to re-write packet payload (IP, port) on the ftp control
connection. This can require changes to the TCP length and expected
seq / ack_seq.
The easiest way to reproduce this issue is with PASV mode.
Example ruleset:
table inet ftp_nat {
ct helper ftp_helper {
type "ftp" protocol tcp
l3proto inet
}
chain prerouting {
type filter hook prerouting priority 0; policy accept;
tcp dport 21 ct state new ct helper set "ftp_helper"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
tcp dport 21 dnat ip prefix to ip daddr map {
192.168.100.1 : 192.168.13.2/32 }
}
chain postrouting {
type nat hook postrouting priority 100 ; policy accept;
tcp sport 21 snat ip prefix to ip saddr map {
192.168.13.2 : 192.168.100.1/32 }
}
}
Note that the ftp helper gets assigned *after* the dnat setup.
The inverse (nat after helper assign) is handled by an existing
check in nf_nat_setup_info() and will not show the problem.
Topoloy:
+-------------------+ +----------------------------------+
| FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+-------------------+ +----------------------------------+
|
+-----------------------+
| Client: 192.168.100.2 |
+-----------------------+
ftp nat changes do not work as expected in this case:
Connected to 192.168.100.1.
[..]
ftp> epsv
EPSV/EPRT on IPv4 off.
ftp> ls
227 Entering passive mode (192,168,100,1,209,129).
421 Service not available, remote server has closed connection.
Kernel logs:
Missing nfct_seqadj_ext_add() setup call
WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
[..]
__nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
help+0x4d1/0x880 [nf_conntrack_ftp]
nf_confirm+0x122/0x2e0 [nf_conntrack]
nf_hook_slow+0x3c/0xb0
..
Fix this by adding the required extension when a conntrack helper is assigned
to a connection that has a nat binding.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 83273af0b60c093ba0085c205864d8542e1b1653
(git)
Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < b19492c25eff04852e0cb58f9bb8238b6695ed2d (git) Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 4de80f0dc3868408dd7fe9817e507123c9dd8bb0 (git) Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < b477ef7fa612fa45b6b3134d90d1eeb09396500a (git) Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 4ab2cd906e4e1a19ddbda6eb532851b0e9cda110 (git) Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6 (git) Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 90918e3b6404c2a37837b8f11692471b4c512de2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83273af0b60c093ba0085c205864d8542e1b1653",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "b19492c25eff04852e0cb58f9bb8238b6695ed2d",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "4de80f0dc3868408dd7fe9817e507123c9dd8bb0",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "b477ef7fa612fa45b6b3134d90d1eeb09396500a",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "4ab2cd906e4e1a19ddbda6eb532851b0e9cda110",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "90918e3b6404c2a37837b8f11692471b4c512de2",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: add seqadj extension for natted connections\n\nSequence adjustment may be required for FTP traffic with PASV/EPSV modes.\ndue to need to re-write packet payload (IP, port) on the ftp control\nconnection. This can require changes to the TCP length and expected\nseq / ack_seq.\n\nThe easiest way to reproduce this issue is with PASV mode.\nExample ruleset:\ntable inet ftp_nat {\n ct helper ftp_helper {\n type \"ftp\" protocol tcp\n l3proto inet\n }\n\n chain prerouting {\n type filter hook prerouting priority 0; policy accept;\n tcp dport 21 ct state new ct helper set \"ftp_helper\"\n }\n}\ntable ip nat {\n chain prerouting {\n type nat hook prerouting priority -100; policy accept;\n tcp dport 21 dnat ip prefix to ip daddr map {\n\t\t\t192.168.100.1 : 192.168.13.2/32 }\n }\n\n chain postrouting {\n type nat hook postrouting priority 100 ; policy accept;\n tcp sport 21 snat ip prefix to ip saddr map {\n\t\t\t192.168.13.2 : 192.168.100.1/32 }\n }\n}\n\nNote that the ftp helper gets assigned *after* the dnat setup.\n\nThe inverse (nat after helper assign) is handled by an existing\ncheck in nf_nat_setup_info() and will not show the problem.\n\nTopoloy:\n\n +-------------------+ +----------------------------------+\n | FTP: 192.168.13.2 | \u003c-\u003e | NAT: 192.168.13.3, 192.168.100.1 |\n +-------------------+ +----------------------------------+\n |\n +-----------------------+\n | Client: 192.168.100.2 |\n +-----------------------+\n\nftp nat changes do not work as expected in this case:\nConnected to 192.168.100.1.\n[..]\nftp\u003e epsv\nEPSV/EPRT on IPv4 off.\nftp\u003e ls\n227 Entering passive mode (192,168,100,1,209,129).\n421 Service not available, remote server has closed connection.\n\nKernel logs:\nMissing nfct_seqadj_ext_add() setup call\nWARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41\n[..]\n __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]\n nf_nat_ftp+0x142/0x280 [nf_nat_ftp]\n help+0x4d1/0x880 [nf_conntrack_ftp]\n nf_confirm+0x122/0x2e0 [nf_conntrack]\n nf_hook_slow+0x3c/0xb0\n ..\n\nFix this by adding the required extension when a conntrack helper is assigned\nto a connection that has a nat binding."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:48:46.075Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83273af0b60c093ba0085c205864d8542e1b1653"
},
{
"url": "https://git.kernel.org/stable/c/b19492c25eff04852e0cb58f9bb8238b6695ed2d"
},
{
"url": "https://git.kernel.org/stable/c/4de80f0dc3868408dd7fe9817e507123c9dd8bb0"
},
{
"url": "https://git.kernel.org/stable/c/b477ef7fa612fa45b6b3134d90d1eeb09396500a"
},
{
"url": "https://git.kernel.org/stable/c/4ab2cd906e4e1a19ddbda6eb532851b0e9cda110"
},
{
"url": "https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6"
},
{
"url": "https://git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2"
}
],
"title": "netfilter: nft_ct: add seqadj extension for natted connections",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68206",
"datePublished": "2025-12-16T13:48:33.763Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2026-05-11T21:48:46.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23087 (GCVE-0-2026-23087)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
Memory allocated for struct vscsiblk_info in scsiback_probe() is not
freed in scsiback_remove() leading to potential memory leaks on remove,
as well as in the scsiback_probe() error paths. Fix that by freeing it
in scsiback_remove().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d9d660f6e562a47b4065eeb7e538910b0471b988 , < a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9
(git)
Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 427b0fb30ddec3bad05dcd73b00718f98c7026d2 (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 4a975c72429b050c234405668b742cdecc11548e (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < f86264ec0e2b102fcd49bf3e4f32fee669d482fc (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 32e52b56056daf0f0881fd9254706acf25b4be97 (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 24c441f0e24da175d7912095663f526ac480dc4f (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 901a5f309daba412e2a30364d7ec1492fa11c32c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/xen-scsiback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "427b0fb30ddec3bad05dcd73b00718f98c7026d2",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "4a975c72429b050c234405668b742cdecc11548e",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "f86264ec0e2b102fcd49bf3e4f32fee669d482fc",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "32e52b56056daf0f0881fd9254706acf25b4be97",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "24c441f0e24da175d7912095663f526ac480dc4f",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "901a5f309daba412e2a30364d7ec1492fa11c32c",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/xen-scsiback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: xen: scsiback: Fix potential memory leak in scsiback_remove()\n\nMemory allocated for struct vscsiblk_info in scsiback_probe() is not\nfreed in scsiback_remove() leading to potential memory leaks on remove,\nas well as in the scsiback_probe() error paths. Fix that by freeing it\nin scsiback_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:44.956Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9"
},
{
"url": "https://git.kernel.org/stable/c/427b0fb30ddec3bad05dcd73b00718f98c7026d2"
},
{
"url": "https://git.kernel.org/stable/c/4a975c72429b050c234405668b742cdecc11548e"
},
{
"url": "https://git.kernel.org/stable/c/f86264ec0e2b102fcd49bf3e4f32fee669d482fc"
},
{
"url": "https://git.kernel.org/stable/c/32e52b56056daf0f0881fd9254706acf25b4be97"
},
{
"url": "https://git.kernel.org/stable/c/24c441f0e24da175d7912095663f526ac480dc4f"
},
{
"url": "https://git.kernel.org/stable/c/901a5f309daba412e2a30364d7ec1492fa11c32c"
}
],
"title": "scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23087",
"datePublished": "2026-02-04T16:08:10.941Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-05-11T21:59:44.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22976 (GCVE-0-2026-22976)
Vulnerability from cvelistv5 – Published: 2026-01-21 06:57 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class
itself is active.
Two qfq_class objects may point to the same leaf_qdisc. This happens
when:
1. one QFQ qdisc is attached to the dev as the root qdisc, and
2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()
/ qdisc_put()) and is pending to be destroyed, as in function
tc_new_tfilter.
When packets are enqueued through the root QFQ qdisc, the shared
leaf_qdisc->q.qlen increases. At the same time, the second QFQ
qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters
qfq_reset() with its own q->q.qlen == 0, but its class's leaf
qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate
an inactive aggregate and trigger a null-deref in qfq_deactivate_agg:
[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 0.903571] #PF: supervisor write access in kernel mode
[ 0.903860] #PF: error_code(0x0002) - not-present page
[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0
[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI
[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE
[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))
[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0
Code starting with the faulting instruction
===========================================
0: 0f 84 4d 01 00 00 je 0x153
6: 48 89 70 18 mov %rsi,0x18(%rax)
a: 8b 4b 10 mov 0x10(%rbx),%ecx
d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx
14: 48 8b 78 08 mov 0x8(%rax),%rdi
18: 48 d3 e2 shl %cl,%rdx
1b: 48 21 f2 and %rsi,%rdx
1e: 48 2b 13 sub (%rbx),%rdx
21: 48 8b 30 mov (%rax),%rsi
24: 48 d3 ea shr %cl,%rdx
27: 8b 4b 18 mov 0x18(%rbx),%ecx
...
[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246
[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000
[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000
[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000
[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880
[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000
[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0
[ 0.910247] PKRU: 55555554
[ 0.910391] Call Trace:
[ 0.910527] <TASK>
[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)
[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)
[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)
[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)
[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)
[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)
[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)
[ 0.912484] netlink_sendmsg (net/netlink/af
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0545a3037773512d3448557ba048cebb73b3e4af , < 6116a83ec167d3ab1390cded854d237481f41b63
(git)
Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < 0809c4bc06c9c961222df29f2eccfd449304056f (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < cdb24200b043438a144df501f1ebbd926bb1a2c7 (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < 11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < 43497313d0da3e12b5cfcd97aa17bf48ee663f95 (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < 51ffd447bc37bf1a5776b85523f51d2bc69977f6 (git) Affected: 0545a3037773512d3448557ba048cebb73b3e4af , < c1d73b1480235731e35c81df70b08f4714a7d095 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:46.449Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:23.375903Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:22.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6116a83ec167d3ab1390cded854d237481f41b63",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "0809c4bc06c9c961222df29f2eccfd449304056f",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "cdb24200b043438a144df501f1ebbd926bb1a2c7",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "43497313d0da3e12b5cfcd97aa17bf48ee663f95",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "51ffd447bc37bf1a5776b85523f51d2bc69977f6",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "c1d73b1480235731e35c81df70b08f4714a7d095",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset\n\n`qfq_class-\u003eleaf_qdisc-\u003eq.qlen \u003e 0` does not imply that the class\nitself is active.\n\nTwo qfq_class objects may point to the same leaf_qdisc. This happens\nwhen:\n\n1. one QFQ qdisc is attached to the dev as the root qdisc, and\n\n2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()\n/ qdisc_put()) and is pending to be destroyed, as in function\ntc_new_tfilter.\n\nWhen packets are enqueued through the root QFQ qdisc, the shared\nleaf_qdisc-\u003eq.qlen increases. At the same time, the second QFQ\nqdisc triggers qdisc_put and qdisc_destroy: the qdisc enters\nqfq_reset() with its own q-\u003eq.qlen == 0, but its class\u0027s leaf\nqdisc-\u003eq.qlen \u003e 0. Therefore, the qfq_reset would wrongly deactivate\nan inactive aggregate and trigger a null-deref in qfq_deactivate_agg:\n\n[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 0.903571] #PF: supervisor write access in kernel mode\n[ 0.903860] #PF: error_code(0x0002) - not-present page\n[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0\n[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI\n[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE\n[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))\n[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0\n\nCode starting with the faulting instruction\n===========================================\n 0:\t0f 84 4d 01 00 00 \tje 0x153\n 6:\t48 89 70 18 \tmov %rsi,0x18(%rax)\n a:\t8b 4b 10 \tmov 0x10(%rbx),%ecx\n d:\t48 c7 c2 ff ff ff ff \tmov $0xffffffffffffffff,%rdx\n 14:\t48 8b 78 08 \tmov 0x8(%rax),%rdi\n 18:\t48 d3 e2 \tshl %cl,%rdx\n 1b:\t48 21 f2 \tand %rsi,%rdx\n 1e:\t48 2b 13 \tsub (%rbx),%rdx\n 21:\t48 8b 30 \tmov (%rax),%rsi\n 24:\t48 d3 ea \tshr %cl,%rdx\n 27:\t8b 4b 18 \tmov 0x18(%rbx),%ecx\n\t...\n[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246\n[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000\n[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000\n[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000\n[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880\n[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000\n[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0\n[ 0.910247] PKRU: 55555554\n[ 0.910391] Call Trace:\n[ 0.910527] \u003cTASK\u003e\n[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)\n[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)\n[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)\n[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)\n[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\n[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)\n[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)\n[ 0.912484] netlink_sendmsg (net/netlink/af\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:35.535Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63"
},
{
"url": "https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f"
},
{
"url": "https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7"
},
{
"url": "https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb"
},
{
"url": "https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95"
},
{
"url": "https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6"
},
{
"url": "https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095"
}
],
"title": "net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22976",
"datePublished": "2026-01-21T06:57:23.939Z",
"dateReserved": "2026-01-13T15:37:45.935Z",
"dateUpdated": "2026-06-11T18:44:22.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71114 (GCVE-0-2025-71114)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
via_wdt: fix critical boot hang due to unnamed resource allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
via_wdt: fix critical boot hang due to unnamed resource allocation
The VIA watchdog driver uses allocate_resource() to reserve a MMIO
region for the watchdog control register. However, the allocated
resource was not given a name, which causes the kernel resource tree
to contain an entry marked as "<BAD>" under /proc/iomem on x86
platforms.
During boot, this unnamed resource can lead to a critical hang because
subsequent resource lookups and conflict checks fail to handle the
invalid entry properly.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < 1d56025a3af50db0f3da2792f41eb9943eee5324
(git)
Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < c7b986adc9e9336066350542ac5a2005d305ae78 (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < 47c910965c936724070d2a8094a4c3ed8f452856 (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < f7b6370d0fbee06a867037d675797a606cb62e57 (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < c6a2dd4f2e4e6cbdfe7a1618160281af897b75db (git) Affected: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d , < 7aa31ee9ec92915926e74731378c009c9cc04928 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:15.646108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:10.462Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/watchdog/via_wdt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d56025a3af50db0f3da2792f41eb9943eee5324",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "c7b986adc9e9336066350542ac5a2005d305ae78",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "47c910965c936724070d2a8094a4c3ed8f452856",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "f7b6370d0fbee06a867037d675797a606cb62e57",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "c6a2dd4f2e4e6cbdfe7a1618160281af897b75db",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "7aa31ee9ec92915926e74731378c009c9cc04928",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/watchdog/via_wdt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvia_wdt: fix critical boot hang due to unnamed resource allocation\n\nThe VIA watchdog driver uses allocate_resource() to reserve a MMIO\nregion for the watchdog control register. However, the allocated\nresource was not given a name, which causes the kernel resource tree\nto contain an entry marked as \"\u003cBAD\u003e\" under /proc/iomem on x86\nplatforms.\n\nDuring boot, this unnamed resource can lead to a critical hang because\nsubsequent resource lookups and conflict checks fail to handle the\ninvalid entry properly."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:08.117Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d56025a3af50db0f3da2792f41eb9943eee5324"
},
{
"url": "https://git.kernel.org/stable/c/c7b986adc9e9336066350542ac5a2005d305ae78"
},
{
"url": "https://git.kernel.org/stable/c/47c910965c936724070d2a8094a4c3ed8f452856"
},
{
"url": "https://git.kernel.org/stable/c/d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d"
},
{
"url": "https://git.kernel.org/stable/c/f7b6370d0fbee06a867037d675797a606cb62e57"
},
{
"url": "https://git.kernel.org/stable/c/c6a2dd4f2e4e6cbdfe7a1618160281af897b75db"
},
{
"url": "https://git.kernel.org/stable/c/7aa31ee9ec92915926e74731378c009c9cc04928"
}
],
"title": "via_wdt: fix critical boot hang due to unnamed resource allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71114",
"datePublished": "2026-01-14T15:06:00.848Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-06-11T18:44:10.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68366 (GCVE-0-2025-68366)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-06-16 19:12
VLAI?
EPSS
Title
nbd: defer config unlock in nbd_genl_connect
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 330d688a5ca53857828081a3cf31b92ad1b0b3ed
(git)
Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < cd93db1b1b4460e6ee77564024ea461e5940f69c (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < ae3e7bc1f4b393ae20e5c85583eb2c6977374716 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 2e5e0665a594f076ef2b9439447bae8be293d09d (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < c9b99c948b4fb014812afe7b5ccf2db121d22e46 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 9a38306643874566d20f7aba7dff9e6f657b51a9 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < c9e805f6a35d1dd189a9345595a5c20e87611942 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 1649714b930f9ea6233ce0810ba885999da3b5d4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:12:23.169488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:12:35.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "330d688a5ca53857828081a3cf31b92ad1b0b3ed",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "cd93db1b1b4460e6ee77564024ea461e5940f69c",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "ae3e7bc1f4b393ae20e5c85583eb2c6977374716",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "2e5e0665a594f076ef2b9439447bae8be293d09d",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9b99c948b4fb014812afe7b5ccf2db121d22e46",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "9a38306643874566d20f7aba7dff9e6f657b51a9",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9e805f6a35d1dd189a9345595a5c20e87611942",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "1649714b930f9ea6233ce0810ba885999da3b5d4",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config unlock in nbd_genl_connect\n\nThere is one use-after-free warning when running NBD_CMD_CONNECT and\nNBD_CLEAR_SOCK:\n\nnbd_genl_connect\n nbd_alloc_and_init_config // config_refs=1\n nbd_start_device // config_refs=2\n set NBD_RT_HAS_CONFIG_REF\t\t\topen nbd // config_refs=3\n recv_work done // config_refs=2\n\t\t\t\t\t\tNBD_CLEAR_SOCK // config_refs=1\n\t\t\t\t\t\tclose nbd // config_refs=0\n refcount_inc -\u003e uaf\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290\n nbd_genl_connect+0x16d0/0x1ab0\n genl_family_rcv_msg_doit+0x1f3/0x310\n genl_rcv_msg+0x44a/0x790\n\nThe issue can be easily reproduced by adding a small delay before\nrefcount_inc(\u0026nbd-\u003econfig_refs) in nbd_genl_connect():\n\n mutex_unlock(\u0026nbd-\u003econfig_lock);\n if (!ret) {\n set_bit(NBD_RT_HAS_CONFIG_REF, \u0026config-\u003eruntime_flags);\n+ printk(\"before sleep\\n\");\n+ mdelay(5 * 1000);\n+ printk(\"after sleep\\n\");\n refcount_inc(\u0026nbd-\u003econfig_refs);\n nbd_connect_reply(info, nbd-\u003eindex);\n }"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:48.993Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/330d688a5ca53857828081a3cf31b92ad1b0b3ed"
},
{
"url": "https://git.kernel.org/stable/c/cd93db1b1b4460e6ee77564024ea461e5940f69c"
},
{
"url": "https://git.kernel.org/stable/c/ae3e7bc1f4b393ae20e5c85583eb2c6977374716"
},
{
"url": "https://git.kernel.org/stable/c/2e5e0665a594f076ef2b9439447bae8be293d09d"
},
{
"url": "https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46"
},
{
"url": "https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9"
},
{
"url": "https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942"
},
{
"url": "https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4"
}
],
"title": "nbd: defer config unlock in nbd_genl_connect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68366",
"datePublished": "2025-12-24T10:32:53.399Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-06-16T19:12:35.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23142 (GCVE-0-2026-23142)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
When a DAMOS-scheme DAMON sysfs directory setup fails after setup of
access_pattern/ directory, subdirectories of access_pattern/ directory are
not cleaned up. As a result, DAMON sysfs interface is nearly broken until
the system reboots, and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < ae8ac0066b48ed957bdcab58f0d3543549c57a29
(git)
Affected: 9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < e9711bd0e64812c694a228cf58c9e6032decee54 (git) Affected: 9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < 16236b0b4a08fa3e326cf1373ef789dabdc2e30d (git) Affected: 9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < 725d4fdaa01bd1161782081f419e1568cc7432e0 (git) Affected: 9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < 392b3d9d595f34877dd745b470c711e8ebcd225c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs-schemes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae8ac0066b48ed957bdcab58f0d3543549c57a29",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
},
{
"lessThan": "e9711bd0e64812c694a228cf58c9e6032decee54",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
},
{
"lessThan": "16236b0b4a08fa3e326cf1373ef789dabdc2e30d",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
},
{
"lessThan": "725d4fdaa01bd1161782081f419e1568cc7432e0",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
},
{
"lessThan": "392b3d9d595f34877dd745b470c711e8ebcd225c",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs-schemes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure\n\nWhen a DAMOS-scheme DAMON sysfs directory setup fails after setup of\naccess_pattern/ directory, subdirectories of access_pattern/ directory are\nnot cleaned up. As a result, DAMON sysfs interface is nearly broken until\nthe system reboots, and the memory for the unremoved directory is leaked.\n\nCleanup the directories under such failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:56.683Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae8ac0066b48ed957bdcab58f0d3543549c57a29"
},
{
"url": "https://git.kernel.org/stable/c/e9711bd0e64812c694a228cf58c9e6032decee54"
},
{
"url": "https://git.kernel.org/stable/c/16236b0b4a08fa3e326cf1373ef789dabdc2e30d"
},
{
"url": "https://git.kernel.org/stable/c/725d4fdaa01bd1161782081f419e1568cc7432e0"
},
{
"url": "https://git.kernel.org/stable/c/392b3d9d595f34877dd745b470c711e8ebcd225c"
}
],
"title": "mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23142",
"datePublished": "2026-02-14T15:36:08.147Z",
"dateReserved": "2026-01-13T15:37:45.973Z",
"dateUpdated": "2026-05-11T22:00:56.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71125 (GCVE-0-2025-71125)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
tracing: Do not register unsupported perf events
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Do not register unsupported perf events
Synthetic events currently do not have a function to register perf events.
This leads to calling the tracepoint register functions with a NULL
function pointer which triggers:
------------[ cut here ]------------
WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272
Modules linked in: kvm_intel kvm irqbypass
CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:tracepoint_add_func+0x357/0x370
Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f
RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000
RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8
RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780
R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a
R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78
FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0
Call Trace:
<TASK>
tracepoint_probe_register+0x5d/0x90
synth_event_reg+0x3c/0x60
perf_trace_event_init+0x204/0x340
perf_trace_init+0x85/0xd0
perf_tp_event_init+0x2e/0x50
perf_try_init_event+0x6f/0x230
? perf_event_alloc+0x4bb/0xdc0
perf_event_alloc+0x65a/0xdc0
__se_sys_perf_event_open+0x290/0x9f0
do_syscall_64+0x93/0x7b0
? entry_SYSCALL_64_after_hwframe+0x76/0x7e
? trace_hardirqs_off+0x53/0xc0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Instead, have the code return -ENODEV, which doesn't warn and has perf
error out with:
# perf record -e synthetic:futex_wait
Error:
The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).
"dmesg | grep -i perf" may provide additional information.
Ideally perf should support synthetic events, but for now just fix the
warning. The support can come later.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4b147936fa509650beaf638b331573c23ba4d609 , < 6819bc6285c0ff835f67cfae7efebc03541782f6
(git)
Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < 6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < f7305697b60d79bc69c0a6e280fc931b4e8862dd (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < 65b1971147ec12f0b1cee0811c859a3d7d9b04ce (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < 3437c775bf209c674ad66304213b6b3c3b1b3f69 (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < 6df47e5bb9b62d72f186f826ab643ea1856877c7 (git) Affected: 4b147936fa509650beaf638b331573c23ba4d609 , < ef7f38df890f5dcd2ae62f8dbde191d72f3bebae (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:32.067455Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:24.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6819bc6285c0ff835f67cfae7efebc03541782f6",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "f7305697b60d79bc69c0a6e280fc931b4e8862dd",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "65b1971147ec12f0b1cee0811c859a3d7d9b04ce",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "3437c775bf209c674ad66304213b6b3c3b1b3f69",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "6df47e5bb9b62d72f186f826ab643ea1856877c7",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "ef7f38df890f5dcd2ae62f8dbde191d72f3bebae",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not register unsupported perf events\n\nSynthetic events currently do not have a function to register perf events.\nThis leads to calling the tracepoint register functions with a NULL\nfunction pointer which triggers:\n\n ------------[ cut here ]------------\n WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:tracepoint_add_func+0x357/0x370\n Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc \u003c0f\u003e 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f\n RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246\n RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000\n RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8\n RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780\n R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a\n R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78\n FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n tracepoint_probe_register+0x5d/0x90\n synth_event_reg+0x3c/0x60\n perf_trace_event_init+0x204/0x340\n perf_trace_init+0x85/0xd0\n perf_tp_event_init+0x2e/0x50\n perf_try_init_event+0x6f/0x230\n ? perf_event_alloc+0x4bb/0xdc0\n perf_event_alloc+0x65a/0xdc0\n __se_sys_perf_event_open+0x290/0x9f0\n do_syscall_64+0x93/0x7b0\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ? trace_hardirqs_off+0x53/0xc0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInstead, have the code return -ENODEV, which doesn\u0027t warn and has perf\nerror out with:\n\n # perf record -e synthetic:futex_wait\nError:\nThe sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).\n\"dmesg | grep -i perf\" may provide additional information.\n\nIdeally perf should support synthetic events, but for now just fix the\nwarning. The support can come later."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:27.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6819bc6285c0ff835f67cfae7efebc03541782f6"
},
{
"url": "https://git.kernel.org/stable/c/6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc"
},
{
"url": "https://git.kernel.org/stable/c/f7305697b60d79bc69c0a6e280fc931b4e8862dd"
},
{
"url": "https://git.kernel.org/stable/c/65b1971147ec12f0b1cee0811c859a3d7d9b04ce"
},
{
"url": "https://git.kernel.org/stable/c/3437c775bf209c674ad66304213b6b3c3b1b3f69"
},
{
"url": "https://git.kernel.org/stable/c/6df47e5bb9b62d72f186f826ab643ea1856877c7"
},
{
"url": "https://git.kernel.org/stable/c/ef7f38df890f5dcd2ae62f8dbde191d72f3bebae"
}
],
"title": "tracing: Do not register unsupported perf events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71125",
"datePublished": "2026-01-14T15:06:10.662Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-06-11T18:44:24.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23168 (GCVE-0-2026-23168)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
flex_proportions: make fprop_new_period() hardirq safe
Summary
In the Linux kernel, the following vulnerability has been resolved:
flex_proportions: make fprop_new_period() hardirq safe
Bernd has reported a lockdep splat from flexible proportions code that is
essentially complaining about the following race:
<timer fires>
run_timer_softirq - we are in softirq context
call_timer_fn
writeout_period
fprop_new_period
write_seqcount_begin(&p->sequence);
<hardirq is raised>
...
blk_mq_end_request()
blk_update_request()
ext4_end_bio()
folio_end_writeback()
__wb_writeout_add()
__fprop_add_percpu_max()
if (unlikely(max_frac < FPROP_FRAC_BASE)) {
fprop_fraction_percpu()
seq = read_seqcount_begin(&p->sequence);
- sees odd sequence so loops indefinitely
Note that a deadlock like this is only possible if the bdi has configured
maximum fraction of writeout throughput which is very rare in general but
frequent for example for FUSE bdis. To fix this problem we have to make
sure write section of the sequence counter is irqsafe.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a91befde350375b1ff954635acdde14dc92cd9a8 , < 0acc9ba7a1b5ba4d998c5753e709be904e179b75
(git)
Affected: a91befde350375b1ff954635acdde14dc92cd9a8 , < 884b2590ffcc7222cbbd6298051f4c243cc36f5d (git) Affected: a91befde350375b1ff954635acdde14dc92cd9a8 , < 78ede9ebd679dadf480dce6f7b798e3603f88348 (git) Affected: a91befde350375b1ff954635acdde14dc92cd9a8 , < b91a84299d72ae0e05551e851e47cd3008bd025b (git) Affected: a91befde350375b1ff954635acdde14dc92cd9a8 , < dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/flex_proportions.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0acc9ba7a1b5ba4d998c5753e709be904e179b75",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
},
{
"lessThan": "884b2590ffcc7222cbbd6298051f4c243cc36f5d",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
},
{
"lessThan": "78ede9ebd679dadf480dce6f7b798e3603f88348",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
},
{
"lessThan": "b91a84299d72ae0e05551e851e47cd3008bd025b",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
},
{
"lessThan": "dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/flex_proportions.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nflex_proportions: make fprop_new_period() hardirq safe\n\nBernd has reported a lockdep splat from flexible proportions code that is\nessentially complaining about the following race:\n\n\u003ctimer fires\u003e\nrun_timer_softirq - we are in softirq context\n call_timer_fn\n writeout_period\n fprop_new_period\n write_seqcount_begin(\u0026p-\u003esequence);\n\n \u003chardirq is raised\u003e\n ...\n blk_mq_end_request()\n\t blk_update_request()\n\t ext4_end_bio()\n\t folio_end_writeback()\n\t\t__wb_writeout_add()\n\t\t __fprop_add_percpu_max()\n\t\t if (unlikely(max_frac \u003c FPROP_FRAC_BASE)) {\n\t\t fprop_fraction_percpu()\n\t\t\tseq = read_seqcount_begin(\u0026p-\u003esequence);\n\t\t\t - sees odd sequence so loops indefinitely\n\nNote that a deadlock like this is only possible if the bdi has configured\nmaximum fraction of writeout throughput which is very rare in general but\nfrequent for example for FUSE bdis. To fix this problem we have to make\nsure write section of the sequence counter is irqsafe."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:38.422Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0acc9ba7a1b5ba4d998c5753e709be904e179b75"
},
{
"url": "https://git.kernel.org/stable/c/884b2590ffcc7222cbbd6298051f4c243cc36f5d"
},
{
"url": "https://git.kernel.org/stable/c/78ede9ebd679dadf480dce6f7b798e3603f88348"
},
{
"url": "https://git.kernel.org/stable/c/b91a84299d72ae0e05551e851e47cd3008bd025b"
},
{
"url": "https://git.kernel.org/stable/c/dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc"
}
],
"title": "flex_proportions: make fprop_new_period() hardirq safe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23168",
"datePublished": "2026-02-14T16:01:31.465Z",
"dateReserved": "2026-01-13T15:37:45.981Z",
"dateUpdated": "2026-05-11T22:01:38.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31431 (GCVE-0-2026-31431)
Vulnerability from cvelistv5 – Published: 2026-04-22 08:15 – Updated: 2026-07-01 12:05
VLAI?
EPSS
Title
crypto: algif_aead - Revert to operating out-of-place
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Revert to operating out-of-place
This mostly reverts commit 72548b093ee3 except for the copying of
the associated data.
There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings. Get rid of
all the complexity added for in-place operation and just copy the
AD directly.
Severity ?
7.8 (High)
CWE
- CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 893d22e0135fa394db81df88697fba6032747667
(git)
Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 19d43105a97be0810edbda875f2cd03f30dc130c (git) Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 961cfa271a918ad4ae452420e7c303149002875b (git) Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 3115af9644c342b356f3f07a4dd1c8905cd9a6fc (git) Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 8b88d99341f139e23bdeb1027a2a3ae10d341d82 (git) Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8 (git) Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < ce42ee423e58dffa5ec03524054c9d8bfd4f6237 (git) Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31431",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-01",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-669",
"description": "CWE-669 Incorrect Resource Transfer Between Spheres",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T03:55:23.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/theori-io/copy-fail-CVE-2026-31431"
},
{
"tags": [
"mitigation"
],
"url": "https://xint.io/blog/copy-fail-linux-distributions#the-fix-6"
},
{
"tags": [
"mitigation"
],
"url": "https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/"
},
{
"tags": [
"mitigation"
],
"url": "https://access.redhat.com/security/cve/cve-2026-31431#cve-details-mitigation"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "CVE-2026-31431 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-18T17:44:54.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/23"
},
{
"url": "https://copy.fail"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/25"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/26"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/11"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/18"
},
{
"url": "https://websec.net/blog/cve-2026-31431-linux-algifaead-page-cache-write-to-root-69f38a4ccddd2db1f520f170"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/18"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/22"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/23"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/18"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/19"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/21"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/23"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/25"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/13"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/11"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/13"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/9"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/27"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/28"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/29"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/31"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/06/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/07/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/07/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/08/13"
},
{
"url": "https://www.kb.cert.org/vuls/id/260001"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/18/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:09:03.910Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
}
],
"x_adpType": "supplier"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.17::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s algif_aead cryptographic algorithm interface. An incorrect in-place operation causes source and destination data mappings to differ during cryptographic processing. A low-privileged local attacker can exploit this flaw to corrupt the contents of sensitive system files and escalate to root privileges."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1288",
"description": "Improper Validation of Consistency within Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T12:05:08.344Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-31431"
},
{
"name": "RHBZ#2460538",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460538"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31431.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14926"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14097"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14112"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:15087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14773"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13729"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13885"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13727"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13690"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13862"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13811"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13566"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19074"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13936"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13734"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13932"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14339"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13565"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19225"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13577"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:15976"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14165"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14230"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16111"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13681"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16210"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16209"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16208"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16063"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16018"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:15978"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13578"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14137"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14301"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:14926: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:14097: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:14112: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:15087: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:14773: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:13729: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:13885: Red Hat OpenShift Container Platform 4.17"
},
{
"lang": "en",
"value": "RHSA-2026:13727: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:13690: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:13862: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:13811: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:13887: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:13566: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19074: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:13936: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:13734: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:13932: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:14339: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:13565: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19225: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:13577: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:15976: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:14165: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:14230: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16111: Red Hat Enterprise Linux BaseOS E4S (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:13681: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:16210: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:16209: Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16208: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:16063: Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:16018: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:15978: Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:13578: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:14137: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:14301: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-22T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-22T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: crypto: algif_aead - Revert to operating out-of-place",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_aead.c",
"crypto/algif_skcipher.c",
"include/crypto/if_alg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "893d22e0135fa394db81df88697fba6032747667",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "19d43105a97be0810edbda875f2cd03f30dc130c",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "961cfa271a918ad4ae452420e7c303149002875b",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "3115af9644c342b356f3f07a4dd1c8905cd9a6fc",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "8b88d99341f139e23bdeb1027a2a3ae10d341d82",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "ce42ee423e58dffa5ec03524054c9d8bfd4f6237",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_aead.c",
"crypto/algif_skcipher.c",
"include/crypto/if_alg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings. Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:34.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667"
},
{
"url": "https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c"
},
{
"url": "https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b"
},
{
"url": "https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc"
},
{
"url": "https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82"
},
{
"url": "https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8"
},
{
"url": "https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237"
},
{
"url": "https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5"
}
],
"title": "crypto: algif_aead - Revert to operating out-of-place",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31431",
"datePublished": "2026-04-22T08:15:10.123Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-07-01T12:05:08.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43033 (GCVE-0-2026-43033)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16
VLAI?
EPSS
Title
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.
However, the data to be hashed need to be rearranged accordingly.
Thanks,
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
104880a6b470958ddc30e139c41aa4f6ed3a5234 , < 8c62f618576519dbed6816fafc623ce592953025
(git)
Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < d589abd8b019b07075fda255ceab8c8e950cdb3f (git) Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < 5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5 (git) Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < d0c4ff6812386880f30bc64c2921299cc4d7b47f (git) Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < 89fe118b6470119b20c04afc36e45b81a69ea11f (git) Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < 153d5520c3f9fd62e71c7e7f9e34b59cf411e555 (git) Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < cded4002d22177e8deaca1f257ecd932c9582b6b (git) Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < e02494114ebf7c8b42777c6cd6982f113bfdbec7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/authencesn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c62f618576519dbed6816fafc623ce592953025",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "d589abd8b019b07075fda255ceab8c8e950cdb3f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "d0c4ff6812386880f30bc64c2921299cc4d7b47f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "89fe118b6470119b20c04afc36e45b81a69ea11f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "153d5520c3f9fd62e71c7e7f9e34b59cf411e555",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "cded4002d22177e8deaca1f257ecd932c9582b6b",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "e02494114ebf7c8b42777c6cd6982f113bfdbec7",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/authencesn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n\nWhen decrypting data that is not in-place (src != dst), there is\nno need to save the high-order sequence bits in dst as it could\nsimply be re-copied from the source.\n\nHowever, the data to be hashed need to be rearranged accordingly.\n\n\nThanks,"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:25.061Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c62f618576519dbed6816fafc623ce592953025"
},
{
"url": "https://git.kernel.org/stable/c/d589abd8b019b07075fda255ceab8c8e950cdb3f"
},
{
"url": "https://git.kernel.org/stable/c/5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5"
},
{
"url": "https://git.kernel.org/stable/c/d0c4ff6812386880f30bc64c2921299cc4d7b47f"
},
{
"url": "https://git.kernel.org/stable/c/89fe118b6470119b20c04afc36e45b81a69ea11f"
},
{
"url": "https://git.kernel.org/stable/c/153d5520c3f9fd62e71c7e7f9e34b59cf411e555"
},
{
"url": "https://git.kernel.org/stable/c/cded4002d22177e8deaca1f257ecd932c9582b6b"
},
{
"url": "https://git.kernel.org/stable/c/e02494114ebf7c8b42777c6cd6982f113bfdbec7"
}
],
"title": "crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43033",
"datePublished": "2026-05-01T14:15:32.583Z",
"dateReserved": "2026-05-01T14:12:55.977Z",
"dateUpdated": "2026-05-11T22:16:25.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47337 (GCVE-0-2026-47337)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:29 – Updated: 2026-05-28 19:23
VLAI?
EPSS
Title
NULL pointer dereference in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.
Severity ?
CWE
- CWE-476 - NULL pointer dereference
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
Trevor Lawrence, _SiCk, afflicted.sh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:21:23.610809Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:23:08.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
},
{
"lang": "en",
"type": "finder",
"value": "Trevor Lawrence, _SiCk, afflicted.sh"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL pointer dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:29:20.805Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=9f03f0012a2367efae1edb4798f1c5103aeb6cbc"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NULL pointer dereference in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47337",
"datePublished": "2026-05-28T18:29:20.805Z",
"dateReserved": "2026-05-19T10:37:36.434Z",
"dateUpdated": "2026-05-28T19:23:08.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71184 (GCVE-0-2025-71184)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:38 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
btrfs: fix NULL dereference on root when tracing inode eviction
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix NULL dereference on root when tracing inode eviction
When evicting an inode the first thing we do is to setup tracing for it,
which implies fetching the root's id. But in btrfs_evict_inode() the
root might be NULL, as implied in the next check that we do in
btrfs_evict_inode().
Hence, we either should set the ->root_objectid to 0 in case the root is
NULL, or we move tracing setup after checking that the root is not
NULL. Setting the rootid to 0 at least gives us the possibility to trace
this call even in the case when the root is NULL, so that's the solution
taken here.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1abe9b8a138c9988ba8f7bfded6453649a31541f , < 64d8abd8c5305795a2b35fc96039d99d34f5e762
(git)
Affected: 1abe9b8a138c9988ba8f7bfded6453649a31541f , < 582ba48e4a4c06fef6bdcf4e57b7b9af660bbd0c (git) Affected: 1abe9b8a138c9988ba8f7bfded6453649a31541f , < 99e057f3d3ef24b99a7b1d84e01dd1bd890098da (git) Affected: 1abe9b8a138c9988ba8f7bfded6453649a31541f , < f157dd661339fc6f5f2b574fe2429c43bd309534 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/trace/events/btrfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64d8abd8c5305795a2b35fc96039d99d34f5e762",
"status": "affected",
"version": "1abe9b8a138c9988ba8f7bfded6453649a31541f",
"versionType": "git"
},
{
"lessThan": "582ba48e4a4c06fef6bdcf4e57b7b9af660bbd0c",
"status": "affected",
"version": "1abe9b8a138c9988ba8f7bfded6453649a31541f",
"versionType": "git"
},
{
"lessThan": "99e057f3d3ef24b99a7b1d84e01dd1bd890098da",
"status": "affected",
"version": "1abe9b8a138c9988ba8f7bfded6453649a31541f",
"versionType": "git"
},
{
"lessThan": "f157dd661339fc6f5f2b574fe2429c43bd309534",
"status": "affected",
"version": "1abe9b8a138c9988ba8f7bfded6453649a31541f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/trace/events/btrfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix NULL dereference on root when tracing inode eviction\n\nWhen evicting an inode the first thing we do is to setup tracing for it,\nwhich implies fetching the root\u0027s id. But in btrfs_evict_inode() the\nroot might be NULL, as implied in the next check that we do in\nbtrfs_evict_inode().\n\nHence, we either should set the -\u003eroot_objectid to 0 in case the root is\nNULL, or we move tracing setup after checking that the root is not\nNULL. Setting the rootid to 0 at least gives us the possibility to trace\nthis call even in the case when the root is NULL, so that\u0027s the solution\ntaken here."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:17.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64d8abd8c5305795a2b35fc96039d99d34f5e762"
},
{
"url": "https://git.kernel.org/stable/c/582ba48e4a4c06fef6bdcf4e57b7b9af660bbd0c"
},
{
"url": "https://git.kernel.org/stable/c/99e057f3d3ef24b99a7b1d84e01dd1bd890098da"
},
{
"url": "https://git.kernel.org/stable/c/f157dd661339fc6f5f2b574fe2429c43bd309534"
}
],
"title": "btrfs: fix NULL dereference on root when tracing inode eviction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71184",
"datePublished": "2026-01-31T11:38:57.171Z",
"dateReserved": "2026-01-31T11:36:51.187Z",
"dateUpdated": "2026-05-11T21:56:17.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71082 (GCVE-0-2025-71082)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
Bluetooth: btusb: revert use of devm_kzalloc in btusb
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: revert use of devm_kzalloc in btusb
This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
btusb.c file").
In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.
The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.
To fix this, revert the use of devm and go back to freeing memory
explicitly.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < fff9206b0907252a41eb12b7c1407b9347df18b1
(git)
Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < cca0e9206e3bcc63cd3e72193e60149165d493cc (git) Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < c0ecb3e4451fe94f4315e6d09c4046dfbc42090b (git) Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < 1e54c19eaf84ba652c4e376571093e58e144b339 (git) Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < fdf7c640fb8a44a59b0671143d8c2f738bc48003 (git) Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 , < 252714f1e8bdd542025b16321c790458014d6880 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:23.595912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:11.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fff9206b0907252a41eb12b7c1407b9347df18b1",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "cca0e9206e3bcc63cd3e72193e60149165d493cc",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "c0ecb3e4451fe94f4315e6d09c4046dfbc42090b",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "1e54c19eaf84ba652c4e376571093e58e144b339",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "fdf7c640fb8a44a59b0671143d8c2f738bc48003",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "252714f1e8bdd542025b16321c790458014d6880",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: revert use of devm_kzalloc in btusb\n\nThis reverts commit 98921dbd00c4e (\"Bluetooth: Use devm_kzalloc in\nbtusb.c file\").\n\nIn btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This\nties the lifetime of all the btusb data to the binding of a driver to\none interface, INTF. In a driver that binds to other interfaces, ISOC\nand DIAG, this is an accident waiting to happen.\n\nThe issue is revealed in btusb_disconnect(), where calling\nusb_driver_release_interface(\u0026btusb_driver, data-\u003eintf) will have devm\nfree the data that is also being used by the other interfaces of the\ndriver that may not be released yet.\n\nTo fix this, revert the use of devm and go back to freeing memory\nexplicitly."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:23.734Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1"
},
{
"url": "https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc"
},
{
"url": "https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b"
},
{
"url": "https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339"
},
{
"url": "https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003"
},
{
"url": "https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880"
}
],
"title": "Bluetooth: btusb: revert use of devm_kzalloc in btusb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71082",
"datePublished": "2026-01-13T15:34:46.301Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-06-11T18:44:11.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68257 (GCVE-0-2025-68257)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-05-11 21:49
VLAI?
EPSS
Title
comedi: check device's attached status in compat ioctls
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: check device's attached status in compat ioctls
Syzbot identified an issue [1] that crashes kernel, seemingly due to
unexistent callback dev->get_valid_routes(). By all means, this should
not occur as said callback must always be set to
get_zero_valid_routes() in __comedi_device_postconfig().
As the crash seems to appear exclusively in i386 kernels, at least,
judging from [1] reports, the blame lies with compat versions
of standard IOCTL handlers. Several of them are modified and
do not use comedi_unlocked_ioctl(). While functionality of these
ioctls essentially copy their original versions, they do not
have required sanity check for device's attached status. This,
in turn, leads to a possibility of calling select IOCTLs on a
device that has not been properly setup, even via COMEDI_DEVCONFIG.
Doing so on unconfigured devices means that several crucial steps
are missed, for instance, specifying dev->get_valid_routes()
callback.
Fix this somewhat crudely by ensuring device's attached status before
performing any ioctls, improving logic consistency between modern
and compat functions.
[1] Syzbot report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
Call Trace:
<TASK>
get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
__do_compat_sys_ioctl fs/ioctl.c:695 [inline]
__se_compat_sys_ioctl fs/ioctl.c:638 [inline]
__ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3fbfd2223a271426509830e6340c386a1054cfad , < 4836ba483a22ebd076c8faaf8293a7295fad4142
(git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 7141915bf0c41cb57d83cdbaf695b8c731b16b71 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < f13895c03620933a58907e3250016f087e39b78c (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < b975f91de5f8f63cf490f0393775cc795f8b0557 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < f6e629dfe6f590091c662a87c9fcf118b1c1c7dc (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 573b07d2e3d473ee7eb625ef87519922cf01168d (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < aac80e912de306815297a3b74f0426873ffa7dc3 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4836ba483a22ebd076c8faaf8293a7295fad4142",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "7141915bf0c41cb57d83cdbaf695b8c731b16b71",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "f13895c03620933a58907e3250016f087e39b78c",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "b975f91de5f8f63cf490f0393775cc795f8b0557",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "f6e629dfe6f590091c662a87c9fcf118b1c1c7dc",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "573b07d2e3d473ee7eb625ef87519922cf01168d",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "aac80e912de306815297a3b74f0426873ffa7dc3",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "0de7d9cd07a2671fa6089173bccc0b2afe6b93ee",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: check device\u0027s attached status in compat ioctls\n\nSyzbot identified an issue [1] that crashes kernel, seemingly due to\nunexistent callback dev-\u003eget_valid_routes(). By all means, this should\nnot occur as said callback must always be set to\nget_zero_valid_routes() in __comedi_device_postconfig().\n\nAs the crash seems to appear exclusively in i386 kernels, at least,\njudging from [1] reports, the blame lies with compat versions\nof standard IOCTL handlers. Several of them are modified and\ndo not use comedi_unlocked_ioctl(). While functionality of these\nioctls essentially copy their original versions, they do not\nhave required sanity check for device\u0027s attached status. This,\nin turn, leads to a possibility of calling select IOCTLs on a\ndevice that has not been properly setup, even via COMEDI_DEVCONFIG.\n\nDoing so on unconfigured devices means that several crucial steps\nare missed, for instance, specifying dev-\u003eget_valid_routes()\ncallback.\n\nFix this somewhat crudely by ensuring device\u0027s attached status before\nperforming any ioctls, improving logic consistency between modern\nand compat functions.\n\n[1] Syzbot report:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]\n parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401\n do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594\n compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]\n comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273\n __do_compat_sys_ioctl fs/ioctl.c:695 [inline]\n __se_compat_sys_ioctl fs/ioctl.c:638 [inline]\n __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:52.497Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4836ba483a22ebd076c8faaf8293a7295fad4142"
},
{
"url": "https://git.kernel.org/stable/c/7141915bf0c41cb57d83cdbaf695b8c731b16b71"
},
{
"url": "https://git.kernel.org/stable/c/f13895c03620933a58907e3250016f087e39b78c"
},
{
"url": "https://git.kernel.org/stable/c/b975f91de5f8f63cf490f0393775cc795f8b0557"
},
{
"url": "https://git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dc"
},
{
"url": "https://git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168d"
},
{
"url": "https://git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3"
},
{
"url": "https://git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93ee"
}
],
"title": "comedi: check device\u0027s attached status in compat ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68257",
"datePublished": "2025-12-16T14:44:59.535Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-05-11T21:49:52.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23078 (GCVE-0-2026-23078)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
ALSA: scarlett2: Fix buffer overflow in config retrieval
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: scarlett2: Fix buffer overflow in config retrieval
The scarlett2_usb_get_config() function has a logic error in the
endianness conversion code that can cause buffer overflows when
count > 1.
The code checks `if (size == 2)` where `size` is the total buffer size in
bytes, then loops `count` times treating each element as u16 (2 bytes).
This causes the loop to access `count * 2` bytes when the buffer only
has `size` bytes allocated.
Fix by checking the element size (config_item->size) instead of the
total buffer size. This ensures the endianness conversion matches the
actual element type.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ac34df733d2dfe3b553897a1e9e1a44414f09834 , < d5e80d1f97ae55bcea1426f551e4419245b41b9c
(git)
Affected: ac34df733d2dfe3b553897a1e9e1a44414f09834 , < 51049f6e3f05d70660e2458ad3bb302a3721b751 (git) Affected: ac34df733d2dfe3b553897a1e9e1a44414f09834 , < 91a756d22f0482eac5bedb113c8922f90b254449 (git) Affected: ac34df733d2dfe3b553897a1e9e1a44414f09834 , < 27049f50be9f5ae3a62d272128ce0b381cb26a24 (git) Affected: ac34df733d2dfe3b553897a1e9e1a44414f09834 , < 31a3eba5c265a763260976674a22851e83128f6d (git) Affected: ac34df733d2dfe3b553897a1e9e1a44414f09834 , < 6f5c69f72e50d51be3a8c028ae7eda42c82902cb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_scarlett2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5e80d1f97ae55bcea1426f551e4419245b41b9c",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "51049f6e3f05d70660e2458ad3bb302a3721b751",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "91a756d22f0482eac5bedb113c8922f90b254449",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "27049f50be9f5ae3a62d272128ce0b381cb26a24",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "31a3eba5c265a763260976674a22851e83128f6d",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "6f5c69f72e50d51be3a8c028ae7eda42c82902cb",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_scarlett2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Fix buffer overflow in config retrieval\n\nThe scarlett2_usb_get_config() function has a logic error in the\nendianness conversion code that can cause buffer overflows when\ncount \u003e 1.\n\nThe code checks `if (size == 2)` where `size` is the total buffer size in\nbytes, then loops `count` times treating each element as u16 (2 bytes).\nThis causes the loop to access `count * 2` bytes when the buffer only\nhas `size` bytes allocated.\n\nFix by checking the element size (config_item-\u003esize) instead of the\ntotal buffer size. This ensures the endianness conversion matches the\nactual element type."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:34.569Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5e80d1f97ae55bcea1426f551e4419245b41b9c"
},
{
"url": "https://git.kernel.org/stable/c/51049f6e3f05d70660e2458ad3bb302a3721b751"
},
{
"url": "https://git.kernel.org/stable/c/91a756d22f0482eac5bedb113c8922f90b254449"
},
{
"url": "https://git.kernel.org/stable/c/27049f50be9f5ae3a62d272128ce0b381cb26a24"
},
{
"url": "https://git.kernel.org/stable/c/31a3eba5c265a763260976674a22851e83128f6d"
},
{
"url": "https://git.kernel.org/stable/c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb"
}
],
"title": "ALSA: scarlett2: Fix buffer overflow in config retrieval",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23078",
"datePublished": "2026-02-04T16:08:03.283Z",
"dateReserved": "2026-01-13T15:37:45.959Z",
"dateUpdated": "2026-05-11T21:59:34.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23102 (GCVE-0-2026-23102)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
arm64/fpsimd: signal: Fix restoration of SVE context
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: signal: Fix restoration of SVE context
When SME is supported, Restoring SVE signal context can go wrong in a
few ways, including placing the task into an invalid state where the
kernel may read from out-of-bounds memory (and may potentially take a
fatal fault) and/or may kill the task with a SIGKILL.
(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into
an invalid state where SVCR.SM is set (and sve_state is non-NULL)
but TIF_SME is clear, consequently resuting in out-of-bounds memory
reads and/or killing the task with SIGKILL.
This can only occur in unusual (but legitimate) cases where the SVE
signal context has either been modified by userspace or was saved in
the context of another task (e.g. as with CRIU), as otherwise the
presence of an SVE signal context with SVE_SIG_FLAG_SM implies that
TIF_SME is already set.
While in this state, task_fpsimd_load() will NOT configure SMCR_ELx
(leaving some arbitrary value configured in hardware) before
restoring SVCR and attempting to restore the streaming mode SVE
registers from memory via sve_load_state(). As the value of
SMCR_ELx.LEN may be larger than the task's streaming SVE vector
length, this may read memory outside of the task's allocated
sve_state, reading unrelated data and/or triggering a fault.
While this can result in secrets being loaded into streaming SVE
registers, these values are never exposed. As TIF_SME is clear,
fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0
accesses to streaming mode SVE registers, so these cannot be
accessed directly at EL0. As fpsimd_save_user_state() verifies the
live vector length before saving (S)SVE state to memory, no secret
values can be saved back to memory (and hence cannot be observed via
ptrace, signals, etc).
When the live vector length doesn't match the expected vector length
for the task, fpsimd_save_user_state() will send a fatal SIGKILL
signal to the task. Hence the task may be killed after executing
userspace for some period of time.
(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the
task's SVCR.SM. If SVCR.SM was set prior to restoring the context,
then the task will be left in streaming mode unexpectedly, and some
register state will be combined inconsistently, though the task will
be left in legitimate state from the kernel's PoV.
This can only occur in unusual (but legitimate) cases where ptrace
has been used to set SVCR.SM after entry to the sigreturn syscall,
as syscall entry clears SVCR.SM.
In these cases, the the provided SVE register data will be loaded
into the task's sve_state using the non-streaming SVE vector length
and the FPSIMD registers will be merged into this using the
streaming SVE vector length.
Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires
ensuring that the task's sme_state has been allocated, but as this could
contain live ZA state, it should not be zeroed. Fix (2) by clearing
SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear.
For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME,
and fp_type earlier, immediately after the allocation of
sve_state/sme_state, before the restore of the actual register state.
This makes it easier to ensure that these are always modified
consistently, even if a fault is taken while reading the register data
from the signal context. I do not expect any software to depend on the
exact state restored when a fault is taken while reading the context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
85ed24dad2904f7c141911d91b7807ab02694b5e , < 9bc3adba8c35119be80ab20217027720446742f2
(git)
Affected: 85ed24dad2904f7c141911d91b7807ab02694b5e , < ce820dd4e6e2d711242dc4331713b9bb4fe06d09 (git) Affected: 85ed24dad2904f7c141911d91b7807ab02694b5e , < 7b5a52cf252a0d2e89787b645290ad288878f332 (git) Affected: 85ed24dad2904f7c141911d91b7807ab02694b5e , < d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bc3adba8c35119be80ab20217027720446742f2",
"status": "affected",
"version": "85ed24dad2904f7c141911d91b7807ab02694b5e",
"versionType": "git"
},
{
"lessThan": "ce820dd4e6e2d711242dc4331713b9bb4fe06d09",
"status": "affected",
"version": "85ed24dad2904f7c141911d91b7807ab02694b5e",
"versionType": "git"
},
{
"lessThan": "7b5a52cf252a0d2e89787b645290ad288878f332",
"status": "affected",
"version": "85ed24dad2904f7c141911d91b7807ab02694b5e",
"versionType": "git"
},
{
"lessThan": "d2907cbe9ea0a54cbe078076f9d089240ee1e2d9",
"status": "affected",
"version": "85ed24dad2904f7c141911d91b7807ab02694b5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Fix restoration of SVE context\n\nWhen SME is supported, Restoring SVE signal context can go wrong in a\nfew ways, including placing the task into an invalid state where the\nkernel may read from out-of-bounds memory (and may potentially take a\nfatal fault) and/or may kill the task with a SIGKILL.\n\n(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into\n an invalid state where SVCR.SM is set (and sve_state is non-NULL)\n but TIF_SME is clear, consequently resuting in out-of-bounds memory\n reads and/or killing the task with SIGKILL.\n\n This can only occur in unusual (but legitimate) cases where the SVE\n signal context has either been modified by userspace or was saved in\n the context of another task (e.g. as with CRIU), as otherwise the\n presence of an SVE signal context with SVE_SIG_FLAG_SM implies that\n TIF_SME is already set.\n\n While in this state, task_fpsimd_load() will NOT configure SMCR_ELx\n (leaving some arbitrary value configured in hardware) before\n restoring SVCR and attempting to restore the streaming mode SVE\n registers from memory via sve_load_state(). As the value of\n SMCR_ELx.LEN may be larger than the task\u0027s streaming SVE vector\n length, this may read memory outside of the task\u0027s allocated\n sve_state, reading unrelated data and/or triggering a fault.\n\n While this can result in secrets being loaded into streaming SVE\n registers, these values are never exposed. As TIF_SME is clear,\n fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0\n accesses to streaming mode SVE registers, so these cannot be\n accessed directly at EL0. As fpsimd_save_user_state() verifies the\n live vector length before saving (S)SVE state to memory, no secret\n values can be saved back to memory (and hence cannot be observed via\n ptrace, signals, etc).\n\n When the live vector length doesn\u0027t match the expected vector length\n for the task, fpsimd_save_user_state() will send a fatal SIGKILL\n signal to the task. Hence the task may be killed after executing\n userspace for some period of time.\n\n(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the\n task\u0027s SVCR.SM. If SVCR.SM was set prior to restoring the context,\n then the task will be left in streaming mode unexpectedly, and some\n register state will be combined inconsistently, though the task will\n be left in legitimate state from the kernel\u0027s PoV.\n\n This can only occur in unusual (but legitimate) cases where ptrace\n has been used to set SVCR.SM after entry to the sigreturn syscall,\n as syscall entry clears SVCR.SM.\n\n In these cases, the the provided SVE register data will be loaded\n into the task\u0027s sve_state using the non-streaming SVE vector length\n and the FPSIMD registers will be merged into this using the\n streaming SVE vector length.\n\nFix (1) by setting TIF_SME when setting SVCR.SM. This also requires\nensuring that the task\u0027s sme_state has been allocated, but as this could\ncontain live ZA state, it should not be zeroed. Fix (2) by clearing\nSVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear.\n\nFor consistency, I\u0027ve pulled the manipulation of SVCR, TIF_SVE, TIF_SME,\nand fp_type earlier, immediately after the allocation of\nsve_state/sme_state, before the restore of the actual register state.\nThis makes it easier to ensure that these are always modified\nconsistently, even if a fault is taken while reading the register data\nfrom the signal context. I do not expect any software to depend on the\nexact state restored when a fault is taken while reading the context."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:09.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bc3adba8c35119be80ab20217027720446742f2"
},
{
"url": "https://git.kernel.org/stable/c/ce820dd4e6e2d711242dc4331713b9bb4fe06d09"
},
{
"url": "https://git.kernel.org/stable/c/7b5a52cf252a0d2e89787b645290ad288878f332"
},
{
"url": "https://git.kernel.org/stable/c/d2907cbe9ea0a54cbe078076f9d089240ee1e2d9"
}
],
"title": "arm64/fpsimd: signal: Fix restoration of SVE context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23102",
"datePublished": "2026-02-04T16:08:24.034Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-05-11T22:00:09.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31676 (GCVE-0-2026-31676)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-06-01 16:13
VLAI?
EPSS
Title
rxrpc: only handle RESPONSE during service challenge
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: only handle RESPONSE during service challenge
Only process RESPONSE packets while the service connection is still in
RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
running response verification and security initialization, then use a local
secured flag to decide whether to queue the secured-connection work after
the state transition. This keeps duplicate or late RESPONSE packets from
re-running the setup path and removes the unlocked post-transition state
test.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
17926a79320afa9b95df6b977b40cca6d8713cea , < a1a8efde03a40b6c658d580e96644d9b9a2a0d3a
(git)
Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 6c3a0fbdafef8316e34ae22333e317a341e737cd (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 0afdfd4941c1b60a1f5c361760daa970edca60cd (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < a6bcf8010af093fe04f7100562e9542ab7882585 (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 29b44d904dceb832be880def08b8cb17a0aba91c (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < d0035e634dae83237ab7f5681eb52b2f65d0ceb8 (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 03fd2ef73cb4ffd0af100a95b634af54f474414e (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < c43ffdcfdbb5567b1f143556df8a04b4eeea041c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a1a8efde03a40b6c658d580e96644d9b9a2a0d3a",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "6c3a0fbdafef8316e34ae22333e317a341e737cd",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "0afdfd4941c1b60a1f5c361760daa970edca60cd",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "a6bcf8010af093fe04f7100562e9542ab7882585",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "29b44d904dceb832be880def08b8cb17a0aba91c",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "d0035e634dae83237ab7f5681eb52b2f65d0ceb8",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "03fd2ef73cb4ffd0af100a95b634af54f474414e",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "c43ffdcfdbb5567b1f143556df8a04b4eeea041c",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: only handle RESPONSE during service challenge\n\nOnly process RESPONSE packets while the service connection is still in\nRXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before\nrunning response verification and security initialization, then use a local\nsecured flag to decide whether to queue the secured-connection work after\nthe state transition. This keeps duplicate or late RESPONSE packets from\nre-running the setup path and removes the unlocked post-transition state\ntest."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:13:19.190Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a1a8efde03a40b6c658d580e96644d9b9a2a0d3a"
},
{
"url": "https://git.kernel.org/stable/c/6c3a0fbdafef8316e34ae22333e317a341e737cd"
},
{
"url": "https://git.kernel.org/stable/c/0afdfd4941c1b60a1f5c361760daa970edca60cd"
},
{
"url": "https://git.kernel.org/stable/c/a6bcf8010af093fe04f7100562e9542ab7882585"
},
{
"url": "https://git.kernel.org/stable/c/29b44d904dceb832be880def08b8cb17a0aba91c"
},
{
"url": "https://git.kernel.org/stable/c/d0035e634dae83237ab7f5681eb52b2f65d0ceb8"
},
{
"url": "https://git.kernel.org/stable/c/03fd2ef73cb4ffd0af100a95b634af54f474414e"
},
{
"url": "https://git.kernel.org/stable/c/c43ffdcfdbb5567b1f143556df8a04b4eeea041c"
}
],
"title": "rxrpc: only handle RESPONSE during service challenge",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31676",
"datePublished": "2026-04-25T08:46:52.285Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-06-01T16:13:19.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68818 (GCVE-0-2025-68818)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock. But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:
qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x4d/0x8b
? page_fault_oops+0x91/0x180
? trace_buffer_unlock_commit_regs+0x38/0x1a0
? exc_page_fault+0x391/0x5e0
? asm_exc_page_fault+0x22/0x30
__qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
kthread+0xa8/0xd0
</TASK>
Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash. But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
231cfa78ec5badd84a1a2b09465bfad1a926aba1 , < b04b3733fff7e94566386b962e4795550fbdfd3d
(git)
Affected: d6f7377528d2abf338e504126e44439541be8f7d , < 50b097d92c99f718831b8b349722bc79f718ba1b (git) Affected: cd0a1804ac5bab2545ac700c8d0fe9ae9284c567 , < c5c37a821bd1708f26a9522b4a6f47b9f7a20003 (git) Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < e9e601b7df58ba0c667baf30263331df2c02ffe1 (git) Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 (git) Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < 1c728951bc769b795d377852eae1abddad88635d (git) Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < b57fbc88715b6d18f379463f48a15b560b087ffe (git) Affected: 9189f20b4c5307c0998682bb522e481b4567a8b8 (git) Affected: 415d614344a4f1bbddf55d724fc7eb9ef4b39aad (git) Affected: 5.10.177 , < 5.10.248 (semver) Affected: 5.15.105 , < 5.15.198 (semver) Affected: 6.1.22 , < 6.1.160 (semver) Affected: 5.4.240 , < 5.5 (semver) Affected: 6.2.9 , < 6.3 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b04b3733fff7e94566386b962e4795550fbdfd3d",
"status": "affected",
"version": "231cfa78ec5badd84a1a2b09465bfad1a926aba1",
"versionType": "git"
},
{
"lessThan": "50b097d92c99f718831b8b349722bc79f718ba1b",
"status": "affected",
"version": "d6f7377528d2abf338e504126e44439541be8f7d",
"versionType": "git"
},
{
"lessThan": "c5c37a821bd1708f26a9522b4a6f47b9f7a20003",
"status": "affected",
"version": "cd0a1804ac5bab2545ac700c8d0fe9ae9284c567",
"versionType": "git"
},
{
"lessThan": "e9e601b7df58ba0c667baf30263331df2c02ffe1",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "b10ebbfd59a535c8d22f4ede6e8389622ce98dc0",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "1c728951bc769b795d377852eae1abddad88635d",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "b57fbc88715b6d18f379463f48a15b560b087ffe",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"status": "affected",
"version": "9189f20b4c5307c0998682bb522e481b4567a8b8",
"versionType": "git"
},
{
"status": "affected",
"version": "415d614344a4f1bbddf55d724fc7eb9ef4b39aad",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.105",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.22",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThan": "6.3",
"status": "affected",
"version": "6.2.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.177",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"\n\nThis reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.\n\nThe commit being reverted added code to __qla2x00_abort_all_cmds() to\ncall sp-\u003edone() without holding a spinlock. But unlike the older code\nbelow it, this new code failed to check sp-\u003ecmd_type and just assumed\nTYPE_SRB, which results in a jump to an invalid pointer in target-mode\nwith TYPE_TGT_CMD:\n\nqla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success\n 0000000009f7a79b\nqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h\n mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.\nqla2xxx [0000:65:00.0]-d01e:8: -\u003e fwdump no buffer\nqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event\n 0x8002 occurred\nqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -\n ha=0000000058183fda.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor instruction fetch in kernel mode\nPF: error_code(0x0010) - not-present page\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1\nHardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206\nRAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000\nRDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0\nRBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045\nR10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40\nR13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400\nFS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x4d/0x8b\n ? page_fault_oops+0x91/0x180\n ? trace_buffer_unlock_commit_regs+0x38/0x1a0\n ? exc_page_fault+0x391/0x5e0\n ? asm_exc_page_fault+0x22/0x30\n __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]\n qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]\n qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]\n qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]\n qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]\n kthread+0xa8/0xd0\n \u003c/TASK\u003e\n\nThen commit 4475afa2646d (\"scsi: qla2xxx: Complete command early within\nlock\") added the spinlock back, because not having the lock caused a\nrace and a crash. But qla2x00_abort_srb() in the switch below already\nchecks for qla2x00_chip_is_down() and handles it the same way, so the\ncode above the switch is now redundant and still buggy in target-mode.\nRemove it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:58.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d"
},
{
"url": "https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b"
},
{
"url": "https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003"
},
{
"url": "https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1"
},
{
"url": "https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0"
},
{
"url": "https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d"
},
{
"url": "https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe"
}
],
"title": "scsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68818",
"datePublished": "2026-01-13T15:29:22.018Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-05-23T16:02:58.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71105 (GCVE-0-2025-71105)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
f2fs: use global inline_xattr_slab instead of per-sb slab cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: use global inline_xattr_slab instead of per-sb slab cache
As Hong Yun reported in mailing list:
loop7: detected capacity change from 0 to 131072
------------[ cut here ]------------
kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
Call Trace:
__kmem_cache_create include/linux/slab.h:353 [inline]
f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
vfs_get_tree+0x43/0x140 fs/super.c:1815
do_new_mount+0x201/0x550 fs/namespace.c:3808
do_mount fs/namespace.c:4136 [inline]
__do_sys_mount fs/namespace.c:4347 [inline]
__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug can be reproduced w/ below scripts:
- mount /dev/vdb /mnt1
- mount /dev/vdc /mnt2
- umount /mnt1
- mounnt /dev/vdb /mnt1
The reason is if we created two slab caches, named f2fs_xattr_entry-7:3
and f2fs_xattr_entry-7:7, and they have the same slab size. Actually,
slab system will only create one slab cache core structure which has
slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same
structure and cache address.
So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will
decrease reference count of slab cache, rather than release slab cache
entirely, since there is one more user has referenced the cache.
Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again,
slab system will find that there is existed cache which has the same name
and trigger the warning.
Let's changes to use global inline_xattr_slab instead of per-sb slab cache
for fixing.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a999150f4fe3abbb7efd05411fd5b460be699943 , < 93d30fe19660dec6bf1bd3d5c186c1c737b21aa5
(git)
Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 474cc3ed37436ddfd63cac8dbffe3b1e219e9100 (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 72ce19dfed162da6e430467333b2da70471d08a4 (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 1eb0b130196bcbc56c5c80c83139fa70c0aa82c5 (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < e6d828eae00ec192e18c2ddaa2fd32050a96048a (git) Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c",
"fs/f2fs/xattr.c",
"fs/f2fs/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d30fe19660dec6bf1bd3d5c186c1c737b21aa5",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "474cc3ed37436ddfd63cac8dbffe3b1e219e9100",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "72ce19dfed162da6e430467333b2da70471d08a4",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "1eb0b130196bcbc56c5c80c83139fa70c0aa82c5",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "e6d828eae00ec192e18c2ddaa2fd32050a96048a",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "1f27ef42bb0b7c0740c5616ec577ec188b8a1d05",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c",
"fs/f2fs/xattr.c",
"fs/f2fs/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: use global inline_xattr_slab instead of per-sb slab cache\n\nAs Hong Yun reported in mailing list:\n\nloop7: detected capacity change from 0 to 131072\n------------[ cut here ]------------\nkmem_cache of name \u0027f2fs_xattr_entry-7:7\u0027 already exists\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nRIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCall Trace:\n\u00a0__kmem_cache_create include/linux/slab.h:353 [inline]\n\u00a0f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]\n\u00a0f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843\n\u00a0f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918\n\u00a0get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692\n\u00a0vfs_get_tree+0x43/0x140 fs/super.c:1815\n\u00a0do_new_mount+0x201/0x550 fs/namespace.c:3808\n\u00a0do_mount fs/namespace.c:4136 [inline]\n\u00a0__do_sys_mount fs/namespace.c:4347 [inline]\n\u00a0__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324\n\u00a0do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n\u00a0do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94\n\u00a0entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug can be reproduced w/ below scripts:\n- mount /dev/vdb /mnt1\n- mount /dev/vdc /mnt2\n- umount /mnt1\n- mounnt /dev/vdb /mnt1\n\nThe reason is if we created two slab caches, named f2fs_xattr_entry-7:3\nand f2fs_xattr_entry-7:7, and they have the same slab size. Actually,\nslab system will only create one slab cache core structure which has\nslab name of \"f2fs_xattr_entry-7:3\", and two slab caches share the same\nstructure and cache address.\n\nSo, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will\ndecrease reference count of slab cache, rather than release slab cache\nentirely, since there is one more user has referenced the cache.\n\nThen, if we try to create slab cache w/ name \"f2fs_xattr_entry-7:3\" again,\nslab system will find that there is existed cache which has the same name\nand trigger the warning.\n\nLet\u0027s changes to use global inline_xattr_slab instead of per-sb slab cache\nfor fixing."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:54.803Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5"
},
{
"url": "https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100"
},
{
"url": "https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4"
},
{
"url": "https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a"
},
{
"url": "https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5"
},
{
"url": "https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a"
},
{
"url": "https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05"
}
],
"title": "f2fs: use global inline_xattr_slab instead of per-sb slab cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71105",
"datePublished": "2026-01-14T15:05:54.510Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-05-11T21:54:54.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38234 (GCVE-0-2025-38234)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23
VLAI?
EPSS
Title
sched/rt: Fix race in push_rt_task
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/rt: Fix race in push_rt_task
Overview
========
When a CPU chooses to call push_rt_task and picks a task to push to
another CPU's runqueue then it will call find_lock_lowest_rq method
which would take a double lock on both CPUs' runqueues. If one of the
locks aren't readily available, it may lead to dropping the current
runqueue lock and reacquiring both the locks at once. During this window
it is possible that the task is already migrated and is running on some
other CPU. These cases are already handled. However, if the task is
migrated and has already been executed and another CPU is now trying to
wake it up (ttwu) such that it is queued again on the runqeue
(on_rq is 1) and also if the task was run by the same CPU, then the
current checks will pass even though the task was migrated out and is no
longer in the pushable tasks list.
Crashes
=======
This bug resulted in quite a few flavors of crashes triggering kernel
panics with various crash signatures such as assert failures, page
faults, null pointer dereferences, and queue corruption errors all
coming from scheduler itself.
Some of the crashes:
-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? pick_next_task_rt+0x6e/0x1d0
? do_error_trap+0x64/0xa0
? pick_next_task_rt+0x6e/0x1d0
? exc_invalid_op+0x4c/0x60
? pick_next_task_rt+0x6e/0x1d0
? asm_exc_invalid_op+0x12/0x20
? pick_next_task_rt+0x6e/0x1d0
__schedule+0x5cb/0x790
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: kernel NULL pointer dereference, address: 00000000000000c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? __warn+0x8a/0xe0
? exc_page_fault+0x3d6/0x520
? asm_exc_page_fault+0x1e/0x30
? pick_next_task_rt+0xb5/0x1d0
? pick_next_task_rt+0x8c/0x1d0
__schedule+0x583/0x7e0
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: unable to handle page fault for address: ffff9464daea5900
kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))
-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? dequeue_top_rt_rq+0xa2/0xb0
? do_error_trap+0x64/0xa0
? dequeue_top_rt_rq+0xa2/0xb0
? exc_invalid_op+0x4c/0x60
? dequeue_top_rt_rq+0xa2/0xb0
? asm_exc_invalid_op+0x12/0x20
? dequeue_top_rt_rq+0xa2/0xb0
dequeue_rt_entity+0x1f/0x70
dequeue_task_rt+0x2d/0x70
__schedule+0x1a8/0x7e0
? blk_finish_plug+0x25/0x40
schedule+0x3c/0xb0
futex_wait_queue_me+0xb6/0x120
futex_wait+0xd9/0x240
do_futex+0x344/0xa90
? get_mm_exe_file+0x30/0x60
? audit_exe_compare+0x58/0x70
? audit_filter_rules.constprop.26+0x65e/0x1220
__x64_sys_futex+0x148/0x1f0
do_syscall_64+0x30/0x80
entry_SYSCALL_64_after_hwframe+0x62/0xc7
-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? spurious_kernel_fault+0x171/0x1c0
? exc_page_fault+0x3b6/0x520
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? asm_exc_page_fault+0x1e/0x30
? _cond_resched+0x15/0x30
? futex_wait_queue_me+0xc8/0x120
? futex_wait+0xd9/0x240
? try_to_wake_up+0x1b8/0x490
? futex_wake+0x78/0x160
? do_futex+0xcd/0xa90
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? plist_del+0x6a/0xd0
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? dequeue_pushable_task+0x20/0x70
? __schedule+0x382/0x7e0
? asm_sysvec_reschedule_i
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e8fa136262e1121288bb93befe2295928ffd240d , < 9f6022b2573ae068793810db719e131df3ded405
(git)
Affected: e8fa136262e1121288bb93befe2295928ffd240d , < debfbc047196df1f6bfd52f2d028c21dce67f0de (git) Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 07ecabfbca64f4f0b6071cf96e49d162fa9d138d (git) Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 690e47d1403e90b7f2366f03b52ed3304194c793 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/rt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f6022b2573ae068793810db719e131df3ded405",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "debfbc047196df1f6bfd52f2d028c21dce67f0de",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "07ecabfbca64f4f0b6071cf96e49d162fa9d138d",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "690e47d1403e90b7f2366f03b52ed3304194c793",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/rt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/rt: Fix race in push_rt_task\n\nOverview\n========\nWhen a CPU chooses to call push_rt_task and picks a task to push to\nanother CPU\u0027s runqueue then it will call find_lock_lowest_rq method\nwhich would take a double lock on both CPUs\u0027 runqueues. If one of the\nlocks aren\u0027t readily available, it may lead to dropping the current\nrunqueue lock and reacquiring both the locks at once. During this window\nit is possible that the task is already migrated and is running on some\nother CPU. These cases are already handled. However, if the task is\nmigrated and has already been executed and another CPU is now trying to\nwake it up (ttwu) such that it is queued again on the runqeue\n(on_rq is 1) and also if the task was run by the same CPU, then the\ncurrent checks will pass even though the task was migrated out and is no\nlonger in the pushable tasks list.\n\nCrashes\n=======\nThis bug resulted in quite a few flavors of crashes triggering kernel\npanics with various crash signatures such as assert failures, page\nfaults, null pointer dereferences, and queue corruption errors all\ncoming from scheduler itself.\n\nSome of the crashes:\n-\u003e kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx \u003e= MAX_RT_PRIO)\n Call Trace:\n ? __die_body+0x1a/0x60\n ? die+0x2a/0x50\n ? do_trap+0x85/0x100\n ? pick_next_task_rt+0x6e/0x1d0\n ? do_error_trap+0x64/0xa0\n ? pick_next_task_rt+0x6e/0x1d0\n ? exc_invalid_op+0x4c/0x60\n ? pick_next_task_rt+0x6e/0x1d0\n ? asm_exc_invalid_op+0x12/0x20\n ? pick_next_task_rt+0x6e/0x1d0\n __schedule+0x5cb/0x790\n ? update_ts_time_stats+0x55/0x70\n schedule_idle+0x1e/0x40\n do_idle+0x15e/0x200\n cpu_startup_entry+0x19/0x20\n start_secondary+0x117/0x160\n secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: kernel NULL pointer dereference, address: 00000000000000c0\n Call Trace:\n ? __die_body+0x1a/0x60\n ? no_context+0x183/0x350\n ? __warn+0x8a/0xe0\n ? exc_page_fault+0x3d6/0x520\n ? asm_exc_page_fault+0x1e/0x30\n ? pick_next_task_rt+0xb5/0x1d0\n ? pick_next_task_rt+0x8c/0x1d0\n __schedule+0x583/0x7e0\n ? update_ts_time_stats+0x55/0x70\n schedule_idle+0x1e/0x40\n do_idle+0x15e/0x200\n cpu_startup_entry+0x19/0x20\n start_secondary+0x117/0x160\n secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: unable to handle page fault for address: ffff9464daea5900\n kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq-\u003ecpu != task_cpu(p))\n\n-\u003e kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq-\u003enr_running)\n Call Trace:\n ? __die_body+0x1a/0x60\n ? die+0x2a/0x50\n ? do_trap+0x85/0x100\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? do_error_trap+0x64/0xa0\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? exc_invalid_op+0x4c/0x60\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? asm_exc_invalid_op+0x12/0x20\n ? dequeue_top_rt_rq+0xa2/0xb0\n dequeue_rt_entity+0x1f/0x70\n dequeue_task_rt+0x2d/0x70\n __schedule+0x1a8/0x7e0\n ? blk_finish_plug+0x25/0x40\n schedule+0x3c/0xb0\n futex_wait_queue_me+0xb6/0x120\n futex_wait+0xd9/0x240\n do_futex+0x344/0xa90\n ? get_mm_exe_file+0x30/0x60\n ? audit_exe_compare+0x58/0x70\n ? audit_filter_rules.constprop.26+0x65e/0x1220\n __x64_sys_futex+0x148/0x1f0\n do_syscall_64+0x30/0x80\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\n\n-\u003e BUG: unable to handle page fault for address: ffff8cf3608bc2c0\n Call Trace:\n ? __die_body+0x1a/0x60\n ? no_context+0x183/0x350\n ? spurious_kernel_fault+0x171/0x1c0\n ? exc_page_fault+0x3b6/0x520\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? asm_exc_page_fault+0x1e/0x30\n ? _cond_resched+0x15/0x30\n ? futex_wait_queue_me+0xc8/0x120\n ? futex_wait+0xd9/0x240\n ? try_to_wake_up+0x1b8/0x490\n ? futex_wake+0x78/0x160\n ? do_futex+0xcd/0xa90\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? plist_del+0x6a/0xd0\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? dequeue_pushable_task+0x20/0x70\n ? __schedule+0x382/0x7e0\n ? asm_sysvec_reschedule_i\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:23:49.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f6022b2573ae068793810db719e131df3ded405"
},
{
"url": "https://git.kernel.org/stable/c/debfbc047196df1f6bfd52f2d028c21dce67f0de"
},
{
"url": "https://git.kernel.org/stable/c/07ecabfbca64f4f0b6071cf96e49d162fa9d138d"
},
{
"url": "https://git.kernel.org/stable/c/690e47d1403e90b7f2366f03b52ed3304194c793"
}
],
"title": "sched/rt: Fix race in push_rt_task",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38234",
"datePublished": "2025-07-04T13:37:46.960Z",
"dateReserved": "2025-04-16T04:51:23.996Z",
"dateUpdated": "2026-05-11T21:23:49.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68803 (GCVE-0-2025-68803)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
NFSD: NFSv4 file creation neglects setting ACL
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: NFSv4 file creation neglects setting ACL
An NFSv4 client that sets an ACL with a named principal during file
creation retrieves the ACL afterwards, and finds that it is only a
default ACL (based on the mode bits) and not the ACL that was
requested during file creation. This violates RFC 8881 section
6.4.1.3: "the ACL attribute is set as given".
The issue occurs in nfsd_create_setattr(), which calls
nfsd_attrs_valid() to determine whether to call nfsd_setattr().
However, nfsd_attrs_valid() checks only for iattr changes and
security labels, but not POSIX ACLs. When only an ACL is present,
the function returns false, nfsd_setattr() is skipped, and the
POSIX ACL is never applied to the inode.
Subsequently, when the client retrieves the ACL, the server finds
no POSIX ACL on the inode and returns one generated from the file's
mode bits rather than returning the originally-specified ACL.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c5409ce523af40d5c3019717bc5b4f72038d48be , < c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d
(git)
Affected: d52acd23a327cada5fb597591267cfc09f08bb1d , < 75f91534f9acdfef77f8fa094313b7806f801725 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 60dbdef2ebc2317266a385e4debdb1bb0e57afe1 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 381261f24f4e4b41521c0e5ef5cc0b9a786a9862 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < bf4e671c651534a307ab2fabba4926116beef8c3 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 214b396480061cbc8b16f2c518b2add7fbfa5192 (git) Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 913f7cf77bf14c13cfea70e89bcb6d0b22239562 (git) Affected: 5.10.220 , < 5.10.248 (semver) Affected: 5.15.154 , < 5.15.198 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d",
"status": "affected",
"version": "c5409ce523af40d5c3019717bc5b4f72038d48be",
"versionType": "git"
},
{
"lessThan": "75f91534f9acdfef77f8fa094313b7806f801725",
"status": "affected",
"version": "d52acd23a327cada5fb597591267cfc09f08bb1d",
"versionType": "git"
},
{
"lessThan": "60dbdef2ebc2317266a385e4debdb1bb0e57afe1",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "381261f24f4e4b41521c0e5ef5cc0b9a786a9862",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "bf4e671c651534a307ab2fabba4926116beef8c3",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "214b396480061cbc8b16f2c518b2add7fbfa5192",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "913f7cf77bf14c13cfea70e89bcb6d0b22239562",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.220",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.154",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: NFSv4 file creation neglects setting ACL\n\nAn NFSv4 client that sets an ACL with a named principal during file\ncreation retrieves the ACL afterwards, and finds that it is only a\ndefault ACL (based on the mode bits) and not the ACL that was\nrequested during file creation. This violates RFC 8881 section\n6.4.1.3: \"the ACL attribute is set as given\".\n\nThe issue occurs in nfsd_create_setattr(), which calls\nnfsd_attrs_valid() to determine whether to call nfsd_setattr().\nHowever, nfsd_attrs_valid() checks only for iattr changes and\nsecurity labels, but not POSIX ACLs. When only an ACL is present,\nthe function returns false, nfsd_setattr() is skipped, and the\nPOSIX ACL is never applied to the inode.\n\nSubsequently, when the client retrieves the ACL, the server finds\nno POSIX ACL on the inode and returns one generated from the file\u0027s\nmode bits rather than returning the originally-specified ACL."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:53.125Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d"
},
{
"url": "https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725"
},
{
"url": "https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1"
},
{
"url": "https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862"
},
{
"url": "https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3"
},
{
"url": "https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192"
},
{
"url": "https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562"
}
],
"title": "NFSD: NFSv4 file creation neglects setting ACL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68803",
"datePublished": "2026-01-13T15:29:11.732Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-05-23T16:02:53.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43078 (GCVE-0-2026-43078)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-05-11 22:17
VLAI?
EPSS
Title
crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
When page reassignment was added to af_alg_pull_tsgl the original
loop wasn't updated so it may try to reassign one more page than
necessary.
Add the check to the reassignment so that this does not happen.
Also update the comment which still refers to the obsolete offset
argument.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e870456d8e7c8d57c059ea479b5aadbb55ff4c3a , < fa48d3ea9cdbfb28c1fd6756c6c5cd01351aa51e
(git)
Affected: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a , < 2b781d1d4f933990318bcc5c68fb75a717379e42 (git) Affected: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a , < f7826bc0b39928a4a22f6b815dd9940b22a63503 (git) Affected: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a , < 710a4ce5d7afd9fe082c75dec282ab4a11c0fe71 (git) Affected: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a , < c8369a6d62f5abde9cbd4b62c45bf4b996be2468 (git) Affected: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a , < dea5fcf085f977b6c2de1b2d4ec4767b6c840d1f (git) Affected: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a , < 9532501e0f1b200ea80baa0e33e0b06da10bb271 (git) Affected: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a , < 31d00156e50ecad37f2cb6cbf04aaa9a260505ef (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa48d3ea9cdbfb28c1fd6756c6c5cd01351aa51e",
"status": "affected",
"version": "e870456d8e7c8d57c059ea479b5aadbb55ff4c3a",
"versionType": "git"
},
{
"lessThan": "2b781d1d4f933990318bcc5c68fb75a717379e42",
"status": "affected",
"version": "e870456d8e7c8d57c059ea479b5aadbb55ff4c3a",
"versionType": "git"
},
{
"lessThan": "f7826bc0b39928a4a22f6b815dd9940b22a63503",
"status": "affected",
"version": "e870456d8e7c8d57c059ea479b5aadbb55ff4c3a",
"versionType": "git"
},
{
"lessThan": "710a4ce5d7afd9fe082c75dec282ab4a11c0fe71",
"status": "affected",
"version": "e870456d8e7c8d57c059ea479b5aadbb55ff4c3a",
"versionType": "git"
},
{
"lessThan": "c8369a6d62f5abde9cbd4b62c45bf4b996be2468",
"status": "affected",
"version": "e870456d8e7c8d57c059ea479b5aadbb55ff4c3a",
"versionType": "git"
},
{
"lessThan": "dea5fcf085f977b6c2de1b2d4ec4767b6c840d1f",
"status": "affected",
"version": "e870456d8e7c8d57c059ea479b5aadbb55ff4c3a",
"versionType": "git"
},
{
"lessThan": "9532501e0f1b200ea80baa0e33e0b06da10bb271",
"status": "affected",
"version": "e870456d8e7c8d57c059ea479b5aadbb55ff4c3a",
"versionType": "git"
},
{
"lessThan": "31d00156e50ecad37f2cb6cbf04aaa9a260505ef",
"status": "affected",
"version": "e870456d8e7c8d57c059ea479b5aadbb55ff4c3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl\n\nWhen page reassignment was added to af_alg_pull_tsgl the original\nloop wasn\u0027t updated so it may try to reassign one more page than\nnecessary.\n\nAdd the check to the reassignment so that this does not happen.\n\nAlso update the comment which still refers to the obsolete offset\nargument."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:17:17.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa48d3ea9cdbfb28c1fd6756c6c5cd01351aa51e"
},
{
"url": "https://git.kernel.org/stable/c/2b781d1d4f933990318bcc5c68fb75a717379e42"
},
{
"url": "https://git.kernel.org/stable/c/f7826bc0b39928a4a22f6b815dd9940b22a63503"
},
{
"url": "https://git.kernel.org/stable/c/710a4ce5d7afd9fe082c75dec282ab4a11c0fe71"
},
{
"url": "https://git.kernel.org/stable/c/c8369a6d62f5abde9cbd4b62c45bf4b996be2468"
},
{
"url": "https://git.kernel.org/stable/c/dea5fcf085f977b6c2de1b2d4ec4767b6c840d1f"
},
{
"url": "https://git.kernel.org/stable/c/9532501e0f1b200ea80baa0e33e0b06da10bb271"
},
{
"url": "https://git.kernel.org/stable/c/31d00156e50ecad37f2cb6cbf04aaa9a260505ef"
}
],
"title": "crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43078",
"datePublished": "2026-05-06T07:40:15.092Z",
"dateReserved": "2026-05-01T14:12:55.983Z",
"dateUpdated": "2026-05-11T22:17:17.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50004 (GCVE-0-2024-50004)
Vulnerability from cvelistv5 – Published: 2024-10-21 18:53 – Updated: 2026-05-11 20:43
VLAI?
EPSS
Title
drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35
[WHY & HOW]
Mismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to cause
grey screen and system hang. Remove EnhancedPrefetchScheduleAccelerationFinal value override
to match HW spec.
(cherry picked from commit 9dad21f910fcea2bdcff4af46159101d7f9cd8ba)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7966f319c66d9468623c6a6a017ecbc0dd79be75 , < 945dc25eda88b5d6e30c9686dc619ab981c22d0e
(git)
Affected: 7966f319c66d9468623c6a6a017ecbc0dd79be75 , < 4010efc8516899981cc3b57be2d4a2d5d9e50228 (git) Affected: 7966f319c66d9468623c6a6a017ecbc0dd79be75 , < 0d5e5e8a0aa49ea2163abf128da3b509a6c58286 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50004",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:29:33.584285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:40.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "945dc25eda88b5d6e30c9686dc619ab981c22d0e",
"status": "affected",
"version": "7966f319c66d9468623c6a6a017ecbc0dd79be75",
"versionType": "git"
},
{
"lessThan": "4010efc8516899981cc3b57be2d4a2d5d9e50228",
"status": "affected",
"version": "7966f319c66d9468623c6a6a017ecbc0dd79be75",
"versionType": "git"
},
{
"lessThan": "0d5e5e8a0aa49ea2163abf128da3b509a6c58286",
"status": "affected",
"version": "7966f319c66d9468623c6a6a017ecbc0dd79be75",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35\n\n[WHY \u0026 HOW]\nMismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to cause\ngrey screen and system hang. Remove EnhancedPrefetchScheduleAccelerationFinal value override\nto match HW spec.\n\n(cherry picked from commit 9dad21f910fcea2bdcff4af46159101d7f9cd8ba)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:43:40.977Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/945dc25eda88b5d6e30c9686dc619ab981c22d0e"
},
{
"url": "https://git.kernel.org/stable/c/4010efc8516899981cc3b57be2d4a2d5d9e50228"
},
{
"url": "https://git.kernel.org/stable/c/0d5e5e8a0aa49ea2163abf128da3b509a6c58286"
}
],
"title": "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50004",
"datePublished": "2024-10-21T18:53:58.609Z",
"dateReserved": "2024-10-21T12:17:06.059Z",
"dateUpdated": "2026-05-11T20:43:40.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71148 (GCVE-0-2025-71148)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-05-11 21:55
VLAI?
EPSS
Title
net/handshake: restore destructor on submit failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/handshake: restore destructor on submit failure
handshake_req_submit() replaces sk->sk_destruct but never restores it when
submission fails before the request is hashed. handshake_sk_destruct() then
returns early and the original destructor never runs, leaking the socket.
Restore sk_destruct on the error path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3b3009ea8abb713b022d94fba95ec270cf6e7eae , < cd8cf2be3717137554744233fda051ffc09d1d44
(git)
Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 7b82a1d6ae869533d8bdb0282a3a78faed8e63dd (git) Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < b225325be7b247c7268e65eea6090db1fc786d1f (git) Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 6af2a01d65f89e73c1cbb9267f8880d83a88cee4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd8cf2be3717137554744233fda051ffc09d1d44",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "7b82a1d6ae869533d8bdb0282a3a78faed8e63dd",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "b225325be7b247c7268e65eea6090db1fc786d1f",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "6af2a01d65f89e73c1cbb9267f8880d83a88cee4",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: restore destructor on submit failure\n\nhandshake_req_submit() replaces sk-\u003esk_destruct but never restores it when\nsubmission fails before the request is hashed. handshake_sk_destruct() then\nreturns early and the original destructor never runs, leaking the socket.\nRestore sk_destruct on the error path."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:54.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd8cf2be3717137554744233fda051ffc09d1d44"
},
{
"url": "https://git.kernel.org/stable/c/7b82a1d6ae869533d8bdb0282a3a78faed8e63dd"
},
{
"url": "https://git.kernel.org/stable/c/b225325be7b247c7268e65eea6090db1fc786d1f"
},
{
"url": "https://git.kernel.org/stable/c/6af2a01d65f89e73c1cbb9267f8880d83a88cee4"
}
],
"title": "net/handshake: restore destructor on submit failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71148",
"datePublished": "2026-01-23T14:15:14.963Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-05-11T21:55:54.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71069 (GCVE-0-2025-71069)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
f2fs: invalidate dentry cache on failed whiteout creation
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: invalidate dentry cache on failed whiteout creation
F2FS can mount filesystems with corrupted directory depth values that
get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
operations are performed on such directories, f2fs_rename performs
directory modifications (updating target entry and deleting source
entry) before attempting to add the whiteout entry via f2fs_add_link.
If f2fs_add_link fails due to the corrupted directory structure, the
function returns an error to VFS, but the partial directory
modifications have already been committed to disk. VFS assumes the
entire rename operation failed and does not update the dentry cache,
leaving stale mappings.
In the error path, VFS does not call d_move() to update the dentry
cache. This results in new_dentry still pointing to the old inode
(new_inode) which has already had its i_nlink decremented to zero.
The stale cache causes subsequent operations to incorrectly reference
the freed inode.
This causes subsequent operations to use cached dentry information that
no longer matches the on-disk state. When a second rename targets the
same entry, VFS attempts to decrement i_nlink on the stale inode, which
may already have i_nlink=0, triggering a WARNING in drop_nlink().
Example sequence:
1. First rename (RENAME_WHITEOUT): file2 → file1
- f2fs updates file1 entry on disk (points to inode 8)
- f2fs deletes file2 entry on disk
- f2fs_add_link(whiteout) fails (corrupted directory)
- Returns error to VFS
- VFS does not call d_move() due to error
- VFS cache still has: file1 → inode 7 (stale!)
- inode 7 has i_nlink=0 (already decremented)
2. Second rename: file3 → file1
- VFS uses stale cache: file1 → inode 7
- Tries to drop_nlink on inode 7 (i_nlink already 0)
- WARNING in drop_nlink()
Fix this by explicitly invalidating old_dentry and new_dentry when
f2fs_add_link fails during whiteout creation. This forces VFS to
refresh from disk on subsequent operations, ensuring cache consistency
even when the rename partially succeeds.
Reproducer:
1. Mount F2FS image with corrupted i_current_depth
2. renameat2(file2, file1, RENAME_WHITEOUT)
3. renameat2(file3, file1, 0)
4. System triggers WARNING in drop_nlink()
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 7f2bae0c881aa1e0a6318756df692cc13df2cc83
(git)
Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 3d95ed8cf980fdfa67a3ab9491357521ae576168 (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < c89845fae250efdd59c1d4ec60e9e1c652cee4b6 (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 0dde30753c1e8648665dbe069d814e540ce2fd37 (git) Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < d33f89b34aa313f50f9a512d58dd288999f246b0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f2bae0c881aa1e0a6318756df692cc13df2cc83",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "3d95ed8cf980fdfa67a3ab9491357521ae576168",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "c89845fae250efdd59c1d4ec60e9e1c652cee4b6",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "0dde30753c1e8648665dbe069d814e540ce2fd37",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "d33f89b34aa313f50f9a512d58dd288999f246b0",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: invalidate dentry cache on failed whiteout creation\n\nF2FS can mount filesystems with corrupted directory depth values that\nget runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT\noperations are performed on such directories, f2fs_rename performs\ndirectory modifications (updating target entry and deleting source\nentry) before attempting to add the whiteout entry via f2fs_add_link.\n\nIf f2fs_add_link fails due to the corrupted directory structure, the\nfunction returns an error to VFS, but the partial directory\nmodifications have already been committed to disk. VFS assumes the\nentire rename operation failed and does not update the dentry cache,\nleaving stale mappings.\n\nIn the error path, VFS does not call d_move() to update the dentry\ncache. This results in new_dentry still pointing to the old inode\n(new_inode) which has already had its i_nlink decremented to zero.\nThe stale cache causes subsequent operations to incorrectly reference\nthe freed inode.\n\nThis causes subsequent operations to use cached dentry information that\nno longer matches the on-disk state. When a second rename targets the\nsame entry, VFS attempts to decrement i_nlink on the stale inode, which\nmay already have i_nlink=0, triggering a WARNING in drop_nlink().\n\nExample sequence:\n1. First rename (RENAME_WHITEOUT): file2 \u2192 file1\n - f2fs updates file1 entry on disk (points to inode 8)\n - f2fs deletes file2 entry on disk\n - f2fs_add_link(whiteout) fails (corrupted directory)\n - Returns error to VFS\n - VFS does not call d_move() due to error\n - VFS cache still has: file1 \u2192 inode 7 (stale!)\n - inode 7 has i_nlink=0 (already decremented)\n\n2. Second rename: file3 \u2192 file1\n - VFS uses stale cache: file1 \u2192 inode 7\n - Tries to drop_nlink on inode 7 (i_nlink already 0)\n - WARNING in drop_nlink()\n\nFix this by explicitly invalidating old_dentry and new_dentry when\nf2fs_add_link fails during whiteout creation. This forces VFS to\nrefresh from disk on subsequent operations, ensuring cache consistency\neven when the rename partially succeeds.\n\nReproducer:\n1. Mount F2FS image with corrupted i_current_depth\n2. renameat2(file2, file1, RENAME_WHITEOUT)\n3. renameat2(file3, file1, 0)\n4. System triggers WARNING in drop_nlink()"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:08.205Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83"
},
{
"url": "https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168"
},
{
"url": "https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb"
},
{
"url": "https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5"
},
{
"url": "https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6"
},
{
"url": "https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37"
},
{
"url": "https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0"
}
],
"title": "f2fs: invalidate dentry cache on failed whiteout creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71069",
"datePublished": "2026-01-13T15:31:23.948Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-05-11T21:54:08.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47335 (GCVE-0-2026-47335)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:28 – Updated: 2026-05-28 19:23
VLAI?
EPSS
Title
NULL pointer dereference in Ubuntu Linux AppArmor notification handling
Summary
Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL pointer dereference
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
|
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:21:08.045629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:23:36.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL pointer dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:28:49.870Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=406571d530ccdbae6119fe64ce9cf5c74160f20b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NULL pointer dereference in Ubuntu Linux AppArmor notification handling"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47335",
"datePublished": "2026-05-28T18:28:49.870Z",
"dateReserved": "2026-05-19T10:37:36.434Z",
"dateUpdated": "2026-05-28T19:23:36.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23205 (GCVE-0-2026-23205)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
smb/client: fix memory leak in smb2_open_file()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix memory leak in smb2_open_file()
Reproducer:
1. server: directories are exported read-only
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
4. client: umount /mnt
5. client: sleep 1
6. client: modprobe -r cifs
The error message is as follows:
=============================================================================
BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000d47521be @offset=14336
...
WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577
...
Call Trace:
<TASK>
kmem_cache_destroy+0x94/0x190
cifs_destroy_request_bufs+0x3e/0x50 [cifs]
cleanup_module+0x4e/0x540 [cifs]
__se_sys_delete_module+0x278/0x400
__x64_sys_delete_module+0x5f/0x70
x64_sys_call+0x2299/0x2ff0
do_syscall_64+0x89/0x350
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]
WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
17e53a15e64b65623b8f2b1185d27d7b1cbf69ab , < 743f70406264348c0830f38409eb6c40a42fb2db
(git)
Affected: 18066188eb90cc0c798f3370a8078a79ddb73f70 , < 3a6d6b332f92990958602c1e35ce0173e2dd62e9 (git) Affected: 6ebb9d54eccc8026b386e76eff69364d33373da5 , < b64e3b5d8d759dd4333992e4ba4dadf9359952c8 (git) Affected: e255612b5ed9f179abe8196df7c2ba09dd227900 , < 9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5 (git) Affected: e255612b5ed9f179abe8196df7c2ba09dd227900 , < e3a43633023e3cacaca60d4b8972d084a2b06236 (git) Affected: bcd15f06c7e8904116cfb06526bcc189b86aff85 (git) Affected: 6.1.141 , < 6.1.163 (semver) Affected: 6.6.93 , < 6.6.124 (semver) Affected: 6.12.31 , < 6.12.70 (semver) Affected: 6.14.9 , < 6.15 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "743f70406264348c0830f38409eb6c40a42fb2db",
"status": "affected",
"version": "17e53a15e64b65623b8f2b1185d27d7b1cbf69ab",
"versionType": "git"
},
{
"lessThan": "3a6d6b332f92990958602c1e35ce0173e2dd62e9",
"status": "affected",
"version": "18066188eb90cc0c798f3370a8078a79ddb73f70",
"versionType": "git"
},
{
"lessThan": "b64e3b5d8d759dd4333992e4ba4dadf9359952c8",
"status": "affected",
"version": "6ebb9d54eccc8026b386e76eff69364d33373da5",
"versionType": "git"
},
{
"lessThan": "9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5",
"status": "affected",
"version": "e255612b5ed9f179abe8196df7c2ba09dd227900",
"versionType": "git"
},
{
"lessThan": "e3a43633023e3cacaca60d4b8972d084a2b06236",
"status": "affected",
"version": "e255612b5ed9f179abe8196df7c2ba09dd227900",
"versionType": "git"
},
{
"status": "affected",
"version": "bcd15f06c7e8904116cfb06526bcc189b86aff85",
"versionType": "git"
},
{
"lessThan": "6.1.163",
"status": "affected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThan": "6.12.70",
"status": "affected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThan": "6.15",
"status": "affected",
"version": "6.14.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix memory leak in smb2_open_file()\n\nReproducer:\n\n 1. server: directories are exported read-only\n 2. client: mount -t cifs //${server_ip}/export /mnt\n 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct\n 4. client: umount /mnt\n 5. client: sleep 1\n 6. client: modprobe -r cifs\n\nThe error message is as follows:\n\n =============================================================================\n BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()\n -----------------------------------------------------------------------------\n\n Object 0x00000000d47521be @offset=14336\n ...\n WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577\n ...\n Call Trace:\n \u003cTASK\u003e\n kmem_cache_destroy+0x94/0x190\n cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n cleanup_module+0x4e/0x540 [cifs]\n __se_sys_delete_module+0x278/0x400\n __x64_sys_delete_module+0x5f/0x70\n x64_sys_call+0x2299/0x2ff0\n do_syscall_64+0x89/0x350\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:10.175Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/743f70406264348c0830f38409eb6c40a42fb2db"
},
{
"url": "https://git.kernel.org/stable/c/3a6d6b332f92990958602c1e35ce0173e2dd62e9"
},
{
"url": "https://git.kernel.org/stable/c/b64e3b5d8d759dd4333992e4ba4dadf9359952c8"
},
{
"url": "https://git.kernel.org/stable/c/9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5"
},
{
"url": "https://git.kernel.org/stable/c/e3a43633023e3cacaca60d4b8972d084a2b06236"
}
],
"title": "smb/client: fix memory leak in smb2_open_file()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23205",
"datePublished": "2026-02-14T16:27:28.409Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-05-23T16:04:10.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47330 (GCVE-0-2026-47330)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:27 – Updated: 2026-05-28 19:24
VLAI?
EPSS
Title
Use of uninitialized value in Ubuntu Linux AppArmor notification handling
Summary
Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.
Severity ?
CWE
- CWE-457 - Use of uninitialized variable
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:19:48.305274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:24:45.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457 Use of uninitialized variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:27:58.545Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=9b2c6eded493fa50e7c8cd3618d7ebe1358abaab"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Use of uninitialized value in Ubuntu Linux AppArmor notification handling"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47330",
"datePublished": "2026-05-28T18:27:58.545Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-28T19:24:45.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68796 (GCVE-0-2025-68796)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
f2fs: fix to avoid updating zero-sized extent in extent cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid updating zero-sized extent in extent cache
As syzbot reported:
F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
------------[ cut here ]------------
kernel BUG at fs/f2fs/extent_cache.c:678!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
Call Trace:
<TASK>
f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
vfs_fallocate+0x669/0x7e0 fs/open.c:342
ioctl_preallocate fs/ioctl.c:289 [inline]
file_ioctl+0x611/0x780 fs/ioctl.c:-1
do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
__do_sys_ioctl fs/ioctl.c:595 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07bc58eec9
In error path of f2fs_zero_range(), it may add a zero-sized extent
into extent cache, it should be avoided.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6e9619499f53b22ead972e476c0e8341c997d929 , < 9c07bd262c13ca922adad6e7613d48505f97f548
(git)
Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 72c58a82e6fb7b327e8701f5786c70c3edc56188 (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < e50b81c50fcbe63f50405bb40f262162ff32af88 (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < efe3371001f50a2d6f746b50bdc6f9f26b2089ec (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 4f244c64efe628d277b916f47071adf480eb8646 (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < bac23833220a1f8fe8dfab7e16efa20ff64d7589 (git) Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 7c37c79510329cd951a4dedf3f7bf7e2b18dccec (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c07bd262c13ca922adad6e7613d48505f97f548",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "72c58a82e6fb7b327e8701f5786c70c3edc56188",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "e50b81c50fcbe63f50405bb40f262162ff32af88",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "efe3371001f50a2d6f746b50bdc6f9f26b2089ec",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "4f244c64efe628d277b916f47071adf480eb8646",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "bac23833220a1f8fe8dfab7e16efa20ff64d7589",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "7c37c79510329cd951a4dedf3f7bf7e2b18dccec",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating zero-sized extent in extent cache\n\nAs syzbot reported:\n\nF2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/extent_cache.c:678!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678\nCall Trace:\n \u003cTASK\u003e\n f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085\n f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]\n f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737\n f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030\n vfs_fallocate+0x669/0x7e0 fs/open.c:342\n ioctl_preallocate fs/ioctl.c:289 [inline]\n file_ioctl+0x611/0x780 fs/ioctl.c:-1\n do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576\n __do_sys_ioctl fs/ioctl.c:595 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f07bc58eec9\n\nIn error path of f2fs_zero_range(), it may add a zero-sized extent\ninto extent cache, it should be avoided."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:30.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548"
},
{
"url": "https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188"
},
{
"url": "https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88"
},
{
"url": "https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec"
},
{
"url": "https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646"
},
{
"url": "https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589"
},
{
"url": "https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec"
}
],
"title": "f2fs: fix to avoid updating zero-sized extent in extent cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68796",
"datePublished": "2026-01-13T15:29:06.892Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-05-11T21:53:30.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43284 (GCVE-0-2026-43284)
Vulnerability from cvelistv5 – Published: 2026-05-08 07:21 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
xfrm: esp: avoid in-place decrypt on shared skb frags
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
Severity ?
8.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < a6cb440f274a22456ef3e86b457344f1678f38f9
(git)
Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < ab8b995323e5237041472d07e5055f5f7dcdf15b (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < fe785bb3a8096dffcc4048a85cd0c83337eeecad (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 5d55c7336f8032d434adcc5fab987ccc93a44aec (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 8253aab4659ca16116b522203c2a6b18dccacea7 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 50ed1e7873100f77abad20fd31c51029bc49cd03 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < b54edf1e9a3fd3491bdcb82a21f8d21315271e0d (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 71a1d9d985d26716f74d21f18ee8cac821b06e97 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 52646cbd00e765a6db9c3afe9535f26218276034 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-26T17:32:27.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/08/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/13/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/4"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-43284-detection-script-dirty-frag-linux-kernel-local-privilege-escalation"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-43284-mitigation-script-dirty-frag-linux-kernel-local-privilege-escalation"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43284",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:46.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s xfrm-ESP and RxRPC subsystems. Unsafe in-place cryptographic processing of shared socket buffer fragments allows a low-privileged local attacker to corrupt page-cache contents of readable files, including sensitive system files, and gain root privileges. The xfrm-ESP variant requires unprivileged user or network namespace creation, while the RxRPC variant depends on the rxrpc module being available on the target system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:24.067Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43284"
},
{
"name": "RHBZ#2467771",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467771"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43284.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17795"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16180"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21695"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16176"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16171"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16160"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16161"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16157"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16155"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16314"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16062"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19074"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16202"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16328"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16100"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16312"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16206"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19225"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16195"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19574"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16201"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16204"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19564"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16061"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19572"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19575"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19573"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19577"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18025"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16196"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16203"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16254"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:17795: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:16180: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:21695: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:16176: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:16171: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:16160: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:16161: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:16157: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:16155: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:16314: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16062: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19074: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:16202: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16328: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:16100: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:16312: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16206: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19225: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:16195: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:19574: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:16201: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:16204: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19564: Red Hat Enterprise Linux BaseOS E4S (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16061: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:19572: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:19575: Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19573: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:19577: Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:18025: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16196: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:16203: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16254: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T15:56:04.044Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: \"Dirty Frag\" ESP XFRM variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6cb440f274a22456ef3e86b457344f1678f38f9",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "ab8b995323e5237041472d07e5055f5f7dcdf15b",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "fe785bb3a8096dffcc4048a85cd0c83337eeecad",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "5d55c7336f8032d434adcc5fab987ccc93a44aec",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "8253aab4659ca16116b522203c2a6b18dccacea7",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "50ed1e7873100f77abad20fd31c51029bc49cd03",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "b54edf1e9a3fd3491bdcb82a21f8d21315271e0d",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "71a1d9d985d26716f74d21f18ee8cac821b06e97",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "52646cbd00e765a6db9c3afe9535f26218276034",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.206",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.255",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.205",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.206",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.171",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.172",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.138",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.87",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.28",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.5",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb-\u003edata_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:56.673Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9"
},
{
"url": "https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b"
},
{
"url": "https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad"
},
{
"url": "https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec"
},
{
"url": "https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7"
},
{
"url": "https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03"
},
{
"url": "https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d"
},
{
"url": "https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97"
},
{
"url": "https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034"
},
{
"url": "https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4"
}
],
"title": "xfrm: esp: avoid in-place decrypt on shared skb frags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43284",
"datePublished": "2026-05-08T07:21:47.524Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-07-02T12:05:24.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68362 (GCVE-0-2025-68362)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.
If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.
Add length checks for both rtl8187 and rtl8187b descriptor headers
before attempting to access them, dropping the packet cleanly if the
check fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 118e12bf3e4288cf845cd3759bd9d4c99f91aab5
(git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 6a96bd0d94305fd04a6ac64446ec113bae289384 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < e2f3ea15e804607e0a4a34a2f6c331c8750b68bc (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < dc153401fb26c1640a2b279c47b65e1c416af276 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 4758770a673c60d8f615809304d72e1432fa6355 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 638d4148e166d114a4cd7becaae992ce1a815ed8 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < b647d2574e4583c2e3b0ab35568f60c88e910840 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "118e12bf3e4288cf845cd3759bd9d4c99f91aab5",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "6a96bd0d94305fd04a6ac64446ec113bae289384",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "e2f3ea15e804607e0a4a34a2f6c331c8750b68bc",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "dc153401fb26c1640a2b279c47b65e1c416af276",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "4758770a673c60d8f615809304d72e1432fa6355",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "638d4148e166d114a4cd7becaae992ce1a815ed8",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "b647d2574e4583c2e3b0ab35568f60c88e910840",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()\n\nThe rtl8187_rx_cb() calculates the rx descriptor header address\nby subtracting its size from the skb tail pointer.\nHowever, it does not validate if the received packet\n(skb-\u003elen from urb-\u003eactual_length) is large enough to contain this\nheader.\n\nIf a truncated packet is received, this will lead to a buffer\nunderflow, reading memory before the start of the skb data area,\nand causing a kernel panic.\n\nAdd length checks for both rtl8187 and rtl8187b descriptor headers\nbefore attempting to access them, dropping the packet cleanly if the\ncheck fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:44.272Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/118e12bf3e4288cf845cd3759bd9d4c99f91aab5"
},
{
"url": "https://git.kernel.org/stable/c/6a96bd0d94305fd04a6ac64446ec113bae289384"
},
{
"url": "https://git.kernel.org/stable/c/e2f3ea15e804607e0a4a34a2f6c331c8750b68bc"
},
{
"url": "https://git.kernel.org/stable/c/dc153401fb26c1640a2b279c47b65e1c416af276"
},
{
"url": "https://git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355"
},
{
"url": "https://git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8"
},
{
"url": "https://git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15"
},
{
"url": "https://git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840"
}
],
"title": "wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68362",
"datePublished": "2025-12-24T10:32:50.492Z",
"dateReserved": "2025-12-16T14:48:05.307Z",
"dateUpdated": "2026-05-11T21:51:44.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68809 (GCVE-0-2025-68809)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
ksmbd: vfs: fix race on m_flags in vfs_cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: vfs: fix race on m_flags in vfs_cache
ksmbd maintains delete-on-close and pending-delete state in
ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under
inconsistent locking: some paths read and modify m_flags under
ci->m_lock while others do so without taking the lock at all.
Examples:
- ksmbd_query_inode_status() and __ksmbd_inode_close() use
ci->m_lock when checking or updating m_flags.
- ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()
used to read and modify m_flags without ci->m_lock.
This creates a potential data race on m_flags when multiple threads
open, close and delete the same file concurrently. In the worst case
delete-on-close and pending-delete bits can be lost or observed in an
inconsistent state, leading to confusing delete semantics (files that
stay on disk after delete-on-close, or files that disappear while still
in use).
Fix it by:
- Making ksmbd_query_inode_status() look at m_flags under ci->m_lock
after dropping inode_hash_lock.
- Adding ci->m_lock protection to all helpers that read or modify
m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).
- Keeping the existing ci->m_lock protection in __ksmbd_inode_close(),
and moving the actual unlink/xattr removal outside the lock.
This unifies the locking around m_flags and removes the data race while
preserving the existing delete-on-close behaviour.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f44158485826c076335d6860d35872271a83791d , < 5adad9727a815c26013b0d41cfee92ffa7d4037c
(git)
Affected: f44158485826c076335d6860d35872271a83791d , < ccc78781041589ea383e61d5d7a1e9a31b210b93 (git) Affected: f44158485826c076335d6860d35872271a83791d , < ee63729760f5b61a66f345c54dc4c7514e62383d (git) Affected: f44158485826c076335d6860d35872271a83791d , < 991f8a79db99b14c48d20d2052c82d65b9186cad (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5adad9727a815c26013b0d41cfee92ffa7d4037c",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "ccc78781041589ea383e61d5d7a1e9a31b210b93",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "ee63729760f5b61a66f345c54dc4c7514e62383d",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "991f8a79db99b14c48d20d2052c82d65b9186cad",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: vfs: fix race on m_flags in vfs_cache\n\nksmbd maintains delete-on-close and pending-delete state in\nksmbd_inode-\u003em_flags. In vfs_cache.c this field is accessed under\ninconsistent locking: some paths read and modify m_flags under\nci-\u003em_lock while others do so without taking the lock at all.\n\nExamples:\n\n - ksmbd_query_inode_status() and __ksmbd_inode_close() use\n ci-\u003em_lock when checking or updating m_flags.\n - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()\n used to read and modify m_flags without ci-\u003em_lock.\n\nThis creates a potential data race on m_flags when multiple threads\nopen, close and delete the same file concurrently. In the worst case\ndelete-on-close and pending-delete bits can be lost or observed in an\ninconsistent state, leading to confusing delete semantics (files that\nstay on disk after delete-on-close, or files that disappear while still\nin use).\n\nFix it by:\n\n - Making ksmbd_query_inode_status() look at m_flags under ci-\u003em_lock\n after dropping inode_hash_lock.\n - Adding ci-\u003em_lock protection to all helpers that read or modify\n m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).\n - Keeping the existing ci-\u003em_lock protection in __ksmbd_inode_close(),\n and moving the actual unlink/xattr removal outside the lock.\n\nThis unifies the locking around m_flags and removes the data race while\npreserving the existing delete-on-close behaviour."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:45.694Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c"
},
{
"url": "https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93"
},
{
"url": "https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d"
},
{
"url": "https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad"
}
],
"title": "ksmbd: vfs: fix race on m_flags in vfs_cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68809",
"datePublished": "2026-01-13T15:29:15.817Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-05-11T21:53:45.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23105 (GCVE-0-2026-23105)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-16 20:19
VLAI?
EPSS
Title
net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
This is more of a preventive patch to make the code more consistent and
to prevent possible exploits that employ child qlen manipulations on qfq.
use cl_is_active instead of relying on the child qdisc's qlen to determine
class activation.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
462dbc9101acd38e92eda93c0726857517a24bbd , < fac2c67bb2bb732eae4283e45fc338af7e08c254
(git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < b8c24cf5268fb3bfb8d16324c3dbb985f698c835 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < f27047abf7cac1b6f90c3ad60de21ef9f717c26d (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 93b8635974fb050c43d07e35e5edfe6e685ca28a (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < abd9fc26ea577561a5ef6241a1b058755ffdad0c (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 77f1afd0bb4d5da95236f6114e6d0dfcde187ff6 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < d837fbee92453fbb829f950c8e7cf76207d73f33 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:18:58.725662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:19:09.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fac2c67bb2bb732eae4283e45fc338af7e08c254",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "b8c24cf5268fb3bfb8d16324c3dbb985f698c835",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "f27047abf7cac1b6f90c3ad60de21ef9f717c26d",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "93b8635974fb050c43d07e35e5edfe6e685ca28a",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "abd9fc26ea577561a5ef6241a1b058755ffdad0c",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "77f1afd0bb4d5da95236f6114e6d0dfcde187ff6",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "d837fbee92453fbb829f950c8e7cf76207d73f33",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag\n\nThis is more of a preventive patch to make the code more consistent and\nto prevent possible exploits that employ child qlen manipulations on qfq.\nuse cl_is_active instead of relying on the child qdisc\u0027s qlen to determine\nclass activation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:13.122Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fac2c67bb2bb732eae4283e45fc338af7e08c254"
},
{
"url": "https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835"
},
{
"url": "https://git.kernel.org/stable/c/f27047abf7cac1b6f90c3ad60de21ef9f717c26d"
},
{
"url": "https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a"
},
{
"url": "https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c"
},
{
"url": "https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6"
},
{
"url": "https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33"
}
],
"title": "net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23105",
"datePublished": "2026-02-04T16:08:26.376Z",
"dateReserved": "2026-01-13T15:37:45.966Z",
"dateUpdated": "2026-06-16T20:19:09.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68763 (GCVE-0-2025-68763)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
crypto: starfive - Correctly handle return of sg_nents_for_len
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: starfive - Correctly handle return of sg_nents_for_len
The return value of sg_nents_for_len was assigned to an unsigned long
in starfive_hash_digest, causing negative error codes to be converted
to large positive integers.
Add error checking for sg_nents_for_len and return immediately on
failure to prevent potential buffer overflows.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 6cd14414394b4f3d6e1ed64b8241d1fcc2271820
(git)
Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 0c3854d65cc4402cb8c52d4d773450a06efecab6 (git) Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 1af5c973dd744e29fa22121f43e8646b7a7a71a7 (git) Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 9b3f71cf02e04cfaa482155e3078707fe7f8aef4 (git) Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < e9eb52037a529fbb307c290e9951a62dd728b03d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/starfive/jh7110-hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cd14414394b4f3d6e1ed64b8241d1fcc2271820",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "0c3854d65cc4402cb8c52d4d773450a06efecab6",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "1af5c973dd744e29fa22121f43e8646b7a7a71a7",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "9b3f71cf02e04cfaa482155e3078707fe7f8aef4",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "e9eb52037a529fbb307c290e9951a62dd728b03d",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/starfive/jh7110-hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: starfive - Correctly handle return of sg_nents_for_len\n\nThe return value of sg_nents_for_len was assigned to an unsigned long\nin starfive_hash_digest, causing negative error codes to be converted\nto large positive integers.\n\nAdd error checking for sg_nents_for_len and return immediately on\nfailure to prevent potential buffer overflows."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:52.779Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cd14414394b4f3d6e1ed64b8241d1fcc2271820"
},
{
"url": "https://git.kernel.org/stable/c/0c3854d65cc4402cb8c52d4d773450a06efecab6"
},
{
"url": "https://git.kernel.org/stable/c/1af5c973dd744e29fa22121f43e8646b7a7a71a7"
},
{
"url": "https://git.kernel.org/stable/c/9b3f71cf02e04cfaa482155e3078707fe7f8aef4"
},
{
"url": "https://git.kernel.org/stable/c/e9eb52037a529fbb307c290e9951a62dd728b03d"
}
],
"title": "crypto: starfive - Correctly handle return of sg_nents_for_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68763",
"datePublished": "2026-01-05T09:32:35.678Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-05-11T21:52:52.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71071 (GCVE-0-2025-71071)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
iommu/mediatek: fix use-after-free on probe deferral
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: fix use-after-free on probe deferral
The driver is dropping the references taken to the larb devices during
probe after successful lookup as well as on errors. This can
potentially lead to a use-after-free in case a larb device has not yet
been bound to its driver so that the iommu driver probe defers.
Fix this by keeping the references as expected while the iommu driver is
bound.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8412e5dd24ffc8bc21a00bfaa0b80d4596cdc9da , < 896ec55da3b90bdb9fc04fedc17ad8c359b2eee5
(git)
Affected: 26593928564cf5b576ff05d3cbd958f57c9534bb , < 5c04217d06a1161aaf36267e9d971ab6f847d5a7 (git) Affected: 26593928564cf5b576ff05d3cbd958f57c9534bb , < 1ef70a0b104ae8011811f60bcfaa55ff49385171 (git) Affected: 26593928564cf5b576ff05d3cbd958f57c9534bb , < f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a (git) Affected: 26593928564cf5b576ff05d3cbd958f57c9534bb , < de83d4617f9fe059623e97acf7e1e10d209625b5 (git) Affected: 51080de72e26771f0ed9d44982974279ccbc92b8 (git) Affected: 6.1.2 , < 6.1.160 (semver) Affected: 6.0.16 , < 6.1 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "896ec55da3b90bdb9fc04fedc17ad8c359b2eee5",
"status": "affected",
"version": "8412e5dd24ffc8bc21a00bfaa0b80d4596cdc9da",
"versionType": "git"
},
{
"lessThan": "5c04217d06a1161aaf36267e9d971ab6f847d5a7",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "1ef70a0b104ae8011811f60bcfaa55ff49385171",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "de83d4617f9fe059623e97acf7e1e10d209625b5",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"status": "affected",
"version": "51080de72e26771f0ed9d44982974279ccbc92b8",
"versionType": "git"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThan": "6.1",
"status": "affected",
"version": "6.0.16",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: fix use-after-free on probe deferral\n\nThe driver is dropping the references taken to the larb devices during\nprobe after successful lookup as well as on errors. This can\npotentially lead to a use-after-free in case a larb device has not yet\nbeen bound to its driver so that the iommu driver probe defers.\n\nFix this by keeping the references as expected while the iommu driver is\nbound."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:04.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5"
},
{
"url": "https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7"
},
{
"url": "https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171"
},
{
"url": "https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a"
},
{
"url": "https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5"
}
],
"title": "iommu/mediatek: fix use-after-free on probe deferral",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71071",
"datePublished": "2026-01-13T15:31:25.400Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-05-23T16:03:04.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23085 (GCVE-0-2026-23085)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
irqchip/gic-v3-its: Avoid truncating memory addresses
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3-its: Avoid truncating memory addresses
On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem
allocations to be backed by addresses physical memory above the 32-bit
address limit, as found while experimenting with larger VMSPLIT
configurations.
This caused the qemu virt model to crash in the GICv3 driver, which
allocates the 'itt' object using GFP_KERNEL. Since all memory below
the 4GB physical address limit is in ZONE_DMA in this configuration,
kmalloc() defaults to higher addresses for ZONE_NORMAL, and the
ITS driver stores the physical address in a 32-bit 'unsigned long'
variable.
Change the itt_addr variable to the correct phys_addr_t type instead,
along with all other variables in this driver that hold a physical
address.
The gicv5 driver correctly uses u64 variables, while all other irqchip
drivers don't call virt_to_phys or similar interfaces. It's expected that
other device drivers have similar issues, but fixing this one is
sufficient for booting a virtio based guest.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < e332b3b69e5b3acf07204a4b185071bab15c2b88
(git)
Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < e2f9c751f73a2d5bb62d94ab030aec118a811f27 (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 85215d633983233809f7d4dad163b953331b8238 (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 1b323391560354d8c515de8658b057a1daa82adb (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 084ba3b99f2dfd991ce7e84fb17117319ec3cd9f (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98 (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 8d76a7d89c12d08382b66e2f21f20d0627d14859 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:42.445145Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:04.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e332b3b69e5b3acf07204a4b185071bab15c2b88",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "e2f9c751f73a2d5bb62d94ab030aec118a811f27",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "85215d633983233809f7d4dad163b953331b8238",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "1b323391560354d8c515de8658b057a1daa82adb",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "084ba3b99f2dfd991ce7e84fb17117319ec3cd9f",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "8d76a7d89c12d08382b66e2f21f20d0627d14859",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Avoid truncating memory addresses\n\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\nallocations to be backed by addresses physical memory above the 32-bit\naddress limit, as found while experimenting with larger VMSPLIT\nconfigurations.\n\nThis caused the qemu virt model to crash in the GICv3 driver, which\nallocates the \u0027itt\u0027 object using GFP_KERNEL. Since all memory below\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\nITS driver stores the physical address in a 32-bit \u0027unsigned long\u0027\nvariable.\n\nChange the itt_addr variable to the correct phys_addr_t type instead,\nalong with all other variables in this driver that hold a physical\naddress.\n\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\ndrivers don\u0027t call virt_to_phys or similar interfaces. It\u0027s expected that\nother device drivers have similar issues, but fixing this one is\nsufficient for booting a virtio based guest."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:42.618Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88"
},
{
"url": "https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27"
},
{
"url": "https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238"
},
{
"url": "https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb"
},
{
"url": "https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f"
},
{
"url": "https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98"
},
{
"url": "https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859"
}
],
"title": "irqchip/gic-v3-its: Avoid truncating memory addresses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23085",
"datePublished": "2026-02-04T16:08:09.368Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-06-11T18:44:04.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40039 (GCVE-0-2025-40039)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-27 09:28
VLAI?
EPSS
Title
ksmbd: Fix race condition in RPC handle list access
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Fix race condition in RPC handle list access
The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd
session. Access to this list is intended to be protected by
'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was
flawed, leading to potential race conditions.
In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock
before calling xa_store() and xa_erase(). Since these operations modify
the XArray structure, a write lock is required to ensure exclusive access
and prevent data corruption from concurrent modifications.
Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load()
without holding any lock at all. This could lead to reading inconsistent
data or a potential use-after-free if an entry is concurrently removed and
the pointer is dereferenced.
Fix these issues by:
1. Using down_write() and up_write() in ksmbd_session_rpc_open()
to ensure exclusive access during XArray modification, and ensuring
the lock is correctly released on error paths.
2. Adding down_read() and up_read() in ksmbd_session_rpc_method()
to safely protect the lookup.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a4348710a7267705b75692dc1a000920481d1d92 , < 69674b029002b1d90b655f014bdf64f404efa54d
(git)
Affected: b685757c7b08d5073046fb379be965fd6c06aafc , < 6b615a8fb3af0baf8126cde3d4fee97d57222ffc (git) Affected: b685757c7b08d5073046fb379be965fd6c06aafc , < 5cc679ba0f4505936124cd4179ba66bb0a4bd9f3 (git) Affected: b685757c7b08d5073046fb379be965fd6c06aafc , < 6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1 (git) Affected: b685757c7b08d5073046fb379be965fd6c06aafc , < 305853cce379407090a73b38c5de5ba748893aee (git) Affected: 1f485b54d04a920723984062c912174330a05178 (git) Affected: 052b41ef2abe274f068e892aee81406f11bd1f3a (git) Affected: 5.15.145 , < 5.16 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69674b029002b1d90b655f014bdf64f404efa54d",
"status": "affected",
"version": "a4348710a7267705b75692dc1a000920481d1d92",
"versionType": "git"
},
{
"lessThan": "6b615a8fb3af0baf8126cde3d4fee97d57222ffc",
"status": "affected",
"version": "b685757c7b08d5073046fb379be965fd6c06aafc",
"versionType": "git"
},
{
"lessThan": "5cc679ba0f4505936124cd4179ba66bb0a4bd9f3",
"status": "affected",
"version": "b685757c7b08d5073046fb379be965fd6c06aafc",
"versionType": "git"
},
{
"lessThan": "6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1",
"status": "affected",
"version": "b685757c7b08d5073046fb379be965fd6c06aafc",
"versionType": "git"
},
{
"lessThan": "305853cce379407090a73b38c5de5ba748893aee",
"status": "affected",
"version": "b685757c7b08d5073046fb379be965fd6c06aafc",
"versionType": "git"
},
{
"status": "affected",
"version": "1f485b54d04a920723984062c912174330a05178",
"versionType": "git"
},
{
"status": "affected",
"version": "052b41ef2abe274f068e892aee81406f11bd1f3a",
"versionType": "git"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.145",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.145",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix race condition in RPC handle list access\n\nThe \u0027sess-\u003erpc_handle_list\u0027 XArray manages RPC handles within a ksmbd\nsession. Access to this list is intended to be protected by\n\u0027sess-\u003erpc_lock\u0027 (an rw_semaphore). However, the locking implementation was\nflawed, leading to potential race conditions.\n\nIn ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock\nbefore calling xa_store() and xa_erase(). Since these operations modify\nthe XArray structure, a write lock is required to ensure exclusive access\nand prevent data corruption from concurrent modifications.\n\nFurthermore, ksmbd_session_rpc_method() accessed the list using xa_load()\nwithout holding any lock at all. This could lead to reading inconsistent\ndata or a potential use-after-free if an entry is concurrently removed and\nthe pointer is dereferenced.\n\nFix these issues by:\n1. Using down_write() and up_write() in ksmbd_session_rpc_open()\n to ensure exclusive access during XArray modification, and ensuring\n the lock is correctly released on error paths.\n2. Adding down_read() and up_read() in ksmbd_session_rpc_method()\n to safely protect the lookup."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T09:28:11.187Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69674b029002b1d90b655f014bdf64f404efa54d"
},
{
"url": "https://git.kernel.org/stable/c/6b615a8fb3af0baf8126cde3d4fee97d57222ffc"
},
{
"url": "https://git.kernel.org/stable/c/5cc679ba0f4505936124cd4179ba66bb0a4bd9f3"
},
{
"url": "https://git.kernel.org/stable/c/6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1"
},
{
"url": "https://git.kernel.org/stable/c/305853cce379407090a73b38c5de5ba748893aee"
}
],
"title": "ksmbd: Fix race condition in RPC handle list access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40039",
"datePublished": "2025-10-28T11:48:19.781Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2026-05-27T09:28:11.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47331 (GCVE-0-2026-47331)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:28 – Updated: 2026-05-29 03:55
VLAI?
EPSS
Title
Use-after-free in Ubuntu Linux AppArmor notification handling
Summary
Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
|
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T03:55:53.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:28:08.987Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=5e5cd4759b63363373faf1ce15d1cab3606d6ec8"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Use-after-free in Ubuntu Linux AppArmor notification handling"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47331",
"datePublished": "2026-05-28T18:28:08.987Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-29T03:55:53.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71081 (GCVE-0-2025-71081)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
ASoC: stm32: sai: fix OF node leak on probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: stm32: sai: fix OF node leak on probe
The reference taken to the sync provider OF node when probing the
platform device is currently only dropped if the set_sync() callback
fails during DAI probe.
Make sure to drop the reference on platform probe failures (e.g. probe
deferral) and on driver unbind.
This also avoids a potential use-after-free in case the DAI is ever
reprobed without first rebinding the platform driver.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5914d285f6b782892a91d6621723fdc41a775b15 , < 7daa50a2157e41c964b745ab1dc378b5b3b626d1
(git)
Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < acda653169e180b1d860dbb6bc5aceb105858394 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 4054a3597d047f3fe87864ef87f399b5d523e6c0 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < bae74771fc5d3b2a9cf6f5aa64596083d032c4a3 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 3752afcc6d80d5525e236e329895ba2cb93bcb26 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 23261f0de09427367e99f39f588e31e2856a690e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/stm/stm32_sai.c",
"sound/soc/stm/stm32_sai_sub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7daa50a2157e41c964b745ab1dc378b5b3b626d1",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "acda653169e180b1d860dbb6bc5aceb105858394",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "4054a3597d047f3fe87864ef87f399b5d523e6c0",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "bae74771fc5d3b2a9cf6f5aa64596083d032c4a3",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "3752afcc6d80d5525e236e329895ba2cb93bcb26",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "23261f0de09427367e99f39f588e31e2856a690e",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/stm/stm32_sai.c",
"sound/soc/stm/stm32_sai_sub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: stm32: sai: fix OF node leak on probe\n\nThe reference taken to the sync provider OF node when probing the\nplatform device is currently only dropped if the set_sync() callback\nfails during DAI probe.\n\nMake sure to drop the reference on platform probe failures (e.g. probe\ndeferral) and on driver unbind.\n\nThis also avoids a potential use-after-free in case the DAI is ever\nreprobed without first rebinding the platform driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:22.607Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1"
},
{
"url": "https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394"
},
{
"url": "https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0"
},
{
"url": "https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3"
},
{
"url": "https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26"
},
{
"url": "https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e"
}
],
"title": "ASoC: stm32: sai: fix OF node leak on probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71081",
"datePublished": "2026-01-13T15:34:45.503Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-05-11T21:54:22.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68765 (GCVE-0-2025-68765)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the
subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function
returns an error without freeing sskb, leading to a memory leak.
Fix this by calling dev_kfree_skb() on sskb in the error handling path
to ensure it is properly released.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
99c457d902cf90bdc0df5d57e6156ec108711068 , < d6c91fc732698642f70c688324c98551b97b412c
(git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 594ff8bb69e239678a8baa461827ce4bb90eff8f (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 1c3c234af9407256ed670c8752923a672eea4225 (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 278bfed4529a0c9c9119f5a52ddafe69db61a75c (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < fb905e69941b44e03fe1a24e95328d45442b6d6d (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49 (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 53d1548612670aa8b5d89745116cc33d9d172863 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6c91fc732698642f70c688324c98551b97b412c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "594ff8bb69e239678a8baa461827ce4bb90eff8f",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "1c3c234af9407256ed670c8752923a672eea4225",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "278bfed4529a0c9c9119f5a52ddafe69db61a75c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "fb905e69941b44e03fe1a24e95328d45442b6d6d",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "53d1548612670aa8b5d89745116cc33d9d172863",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()\n\nIn mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the\nsubsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function\nreturns an error without freeing sskb, leading to a memory leak.\n\nFix this by calling dev_kfree_skb() on sskb in the error handling path\nto ensure it is properly released."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:55.118Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6c91fc732698642f70c688324c98551b97b412c"
},
{
"url": "https://git.kernel.org/stable/c/594ff8bb69e239678a8baa461827ce4bb90eff8f"
},
{
"url": "https://git.kernel.org/stable/c/1c3c234af9407256ed670c8752923a672eea4225"
},
{
"url": "https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c"
},
{
"url": "https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d"
},
{
"url": "https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49"
},
{
"url": "https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863"
}
],
"title": "mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68765",
"datePublished": "2026-01-05T09:44:13.242Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-05-11T21:52:55.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23172 (GCVE-0-2026-23172)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
net: wwan: t7xx: fix potential skb->frags overflow in RX path
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: t7xx: fix potential skb->frags overflow in RX path
When receiving data in the DPMAIF RX path,
the t7xx_dpmaif_set_frag_to_skb() function adds
page fragments to an skb without checking if the number of
fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
potentially causing kernel crashes or other undefined behavior.
This issue was identified through static code analysis by comparing with a
similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
fix array overflow on receiving too many fragments for a packet").
The vulnerability could be triggered if the modem firmware sends packets
with excessive fragments. While under normal protocol conditions (MTU 3080
bytes, BAT buffer 3584 bytes),
a single packet should not require additional
fragments, the kernel should not blindly trust firmware behavior.
Malicious, buggy, or compromised firmware could potentially craft packets
with more fragments than the kernel expects.
Fix this by adding a bounds check before calling skb_add_rx_frag() to
ensure nr_frags does not exceed MAX_SKB_FRAGS.
The check must be performed before unmapping to avoid a page leak
and double DMA unmap during device teardown.
Severity ?
8.4 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d642b012df70a76dd5723f2d426b40bffe83ac49 , < f9747a7521a48afded5bff2faf1f2dcfff48c577
(git)
Affected: d642b012df70a76dd5723f2d426b40bffe83ac49 , < 2a0522f564acd34442652ea083091c329fa7c5d5 (git) Affected: d642b012df70a76dd5723f2d426b40bffe83ac49 , < af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276 (git) Affected: d642b012df70a76dd5723f2d426b40bffe83ac49 , < 2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba (git) Affected: d642b012df70a76dd5723f2d426b40bffe83ac49 , < f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9747a7521a48afded5bff2faf1f2dcfff48c577",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
},
{
"lessThan": "2a0522f564acd34442652ea083091c329fa7c5d5",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
},
{
"lessThan": "af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
},
{
"lessThan": "2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
},
{
"lessThan": "f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: fix potential skb-\u003efrags overflow in RX path\n\nWhen receiving data in the DPMAIF RX path,\nthe t7xx_dpmaif_set_frag_to_skb() function adds\npage fragments to an skb without checking if the number of\nfragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow\nin skb_shinfo(skb)-\u003efrags[] array, corrupting adjacent memory and\npotentially causing kernel crashes or other undefined behavior.\n\nThis issue was identified through static code analysis by comparing with a\nsimilar vulnerability fixed in the mt76 driver commit b102f0c522cf (\"mt76:\nfix array overflow on receiving too many fragments for a packet\").\n\nThe vulnerability could be triggered if the modem firmware sends packets\nwith excessive fragments. While under normal protocol conditions (MTU 3080\nbytes, BAT buffer 3584 bytes),\na single packet should not require additional\nfragments, the kernel should not blindly trust firmware behavior.\nMalicious, buggy, or compromised firmware could potentially craft packets\nwith more fragments than the kernel expects.\n\nFix this by adding a bounds check before calling skb_add_rx_frag() to\nensure nr_frags does not exceed MAX_SKB_FRAGS.\n\nThe check must be performed before unmapping to avoid a page leak\nand double DMA unmap during device teardown."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:43.036Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9747a7521a48afded5bff2faf1f2dcfff48c577"
},
{
"url": "https://git.kernel.org/stable/c/2a0522f564acd34442652ea083091c329fa7c5d5"
},
{
"url": "https://git.kernel.org/stable/c/af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276"
},
{
"url": "https://git.kernel.org/stable/c/2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba"
},
{
"url": "https://git.kernel.org/stable/c/f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6"
}
],
"title": "net: wwan: t7xx: fix potential skb-\u003efrags overflow in RX path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23172",
"datePublished": "2026-02-14T16:01:34.165Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-05-11T22:01:43.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71088 (GCVE-0-2025-71088)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
mptcp: fallback earlier on simult connection
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fallback earlier on simult connection
Syzkaller reports a simult-connect race leading to inconsistent fallback
status:
WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Modules linked in:
CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffffc900006cf338 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf
RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900
R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197
tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922
tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672
tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918
ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438
ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500
dst_input include/net/dst.h:471 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311
__netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979
__netif_receive_skb+0x1d/0x160 net/core/dev.c:6092
process_backlog+0x442/0x15e0 net/core/dev.c:6444
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494
napi_poll net/core/dev.c:7557 [inline]
net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684
handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
run_ksoftirqd kernel/softirq.c:968 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
kthread+0x3c2/0x780 kernel/kthread.c:463
ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The TCP subflow can process the simult-connect syn-ack packet after
transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,
as the sk_state_change() callback is not invoked for * -> FIN_WAIT1
transitions.
That will move the msk socket to an inconsistent status and the next
incoming data will hit the reported splat.
Close the race moving the simult-fallback check at the earliest possible
stage - that is at syn-ack generation time.
About the fixes tags: [2] was supposed to also fix this issue introduced
by [3]. [1] is required as a dependence: it was not explicitly marked as
a fix, but it is one and it has already been backported before [3]. In
other words, this commit should be backported up to [3], including [2]
and [1] if that's not already there.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
01b7822700f2256900089e00390e119e1ad545df , < b5f46a08269265e2f5e87d855287d6d22de0a32b
(git)
Affected: 1e777f39b4d75e599a3aac8e0f67d739474f198c , < c9bf315228287653522894df9d851e9b43db9516 (git) Affected: 1e777f39b4d75e599a3aac8e0f67d739474f198c , < 79f80a7a47849ef1b3c25a0bedcc448b9cb551c1 (git) Affected: 1e777f39b4d75e599a3aac8e0f67d739474f198c , < 25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86 (git) Affected: 1e777f39b4d75e599a3aac8e0f67d739474f198c , < 71154bbe49423128c1c8577b6576de1ed6836830 (git) Affected: 6.1.110 , < 6.1.160 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5f46a08269265e2f5e87d855287d6d22de0a32b",
"status": "affected",
"version": "01b7822700f2256900089e00390e119e1ad545df",
"versionType": "git"
},
{
"lessThan": "c9bf315228287653522894df9d851e9b43db9516",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "79f80a7a47849ef1b3c25a0bedcc448b9cb551c1",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "71154bbe49423128c1c8577b6576de1ed6836830",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.110",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fallback earlier on simult connection\n\nSyzkaller reports a simult-connect race leading to inconsistent fallback\nstatus:\n\n WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n Modules linked in:\n CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 \u003c0f\u003e 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6\n RSP: 0018:ffffc900006cf338 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf\n RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005\n RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007\n R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900\n R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004\n FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0\n Call Trace:\n \u003cTASK\u003e\n tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197\n tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922\n tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672\n tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918\n ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500\n dst_input include/net/dst.h:471 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n NF_HOOK include/linux/netfilter.h:318 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979\n __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092\n process_backlog+0x442/0x15e0 net/core/dev.c:6444\n __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494\n napi_poll net/core/dev.c:7557 [inline]\n net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684\n handle_softirqs+0x216/0x8e0 kernel/softirq.c:579\n run_ksoftirqd kernel/softirq.c:968 [inline]\n run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960\n smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160\n kthread+0x3c2/0x780 kernel/kthread.c:463\n ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nThe TCP subflow can process the simult-connect syn-ack packet after\ntransitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,\nas the sk_state_change() callback is not invoked for * -\u003e FIN_WAIT1\ntransitions.\n\nThat will move the msk socket to an inconsistent status and the next\nincoming data will hit the reported splat.\n\nClose the race moving the simult-fallback check at the earliest possible\nstage - that is at syn-ack generation time.\n\nAbout the fixes tags: [2] was supposed to also fix this issue introduced\nby [3]. [1] is required as a dependence: it was not explicitly marked as\na fix, but it is one and it has already been backported before [3]. In\nother words, this commit should be backported up to [3], including [2]\nand [1] if that\u0027s not already there."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:09.928Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b"
},
{
"url": "https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516"
},
{
"url": "https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1"
},
{
"url": "https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86"
},
{
"url": "https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830"
}
],
"title": "mptcp: fallback earlier on simult connection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71088",
"datePublished": "2026-01-13T15:34:50.377Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-05-23T16:03:09.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71153 (GCVE-0-2025-71153)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
ksmbd: Fix memory leak in get_file_all_info()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Fix memory leak in get_file_all_info()
In get_file_all_info(), if vfs_getattr() fails, the function returns
immediately without freeing the allocated filename, leading to a memory
leak.
Fix this by freeing the filename before returning in this error case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c8f7ad2df083c510e640c0bf76166593cc116ff2 , < 5012b4c812230ae066902a00442708c999111183
(git)
Affected: 5614c8c487f6af627614dd2efca038e4afe0c6d7 , < 676907004256e0226c7ed3691db9f431404ca258 (git) Affected: 5614c8c487f6af627614dd2efca038e4afe0c6d7 , < d026f47db68638521df8543535ef863814fb01b1 (git) Affected: 5614c8c487f6af627614dd2efca038e4afe0c6d7 , < 0c56693b06a68476ba113db6347e7897475f9e4c (git) Affected: f9278ba4967027ad2bf001694f0e489c7bbae6d5 (git) Affected: 88779f09295d82b86601fe42595748488bf5e20c (git) Affected: 6.6.24 , < 6.6.120 (semver) Affected: 6.7.12 , < 6.8 (semver) Affected: 6.8.3 , < 6.9 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5012b4c812230ae066902a00442708c999111183",
"status": "affected",
"version": "c8f7ad2df083c510e640c0bf76166593cc116ff2",
"versionType": "git"
},
{
"lessThan": "676907004256e0226c7ed3691db9f431404ca258",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"lessThan": "d026f47db68638521df8543535ef863814fb01b1",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"lessThan": "0c56693b06a68476ba113db6347e7897475f9e4c",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"status": "affected",
"version": "f9278ba4967027ad2bf001694f0e489c7bbae6d5",
"versionType": "git"
},
{
"status": "affected",
"version": "88779f09295d82b86601fe42595748488bf5e20c",
"versionType": "git"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThan": "6.8",
"status": "affected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThan": "6.9",
"status": "affected",
"version": "6.8.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix memory leak in get_file_all_info()\n\nIn get_file_all_info(), if vfs_getattr() fails, the function returns\nimmediately without freeing the allocated filename, leading to a memory\nleak.\n\nFix this by freeing the filename before returning in this error case."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:27.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183"
},
{
"url": "https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258"
},
{
"url": "https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1"
},
{
"url": "https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c"
}
],
"title": "ksmbd: Fix memory leak in get_file_all_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71153",
"datePublished": "2026-01-23T14:25:52.988Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-05-23T16:03:27.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23164 (GCVE-0-2026-23164)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
rocker: fix memory leak in rocker_world_port_post_fini()
Summary
In the Linux kernel, the following vulnerability has been resolved:
rocker: fix memory leak in rocker_world_port_post_fini()
In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
rocker_world_port_post_fini(), the memory is only freed when
wops->port_post_fini callback is set:
if (!wops->port_post_fini)
return;
wops->port_post_fini(rocker_port);
kfree(rocker_port->wpriv);
Since rocker_ofdpa_ops does not implement port_post_fini callback
(it is NULL), the wpriv memory allocated for each port is never freed
when ports are removed. This leads to a memory leak of
sizeof(struct ofdpa_port) bytes per port on every device removal.
Fix this by always calling kfree(rocker_port->wpriv) regardless of
whether the port_post_fini callback exists.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e420114eef4a3a5025a243b89b0dc343101e3d3c , < 2a3a64d75d2d0727da285749476761ebcad557a3
(git)
Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < b11e6f926480ab0939fec44781f28558c54be4e7 (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < 8ce2e85889939c02740b4245301aa5c35fc94887 (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < d448bf96889f1905e740c554780f5c9fa0440566 (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < d8723917efda3b4f4c3de78d1ec1e1af015c0be1 (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < dce375f4afc348c310d171abcde7ec1499a4c26a (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:35.705081Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:14.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rocker/rocker_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a3a64d75d2d0727da285749476761ebcad557a3",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "b11e6f926480ab0939fec44781f28558c54be4e7",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "8ce2e85889939c02740b4245301aa5c35fc94887",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "d448bf96889f1905e740c554780f5c9fa0440566",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "d8723917efda3b4f4c3de78d1ec1e1af015c0be1",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "dce375f4afc348c310d171abcde7ec1499a4c26a",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "8d7ba71e46216b8657a82ca2ec118bc93812a4d0",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rocker/rocker_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrocker: fix memory leak in rocker_world_port_post_fini()\n\nIn rocker_world_port_pre_init(), rocker_port-\u003ewpriv is allocated with\nkzalloc(wops-\u003eport_priv_size, GFP_KERNEL). However, in\nrocker_world_port_post_fini(), the memory is only freed when\nwops-\u003eport_post_fini callback is set:\n\n if (!wops-\u003eport_post_fini)\n return;\n wops-\u003eport_post_fini(rocker_port);\n kfree(rocker_port-\u003ewpriv);\n\nSince rocker_ofdpa_ops does not implement port_post_fini callback\n(it is NULL), the wpriv memory allocated for each port is never freed\nwhen ports are removed. This leads to a memory leak of\nsizeof(struct ofdpa_port) bytes per port on every device removal.\n\nFix this by always calling kfree(rocker_port-\u003ewpriv) regardless of\nwhether the port_post_fini callback exists."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:31.474Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a3a64d75d2d0727da285749476761ebcad557a3"
},
{
"url": "https://git.kernel.org/stable/c/b11e6f926480ab0939fec44781f28558c54be4e7"
},
{
"url": "https://git.kernel.org/stable/c/8ce2e85889939c02740b4245301aa5c35fc94887"
},
{
"url": "https://git.kernel.org/stable/c/d448bf96889f1905e740c554780f5c9fa0440566"
},
{
"url": "https://git.kernel.org/stable/c/d8723917efda3b4f4c3de78d1ec1e1af015c0be1"
},
{
"url": "https://git.kernel.org/stable/c/dce375f4afc348c310d171abcde7ec1499a4c26a"
},
{
"url": "https://git.kernel.org/stable/c/8d7ba71e46216b8657a82ca2ec118bc93812a4d0"
}
],
"title": "rocker: fix memory leak in rocker_world_port_post_fini()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23164",
"datePublished": "2026-02-14T16:01:28.624Z",
"dateReserved": "2026-01-13T15:37:45.980Z",
"dateUpdated": "2026-06-11T18:44:14.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71144 (GCVE-0-2025-71144)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:08 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
mptcp: ensure context reset on disconnect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure context reset on disconnect()
After the blamed commit below, if the MPC subflow is already in TCP_CLOSE
status or has fallback to TCP at mptcp_disconnect() time,
mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later
__mptcp_close_ssk() does not reset anymore the related subflow context.
Any later connection will be created with both the `request_mptcp` flag
and the msk-level fallback status off (it is unconditionally cleared at
MPTCP disconnect time), leading to a warning in subflow_data_ready():
WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
Modules linked in:
CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09
RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435
RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005
RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b
R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0
Call Trace:
<TASK>
tcp_data_ready (net/ipv4/tcp_input.c:5356)
tcp_data_queue (net/ipv4/tcp_input.c:5445)
tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)
tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
__release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))
release_sock (net/core/sock.c:3737)
mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)
inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))
__sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))
__x64_sys_sendto (net/socket.c:2247)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f883326702d
Address the issue setting an explicit `fastclosing` flag at fastclose
time, and checking such flag after mptcp_do_fastclose().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9ea05fabce31ff93a0adae8221c58bc6d7b832f3 , < 226fff52e7ed9fc8cd63327133739b3d92537ffd
(git)
Affected: 3a13454fd098ed51e733958488f8ec62859a9ed8 , < 5c7c7135468f3fc6379cde9777a2c18bfe92d82f (git) Affected: f6fb2cbc91a81178dea23d463503b4525a76825d , < 1c7c3a9314d8a7fc0e9a508606466a967c8e774a (git) Affected: ae155060247be8dcae3802a95bd1bdf93ab3215d , < f1a77dfc3b045c3dd5f6e64189b9f52b90399f07 (git) Affected: ae155060247be8dcae3802a95bd1bdf93ab3215d , < 86730ac255b0497a272704de9a1df559f5d6602e (git) Affected: c4f7b0916b95fd2226e5ab98882482b08f52e1c0 (git) Affected: 6.1.159 , < 6.1.164 (semver) Affected: 6.6.119 , < 6.6.120 (semver) Affected: 6.12.60 , < 6.12.65 (semver) Affected: 6.17.10 , < 6.18 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "226fff52e7ed9fc8cd63327133739b3d92537ffd",
"status": "affected",
"version": "9ea05fabce31ff93a0adae8221c58bc6d7b832f3",
"versionType": "git"
},
{
"lessThan": "5c7c7135468f3fc6379cde9777a2c18bfe92d82f",
"status": "affected",
"version": "3a13454fd098ed51e733958488f8ec62859a9ed8",
"versionType": "git"
},
{
"lessThan": "1c7c3a9314d8a7fc0e9a508606466a967c8e774a",
"status": "affected",
"version": "f6fb2cbc91a81178dea23d463503b4525a76825d",
"versionType": "git"
},
{
"lessThan": "f1a77dfc3b045c3dd5f6e64189b9f52b90399f07",
"status": "affected",
"version": "ae155060247be8dcae3802a95bd1bdf93ab3215d",
"versionType": "git"
},
{
"lessThan": "86730ac255b0497a272704de9a1df559f5d6602e",
"status": "affected",
"version": "ae155060247be8dcae3802a95bd1bdf93ab3215d",
"versionType": "git"
},
{
"status": "affected",
"version": "c4f7b0916b95fd2226e5ab98882482b08f52e1c0",
"versionType": "git"
},
{
"lessThan": "6.1.164",
"status": "affected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThan": "6.12.65",
"status": "affected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThan": "6.18",
"status": "affected",
"version": "6.17.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "6.12.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.5",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure context reset on disconnect()\n\nAfter the blamed commit below, if the MPC subflow is already in TCP_CLOSE\nstatus or has fallback to TCP at mptcp_disconnect() time,\nmptcp_do_fastclose() skips setting the `send_fastclose flag` and the later\n__mptcp_close_ssk() does not reset anymore the related subflow context.\n\nAny later connection will be created with both the `request_mptcp` flag\nand the msk-level fallback status off (it is unconditionally cleared at\nMPTCP disconnect time), leading to a warning in subflow_data_ready():\n\n WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n Modules linked in:\n CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)\n Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 \u003c0f\u003e 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09\n RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435\n RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005\n RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b\n R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0\n Call Trace:\n \u003cTASK\u003e\n tcp_data_ready (net/ipv4/tcp_input.c:5356)\n tcp_data_queue (net/ipv4/tcp_input.c:5445)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)\n tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)\n __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))\n release_sock (net/core/sock.c:3737)\n mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)\n inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))\n __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))\n __x64_sys_sendto (net/socket.c:2247)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n RIP: 0033:0x7f883326702d\n\nAddress the issue setting an explicit `fastclosing` flag at fastclose\ntime, and checking such flag after mptcp_do_fastclose()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:21.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/226fff52e7ed9fc8cd63327133739b3d92537ffd"
},
{
"url": "https://git.kernel.org/stable/c/5c7c7135468f3fc6379cde9777a2c18bfe92d82f"
},
{
"url": "https://git.kernel.org/stable/c/1c7c3a9314d8a7fc0e9a508606466a967c8e774a"
},
{
"url": "https://git.kernel.org/stable/c/f1a77dfc3b045c3dd5f6e64189b9f52b90399f07"
},
{
"url": "https://git.kernel.org/stable/c/86730ac255b0497a272704de9a1df559f5d6602e"
}
],
"title": "mptcp: ensure context reset on disconnect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71144",
"datePublished": "2026-01-14T15:08:56.700Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-05-23T16:03:21.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23120 (GCVE-0-2026-23120)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
l2tp: avoid one data-race in l2tp_tunnel_del_work()
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: avoid one data-race in l2tp_tunnel_del_work()
We should read sk->sk_socket only when dealing with kernel sockets.
syzbot reported the following data-race:
BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
sk_set_socket include/net/sock.h:2092 [inline]
sock_orphan include/net/sock.h:2118 [inline]
sk_common_release+0xae/0x230 net/core/sock.c:4003
udp_lib_close+0x15/0x20 include/net/udp.h:325
inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
__sock_release net/socket.c:662 [inline]
sock_close+0x6b/0x150 net/socket.c:1455
__fput+0x29b/0x650 fs/file_table.c:468
____fput+0x1c/0x30 fs/file_table.c:496
task_work_run+0x131/0x1a0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
worker_thread+0x582/0x770 kernel/workqueue.c:3421
kthread+0x489/0x510 kernel/kthread.c:463
ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
value changed: 0xffff88811b818000 -> 0x0000000000000000
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4
(git)
Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 36c40a80109f1771d59558050b1a71e13c60c759 (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < eae074dab764ea181bbed5e88626889319177498 (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 68e92085427c84e7679ddb53c0d68836d220b6e7 (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 3d6d414b214ce31659bded2f8df50c93a3769474 (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 32d417497b79efb403d75f4c185fe6fd9d64b94f (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf (git) Affected: 15df699fdc5af46a9fb15ae2d9326294852de5b5 (git) Affected: 18bdaefc715b4530b4b2fe670506bb47713664cc (git) Affected: 3.16.57 , < 3.17 (semver) Affected: 4.15.8 , < 4.16 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:40.769196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:15.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "36c40a80109f1771d59558050b1a71e13c60c759",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "eae074dab764ea181bbed5e88626889319177498",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "68e92085427c84e7679ddb53c0d68836d220b6e7",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "3d6d414b214ce31659bded2f8df50c93a3769474",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "32d417497b79efb403d75f4c185fe6fd9d64b94f",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "7a29f6bf60f2590fe5e9c4decb451e19afad2bcf",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"status": "affected",
"version": "15df699fdc5af46a9fb15ae2d9326294852de5b5",
"versionType": "git"
},
{
"status": "affected",
"version": "18bdaefc715b4530b4b2fe670506bb47713664cc",
"versionType": "git"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.57",
"versionType": "semver"
},
{
"lessThan": "4.16",
"status": "affected",
"version": "4.15.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: avoid one data-race in l2tp_tunnel_del_work()\n\nWe should read sk-\u003esk_socket only when dealing with kernel sockets.\n\nsyzbot reported the following data-race:\n\nBUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release\n\nwrite to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:\n sk_set_socket include/net/sock.h:2092 [inline]\n sock_orphan include/net/sock.h:2118 [inline]\n sk_common_release+0xae/0x230 net/core/sock.c:4003\n udp_lib_close+0x15/0x20 include/net/udp.h:325\n inet_release+0xce/0xf0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:662 [inline]\n sock_close+0x6b/0x150 net/socket.c:1455\n __fput+0x29b/0x650 fs/file_table.c:468\n ____fput+0x1c/0x30 fs/file_table.c:496\n task_work_run+0x131/0x1a0 kernel/task_work.c:233\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]\n exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:\n l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340\n worker_thread+0x582/0x770 kernel/workqueue.c:3421\n kthread+0x489/0x510 kernel/kthread.c:463\n ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nvalue changed: 0xffff88811b818000 -\u003e 0x0000000000000000"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:54.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4"
},
{
"url": "https://git.kernel.org/stable/c/36c40a80109f1771d59558050b1a71e13c60c759"
},
{
"url": "https://git.kernel.org/stable/c/eae074dab764ea181bbed5e88626889319177498"
},
{
"url": "https://git.kernel.org/stable/c/68e92085427c84e7679ddb53c0d68836d220b6e7"
},
{
"url": "https://git.kernel.org/stable/c/3d6d414b214ce31659bded2f8df50c93a3769474"
},
{
"url": "https://git.kernel.org/stable/c/32d417497b79efb403d75f4c185fe6fd9d64b94f"
},
{
"url": "https://git.kernel.org/stable/c/7a29f6bf60f2590fe5e9c4decb451e19afad2bcf"
}
],
"title": "l2tp: avoid one data-race in l2tp_tunnel_del_work()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23120",
"datePublished": "2026-02-14T15:09:51.223Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-06-11T18:44:15.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71096 (GCVE-0-2025-71096)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a
LS_NLA_TYPE_DGID attribute, it is invalid if it does not.
Use the nl parsing logic properly and call nla_parse_deprecated() to fill
the nlattrs array and then directly index that array to get the data for
the DGID. Just fail if it is NULL.
Remove the for loop searching for the nla, and squash the validation and
parsing into one function.
Fixes an uninitialized read from the stack triggered by userspace if it
does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE
query.
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
hex_byte_pack include/linux/hex.h:13 [inline]
ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
_printk+0x17e/0x1b0 kernel/printk/printk.c:2475
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
__sys_sendmsg+0x1aa/0x300 net/socket.c:2703
__compat_sys_sendmsg net/compat.c:346 [inline]
__do_compat_sys_sendmsg net/compat.c:353 [inline]
__se_compat_sys_sendmsg net/compat.c:350 [inline]
__ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 376f46c8983458ead26cac83aa897a0b78491831
(git)
Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < bfe10318fc23e0b3f1d0a18dad387d29473a624d (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 45532638de5da24c201aa2a9b3dd4b054064de7b (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 9d85524789c2f17c0e87de8d596bcccc3683a1fc (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 0b948afc1ded88b3562c893114387f34389eeb94 (git) Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < a7b8e876e0ef0232b8076972c57ce9a7286b47ca (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:32.937129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:24.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "376f46c8983458ead26cac83aa897a0b78491831",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "bfe10318fc23e0b3f1d0a18dad387d29473a624d",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "45532638de5da24c201aa2a9b3dd4b054064de7b",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "9d85524789c2f17c0e87de8d596bcccc3683a1fc",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "0b948afc1ded88b3562c893114387f34389eeb94",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "a7b8e876e0ef0232b8076972c57ce9a7286b47ca",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly\n\nThe netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a\nLS_NLA_TYPE_DGID attribute, it is invalid if it does not.\n\nUse the nl parsing logic properly and call nla_parse_deprecated() to fill\nthe nlattrs array and then directly index that array to get the data for\nthe DGID. Just fail if it is NULL.\n\nRemove the for loop searching for the nla, and squash the validation and\nparsing into one function.\n\nFixes an uninitialized read from the stack triggered by userspace if it\ndoes not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE\nquery.\n\n BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]\n BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n hex_byte_pack include/linux/hex.h:13 [inline]\n ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509\n ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633\n pointer+0xc09/0x1bd0 lib/vsprintf.c:2542\n vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930\n vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279\n vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426\n vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465\n vprintk+0x36/0x50 kernel/printk/printk_safe.c:82\n _printk+0x17e/0x1b0 kernel/printk/printk.c:2475\n ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]\n ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141\n rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x333/0x3d0 net/socket.c:729\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671\n __sys_sendmsg+0x1aa/0x300 net/socket.c:2703\n __compat_sys_sendmsg net/compat.c:346 [inline]\n __do_compat_sys_sendmsg net/compat.c:353 [inline]\n __se_compat_sys_sendmsg net/compat.c:350 [inline]\n __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350\n ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:40.178Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831"
},
{
"url": "https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d"
},
{
"url": "https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b"
},
{
"url": "https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc"
},
{
"url": "https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec"
},
{
"url": "https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94"
},
{
"url": "https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca"
}
],
"title": "RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71096",
"datePublished": "2026-01-13T15:34:56.118Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-06-11T18:44:24.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68261 (GCVE-0-2025-68261)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-06-16 16:25
VLAI?
EPSS
Title
ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
Fix a race between inline data destruction and block mapping.
The function ext4_destroy_inline_data_nolock() changes the inode data
layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.
At the same time, another thread may execute ext4_map_blocks(), which
tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()
or ext4_ind_map_blocks().
Without i_data_sem protection, ext4_ind_map_blocks() may receive inode
with EXT4_INODE_EXTENTS flag and triggering assert.
kernel BUG at fs/ext4/indirect.c:546!
EXT4-fs (loop2): unmounting filesystem.
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546
Call Trace:
<TASK>
ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681
_ext4_get_block+0x242/0x590 fs/ext4/inode.c:822
ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124
ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255
ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000
generic_perform_write+0x259/0x5d0 mm/filemap.c:3846
ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285
ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679
call_write_iter include/linux/fs.h:2271 [inline]
do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735
do_iter_write+0x186/0x710 fs/read_write.c:861
vfs_iter_write+0x70/0xa0 fs/read_write.c:902
iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
do_splice_from fs/splice.c:763 [inline]
direct_splice_actor+0x10f/0x170 fs/splice.c:950
splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896
do_splice_direct+0x1a9/0x280 fs/splice.c:1002
do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c755e251357a0cee0679081f08c3f4ba797a8009 , < b322bac9f01d03190b5abc52be5d9dd9f22a2b41
(git)
Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 61e03dc3794ebf77a706b85e5a36c9c6d70be6de (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 5b266cf6851ce72b11b067fe02adf5a8687104ad (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 144c48da33a01d92995aeccd8208eb47d2a8e659 (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 22a76b0861ae61a299c8e126c1aca8c4fda820fd (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < ba8aeff294ac7ff6dfe293663d815c54c5ee218c (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 5cad18e527ba8a9ca5463cc170073eeb5a4826f4 (git) Affected: c755e251357a0cee0679081f08c3f4ba797a8009 , < 0cd8feea8777f8d9b9a862b89c688b049a5c8475 (git) Affected: 3e96c3fdcfccb321a9e1623f78cc71b44593e965 (git) Affected: 5781ac24bbd998ebb1ff30143bb06244d847af48 (git) Affected: 9b06cce3ca4d60d442c39bfa7c058b71b1cee6c2 (git) Affected: da1e40237f8f3516581b534c484c236a79ccfd14 (git) Affected: 7cf6b709b6412afd1d93b2c4b37163c3602e3b95 (git) Affected: 3.16.44 , < 3.17 (semver) Affected: 3.18.107 , < 3.19 (semver) Affected: 4.4.129 , < 4.5 (semver) Affected: 4.9.14 , < 4.10 (semver) Affected: 4.10.2 , < 4.11 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:25:03.765473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:25:14.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b322bac9f01d03190b5abc52be5d9dd9f22a2b41",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "61e03dc3794ebf77a706b85e5a36c9c6d70be6de",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "5b266cf6851ce72b11b067fe02adf5a8687104ad",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "144c48da33a01d92995aeccd8208eb47d2a8e659",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "22a76b0861ae61a299c8e126c1aca8c4fda820fd",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "ba8aeff294ac7ff6dfe293663d815c54c5ee218c",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "5cad18e527ba8a9ca5463cc170073eeb5a4826f4",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "0cd8feea8777f8d9b9a862b89c688b049a5c8475",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"status": "affected",
"version": "3e96c3fdcfccb321a9e1623f78cc71b44593e965",
"versionType": "git"
},
{
"status": "affected",
"version": "5781ac24bbd998ebb1ff30143bb06244d847af48",
"versionType": "git"
},
{
"status": "affected",
"version": "9b06cce3ca4d60d442c39bfa7c058b71b1cee6c2",
"versionType": "git"
},
{
"status": "affected",
"version": "da1e40237f8f3516581b534c484c236a79ccfd14",
"versionType": "git"
},
{
"status": "affected",
"version": "7cf6b709b6412afd1d93b2c4b37163c3602e3b95",
"versionType": "git"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.44",
"versionType": "semver"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.107",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.129",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.14",
"versionType": "semver"
},
{
"lessThan": "4.11",
"status": "affected",
"version": "4.10.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add i_data_sem protection in ext4_destroy_inline_data_nolock()\n\nFix a race between inline data destruction and block mapping.\n\nThe function ext4_destroy_inline_data_nolock() changes the inode data\nlayout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.\nAt the same time, another thread may execute ext4_map_blocks(), which\ntests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()\nor ext4_ind_map_blocks().\n\nWithout i_data_sem protection, ext4_ind_map_blocks() may receive inode\nwith EXT4_INODE_EXTENTS flag and triggering assert.\n\nkernel BUG at fs/ext4/indirect.c:546!\nEXT4-fs (loop2): unmounting filesystem.\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546\n\nCall Trace:\n \u003cTASK\u003e\n ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681\n _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822\n ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124\n ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255\n ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000\n generic_perform_write+0x259/0x5d0 mm/filemap.c:3846\n ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285\n ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679\n call_write_iter include/linux/fs.h:2271 [inline]\n do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10f/0x170 fs/splice.c:950\n splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:30.664Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b322bac9f01d03190b5abc52be5d9dd9f22a2b41"
},
{
"url": "https://git.kernel.org/stable/c/61e03dc3794ebf77a706b85e5a36c9c6d70be6de"
},
{
"url": "https://git.kernel.org/stable/c/5b266cf6851ce72b11b067fe02adf5a8687104ad"
},
{
"url": "https://git.kernel.org/stable/c/144c48da33a01d92995aeccd8208eb47d2a8e659"
},
{
"url": "https://git.kernel.org/stable/c/22a76b0861ae61a299c8e126c1aca8c4fda820fd"
},
{
"url": "https://git.kernel.org/stable/c/ba8aeff294ac7ff6dfe293663d815c54c5ee218c"
},
{
"url": "https://git.kernel.org/stable/c/5cad18e527ba8a9ca5463cc170073eeb5a4826f4"
},
{
"url": "https://git.kernel.org/stable/c/0cd8feea8777f8d9b9a862b89c688b049a5c8475"
}
],
"title": "ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68261",
"datePublished": "2025-12-16T14:45:03.252Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-06-16T16:25:14.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23069 (GCVE-0-2026-23069)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
vsock/virtio: fix potential underflow in virtio_transport_get_credit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix potential underflow in virtio_transport_get_credit()
The credit calculation in virtio_transport_get_credit() uses unsigned
arithmetic:
ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);
If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes
are in flight, the subtraction can underflow and produce a large
positive value, potentially allowing more data to be queued than the
peer can handle.
Reuse virtio_transport_has_space() which already handles this case and
add a comment to make it clear why we are doing that.
[Stefano: use virtio_transport_has_space() instead of duplicating the code]
[Stefano: tweak the commit message]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
06a8fc78367d070720af960dcecec917d3ae5f3b , < d96de882d6b99955604669d962ae14e94b66a551
(git)
Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < 02f9af192b98d15883c70dd41ac76d1b0217c899 (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < d05bc313788f0684b27f0f5b60c52a844669b542 (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < ec0f1b3da8061be3173d1c39faaf9504f91942c3 (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < 3ef3d52a1a9860d094395c7a3e593f3aa26ff012 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:19.172207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:11.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d96de882d6b99955604669d962ae14e94b66a551",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "02f9af192b98d15883c70dd41ac76d1b0217c899",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "d05bc313788f0684b27f0f5b60c52a844669b542",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "ec0f1b3da8061be3173d1c39faaf9504f91942c3",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "3ef3d52a1a9860d094395c7a3e593f3aa26ff012",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix potential underflow in virtio_transport_get_credit()\n\nThe credit calculation in virtio_transport_get_credit() uses unsigned\narithmetic:\n\n ret = vvs-\u003epeer_buf_alloc - (vvs-\u003etx_cnt - vvs-\u003epeer_fwd_cnt);\n\nIf the peer shrinks its advertised buffer (peer_buf_alloc) while bytes\nare in flight, the subtraction can underflow and produce a large\npositive value, potentially allowing more data to be queued than the\npeer can handle.\n\nReuse virtio_transport_has_space() which already handles this case and\nadd a comment to make it clear why we are doing that.\n\n[Stefano: use virtio_transport_has_space() instead of duplicating the code]\n[Stefano: tweak the commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:23.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d96de882d6b99955604669d962ae14e94b66a551"
},
{
"url": "https://git.kernel.org/stable/c/02f9af192b98d15883c70dd41ac76d1b0217c899"
},
{
"url": "https://git.kernel.org/stable/c/d05bc313788f0684b27f0f5b60c52a844669b542"
},
{
"url": "https://git.kernel.org/stable/c/ec0f1b3da8061be3173d1c39faaf9504f91942c3"
},
{
"url": "https://git.kernel.org/stable/c/3ef3d52a1a9860d094395c7a3e593f3aa26ff012"
}
],
"title": "vsock/virtio: fix potential underflow in virtio_transport_get_credit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23069",
"datePublished": "2026-02-04T16:07:49.911Z",
"dateReserved": "2026-01-13T15:37:45.954Z",
"dateUpdated": "2026-06-11T18:44:11.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71078 (GCVE-0-2025-71078)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
On systems using the hash MMU, there is a software SLB preload cache that
mirrors the entries loaded into the hardware SLB buffer. This preload
cache is subject to periodic eviction — typically after every 256 context
switches — to remove old entry.
To optimize performance, the kernel skips switch_mmu_context() in
switch_mm_irqs_off() when the prev and next mm_struct are the same.
However, on hash MMU systems, this can lead to inconsistencies between
the hardware SLB and the software preload cache.
If an SLB entry for a process is evicted from the software cache on one
CPU, and the same process later runs on another CPU without executing
switch_mmu_context(), the hardware SLB may retain stale entries. If the
kernel then attempts to reload that entry, it can trigger an SLB
multi-hit error.
The following timeline shows how stale SLB entries are created and can
cause a multi-hit error when a process moves between CPUs without a
MMU context switch.
CPU 0 CPU 1
----- -----
Process P
exec swapper/1
load_elf_binary
begin_new_exc
activate_mm
switch_mm_irqs_off
switch_mmu_context
switch_slb
/*
* This invalidates all
* the entries in the HW
* and setup the new HW
* SLB entries as per the
* preload cache.
*/
context_switch
sched_migrate_task migrates process P to cpu-1
Process swapper/0 context switch (to process P)
(uses mm_struct of Process P) switch_mm_irqs_off()
switch_slb
load_slb++
/*
* load_slb becomes 0 here
* and we evict an entry from
* the preload cache with
* preload_age(). We still
* keep HW SLB and preload
* cache in sync, that is
* because all HW SLB entries
* anyways gets evicted in
* switch_slb during SLBIA.
* We then only add those
* entries back in HW SLB,
* which are currently
* present in preload_cache
* (after eviction).
*/
load_elf_binary continues...
setup_new_exec()
slb_setup_new_exec()
sched_switch event
sched_migrate_task migrates
process P to cpu-0
context_switch from swapper/0 to Process P
switch_mm_irqs_off()
/*
* Since both prev and next mm struct are same we don't call
* switch_mmu_context(). This will cause the HW SLB and SW preload
* cache to go out of sync in preload_new_slb_context. Because there
* was an SLB entry which was evicted from both HW and preload cache
* on cpu-1. Now later in preload_new_slb_context(), when we will try
* to add the same preload entry again, we will add this to the SW
* preload cache and then will add it to the HW SLB. Since on cpu-0
* this entry was never invalidated, hence adding this entry to the HW
* SLB will cause a SLB multi-hit error.
*/
load_elf_binary cont
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5434ae74629af58ad0fc27143a9ea435f7734410 , < 01324c0328181b94cf390bda22ff91c75126ea57
(git)
Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 2e9a95d60f1df7b57618fd5ef057aef331575bd2 (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < c9f865022a1823d814032a09906e91e4701a35fc (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < b13a3dbfa196af68eae2031f209743735ad416bf (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 895123c309a34d2cfccf7812b41e17261a3a6f37 (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 4ae1e46d8a290319f33f71a2710a1382ba5431e8 (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 00312419f0863964625d6dcda8183f96849412c6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01324c0328181b94cf390bda22ff91c75126ea57",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "2e9a95d60f1df7b57618fd5ef057aef331575bd2",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "c9f865022a1823d814032a09906e91e4701a35fc",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "b13a3dbfa196af68eae2031f209743735ad416bf",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "895123c309a34d2cfccf7812b41e17261a3a6f37",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "4ae1e46d8a290319f33f71a2710a1382ba5431e8",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "00312419f0863964625d6dcda8183f96849412c6",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/slb: Fix SLB multihit issue during SLB preload\n\nOn systems using the hash MMU, there is a software SLB preload cache that\nmirrors the entries loaded into the hardware SLB buffer. This preload\ncache is subject to periodic eviction \u2014 typically after every 256 context\nswitches \u2014 to remove old entry.\n\nTo optimize performance, the kernel skips switch_mmu_context() in\nswitch_mm_irqs_off() when the prev and next mm_struct are the same.\nHowever, on hash MMU systems, this can lead to inconsistencies between\nthe hardware SLB and the software preload cache.\n\nIf an SLB entry for a process is evicted from the software cache on one\nCPU, and the same process later runs on another CPU without executing\nswitch_mmu_context(), the hardware SLB may retain stale entries. If the\nkernel then attempts to reload that entry, it can trigger an SLB\nmulti-hit error.\n\nThe following timeline shows how stale SLB entries are created and can\ncause a multi-hit error when a process moves between CPUs without a\nMMU context switch.\n\nCPU 0 CPU 1\n----- -----\nProcess P\nexec swapper/1\n load_elf_binary\n begin_new_exc\n activate_mm\n switch_mm_irqs_off\n switch_mmu_context\n switch_slb\n /*\n * This invalidates all\n * the entries in the HW\n * and setup the new HW\n * SLB entries as per the\n * preload cache.\n */\ncontext_switch\nsched_migrate_task migrates process P to cpu-1\n\nProcess swapper/0 context switch (to process P)\n(uses mm_struct of Process P) switch_mm_irqs_off()\n switch_slb\n load_slb++\n /*\n * load_slb becomes 0 here\n * and we evict an entry from\n * the preload cache with\n * preload_age(). We still\n * keep HW SLB and preload\n * cache in sync, that is\n * because all HW SLB entries\n * anyways gets evicted in\n * switch_slb during SLBIA.\n * We then only add those\n * entries back in HW SLB,\n * which are currently\n * present in preload_cache\n * (after eviction).\n */\n load_elf_binary continues...\n setup_new_exec()\n slb_setup_new_exec()\n\n sched_switch event\n sched_migrate_task migrates\n process P to cpu-0\n\ncontext_switch from swapper/0 to Process P\n switch_mm_irqs_off()\n /*\n * Since both prev and next mm struct are same we don\u0027t call\n * switch_mmu_context(). This will cause the HW SLB and SW preload\n * cache to go out of sync in preload_new_slb_context. Because there\n * was an SLB entry which was evicted from both HW and preload cache\n * on cpu-1. Now later in preload_new_slb_context(), when we will try\n * to add the same preload entry again, we will add this to the SW\n * preload cache and then will add it to the HW SLB. Since on cpu-0\n * this entry was never invalidated, hence adding this entry to the HW\n * SLB will cause a SLB multi-hit error.\n */\nload_elf_binary cont\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:18.759Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57"
},
{
"url": "https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2"
},
{
"url": "https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc"
},
{
"url": "https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf"
},
{
"url": "https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37"
},
{
"url": "https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8"
},
{
"url": "https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6"
}
],
"title": "powerpc/64s/slb: Fix SLB multihit issue during SLB preload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71078",
"datePublished": "2026-01-13T15:34:43.437Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-05-11T21:54:18.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23037 (GCVE-0-2026-23037)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
can: etas_es58x: allow partial RX URB allocation to succeed
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: etas_es58x: allow partial RX URB allocation to succeed
When es58x_alloc_rx_urbs() fails to allocate the requested number of
URBs but succeeds in allocating some, it returns an error code.
This causes es58x_open() to return early, skipping the cleanup label
'free_urbs', which leads to the anchored URBs being leaked.
As pointed out by maintainer Vincent Mailhol, the driver is designed
to handle partial URB allocation gracefully. Therefore, partial
allocation should not be treated as a fatal error.
Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
allocated, restoring the intended behavior and preventing the leak
in es58x_open().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8537257874e949a59c834cecfd5a063e11b64b0b , < 97250eb05e4b6afe787290e8fd97d0675116c61b
(git)
Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < aec888f44853584b5a7cd01249806030cf94a73d (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < 611e839d2d552416b498ed5593e10670f61fcd4d (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < ba45e3d6b02c97dbb4578fbae7027fd66f3caa10 (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < 6c5124a60989051799037834f0a1a4b428718157 (git) Affected: 8537257874e949a59c834cecfd5a063e11b64b0b , < b1979778e98569c1e78c2c7f16bb24d76541ab00 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:55.620Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "97250eb05e4b6afe787290e8fd97d0675116c61b",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "aec888f44853584b5a7cd01249806030cf94a73d",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "611e839d2d552416b498ed5593e10670f61fcd4d",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "ba45e3d6b02c97dbb4578fbae7027fd66f3caa10",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "6c5124a60989051799037834f0a1a4b428718157",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "b1979778e98569c1e78c2c7f16bb24d76541ab00",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: allow partial RX URB allocation to succeed\n\nWhen es58x_alloc_rx_urbs() fails to allocate the requested number of\nURBs but succeeds in allocating some, it returns an error code.\nThis causes es58x_open() to return early, skipping the cleanup label\n\u0027free_urbs\u0027, which leads to the anchored URBs being leaked.\n\nAs pointed out by maintainer Vincent Mailhol, the driver is designed\nto handle partial URB allocation gracefully. Therefore, partial\nallocation should not be treated as a fatal error.\n\nModify es58x_alloc_rx_urbs() to return 0 if at least one URB has been\nallocated, restoring the intended behavior and preventing the leak\nin es58x_open()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:46.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/97250eb05e4b6afe787290e8fd97d0675116c61b"
},
{
"url": "https://git.kernel.org/stable/c/aec888f44853584b5a7cd01249806030cf94a73d"
},
{
"url": "https://git.kernel.org/stable/c/611e839d2d552416b498ed5593e10670f61fcd4d"
},
{
"url": "https://git.kernel.org/stable/c/ba45e3d6b02c97dbb4578fbae7027fd66f3caa10"
},
{
"url": "https://git.kernel.org/stable/c/6c5124a60989051799037834f0a1a4b428718157"
},
{
"url": "https://git.kernel.org/stable/c/b1979778e98569c1e78c2c7f16bb24d76541ab00"
}
],
"title": "can: etas_es58x: allow partial RX URB allocation to succeed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23037",
"datePublished": "2026-01-31T11:42:31.689Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-06-02T13:00:55.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71118 (GCVE-0-2025-71118)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ACPICA: Avoid walking the Namespace if start_node is NULL
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Avoid walking the Namespace if start_node is NULL
Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace
if it is not there") fixed the situation when both start_node and
acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed
on Honor Magicbook 14 Pro [1].
That happens due to the access to the member of parent_node in
acpi_ns_get_next_node(). The NULL pointer dereference will always
happen, no matter whether or not the start_node is equal to
ACPI_ROOT_OBJECT, so move the check of start_node being NULL
out of the if block.
Unfortunately, all the attempts to contact Honor have failed, they
refused to provide any technical support for Linux.
The bad DSDT table's dump could be found on GitHub [2].
DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025
[ rjw: Subject adjustment, changelog edits ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b84edef48cc8afb41150949a87dcfa81bc95b53e
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ecb296286c8787895625bd4c53e9478db4ae139c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7f9b951ed11842373851dd3c91860778356d62d3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1bc34293dfbd266c29875206849b4f8e8177e6df (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0d8bb08126920fd4b12dbf32d9250757c9064b36 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f91dad0a3b381244183ffbea4cec5a7a69d6f41e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9d6c58dae8f6590c746ac5d0012ffe14a77539f0 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:25.331984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:12.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/nswalk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b84edef48cc8afb41150949a87dcfa81bc95b53e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ecb296286c8787895625bd4c53e9478db4ae139c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f9b951ed11842373851dd3c91860778356d62d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bc34293dfbd266c29875206849b4f8e8177e6df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0d8bb08126920fd4b12dbf32d9250757c9064b36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f91dad0a3b381244183ffbea4cec5a7a69d6f41e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d6c58dae8f6590c746ac5d0012ffe14a77539f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/nswalk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Avoid walking the Namespace if start_node is NULL\n\nAlthough commit 0c9992315e73 (\"ACPICA: Avoid walking the ACPI Namespace\nif it is not there\") fixed the situation when both start_node and\nacpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed\non Honor Magicbook 14 Pro [1].\n\nThat happens due to the access to the member of parent_node in\nacpi_ns_get_next_node(). The NULL pointer dereference will always\nhappen, no matter whether or not the start_node is equal to\nACPI_ROOT_OBJECT, so move the check of start_node being NULL\nout of the if block.\n\nUnfortunately, all the attempts to contact Honor have failed, they\nrefused to provide any technical support for Linux.\n\nThe bad DSDT table\u0027s dump could be found on GitHub [2].\n\nDMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025\n\n[ rjw: Subject adjustment, changelog edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:12.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e"
},
{
"url": "https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c"
},
{
"url": "https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3"
},
{
"url": "https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df"
},
{
"url": "https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36"
},
{
"url": "https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e"
},
{
"url": "https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0"
}
],
"title": "ACPICA: Avoid walking the Namespace if start_node is NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71118",
"datePublished": "2026-01-14T15:06:05.861Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-06-11T18:44:12.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71141 (GCVE-0-2025-71141)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
drm/tilcdc: Fix removal actions in case of failed probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tilcdc: Fix removal actions in case of failed probe
The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers
should only be called when the device has been successfully registered.
Currently, these functions are called unconditionally in tilcdc_fini(),
which causes warnings during probe deferral scenarios.
[ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68
...
[ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108
[ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8
[ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144
[ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc]
[ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc]
Fix this by rewriting the failed probe cleanup path using the standard
goto error handling pattern, which ensures that cleanup functions are
only called on successfully initialized resources. Additionally, remove
the now-unnecessary is_registered flag.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
69f03be1fa08a66735d53d92d3429c052540e3bf , < 21e52dc7762908c3d499cfb493d1b8281fc1d3ab
(git)
Affected: 3c4babae3c4a1ae05f8f3f5f3d50c440ead7ca6a , < 71be8825e83c90c1e020feb77b29e6a99629e642 (git) Affected: 3c4babae3c4a1ae05f8f3f5f3d50c440ead7ca6a , < a585c7ef9cabda58088916baedc6573e9a5cd2a7 (git) Affected: 84021fa4cf190e257ae8b66d284cdb92e3fabe33 (git) Affected: 6.6.2 , < 6.6.120 (semver) Affected: 6.5.12 , < 6.6 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tilcdc/tilcdc_crtc.c",
"drivers/gpu/drm/tilcdc/tilcdc_drv.c",
"drivers/gpu/drm/tilcdc/tilcdc_drv.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21e52dc7762908c3d499cfb493d1b8281fc1d3ab",
"status": "affected",
"version": "69f03be1fa08a66735d53d92d3429c052540e3bf",
"versionType": "git"
},
{
"lessThan": "71be8825e83c90c1e020feb77b29e6a99629e642",
"status": "affected",
"version": "3c4babae3c4a1ae05f8f3f5f3d50c440ead7ca6a",
"versionType": "git"
},
{
"lessThan": "a585c7ef9cabda58088916baedc6573e9a5cd2a7",
"status": "affected",
"version": "3c4babae3c4a1ae05f8f3f5f3d50c440ead7ca6a",
"versionType": "git"
},
{
"status": "affected",
"version": "84021fa4cf190e257ae8b66d284cdb92e3fabe33",
"versionType": "git"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.2",
"versionType": "semver"
},
{
"lessThan": "6.6",
"status": "affected",
"version": "6.5.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tilcdc/tilcdc_crtc.c",
"drivers/gpu/drm/tilcdc/tilcdc_drv.c",
"drivers/gpu/drm/tilcdc/tilcdc_drv.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tilcdc: Fix removal actions in case of failed probe\n\nThe drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers\nshould only be called when the device has been successfully registered.\nCurrently, these functions are called unconditionally in tilcdc_fini(),\nwhich causes warnings during probe deferral scenarios.\n\n[ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68\n...\n[ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108\n[ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8\n[ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144\n[ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc]\n[ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc]\n\nFix this by rewriting the failed probe cleanup path using the standard\ngoto error handling pattern, which ensures that cleanup functions are\nonly called on successfully initialized resources. Additionally, remove\nthe now-unnecessary is_registered flag."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:20.982Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21e52dc7762908c3d499cfb493d1b8281fc1d3ab"
},
{
"url": "https://git.kernel.org/stable/c/71be8825e83c90c1e020feb77b29e6a99629e642"
},
{
"url": "https://git.kernel.org/stable/c/a585c7ef9cabda58088916baedc6573e9a5cd2a7"
}
],
"title": "drm/tilcdc: Fix removal actions in case of failed probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71141",
"datePublished": "2026-01-14T15:07:54.456Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-05-23T16:03:20.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71195 (GCVE-0-2025-71195)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
dmaengine: xilinx: xdma: Fix regmap max_register
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: xilinx: xdma: Fix regmap max_register
The max_register field is assigned the size of the register memory
region instead of the offset of the last register.
The result is that reading from the regmap via debugfs can cause
a segmentation fault:
tail /sys/kernel/debug/regmap/xdma.1.auto/registers
Unable to handle kernel paging request at virtual address ffff800082f70000
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
[...]
Call trace:
regmap_mmio_read32le+0x10/0x30
_regmap_bus_reg_read+0x74/0xc0
_regmap_read+0x68/0x198
regmap_read+0x54/0x88
regmap_read_debugfs+0x140/0x380
regmap_map_read_file+0x30/0x48
full_proxy_read+0x68/0xc8
vfs_read+0xcc/0x310
ksys_read+0x7c/0x120
__arm64_sys_read+0x24/0x40
invoke_syscall.constprop.0+0x64/0x108
do_el0_svc+0xb0/0xd8
el0_svc+0x38/0x130
el0t_64_sync_handler+0x120/0x138
el0t_64_sync+0x194/0x198
Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)
---[ end trace 0000000000000000 ]---
note: tail[1217] exited with irqs disabled
note: tail[1217] exited with preempt_count 1
Segmentation fault
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
17ce252266c7f016ece026492c45838f852ddc79 , < df8a131a41ff6202d47f59452735787f2b71dd2d
(git)
Affected: 17ce252266c7f016ece026492c45838f852ddc79 , < 606ea969e78295407f4bf06aa0e272fe59897184 (git) Affected: 17ce252266c7f016ece026492c45838f852ddc79 , < 5e7ad329d259cf5bed7530d6d2525bcf7cb487a1 (git) Affected: 17ce252266c7f016ece026492c45838f852ddc79 , < c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/xilinx/xdma-regs.h",
"drivers/dma/xilinx/xdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df8a131a41ff6202d47f59452735787f2b71dd2d",
"status": "affected",
"version": "17ce252266c7f016ece026492c45838f852ddc79",
"versionType": "git"
},
{
"lessThan": "606ea969e78295407f4bf06aa0e272fe59897184",
"status": "affected",
"version": "17ce252266c7f016ece026492c45838f852ddc79",
"versionType": "git"
},
{
"lessThan": "5e7ad329d259cf5bed7530d6d2525bcf7cb487a1",
"status": "affected",
"version": "17ce252266c7f016ece026492c45838f852ddc79",
"versionType": "git"
},
{
"lessThan": "c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10",
"status": "affected",
"version": "17ce252266c7f016ece026492c45838f852ddc79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/xilinx/xdma-regs.h",
"drivers/dma/xilinx/xdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: xilinx: xdma: Fix regmap max_register\n\nThe max_register field is assigned the size of the register memory\nregion instead of the offset of the last register.\nThe result is that reading from the regmap via debugfs can cause\na segmentation fault:\n\ntail /sys/kernel/debug/regmap/xdma.1.auto/registers\nUnable to handle kernel paging request at virtual address ffff800082f70000\nMem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n[...]\nCall trace:\n regmap_mmio_read32le+0x10/0x30\n _regmap_bus_reg_read+0x74/0xc0\n _regmap_read+0x68/0x198\n regmap_read+0x54/0x88\n regmap_read_debugfs+0x140/0x380\n regmap_map_read_file+0x30/0x48\n full_proxy_read+0x68/0xc8\n vfs_read+0xcc/0x310\n ksys_read+0x7c/0x120\n __arm64_sys_read+0x24/0x40\n invoke_syscall.constprop.0+0x64/0x108\n do_el0_svc+0xb0/0xd8\n el0_svc+0x38/0x130\n el0t_64_sync_handler+0x120/0x138\n el0t_64_sync+0x194/0x198\nCode: aa1e03e9 d503201f f9400000 8b214000 (b9400000)\n---[ end trace 0000000000000000 ]---\nnote: tail[1217] exited with irqs disabled\nnote: tail[1217] exited with preempt_count 1\nSegmentation fault"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:30.054Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df8a131a41ff6202d47f59452735787f2b71dd2d"
},
{
"url": "https://git.kernel.org/stable/c/606ea969e78295407f4bf06aa0e272fe59897184"
},
{
"url": "https://git.kernel.org/stable/c/5e7ad329d259cf5bed7530d6d2525bcf7cb487a1"
},
{
"url": "https://git.kernel.org/stable/c/c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10"
}
],
"title": "dmaengine: xilinx: xdma: Fix regmap max_register",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71195",
"datePublished": "2026-02-04T16:04:16.323Z",
"dateReserved": "2026-01-31T11:36:51.191Z",
"dateUpdated": "2026-05-11T21:56:30.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71196 (GCVE-0-2025-71196)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
phy: stm32-usphyc: Fix off by one in probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: stm32-usphyc: Fix off by one in probe()
The "index" variable is used as an index into the usbphyc->phys[] array
which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
then it is one element out of bounds. The "index" comes from the
device tree so it's data that we trust and it's unlikely to be wrong,
however it's obviously still worth fixing the bug. Change the > to >=.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
94c358da3a0545205c6c6a50ae26141f1c73acfa , < a9eec890879731c280697fdf1c50699e905b2fa7
(git)
Affected: 94c358da3a0545205c6c6a50ae26141f1c73acfa , < fb9d513cdf1614bf0f0e785816afb1faae3f81af (git) Affected: 94c358da3a0545205c6c6a50ae26141f1c73acfa , < c06f13876cbad702582cd67fc77356e5524d02cd (git) Affected: 94c358da3a0545205c6c6a50ae26141f1c73acfa , < 76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c (git) Affected: 94c358da3a0545205c6c6a50ae26141f1c73acfa , < b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad (git) Affected: 94c358da3a0545205c6c6a50ae26141f1c73acfa , < 7c27eaf183563b86d815ff6e9cca0210b4cfa051 (git) Affected: 94c358da3a0545205c6c6a50ae26141f1c73acfa , < cabd25b57216ddc132efbcc31f972baa03aad15a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/st/phy-stm32-usbphyc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9eec890879731c280697fdf1c50699e905b2fa7",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "fb9d513cdf1614bf0f0e785816afb1faae3f81af",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "c06f13876cbad702582cd67fc77356e5524d02cd",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "7c27eaf183563b86d815ff6e9cca0210b4cfa051",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "cabd25b57216ddc132efbcc31f972baa03aad15a",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/st/phy-stm32-usbphyc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: stm32-usphyc: Fix off by one in probe()\n\nThe \"index\" variable is used as an index into the usbphyc-\u003ephys[] array\nwhich has usbphyc-\u003enphys elements. So if it is equal to usbphyc-\u003enphys\nthen it is one element out of bounds. The \"index\" comes from the\ndevice tree so it\u0027s data that we trust and it\u0027s unlikely to be wrong,\nhowever it\u0027s obviously still worth fixing the bug. Change the \u003e to \u003e=."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:31.172Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9eec890879731c280697fdf1c50699e905b2fa7"
},
{
"url": "https://git.kernel.org/stable/c/fb9d513cdf1614bf0f0e785816afb1faae3f81af"
},
{
"url": "https://git.kernel.org/stable/c/c06f13876cbad702582cd67fc77356e5524d02cd"
},
{
"url": "https://git.kernel.org/stable/c/76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c"
},
{
"url": "https://git.kernel.org/stable/c/b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad"
},
{
"url": "https://git.kernel.org/stable/c/7c27eaf183563b86d815ff6e9cca0210b4cfa051"
},
{
"url": "https://git.kernel.org/stable/c/cabd25b57216ddc132efbcc31f972baa03aad15a"
}
],
"title": "phy: stm32-usphyc: Fix off by one in probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71196",
"datePublished": "2026-02-04T16:04:17.141Z",
"dateReserved": "2026-01-31T11:36:51.191Z",
"dateUpdated": "2026-05-11T21:56:31.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68814 (GCVE-0-2025-68814)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
io_uring: fix filename leak in __io_openat_prep()
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix filename leak in __io_openat_prep()
__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.
Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b9445598d8c60a1379887b957024b71343965f74 , < 2420ef01b2e836fbc05a0a8c73a1016504eb0458
(git)
Affected: b9445598d8c60a1379887b957024b71343965f74 , < 8f44c4a550570cd5903625133f938c6b51310c9b (git) Affected: b9445598d8c60a1379887b957024b71343965f74 , < 18b99fa603d0df5e1c898699c17d3b92ddc80746 (git) Affected: b9445598d8c60a1379887b957024b71343965f74 , < e232269d511566b1f80872256a48593acc1becf4 (git) Affected: b9445598d8c60a1379887b957024b71343965f74 , < 7fbfb85b05bc960cc50e09d03e5e562131e48d45 (git) Affected: b9445598d8c60a1379887b957024b71343965f74 , < b14fad555302a2104948feaff70503b64c80ac01 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/openclose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2420ef01b2e836fbc05a0a8c73a1016504eb0458",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "8f44c4a550570cd5903625133f938c6b51310c9b",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "18b99fa603d0df5e1c898699c17d3b92ddc80746",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "e232269d511566b1f80872256a48593acc1becf4",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "7fbfb85b05bc960cc50e09d03e5e562131e48d45",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "b14fad555302a2104948feaff70503b64c80ac01",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/openclose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix filename leak in __io_openat_prep()\n\n __io_openat_prep() allocates a struct filename using getname(). However,\nfor the condition of the file being installed in the fixed file table as\nwell as having O_CLOEXEC flag set, the function returns early. At that\npoint, the request doesn\u0027t have REQ_F_NEED_CLEANUP flag set. Due to this,\nthe memory for the newly allocated struct filename is not cleaned up,\ncausing a memory leak.\n\nFix this by setting the REQ_F_NEED_CLEANUP for the request just after the\nsuccessful getname() call, so that when the request is torn down, the\nfilename will be cleaned up, along with other resources needing cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:50.279Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458"
},
{
"url": "https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b"
},
{
"url": "https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746"
},
{
"url": "https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4"
},
{
"url": "https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45"
},
{
"url": "https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01"
}
],
"title": "io_uring: fix filename leak in __io_openat_prep()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68814",
"datePublished": "2026-01-13T15:29:19.129Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-05-11T21:53:50.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58096 (GCVE-0-2024-58096)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2026-05-11 21:03
VLAI?
EPSS
Title
wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode
ath11k_hal_srng_* should be used with srng->lock to protect srng data.
For ath11k_dp_rx_mon_dest_process() and ath11k_dp_full_mon_process_rx(),
they use ath11k_hal_srng_* for many times but never call srng->lock.
So when running (full) monitor mode, warning will occur:
RIP: 0010:ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]
Call Trace:
? ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]
ath11k_dp_rx_process_mon_status+0xc45/0x1190 [ath11k]
? idr_alloc_u32+0x97/0xd0
ath11k_dp_rx_process_mon_rings+0x32a/0x550 [ath11k]
ath11k_dp_service_srng+0x289/0x5a0 [ath11k]
ath11k_pcic_ext_grp_napi_poll+0x30/0xd0 [ath11k]
__napi_poll+0x30/0x1f0
net_rx_action+0x198/0x320
__do_softirq+0xdd/0x319
So add srng->lock for them to avoid such warnings.
Inorder to fetch the srng->lock, should change srng's definition from
'void' to 'struct hal_srng'. And initialize them elsewhere to prevent
one line of code from being too long. This is consistent with other ring
process functions, such as ath11k_dp_process_rx().
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d5c65159f2895379e11ca13f62feabe93278985d , < 27ca8004ba93a0665faa6d477eaeb551e03de6c8
(git)
Affected: d5c65159f2895379e11ca13f62feabe93278985d , < 1d2178918efc928e11bed9631469ef79ff0a862a (git) Affected: d5c65159f2895379e11ca13f62feabe93278985d , < b85758e76b6452740fc2a08ced6759af64c0d59a (git) Affected: d5c65159f2895379e11ca13f62feabe93278985d , < 63b7af49496d0e32f7a748b6af3361ec138b1bd3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27ca8004ba93a0665faa6d477eaeb551e03de6c8",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "1d2178918efc928e11bed9631469ef79ff0a862a",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "b85758e76b6452740fc2a08ced6759af64c0d59a",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "63b7af49496d0e32f7a748b6af3361ec138b1bd3",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: add srng-\u003elock for ath11k_hal_srng_* in monitor mode\n\nath11k_hal_srng_* should be used with srng-\u003elock to protect srng data.\n\nFor ath11k_dp_rx_mon_dest_process() and ath11k_dp_full_mon_process_rx(),\nthey use ath11k_hal_srng_* for many times but never call srng-\u003elock.\n\nSo when running (full) monitor mode, warning will occur:\nRIP: 0010:ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]\nCall Trace:\n ? ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]\n ath11k_dp_rx_process_mon_status+0xc45/0x1190 [ath11k]\n ? idr_alloc_u32+0x97/0xd0\n ath11k_dp_rx_process_mon_rings+0x32a/0x550 [ath11k]\n ath11k_dp_service_srng+0x289/0x5a0 [ath11k]\n ath11k_pcic_ext_grp_napi_poll+0x30/0xd0 [ath11k]\n __napi_poll+0x30/0x1f0\n net_rx_action+0x198/0x320\n __do_softirq+0xdd/0x319\n\nSo add srng-\u003elock for them to avoid such warnings.\n\nInorder to fetch the srng-\u003elock, should change srng\u0027s definition from\n\u0027void\u0027 to \u0027struct hal_srng\u0027. And initialize them elsewhere to prevent\none line of code from being too long. This is consistent with other ring\nprocess functions, such as ath11k_dp_process_rx().\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:03:13.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27ca8004ba93a0665faa6d477eaeb551e03de6c8"
},
{
"url": "https://git.kernel.org/stable/c/1d2178918efc928e11bed9631469ef79ff0a862a"
},
{
"url": "https://git.kernel.org/stable/c/b85758e76b6452740fc2a08ced6759af64c0d59a"
},
{
"url": "https://git.kernel.org/stable/c/63b7af49496d0e32f7a748b6af3361ec138b1bd3"
}
],
"title": "wifi: ath11k: add srng-\u003elock for ath11k_hal_srng_* in monitor mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58096",
"datePublished": "2025-04-16T14:11:44.587Z",
"dateReserved": "2025-03-06T15:52:09.189Z",
"dateUpdated": "2026-05-11T21:03:13.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71102 (GCVE-0-2025-71102)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
scs: fix a wrong parameter in __scs_magic
Summary
In the Linux kernel, the following vulnerability has been resolved:
scs: fix a wrong parameter in __scs_magic
__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is
given. 'task_scs(tsk)' is the starting address of the task's shadow call
stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's
shadow call stack. Here should be '__scs_magic(task_scs(tsk))'.
The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE
is enabled, the shadow call stack usage checking function
(scs_check_usage) would scan an incorrect memory range. This could lead
1. **Inaccurate stack usage reporting**: The function would calculate
wrong usage statistics for the shadow call stack, potentially showing
incorrect value in kmsg.
2. **Potential kernel crash**: If the value of __scs_magic(tsk)is
greater than that of __scs_magic(task_scs(tsk)), the for loop may
access unmapped memory, potentially causing a kernel panic. However,
this scenario is unlikely because task_struct is allocated via the slab
allocator (which typically returns lower addresses), while the shadow
call stack returned by task_scs(tsk) is allocated via vmalloc(which
typically returns higher addresses).
However, since this is purely a debugging feature
(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not
unaffected. The bug only impacts developers and testers who are actively
debugging stack usage with this configuration enabled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 1727e8bd69103a68963a5613a0ddb6d8d37df5d3
(git)
Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 57ba40b001be27786d0570dd292289df748b306b (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 062774439d442882b44f5eab8c256ad3423ef284 (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 9ef28943471a16e4f9646bc3e8e2de148e7d8d7b (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 (git) Affected: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 , < 08bd4c46d5e63b78e77f2605283874bbe868ab19 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/scs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1727e8bd69103a68963a5613a0ddb6d8d37df5d3",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "57ba40b001be27786d0570dd292289df748b306b",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "062774439d442882b44f5eab8c256ad3423ef284",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "9ef28943471a16e4f9646bc3e8e2de148e7d8d7b",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "a19fb3611e4c06624fc0f83ef19f4fb8d57d4751",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "08bd4c46d5e63b78e77f2605283874bbe868ab19",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/scs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscs: fix a wrong parameter in __scs_magic\n\n__scs_magic() needs a \u0027void *\u0027 variable, but a \u0027struct task_struct *\u0027 is\ngiven. \u0027task_scs(tsk)\u0027 is the starting address of the task\u0027s shadow call\nstack, and \u0027__scs_magic(task_scs(tsk))\u0027 is the end address of the task\u0027s\nshadow call stack. Here should be \u0027__scs_magic(task_scs(tsk))\u0027.\n\nThe user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE\nis enabled, the shadow call stack usage checking function\n(scs_check_usage) would scan an incorrect memory range. This could lead\n\n1. **Inaccurate stack usage reporting**: The function would calculate\n wrong usage statistics for the shadow call stack, potentially showing\n incorrect value in kmsg.\n\n2. **Potential kernel crash**: If the value of __scs_magic(tsk)is\n greater than that of __scs_magic(task_scs(tsk)), the for loop may\n access unmapped memory, potentially causing a kernel panic. However,\n this scenario is unlikely because task_struct is allocated via the slab\n allocator (which typically returns lower addresses), while the shadow\n call stack returned by task_scs(tsk) is allocated via vmalloc(which\n typically returns higher addresses).\n\nHowever, since this is purely a debugging feature\n(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not\nunaffected. The bug only impacts developers and testers who are actively\ndebugging stack usage with this configuration enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:47.227Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3"
},
{
"url": "https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c"
},
{
"url": "https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b"
},
{
"url": "https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284"
},
{
"url": "https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b"
},
{
"url": "https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751"
},
{
"url": "https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19"
}
],
"title": "scs: fix a wrong parameter in __scs_magic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71102",
"datePublished": "2026-01-14T15:05:52.389Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-05-11T21:54:47.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71200 (GCVE-0-2025-71200)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode
When operating in HS200 or HS400 timing modes, reducing the clock frequency
below 52MHz will lead to link broken as the Rockchip DWC MSHC controller
requires maintaining a minimum clock of 52MHz in these modes.
Add a check to prevent illegal clock reduction through debugfs:
root@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clock
root@debian:/# [ 30.090146] mmc0: running CQE recovery
mmc0: cqhci: Failed to halt
mmc0: cqhci: spurious TCN for tag 0
WARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24
Modules linked in:
CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT
Hardware name: Rockchip RK3588 EVB1 V10 Board (DT)
Workqueue: kblockd blk_mq_run_work_fn
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : cqhci_irq+0x254/0x818
lr : cqhci_irq+0x254/0x818
...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < 59b8a1ca6df4db2ca250e9eeab74e2b0068d69e9
(git)
Affected: c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < f2677d6e2bbc5ba2030825522d2afd0542b038a3 (git) Affected: c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < de0ad7156036a50982bcb75a080e4af284502be2 (git) Affected: c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < 36be050f21dea7a3a76dff5a031da6274e8ee468 (git) Affected: c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < 3009738a855cf938bbfc9078bec725031ae623a4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/sdhci-of-dwcmshc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59b8a1ca6df4db2ca250e9eeab74e2b0068d69e9",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
},
{
"lessThan": "f2677d6e2bbc5ba2030825522d2afd0542b038a3",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
},
{
"lessThan": "de0ad7156036a50982bcb75a080e4af284502be2",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
},
{
"lessThan": "36be050f21dea7a3a76dff5a031da6274e8ee468",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
},
{
"lessThan": "3009738a855cf938bbfc9078bec725031ae623a4",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/sdhci-of-dwcmshc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode\n\nWhen operating in HS200 or HS400 timing modes, reducing the clock frequency\nbelow 52MHz will lead to link broken as the Rockchip DWC MSHC controller\nrequires maintaining a minimum clock of 52MHz in these modes.\n\nAdd a check to prevent illegal clock reduction through debugfs:\n\nroot@debian:/# echo 50000000 \u003e /sys/kernel/debug/mmc0/clock\nroot@debian:/# [ 30.090146] mmc0: running CQE recovery\nmmc0: cqhci: Failed to halt\nmmc0: cqhci: spurious TCN for tag 0\nWARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24\nModules linked in:\nCPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT\nHardware name: Rockchip RK3588 EVB1 V10 Board (DT)\nWorkqueue: kblockd blk_mq_run_work_fn\npstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : cqhci_irq+0x254/0x818\nlr : cqhci_irq+0x254/0x818\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:35.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59b8a1ca6df4db2ca250e9eeab74e2b0068d69e9"
},
{
"url": "https://git.kernel.org/stable/c/f2677d6e2bbc5ba2030825522d2afd0542b038a3"
},
{
"url": "https://git.kernel.org/stable/c/de0ad7156036a50982bcb75a080e4af284502be2"
},
{
"url": "https://git.kernel.org/stable/c/36be050f21dea7a3a76dff5a031da6274e8ee468"
},
{
"url": "https://git.kernel.org/stable/c/3009738a855cf938bbfc9078bec725031ae623a4"
}
],
"title": "mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71200",
"datePublished": "2026-02-14T15:09:45.689Z",
"dateReserved": "2026-01-31T11:36:51.193Z",
"dateUpdated": "2026-05-11T21:56:35.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46028 (GCVE-0-2026-46028)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-06-14 17:49
VLAI?
EPSS
Title
crypto: algif_aead - snapshot IV for async AEAD requests
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - snapshot IV for async AEAD requests
AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during
request processing. For async requests, later socket activity can
update that shared state before the original request has fully
completed, which can lead to inconsistent IV handling.
Snapshot the IV into per-request storage when preparing the AEAD
request, so in-flight operations no longer depend on mutable socket
state.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 08ea39a556ecd39b33c2b4888861001c6706a62e
(git)
Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < a920cabdb0b7cf1f4e11a20524253ae5bd09092b (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < fa0fcec9b49d58e71df7ede91ecd86855f608e85 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < c2138c9bd02af19e0b407376140cd5435b0d81da (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 46fdb39e83227b5d39f7c934a0947ea913f13c18 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < ebc235675f24b0e3f8bc92b8419471d42f837d8f (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 3d72f8c6490dc79210b64270740cb2a8619361a4 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 5aa58c3a572b3e3b6c786953339f7978b845cc52 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/algif_aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08ea39a556ecd39b33c2b4888861001c6706a62e",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "a920cabdb0b7cf1f4e11a20524253ae5bd09092b",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "fa0fcec9b49d58e71df7ede91ecd86855f608e85",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "c2138c9bd02af19e0b407376140cd5435b0d81da",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "46fdb39e83227b5d39f7c934a0947ea913f13c18",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "ebc235675f24b0e3f8bc92b8419471d42f837d8f",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "3d72f8c6490dc79210b64270740cb2a8619361a4",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "5aa58c3a572b3e3b6c786953339f7978b845cc52",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/algif_aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - snapshot IV for async AEAD requests\n\nAF_ALG AEAD AIO requests currently use the socket-wide IV buffer during\nrequest processing. For async requests, later socket activity can\nupdate that shared state before the original request has fully\ncompleted, which can lead to inconsistent IV handling.\n\nSnapshot the IV into per-request storage when preparing the AEAD\nrequest, so in-flight operations no longer depend on mutable socket\nstate."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:49:01.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08ea39a556ecd39b33c2b4888861001c6706a62e"
},
{
"url": "https://git.kernel.org/stable/c/a920cabdb0b7cf1f4e11a20524253ae5bd09092b"
},
{
"url": "https://git.kernel.org/stable/c/fa0fcec9b49d58e71df7ede91ecd86855f608e85"
},
{
"url": "https://git.kernel.org/stable/c/c2138c9bd02af19e0b407376140cd5435b0d81da"
},
{
"url": "https://git.kernel.org/stable/c/46fdb39e83227b5d39f7c934a0947ea913f13c18"
},
{
"url": "https://git.kernel.org/stable/c/ebc235675f24b0e3f8bc92b8419471d42f837d8f"
},
{
"url": "https://git.kernel.org/stable/c/3d72f8c6490dc79210b64270740cb2a8619361a4"
},
{
"url": "https://git.kernel.org/stable/c/5aa58c3a572b3e3b6c786953339f7978b845cc52"
}
],
"title": "crypto: algif_aead - snapshot IV for async AEAD requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46028",
"datePublished": "2026-05-27T12:56:36.847Z",
"dateReserved": "2026-05-13T15:03:33.093Z",
"dateUpdated": "2026-06-14T17:49:01.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68346 (GCVE-0-2025-68346)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
ALSA: dice: fix buffer overflow in detect_stream_formats()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: dice: fix buffer overflow in detect_stream_formats()
The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.
Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < d6280a5b00cad37d9a9a875849e5bf7ed2fe4950
(git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 3cf854cec0eb371da47ff5fe56eab189d7fa623a (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 932aa1e80b022419cf9710e970739b7a8794f27c (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 324f3e03e8a85931ce0880654e3c3eb38b0f0bba (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6280a5b00cad37d9a9a875849e5bf7ed2fe4950",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "3cf854cec0eb371da47ff5fe56eab189d7fa623a",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "932aa1e80b022419cf9710e970739b7a8794f27c",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "324f3e03e8a85931ce0880654e3c3eb38b0f0bba",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: dice: fix buffer overflow in detect_stream_formats()\n\nThe function detect_stream_formats() reads the stream_count value directly\nfrom a FireWire device without validating it. This can lead to\nout-of-bounds writes when a malicious device provides a stream_count value\ngreater than MAX_STREAMS.\n\nFix by applying the same validation to both TX and RX stream counts in\ndetect_stream_formats()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:25.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6280a5b00cad37d9a9a875849e5bf7ed2fe4950"
},
{
"url": "https://git.kernel.org/stable/c/3cf854cec0eb371da47ff5fe56eab189d7fa623a"
},
{
"url": "https://git.kernel.org/stable/c/4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4"
},
{
"url": "https://git.kernel.org/stable/c/dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0"
},
{
"url": "https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6"
},
{
"url": "https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c"
},
{
"url": "https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9"
},
{
"url": "https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba"
}
],
"title": "ALSA: dice: fix buffer overflow in detect_stream_formats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68346",
"datePublished": "2025-12-24T10:32:39.101Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-05-11T21:51:25.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71116 (GCVE-0-2025-71116)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
libceph: make decode_pool() more resilient against corrupted osdmaps
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make decode_pool() more resilient against corrupted osdmaps
If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.
This patch adds explicit bounds checks for each field that is decoded
or skipped.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < d061be4c8040ffb1110d537654a038b8b6ad39d2
(git)
Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 145d140abda80e33331c5781d6603014fa75d258 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < c82e39ff67353a5a6cbc07b786b8690bd2c45aaa (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < e927ab132b87ba3f076705fc2684d94b24201ed1 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 5d0d8c292531fe356c4e94dcfdf7d7212aca9957 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 2acb8517429ab42146c6c0ac1daed1f03d2fd125 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 8c738512714e8c0aa18f8a10c072d5b01c83db39 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:27.725166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:23.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d061be4c8040ffb1110d537654a038b8b6ad39d2",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "145d140abda80e33331c5781d6603014fa75d258",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "c82e39ff67353a5a6cbc07b786b8690bd2c45aaa",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "e927ab132b87ba3f076705fc2684d94b24201ed1",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "5d0d8c292531fe356c4e94dcfdf7d7212aca9957",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "2acb8517429ab42146c6c0ac1daed1f03d2fd125",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "8c738512714e8c0aa18f8a10c072d5b01c83db39",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make decode_pool() more resilient against corrupted osdmaps\n\nIf the osdmap is (maliciously) corrupted such that the encoded length\nof ceph_pg_pool envelope is less than what is expected for a particular\nencoding version, out-of-bounds reads may ensue because the only bounds\ncheck that is there is based on that length value.\n\nThis patch adds explicit bounds checks for each field that is decoded\nor skipped."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:10.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2"
},
{
"url": "https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258"
},
{
"url": "https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa"
},
{
"url": "https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1"
},
{
"url": "https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957"
},
{
"url": "https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125"
},
{
"url": "https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39"
}
],
"title": "libceph: make decode_pool() more resilient against corrupted osdmaps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71116",
"datePublished": "2026-01-14T15:06:04.476Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-06-11T18:44:23.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38201 (GCVE-0-2025-38201)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23
VLAI?
EPSS
Title
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()
when resizing hashtable because __GFP_NOWARN is unset.
Similar to:
b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3c4287f62044a90e73a561aa05fc46e62da173da , < 1fe27f97944017a9d3c5af4d6d95282bff0f1147
(git)
Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 4abccfb61f422300be014b8e734c63344306f009 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 80417057ac60dd80f4816eb426e4e4a5bf696534 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < df524a68d9021c1401965d610bb6e42ee5d9611e (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 0ab3de047808f375a36cd345225572eb3366f3c6 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < d2768016f091f8a5264076b433fd7c3fabb6eb97 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < b85e3367a5716ed3662a4fe266525190d2af76df (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1fe27f97944017a9d3c5af4d6d95282bff0f1147",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "4abccfb61f422300be014b8e734c63344306f009",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "80417057ac60dd80f4816eb426e4e4a5bf696534",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "df524a68d9021c1401965d610bb6e42ee5d9611e",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "0ab3de047808f375a36cd345225572eb3366f3c6",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "d2768016f091f8a5264076b433fd7c3fabb6eb97",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "b85e3367a5716ed3662a4fe266525190d2af76df",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX\n\nOtherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()\nwhen resizing hashtable because __GFP_NOWARN is unset.\n\nSimilar to:\n\n b541ba7d1f5a (\"netfilter: conntrack: clamp maximum hashtable size to INT_MAX\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:23:12.582Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1fe27f97944017a9d3c5af4d6d95282bff0f1147"
},
{
"url": "https://git.kernel.org/stable/c/4abccfb61f422300be014b8e734c63344306f009"
},
{
"url": "https://git.kernel.org/stable/c/80417057ac60dd80f4816eb426e4e4a5bf696534"
},
{
"url": "https://git.kernel.org/stable/c/df524a68d9021c1401965d610bb6e42ee5d9611e"
},
{
"url": "https://git.kernel.org/stable/c/0ab3de047808f375a36cd345225572eb3366f3c6"
},
{
"url": "https://git.kernel.org/stable/c/d2768016f091f8a5264076b433fd7c3fabb6eb97"
},
{
"url": "https://git.kernel.org/stable/c/b85e3367a5716ed3662a4fe266525190d2af76df"
}
],
"title": "netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38201",
"datePublished": "2025-07-04T13:37:22.732Z",
"dateReserved": "2025-04-16T04:51:23.993Z",
"dateUpdated": "2026-05-11T21:23:12.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23108 (GCVE-0-2026-23108)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback usb_8dev_read_bulk_callback(), the URBs are processed and
resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0024d8ad1639e32d717445c69ca813fd19c2a91c , < feb8243eaea7efd5279b19667d7189fd8654c87a
(git)
Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < ef6e608e5ee71eca0cd3475c737e684cef24f240 (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < 60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9 (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < 59ff56992bba28051ad67cd8cc7b0edfe7280796 (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < ea4a98e924164586066b39f29bfcc7cc9da108cd (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < 07e9373739c6388af9d99797cdb2e79dbbcbe92b (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < f7a980b3b8f80fe367f679da376cf76e800f9480 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23108",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:19.985708Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:21.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/usb_8dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "feb8243eaea7efd5279b19667d7189fd8654c87a",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "ef6e608e5ee71eca0cd3475c737e684cef24f240",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "59ff56992bba28051ad67cd8cc7b0edfe7280796",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "ea4a98e924164586066b39f29bfcc7cc9da108cd",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "07e9373739c6388af9d99797cdb2e79dbbcbe92b",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "f7a980b3b8f80fe367f679da376cf76e800f9480",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/usb_8dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn usb_8dev_open() -\u003e usb_8dev_start(), the URBs for USB-in transfers are\nallocated, added to the priv-\u003erx_submitted anchor and submitted. In the\ncomplete callback usb_8dev_read_bulk_callback(), the URBs are processed and\nresubmitted. In usb_8dev_close() -\u003e unlink_all_urbs() the URBs are freed by\ncalling usb_kill_anchored_urbs(\u0026priv-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nusb_8dev_read_bulk_callback() to the priv-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:16.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a"
},
{
"url": "https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240"
},
{
"url": "https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9"
},
{
"url": "https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796"
},
{
"url": "https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd"
},
{
"url": "https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b"
},
{
"url": "https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480"
}
],
"title": "can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23108",
"datePublished": "2026-02-04T16:08:28.650Z",
"dateReserved": "2026-01-13T15:37:45.967Z",
"dateUpdated": "2026-06-11T18:44:21.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23351 (GCVE-0-2026-23351)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-05-11 22:05
VLAI?
EPSS
Title
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
Yiming Qian reports Use-after-free in the pipapo set type:
Under a large number of expired elements, commit-time GC can run for a very
long time in a non-preemptible context, triggering soft lockup warnings and
RCU stall reports (local denial of service).
We must split GC in an unlink and a reclaim phase.
We cannot queue elements for freeing until pointers have been swapped.
Expired elements are still exposed to both the packet path and userspace
dumpers via the live copy of the data structure.
call_rcu() does not protect us: dump operations or element lookups starting
after call_rcu has fired can still observe the free'd element, unless the
commit phase has made enough progress to swap the clone and live pointers
before any new reader has picked up the old version.
This a similar approach as done recently for the rbtree backend in commit
35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3c4287f62044a90e73a561aa05fc46e62da173da , < 65ca51b9fb85477ab92a04295aed34b38f7c062e
(git)
Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < c0f1f85097ac2b6e7d750fe4d05807985cd3fd3a (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 16f3595c0441d87dfa005c47d8f95be213afaa9e (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 7864c667aed01a58b87ca518a631322cd0ac34c0 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < c12d570d71920903a1a0468b7d13b085203d0c93 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 500a50a301ce962b019ab95053ac70264fec2c21 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < aff13667708dfa0dce136b8efd81baa9fa6ef261 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 9df95785d3d8302f7c066050117b04cd3c2048c2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_pipapo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65ca51b9fb85477ab92a04295aed34b38f7c062e",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "c0f1f85097ac2b6e7d750fe4d05807985cd3fd3a",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "16f3595c0441d87dfa005c47d8f95be213afaa9e",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "7864c667aed01a58b87ca518a631322cd0ac34c0",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "c12d570d71920903a1a0468b7d13b085203d0c93",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "500a50a301ce962b019ab95053ac70264fec2c21",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "aff13667708dfa0dce136b8efd81baa9fa6ef261",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "9df95785d3d8302f7c066050117b04cd3c2048c2",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_pipapo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n\nYiming Qian reports Use-after-free in the pipapo set type:\n Under a large number of expired elements, commit-time GC can run for a very\n long time in a non-preemptible context, triggering soft lockup warnings and\n RCU stall reports (local denial of service).\n\nWe must split GC in an unlink and a reclaim phase.\n\nWe cannot queue elements for freeing until pointers have been swapped.\nExpired elements are still exposed to both the packet path and userspace\ndumpers via the live copy of the data structure.\n\ncall_rcu() does not protect us: dump operations or element lookups starting\nafter call_rcu has fired can still observe the free\u0027d element, unless the\ncommit phase has made enough progress to swap the clone and live pointers\nbefore any new reader has picked up the old version.\n\nThis a similar approach as done recently for the rbtree backend in commit\n35f83a75529a (\"netfilter: nft_set_rbtree: don\u0027t gc elements on insert\")."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:05:11.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65ca51b9fb85477ab92a04295aed34b38f7c062e"
},
{
"url": "https://git.kernel.org/stable/c/c0f1f85097ac2b6e7d750fe4d05807985cd3fd3a"
},
{
"url": "https://git.kernel.org/stable/c/16f3595c0441d87dfa005c47d8f95be213afaa9e"
},
{
"url": "https://git.kernel.org/stable/c/7864c667aed01a58b87ca518a631322cd0ac34c0"
},
{
"url": "https://git.kernel.org/stable/c/c12d570d71920903a1a0468b7d13b085203d0c93"
},
{
"url": "https://git.kernel.org/stable/c/500a50a301ce962b019ab95053ac70264fec2c21"
},
{
"url": "https://git.kernel.org/stable/c/aff13667708dfa0dce136b8efd81baa9fa6ef261"
},
{
"url": "https://git.kernel.org/stable/c/9df95785d3d8302f7c066050117b04cd3c2048c2"
}
],
"title": "netfilter: nft_set_pipapo: split gc into unlink and reclaim phase",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23351",
"datePublished": "2026-03-25T10:27:36.854Z",
"dateReserved": "2026-01-13T15:37:45.999Z",
"dateUpdated": "2026-05-11T22:05:11.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71182 (GCVE-0-2025-71182)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:38 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
can: j1939: make j1939_session_activate() fail if device is no longer registered
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: make j1939_session_activate() fail if device is no longer registered
syzbot is still reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
even after commit 93a27b5891b8 ("can: j1939: add missing calls in
NETDEV_UNREGISTER notification handler") was added. A debug printk() patch
found that j1939_session_activate() can succeed even after
j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)
has completed.
Since j1939_cancel_active_session() is processed with the session list lock
held, checking ndev->reg_state in j1939_session_activate() with the session
list lock held can reliably close the race window.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d71dd0c70099914fcd063135da3c580865e924c , < ebb0dfd718dd31c8d3600612ca4b7207ec3d923a
(git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < c3a4316e3c746af415c0fd6c6d489ad13f53714d (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 46ca9dc978923c5e1247a9e9519240ba7ace413c (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 78d87b72cebe2a993fd5b017e9f14fb6278f2eae (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 79dd3f1d9dd310c2af89b09c71f34d93973b200f (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 5d5602236f5db19e8b337a2cd87a90ace5ea776d (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:04.625425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:19.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ebb0dfd718dd31c8d3600612ca4b7207ec3d923a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "c3a4316e3c746af415c0fd6c6d489ad13f53714d",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "46ca9dc978923c5e1247a9e9519240ba7ace413c",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "78d87b72cebe2a993fd5b017e9f14fb6278f2eae",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "79dd3f1d9dd310c2af89b09c71f34d93973b200f",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "5d5602236f5db19e8b337a2cd87a90ace5ea776d",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: make j1939_session_activate() fail if device is no longer registered\n\nsyzbot is still reporting\n\n unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\neven after commit 93a27b5891b8 (\"can: j1939: add missing calls in\nNETDEV_UNREGISTER notification handler\") was added. A debug printk() patch\nfound that j1939_session_activate() can succeed even after\nj1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)\nhas completed.\n\nSince j1939_cancel_active_session() is processed with the session list lock\nheld, checking ndev-\u003ereg_state in j1939_session_activate() with the session\nlist lock held can reliably close the race window."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:15.065Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ebb0dfd718dd31c8d3600612ca4b7207ec3d923a"
},
{
"url": "https://git.kernel.org/stable/c/c3a4316e3c746af415c0fd6c6d489ad13f53714d"
},
{
"url": "https://git.kernel.org/stable/c/46ca9dc978923c5e1247a9e9519240ba7ace413c"
},
{
"url": "https://git.kernel.org/stable/c/78d87b72cebe2a993fd5b017e9f14fb6278f2eae"
},
{
"url": "https://git.kernel.org/stable/c/ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536"
},
{
"url": "https://git.kernel.org/stable/c/79dd3f1d9dd310c2af89b09c71f34d93973b200f"
},
{
"url": "https://git.kernel.org/stable/c/5d5602236f5db19e8b337a2cd87a90ace5ea776d"
}
],
"title": "can: j1939: make j1939_session_activate() fail if device is no longer registered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71182",
"datePublished": "2026-01-31T11:38:55.157Z",
"dateReserved": "2026-01-31T11:36:51.185Z",
"dateUpdated": "2026-06-11T18:44:19.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71186 (GCVE-0-2025-71186)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:41 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
dmaengine: stm32: dmamux: fix device leak on route allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: stm32: dmamux: fix device leak on route allocation
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 3b42020e6790a5e19b36c187ed5b488a5716f97f
(git)
Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 6393da54dcb3488c080a183c4182ddec71ba8d7f (git) Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 1dda2a32303df0091896b01a9d09070d61fa344c (git) Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 1a179ac01ff3993ab97e33cc77c316ed7415cda1 (git) Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 2fb10259d4efb4367787b5ae9c94192e8a91c648 (git) Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < 3ef52d31cce8ba816739085a61efe07b63c6cf27 (git) Affected: df7e762db5f6c8dbd9e480f1c9ef9851de346657 , < dd6e4943889fb354efa3f700e42739da9bddb6ef (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:35.407Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/stm32/stm32-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b42020e6790a5e19b36c187ed5b488a5716f97f",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "6393da54dcb3488c080a183c4182ddec71ba8d7f",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "1dda2a32303df0091896b01a9d09070d61fa344c",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "1a179ac01ff3993ab97e33cc77c316ed7415cda1",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "2fb10259d4efb4367787b5ae9c94192e8a91c648",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "3ef52d31cce8ba816739085a61efe07b63c6cf27",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "dd6e4943889fb354efa3f700e42739da9bddb6ef",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/stm32/stm32-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: stm32: dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:19.720Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b42020e6790a5e19b36c187ed5b488a5716f97f"
},
{
"url": "https://git.kernel.org/stable/c/6393da54dcb3488c080a183c4182ddec71ba8d7f"
},
{
"url": "https://git.kernel.org/stable/c/1dda2a32303df0091896b01a9d09070d61fa344c"
},
{
"url": "https://git.kernel.org/stable/c/1a179ac01ff3993ab97e33cc77c316ed7415cda1"
},
{
"url": "https://git.kernel.org/stable/c/2fb10259d4efb4367787b5ae9c94192e8a91c648"
},
{
"url": "https://git.kernel.org/stable/c/3ef52d31cce8ba816739085a61efe07b63c6cf27"
},
{
"url": "https://git.kernel.org/stable/c/dd6e4943889fb354efa3f700e42739da9bddb6ef"
}
],
"title": "dmaengine: stm32: dmamux: fix device leak on route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71186",
"datePublished": "2026-01-31T11:41:57.921Z",
"dateReserved": "2026-01-31T11:36:51.187Z",
"dateUpdated": "2026-06-02T13:00:35.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71191 (GCVE-0-2025-71191)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
Make sure to drop the reference taken when looking up the DMA platform
device during of_dma_xlate() when releasing channel resources.
Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing
put_device() call in at_dma_xlate()") fixed the leak in a couple of
error paths but the reference is still leaking on successful allocation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < 49d964cde422dc66fea514b7ab24aa729df7081d
(git)
Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < 4c67b4f45c8540ee4e62e24ca4608c6a9a81ee0f (git) Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < 48b2d7f530b83cb149dbf0e48f95ccadb2d90da9 (git) Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < 987c71671367f42460689b78244d7b894c50999a (git) Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < 6a86cf2c09e149d5718a5b7090545f7566da9334 (git) Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < f3c23b7e941349505c3d40de2cc0acd93d9ac057 (git) Affected: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 , < b9074b2d7a230b6e28caa23165e9d8bc0677d333 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:40.178Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/at_hdmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49d964cde422dc66fea514b7ab24aa729df7081d",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "4c67b4f45c8540ee4e62e24ca4608c6a9a81ee0f",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "48b2d7f530b83cb149dbf0e48f95ccadb2d90da9",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "987c71671367f42460689b78244d7b894c50999a",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "6a86cf2c09e149d5718a5b7090545f7566da9334",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "f3c23b7e941349505c3d40de2cc0acd93d9ac057",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "b9074b2d7a230b6e28caa23165e9d8bc0677d333",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/at_hdmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: at_hdmac: fix device leak on of_dma_xlate()\n\nMake sure to drop the reference taken when looking up the DMA platform\ndevice during of_dma_xlate() when releasing channel resources.\n\nNote that commit 3832b78b3ec2 (\"dmaengine: at_hdmac: add missing\nput_device() call in at_dma_xlate()\") fixed the leak in a couple of\nerror paths but the reference is still leaking on successful allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:25.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49d964cde422dc66fea514b7ab24aa729df7081d"
},
{
"url": "https://git.kernel.org/stable/c/4c67b4f45c8540ee4e62e24ca4608c6a9a81ee0f"
},
{
"url": "https://git.kernel.org/stable/c/48b2d7f530b83cb149dbf0e48f95ccadb2d90da9"
},
{
"url": "https://git.kernel.org/stable/c/987c71671367f42460689b78244d7b894c50999a"
},
{
"url": "https://git.kernel.org/stable/c/6a86cf2c09e149d5718a5b7090545f7566da9334"
},
{
"url": "https://git.kernel.org/stable/c/f3c23b7e941349505c3d40de2cc0acd93d9ac057"
},
{
"url": "https://git.kernel.org/stable/c/b9074b2d7a230b6e28caa23165e9d8bc0677d333"
}
],
"title": "dmaengine: at_hdmac: fix device leak on of_dma_xlate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71191",
"datePublished": "2026-01-31T11:42:03.545Z",
"dateReserved": "2026-01-31T11:36:51.189Z",
"dateUpdated": "2026-06-02T13:00:40.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46300 (GCVE-0-2026-46300)
Vulnerability from cvelistv5 – Published: 2026-05-23 11:44 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
net: skbuff: preserve shared-frag marker during coalescing
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() can attach paged frags from @from to @to. If @from
has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
externally-owned or page-cache-backed frags, but the shared-frag marker
is currently lost.
That breaks the invariant relied on by later in-place writers. In
particular, ESP input checks skb_has_shared_frag() before deciding
whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
receive coalescing has moved shared frags into an unmarked skb, ESP can
see skb_has_shared_frag() as false and decrypt in place over page-cache
backed frags.
Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
frags. The tailroom copy path does not need the marker because it copies
bytes into @to's linear data rather than transferring frag descriptors.
Severity ?
7.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 3599e6b3cc1ada96883d496a50a210d3afbb6987
(git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 78bf6b6bb19541d19fbda6242e7cfe2c682763c0 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 3bd9e113d50034db99d7ef69fd8e5242d15e414a (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 3884358a9286b17f389a72b1426fc4547c23c111 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < f84eca5817390257cef78013d0112481c503b4a3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-23T12:24:19.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/13/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/11"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/13"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el10",
"cpe:/a:redhat:openshift:4.21::el8",
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-13T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s XFRM ESP-in-TCP subsystem. Unsafe in-place cryptographic processing allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, including sensitive system files. An attacker can exploit this to overwrite privileged binaries and gain root privileges."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:08.415Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46300"
},
{
"name": "RHBZ#2477015",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477015"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46300.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19540"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHBA-2026:20032"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21695"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21690"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21656"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23245"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21702"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23240"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20299"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19705"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20593"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20054"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20129"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19666"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23470"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20130"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20051"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19521"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23471"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23469"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24814"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23468"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19664"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19711"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19875"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:19540: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHBA-2026:20032: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:21695: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:21690: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:20087: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:21656: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:23245: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:21702: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:23240: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:20299: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19705: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:20593: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:20054: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20129: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19666: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:23470: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:20130: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20051: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19521: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:23471: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:23469: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:24814: Red Hat Enterprise Linux BaseOS E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:23468: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19664: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:19711: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19875: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T13:28:21.270Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-13T12:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: \"Fragnesia\" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3599e6b3cc1ada96883d496a50a210d3afbb6987",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "9d3e5fd19fe1063bf607219e8562fbd567b8e8d5",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "78bf6b6bb19541d19fbda6242e7cfe2c682763c0",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "3bd9e113d50034db99d7ef69fd8e5242d15e414a",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "3884358a9286b17f389a72b1426fc4547c23c111",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "f84eca5817390257cef78013d0112481c503b4a3",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.257",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.208",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.174",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: preserve shared-frag marker during coalescing\n\nskb_try_coalesce() can attach paged frags from @from to @to. If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\n\nThat breaks the invariant relied on by later in-place writers. In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data(). If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\n\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags. The tailroom copy path does not need the marker because it copies\nbytes into @to\u0027s linear data rather than transferring frag descriptors."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:34.359Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987"
},
{
"url": "https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c"
},
{
"url": "https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5"
},
{
"url": "https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0"
},
{
"url": "https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e"
},
{
"url": "https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a"
},
{
"url": "https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111"
},
{
"url": "https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3"
}
],
"title": "net: skbuff: preserve shared-frag marker during coalescing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46300",
"datePublished": "2026-05-23T11:44:02.231Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-07-02T12:05:08.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68266 (GCVE-0-2025-68266)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:47 – Updated: 2026-05-11 21:50
VLAI?
EPSS
Title
bfs: Reconstruct file type when loading from disk
Summary
In the Linux kernel, the following vulnerability has been resolved:
bfs: Reconstruct file type when loading from disk
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted
or when the 32bits "attributes" field loaded from disk are corrupted.
A documentation says that BFS uses only lower 9 bits of the "mode" field.
But I can't find an explicit explanation that the unused upper 23 bits
(especially, the S_IFMT bits) are initialized with 0.
Therefore, ignore the S_IFMT bits of the "mode" field loaded from disk.
Also, verify that the value of the "attributes" field loaded from disk is
either BFS_VREG or BFS_VDIR (because BFS supports only regular files and
the root directory).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d0c5ec1f57d8fbb953f166a27d9d32473dc8f3e4
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aeccd6743ee4fdd1ab8cfcbb5b9a20b613418f6d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8f73336b75bd3457b6f9410f2a0601a238f32238 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a9f626396bfe66f49b743601e862767928237cc0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 77899444d46162aeb65f229590c26ba266864223 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a8cb796e7e2cb7971311ba236922f5e7e1be77e6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 34ab4c75588c07cca12884f2bf6b0347c7a13872 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/bfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c5ec1f57d8fbb953f166a27d9d32473dc8f3e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aeccd6743ee4fdd1ab8cfcbb5b9a20b613418f6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8f73336b75bd3457b6f9410f2a0601a238f32238",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a9f626396bfe66f49b743601e862767928237cc0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "77899444d46162aeb65f229590c26ba266864223",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8cb796e7e2cb7971311ba236922f5e7e1be77e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34ab4c75588c07cca12884f2bf6b0347c7a13872",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/bfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfs: Reconstruct file type when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode-\u003ei_mode can become bogus when\nthe S_IFMT bits of the 32bits \"mode\" field loaded from disk are corrupted\nor when the 32bits \"attributes\" field loaded from disk are corrupted.\n\nA documentation says that BFS uses only lower 9 bits of the \"mode\" field.\nBut I can\u0027t find an explicit explanation that the unused upper 23 bits\n(especially, the S_IFMT bits) are initialized with 0.\n\nTherefore, ignore the S_IFMT bits of the \"mode\" field loaded from disk.\nAlso, verify that the value of the \"attributes\" field loaded from disk is\neither BFS_VREG or BFS_VDIR (because BFS supports only regular files and\nthe root directory)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:50:06.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c5ec1f57d8fbb953f166a27d9d32473dc8f3e4"
},
{
"url": "https://git.kernel.org/stable/c/aeccd6743ee4fdd1ab8cfcbb5b9a20b613418f6d"
},
{
"url": "https://git.kernel.org/stable/c/8f73336b75bd3457b6f9410f2a0601a238f32238"
},
{
"url": "https://git.kernel.org/stable/c/a9f626396bfe66f49b743601e862767928237cc0"
},
{
"url": "https://git.kernel.org/stable/c/77899444d46162aeb65f229590c26ba266864223"
},
{
"url": "https://git.kernel.org/stable/c/a8cb796e7e2cb7971311ba236922f5e7e1be77e6"
},
{
"url": "https://git.kernel.org/stable/c/34ab4c75588c07cca12884f2bf6b0347c7a13872"
}
],
"title": "bfs: Reconstruct file type when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68266",
"datePublished": "2025-12-16T14:47:06.240Z",
"dateReserved": "2025-12-16T13:41:40.268Z",
"dateUpdated": "2026-05-11T21:50:06.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71108 (GCVE-0-2025-71108)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
usb: typec: ucsi: Handle incorrect num_connectors capability
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: Handle incorrect num_connectors capability
The UCSI spec states that the num_connectors field is 7 bits, and the
8th bit is reserved and should be set to zero.
Some buggy FW has been known to set this bit, and it can lead to a
system not booting.
Flag that the FW is not behaving correctly, and auto-fix the value
so that the system boots correctly.
Found on Lenovo P1 G8 during Linux enablement program. The FW will
be fixed, but seemed worth addressing in case it hit platforms that
aren't officially Linux supported.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 07c8d2a109d847775b3b4e2c3294c8e1eea75432
(git)
Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 58941bbb0050e365a98c64f1fc4a9a0ac127dba6 (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < f72f97d0aee4a993a35f2496bca5efd24827235d (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 914605b0de8128434eafc9582445306830748b93 (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 3042a57a8e8bce4a3100c3f6f03dc372aab24943 (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 132fe187e0d940f388f839fe2cde9b84106ad20d (git) Affected: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f , < 30cd2cb1abf4c4acdb1ddb468c946f68939819fb (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71108",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:26.190531Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:12.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07c8d2a109d847775b3b4e2c3294c8e1eea75432",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "58941bbb0050e365a98c64f1fc4a9a0ac127dba6",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "f72f97d0aee4a993a35f2496bca5efd24827235d",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "914605b0de8128434eafc9582445306830748b93",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "3042a57a8e8bce4a3100c3f6f03dc372aab24943",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "132fe187e0d940f388f839fe2cde9b84106ad20d",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "30cd2cb1abf4c4acdb1ddb468c946f68939819fb",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Handle incorrect num_connectors capability\n\nThe UCSI spec states that the num_connectors field is 7 bits, and the\n8th bit is reserved and should be set to zero.\nSome buggy FW has been known to set this bit, and it can lead to a\nsystem not booting.\nFlag that the FW is not behaving correctly, and auto-fix the value\nso that the system boots correctly.\n\nFound on Lenovo P1 G8 during Linux enablement program. The FW will\nbe fixed, but seemed worth addressing in case it hit platforms that\naren\u0027t officially Linux supported."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:58.410Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432"
},
{
"url": "https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6"
},
{
"url": "https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d"
},
{
"url": "https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93"
},
{
"url": "https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943"
},
{
"url": "https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d"
},
{
"url": "https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb"
}
],
"title": "usb: typec: ucsi: Handle incorrect num_connectors capability",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71108",
"datePublished": "2026-01-14T15:05:56.553Z",
"dateReserved": "2026-01-13T15:30:19.652Z",
"dateUpdated": "2026-06-11T18:44:12.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71098 (GCVE-0-2025-71098)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ip6_gre: make ip6gre_header() robust
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_gre: make ip6gre_header() robust
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c12b395a46646bab69089ce7016ac78177f6001f , < 17e7386234f740f3e7d5e58a47b5847ea34c3bc2
(git)
Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 41a1a3140aff295dee8063906f70a514548105e8 (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < adee129db814474f2f81207bd182bf343832a52e (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 1717357007db150c2d703f13f5695460e960f26c (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 5fe210533e3459197eabfdbf97327dacbdc04d60 (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 91a2b25be07ce1a7549ceebbe82017551d2eec92 (git) Affected: c12b395a46646bab69089ce7016ac78177f6001f , < db5b4e39c4e63700c68a7e65fc4e1f1375273476 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:13.938305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:10.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17e7386234f740f3e7d5e58a47b5847ea34c3bc2",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "41a1a3140aff295dee8063906f70a514548105e8",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "adee129db814474f2f81207bd182bf343832a52e",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "1717357007db150c2d703f13f5695460e960f26c",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "5fe210533e3459197eabfdbf97327dacbdc04d60",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "91a2b25be07ce1a7549ceebbe82017551d2eec92",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "db5b4e39c4e63700c68a7e65fc4e1f1375273476",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: make ip6gre_header() robust\n\nOver the years, syzbot found many ways to crash the kernel\nin ip6gre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ip6gre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:213 !\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n neigh_output include/net/neighbour.h:556 [inline]\n ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136\n __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]\n ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:42.469Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2"
},
{
"url": "https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8"
},
{
"url": "https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e"
},
{
"url": "https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c"
},
{
"url": "https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60"
},
{
"url": "https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92"
},
{
"url": "https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476"
}
],
"title": "ip6_gre: make ip6gre_header() robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71098",
"datePublished": "2026-01-13T15:34:57.536Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-06-11T18:44:10.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68367 (GCVE-0-2025-68367)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
Summary
In the Linux kernel, the following vulnerability has been resolved:
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
The following warning appears when running syzkaller, and this issue also
exists in the mainline code.
------------[ cut here ]------------
list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.
WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130
Modules linked in:
CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xf7/0x130
RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817
RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001
RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c
R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100
R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48
FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
input_register_handler+0xb3/0x210
mac_hid_start_emulation+0x1c5/0x290
mac_hid_toggle_emumouse+0x20a/0x240
proc_sys_call_handler+0x4c2/0x6e0
new_sync_write+0x1b1/0x2d0
vfs_write+0x709/0x950
ksys_write+0x12a/0x250
do_syscall_64+0x5a/0x110
entry_SYSCALL_64_after_hwframe+0x78/0xe2
The WARNING occurs when two processes concurrently write to the mac-hid
emulation sysctl, causing a race condition in mac_hid_toggle_emumouse().
Both processes read old_val=0, then both try to register the input handler,
leading to a double list_add of the same handler.
CPU0 CPU1
------------------------- -------------------------
vfs_write() //write 1 vfs_write() //write 1
proc_sys_write() proc_sys_write()
mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()
old_val = *valp // old_val=0
old_val = *valp // old_val=0
mutex_lock_killable()
proc_dointvec() // *valp=1
mac_hid_start_emulation()
input_register_handler()
mutex_unlock()
mutex_lock_killable()
proc_dointvec()
mac_hid_start_emulation()
input_register_handler() //Trigger Warning
mutex_unlock()
Fix this by moving the old_val read inside the mutex lock region.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
99b089c3c38a83ebaeb1cc4584ddcde841626467 , < d5f1d40fd342b589420de7508b4c748fcf28122e
(git)
Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 14c209835e47a87e6da94bb9401e570dcc14f31f (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 583d36523f56d8e9ddfa0bec20743a6faefc9b74 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 61abf8c3162d155b4fd0fb251f08557093363a0a (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 230621ffdb361d15cd3ef92d8b4fa8d314f4fad4 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 388391dd1cc567fcf0b372b63d414c119d23e911 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 48a7d427eb65922b3f17fbe00e2bbc7cb9eac381 (git) Affected: 99b089c3c38a83ebaeb1cc4584ddcde841626467 , < 1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/macintosh/mac_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5f1d40fd342b589420de7508b4c748fcf28122e",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "14c209835e47a87e6da94bb9401e570dcc14f31f",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "583d36523f56d8e9ddfa0bec20743a6faefc9b74",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "61abf8c3162d155b4fd0fb251f08557093363a0a",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "230621ffdb361d15cd3ef92d8b4fa8d314f4fad4",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "388391dd1cc567fcf0b372b63d414c119d23e911",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "48a7d427eb65922b3f17fbe00e2bbc7cb9eac381",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/macintosh/mac_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse\n\nThe following warning appears when running syzkaller, and this issue also\nexists in the mainline code.\n\n ------------[ cut here ]------------\n list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.\n WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130\n Modules linked in:\n CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__list_add_valid_or_report+0xf7/0x130\n RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817\n RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001\n RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c\n R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100\n R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48\n FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 80000000\n Call Trace:\n \u003cTASK\u003e\n input_register_handler+0xb3/0x210\n mac_hid_start_emulation+0x1c5/0x290\n mac_hid_toggle_emumouse+0x20a/0x240\n proc_sys_call_handler+0x4c2/0x6e0\n new_sync_write+0x1b1/0x2d0\n vfs_write+0x709/0x950\n ksys_write+0x12a/0x250\n do_syscall_64+0x5a/0x110\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe WARNING occurs when two processes concurrently write to the mac-hid\nemulation sysctl, causing a race condition in mac_hid_toggle_emumouse().\nBoth processes read old_val=0, then both try to register the input handler,\nleading to a double list_add of the same handler.\n\n CPU0 CPU1\n ------------------------- -------------------------\n vfs_write() //write 1 vfs_write() //write 1\n proc_sys_write() proc_sys_write()\n mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()\n old_val = *valp // old_val=0\n old_val = *valp // old_val=0\n mutex_lock_killable()\n proc_dointvec() // *valp=1\n mac_hid_start_emulation()\n input_register_handler()\n mutex_unlock()\n mutex_lock_killable()\n proc_dointvec()\n mac_hid_start_emulation()\n input_register_handler() //Trigger Warning\n mutex_unlock()\n\nFix this by moving the old_val read inside the mutex lock region."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:50.117Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5f1d40fd342b589420de7508b4c748fcf28122e"
},
{
"url": "https://git.kernel.org/stable/c/14c209835e47a87e6da94bb9401e570dcc14f31f"
},
{
"url": "https://git.kernel.org/stable/c/583d36523f56d8e9ddfa0bec20743a6faefc9b74"
},
{
"url": "https://git.kernel.org/stable/c/61abf8c3162d155b4fd0fb251f08557093363a0a"
},
{
"url": "https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4"
},
{
"url": "https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911"
},
{
"url": "https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381"
},
{
"url": "https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f"
}
],
"title": "macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68367",
"datePublished": "2025-12-24T10:32:54.084Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-05-11T21:51:50.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71192 (GCVE-0-2025-71192)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:00 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
ALSA: ac97: fix a double free in snd_ac97_controller_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ac97: fix a double free in snd_ac97_controller_register()
If ac97_add_adapter() fails, put_device() is the correct way to drop
the device reference. kfree() is not required.
Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do
the cleanup.
Found by code review.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
74426fbff66eea8e8d1f42c8238c268d1e63a832 , < c80f9b3349a99a9d5b295f5bbc23f544c5995ad7
(git)
Affected: 74426fbff66eea8e8d1f42c8238c268d1e63a832 , < 21f8bc5179bed91c3f946adb5e55d717b891960c (git) Affected: 74426fbff66eea8e8d1f42c8238c268d1e63a832 , < fcc04c92cbb5497ce67c58dd2f0001bb87f40396 (git) Affected: 74426fbff66eea8e8d1f42c8238c268d1e63a832 , < cb73d37ac18bc1716690ff5255a0ef1952827e9e (git) Affected: 74426fbff66eea8e8d1f42c8238c268d1e63a832 , < 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/ac97/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c80f9b3349a99a9d5b295f5bbc23f544c5995ad7",
"status": "affected",
"version": "74426fbff66eea8e8d1f42c8238c268d1e63a832",
"versionType": "git"
},
{
"lessThan": "21f8bc5179bed91c3f946adb5e55d717b891960c",
"status": "affected",
"version": "74426fbff66eea8e8d1f42c8238c268d1e63a832",
"versionType": "git"
},
{
"lessThan": "fcc04c92cbb5497ce67c58dd2f0001bb87f40396",
"status": "affected",
"version": "74426fbff66eea8e8d1f42c8238c268d1e63a832",
"versionType": "git"
},
{
"lessThan": "cb73d37ac18bc1716690ff5255a0ef1952827e9e",
"status": "affected",
"version": "74426fbff66eea8e8d1f42c8238c268d1e63a832",
"versionType": "git"
},
{
"lessThan": "830988b6cf197e6dcffdfe2008c5738e6c6c3c0f",
"status": "affected",
"version": "74426fbff66eea8e8d1f42c8238c268d1e63a832",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/ac97/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ac97: fix a double free in snd_ac97_controller_register()\n\nIf ac97_add_adapter() fails, put_device() is the correct way to drop\nthe device reference. kfree() is not required.\nAdd kfree() if idr_alloc() fails and in ac97_adapter_release() to do\nthe cleanup.\n\nFound by code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:26.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c80f9b3349a99a9d5b295f5bbc23f544c5995ad7"
},
{
"url": "https://git.kernel.org/stable/c/21f8bc5179bed91c3f946adb5e55d717b891960c"
},
{
"url": "https://git.kernel.org/stable/c/fcc04c92cbb5497ce67c58dd2f0001bb87f40396"
},
{
"url": "https://git.kernel.org/stable/c/cb73d37ac18bc1716690ff5255a0ef1952827e9e"
},
{
"url": "https://git.kernel.org/stable/c/830988b6cf197e6dcffdfe2008c5738e6c6c3c0f"
}
],
"title": "ALSA: ac97: fix a double free in snd_ac97_controller_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71192",
"datePublished": "2026-02-04T16:00:23.044Z",
"dateReserved": "2026-01-31T11:36:51.189Z",
"dateUpdated": "2026-05-11T21:56:26.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23129 (GCVE-0-2026-23129)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
dpll: Prevent duplicate registrations
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpll: Prevent duplicate registrations
Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add()
to reject duplicate registration attempts.
Previously, if a caller attempted to register the same pin multiple
times (with the same ops, priv, and cookie) on the same device, the core
silently increments the reference count and return success. This behavior
is incorrect because if the caller makes these duplicate registrations
then for the first one dpll_pin_registration is allocated and for others
the associated dpll_pin_ref.refcount is incremented. During the first
unregistration the associated dpll_pin_registration is freed and for
others WARN is fired.
Fix this by updating the logic to return `-EEXIST` if a matching
registration is found to enforce a strict "register once" policy.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9431063ad323ac864750aeba4d304389bc42ca4e , < dfec0501dba8f4711ef142a6a890e4812b7af88c
(git)
Affected: 9431063ad323ac864750aeba4d304389bc42ca4e , < 236a657422a564859dcd0db7bdb486abb21a721a (git) Affected: 9431063ad323ac864750aeba4d304389bc42ca4e , < f3ddbaaaaf4d0633b40482f471753f9c71294a4a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dpll/dpll_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfec0501dba8f4711ef142a6a890e4812b7af88c",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
},
{
"lessThan": "236a657422a564859dcd0db7bdb486abb21a721a",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
},
{
"lessThan": "f3ddbaaaaf4d0633b40482f471753f9c71294a4a",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dpll/dpll_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: Prevent duplicate registrations\n\nModify the internal registration helpers dpll_xa_ref_{dpll,pin}_add()\nto reject duplicate registration attempts.\n\nPreviously, if a caller attempted to register the same pin multiple\ntimes (with the same ops, priv, and cookie) on the same device, the core\nsilently increments the reference count and return success. This behavior\nis incorrect because if the caller makes these duplicate registrations\nthen for the first one dpll_pin_registration is allocated and for others\nthe associated dpll_pin_ref.refcount is incremented. During the first\nunregistration the associated dpll_pin_registration is freed and for\nothers WARN is fired.\n\nFix this by updating the logic to return `-EEXIST` if a matching\nregistration is found to enforce a strict \"register once\" policy."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:41.442Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfec0501dba8f4711ef142a6a890e4812b7af88c"
},
{
"url": "https://git.kernel.org/stable/c/236a657422a564859dcd0db7bdb486abb21a721a"
},
{
"url": "https://git.kernel.org/stable/c/f3ddbaaaaf4d0633b40482f471753f9c71294a4a"
}
],
"title": "dpll: Prevent duplicate registrations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23129",
"datePublished": "2026-02-14T15:09:57.574Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-05-11T22:00:41.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23003 (GCVE-0-2026-23003)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-06-16 20:18
VLAI?
EPSS
Title
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Blamed commit did not take care of VLAN encapsulations
as spotted by syzbot [1].
Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
[1]
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
__INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
__ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:318 [inline]
ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
__netif_receive_skb_one_core net/core/dev.c:6139 [inline]
__netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
netif_receive_skb_internal net/core/dev.c:6338 [inline]
netif_receive_skb+0x57/0x630 net/core/dev.c:6397
tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4960 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
__alloc_skb+0x805/0x1040 net/core/skbuff.c:690
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
tun_alloc_skb drivers/net/tun.c:1461 [inline]
tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a9bc32879a08f23cdb80a48c738017e39aea1080 , < f9c5c5b791d3850570796f9e067629474e613796
(git)
Affected: af6b5c50d47ab43e5272ad61935d0ed2e264d3f0 , < 64c71d60a21a9ed0a802483dcd422b5b24eb1abe (git) Affected: d54e4da98bbfa8c257bdca94c49652d81d18a4d8 , < 9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af (git) Affected: 350a6640fac4b53564ec20aa3f4a0922cb0ba5e6 , < 2f03dafea0a8096a2eb60f551218b360e5bab9a3 (git) Affected: 8d975c15c0cd744000ca386247432d57b21f9df0 , < df5ffde9669314500809bc498ae73d6d3d9519ac (git) Affected: 8d975c15c0cd744000ca386247432d57b21f9df0 , < b9f915340f25cae1562f18e1eb52deafca328414 (git) Affected: 8d975c15c0cd744000ca386247432d57b21f9df0 , < 81c734dae203757fb3c9eee6f9896386940776bd (git) Affected: c835df3bcc14858ae9b27315dd7de76370b94f3a (git) Affected: 5.10.210 , < 5.10.249 (semver) Affected: 5.15.149 , < 5.15.199 (semver) Affected: 6.1.77 , < 6.1.162 (semver) Affected: 6.6.16 , < 6.6.122 (semver) Affected: 6.7.4 , < 6.8 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:17:50.477974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:18:00.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9c5c5b791d3850570796f9e067629474e613796",
"status": "affected",
"version": "a9bc32879a08f23cdb80a48c738017e39aea1080",
"versionType": "git"
},
{
"lessThan": "64c71d60a21a9ed0a802483dcd422b5b24eb1abe",
"status": "affected",
"version": "af6b5c50d47ab43e5272ad61935d0ed2e264d3f0",
"versionType": "git"
},
{
"lessThan": "9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af",
"status": "affected",
"version": "d54e4da98bbfa8c257bdca94c49652d81d18a4d8",
"versionType": "git"
},
{
"lessThan": "2f03dafea0a8096a2eb60f551218b360e5bab9a3",
"status": "affected",
"version": "350a6640fac4b53564ec20aa3f4a0922cb0ba5e6",
"versionType": "git"
},
{
"lessThan": "df5ffde9669314500809bc498ae73d6d3d9519ac",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"lessThan": "b9f915340f25cae1562f18e1eb52deafca328414",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"lessThan": "81c734dae203757fb3c9eee6f9896386940776bd",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"status": "affected",
"version": "c835df3bcc14858ae9b27315dd7de76370b94f3a",
"versionType": "git"
},
{
"lessThan": "5.10.249",
"status": "affected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThan": "5.15.199",
"status": "affected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThan": "6.1.162",
"status": "affected",
"version": "6.1.77",
"versionType": "semver"
},
{
"lessThan": "6.6.122",
"status": "affected",
"version": "6.6.16",
"versionType": "semver"
},
{
"lessThan": "6.8",
"status": "affected",
"version": "6.7.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\n\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\n\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n netif_receive_skb_internal net/core/dev.c:6338 [inline]\n netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4960 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n tun_alloc_skb drivers/net/tun.c:1461 [inline]\n tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:39.879Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9c5c5b791d3850570796f9e067629474e613796"
},
{
"url": "https://git.kernel.org/stable/c/64c71d60a21a9ed0a802483dcd422b5b24eb1abe"
},
{
"url": "https://git.kernel.org/stable/c/9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af"
},
{
"url": "https://git.kernel.org/stable/c/2f03dafea0a8096a2eb60f551218b360e5bab9a3"
},
{
"url": "https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac"
},
{
"url": "https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414"
},
{
"url": "https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd"
}
],
"title": "ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23003",
"datePublished": "2026-01-25T14:36:17.491Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-06-16T20:18:00.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68265 (GCVE-0-2025-68265)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:47 – Updated: 2026-05-11 21:50
VLAI?
EPSS
Title
nvme: fix admin request_queue lifetime
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix admin request_queue lifetime
The namespaces can access the controller's admin request_queue, and
stale references on the namespaces may exist after tearing down the
controller. Ensure the admin request_queue is active by moving the
controller's 'put' to after all controller references have been released
to ensure no one is can access the request_queue. This fixes a reported
use-after-free bug:
BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
print_report+0xc4/0x620
? _raw_spin_lock_irqsave+0x70/0xb0
? _raw_read_unlock_irqrestore+0x30/0x30
? blk_queue_enter+0x41c/0x4a0
kasan_report+0xab/0xe0
? blk_queue_enter+0x41c/0x4a0
blk_queue_enter+0x41c/0x4a0
? __irq_work_queue_local+0x75/0x1d0
? blk_queue_start_drain+0x70/0x70
? irq_work_queue+0x18/0x20
? vprintk_emit.part.0+0x1cc/0x350
? wake_up_klogd_work_func+0x60/0x60
blk_mq_alloc_request+0x2b7/0x6b0
? __blk_mq_alloc_requests+0x1060/0x1060
? __switch_to+0x5b7/0x1060
nvme_submit_user_cmd+0xa9/0x330
nvme_user_cmd.isra.0+0x240/0x3f0
? force_sigsegv+0xe0/0xe0
? nvme_user_cmd64+0x400/0x400
? vfs_fileattr_set+0x9b0/0x9b0
? cgroup_update_frozen_flag+0x24/0x1c0
? cgroup_leave_frozen+0x204/0x330
? nvme_ioctl+0x7c/0x2c0
blkdev_ioctl+0x1a8/0x4d0
? blkdev_common_ioctl+0x1930/0x1930
? fdget+0x54/0x380
__x64_sys_ioctl+0x129/0x190
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f765f703b0b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
</TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fe60e8c534118a288cd251a59d747cbf5c03e160 , < 4896491c497226022626c3acc46044fd182f943c
(git)
Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < a505f0ba36ab24176c300d7ff56aff85c2977e6c (git) Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < e8061d02b49c5c901980f58d91e96580e9a14acf (git) Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < e7dac681790556c131854b97551337aa8042215b (git) Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < 03b3bcd319b3ab5182bc9aaa0421351572c78ac0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4896491c497226022626c3acc46044fd182f943c",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "a505f0ba36ab24176c300d7ff56aff85c2977e6c",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "e8061d02b49c5c901980f58d91e96580e9a14acf",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "e7dac681790556c131854b97551337aa8042215b",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "03b3bcd319b3ab5182bc9aaa0421351572c78ac0",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix admin request_queue lifetime\n\nThe namespaces can access the controller\u0027s admin request_queue, and\nstale references on the namespaces may exist after tearing down the\ncontroller. Ensure the admin request_queue is active by moving the\ncontroller\u0027s \u0027put\u0027 to after all controller references have been released\nto ensure no one is can access the request_queue. This fixes a reported\nuse-after-free bug:\n\n BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0\n Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287\n CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4f/0x60\n print_report+0xc4/0x620\n ? _raw_spin_lock_irqsave+0x70/0xb0\n ? _raw_read_unlock_irqrestore+0x30/0x30\n ? blk_queue_enter+0x41c/0x4a0\n kasan_report+0xab/0xe0\n ? blk_queue_enter+0x41c/0x4a0\n blk_queue_enter+0x41c/0x4a0\n ? __irq_work_queue_local+0x75/0x1d0\n ? blk_queue_start_drain+0x70/0x70\n ? irq_work_queue+0x18/0x20\n ? vprintk_emit.part.0+0x1cc/0x350\n ? wake_up_klogd_work_func+0x60/0x60\n blk_mq_alloc_request+0x2b7/0x6b0\n ? __blk_mq_alloc_requests+0x1060/0x1060\n ? __switch_to+0x5b7/0x1060\n nvme_submit_user_cmd+0xa9/0x330\n nvme_user_cmd.isra.0+0x240/0x3f0\n ? force_sigsegv+0xe0/0xe0\n ? nvme_user_cmd64+0x400/0x400\n ? vfs_fileattr_set+0x9b0/0x9b0\n ? cgroup_update_frozen_flag+0x24/0x1c0\n ? cgroup_leave_frozen+0x204/0x330\n ? nvme_ioctl+0x7c/0x2c0\n blkdev_ioctl+0x1a8/0x4d0\n ? blkdev_common_ioctl+0x1930/0x1930\n ? fdget+0x54/0x380\n __x64_sys_ioctl+0x129/0x190\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f765f703b0b\n Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b\n RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000\n R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003\n R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:50:02.899Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4896491c497226022626c3acc46044fd182f943c"
},
{
"url": "https://git.kernel.org/stable/c/a505f0ba36ab24176c300d7ff56aff85c2977e6c"
},
{
"url": "https://git.kernel.org/stable/c/e8061d02b49c5c901980f58d91e96580e9a14acf"
},
{
"url": "https://git.kernel.org/stable/c/e7dac681790556c131854b97551337aa8042215b"
},
{
"url": "https://git.kernel.org/stable/c/03b3bcd319b3ab5182bc9aaa0421351572c78ac0"
}
],
"title": "nvme: fix admin request_queue lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68265",
"datePublished": "2025-12-16T14:47:05.303Z",
"dateReserved": "2025-12-16T13:41:40.268Z",
"dateUpdated": "2026-05-11T21:50:02.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46323 (GCVE-0-2026-46323)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-30 12:10
VLAI?
EPSS
Title
net: gro: don't merge zcopy skbs
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gro: don't merge zcopy skbs
skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.
When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.
When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.
Severity ?
7.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d
(git)
Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 1f9c828556416fbe3f49386708ce999fc4d4da06 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 479084ae0e1d9cb7929cb4298d35623de189f80a (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < e334cbf3388fd9334503a778a82d9e9f14dd2f71 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 44bea2032af0425e4ce6d26a8af0ede79db49ec1 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 4db79a322db8c97f7b73b8a347395ef4d685eb40 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux for NVIDIA 26",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Generic Receive Offload (GRO) networking subsystem. This vulnerability occurs when `skb_gro_receive()` attempts to merge zerocopy socket buffers (skbs) without properly managing page reference counts, specifically when the `SKBFL_MANAGED_FRAG_REFS` flag is set. An attacker could potentially exploit this to trigger a Use-After-Free (UAF) condition, which is a memory corruption vulnerability that can lead to system instability or potentially arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:06.631Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46323"
},
{
"name": "RHBZ#2479832",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479832"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46323.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T11:49:44.372Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-19T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "1f9c828556416fbe3f49386708ce999fc4d4da06",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "479084ae0e1d9cb7929cb4298d35623de189f80a",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "e334cbf3388fd9334503a778a82d9e9f14dd2f71",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "44bea2032af0425e4ce6d26a8af0ede79db49ec1",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "4db79a322db8c97f7b73b8a347395ef4d685eb40",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: don\u0027t merge zcopy skbs\n\nskb_gro_receive() can currently copy frags between the source and GRO\nskb, without checking the zerocopy status, and in particular the\nSKBFL_MANAGED_FRAG_REFS flag.\n\nWhen SKBFL_MANAGED_FRAG_REFS is set, the skb doesn\u0027t hold a reference\non the pages in shinfo-\u003efrags. Appending those frags to another skb\u0027s\nfrags without fixing up the page refcount can lead to UAF.\n\nWhen either the last skb in the GRO chain (the one we would append\nfrags to) or the source skb is zerocopy, don\u0027t merge the skbs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:26.362Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d"
},
{
"url": "https://git.kernel.org/stable/c/1f9c828556416fbe3f49386708ce999fc4d4da06"
},
{
"url": "https://git.kernel.org/stable/c/479084ae0e1d9cb7929cb4298d35623de189f80a"
},
{
"url": "https://git.kernel.org/stable/c/e334cbf3388fd9334503a778a82d9e9f14dd2f71"
},
{
"url": "https://git.kernel.org/stable/c/44bea2032af0425e4ce6d26a8af0ede79db49ec1"
},
{
"url": "https://git.kernel.org/stable/c/4db79a322db8c97f7b73b8a347395ef4d685eb40"
}
],
"title": "net: gro: don\u0027t merge zcopy skbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46323",
"datePublished": "2026-06-09T12:11:15.562Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-30T12:10:06.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40149 (GCVE-0-2025-40149)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2026-05-11 21:43
VLAI?
EPSS
Title
tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
get_netdev_for_sock() is called during setsockopt(),
so not under RCU.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
Note that the only ->ndo_sk_get_lower_dev() user is
bond_sk_get_lower_dev(), which uses RCU.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e8f69799810c32dd40c6724d829eccc70baad07f , < 2b1bef126bbb8d0da51491357559126d567c1dee
(git)
Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < e37ca0092ddace60833790b4ad7a390408fb1be9 (git) Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < 13159c7125636371543a82cb7bbae00ab36730cc (git) Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < f09cd209359a23f88d4f3fa3d2379d057027e53c (git) Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < feb474ddbf26b51f462ae2e60a12013bdcfc5407 (git) Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < c65f27b9c3be2269918e1cbad6d8884741f835c5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b1bef126bbb8d0da51491357559126d567c1dee",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "e37ca0092ddace60833790b4ad7a390408fb1be9",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "13159c7125636371543a82cb7bbae00ab36730cc",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "f09cd209359a23f88d4f3fa3d2379d057027e53c",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "feb474ddbf26b51f462ae2e60a12013bdcfc5407",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "c65f27b9c3be2269918e1cbad6d8884741f835c5",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().\n\nget_netdev_for_sock() is called during setsockopt(),\nso not under RCU.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu().\n\nNote that the only -\u003endo_sk_get_lower_dev() user is\nbond_sk_get_lower_dev(), which uses RCU."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:43:41.092Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b1bef126bbb8d0da51491357559126d567c1dee"
},
{
"url": "https://git.kernel.org/stable/c/e37ca0092ddace60833790b4ad7a390408fb1be9"
},
{
"url": "https://git.kernel.org/stable/c/13159c7125636371543a82cb7bbae00ab36730cc"
},
{
"url": "https://git.kernel.org/stable/c/f09cd209359a23f88d4f3fa3d2379d057027e53c"
},
{
"url": "https://git.kernel.org/stable/c/feb474ddbf26b51f462ae2e60a12013bdcfc5407"
},
{
"url": "https://git.kernel.org/stable/c/c65f27b9c3be2269918e1cbad6d8884741f835c5"
}
],
"title": "tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40149",
"datePublished": "2025-11-12T10:23:27.122Z",
"dateReserved": "2025-04-16T07:20:57.175Z",
"dateUpdated": "2026-05-11T21:43:41.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71163 (GCVE-0-2025-71163)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
dmaengine: idxd: fix device leaks on compat bind and unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: fix device leaks on compat bind and unbind
Make sure to drop the reference taken when looking up the idxd device as
part of the compat bind and unbind sysfs interface.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < b7bd948f89271c92d9ca9b2b682bfba56896e959
(git)
Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < b2d077180a56e3b7c97b7517d0465b584adc693b (git) Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < c81ea0222eaaafdd77348e27d1e84a1b8cfc0c99 (git) Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < 0c97ff108f825a70c3bb29d65ddf0a013d231bb9 (git) Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < a7226fd61def74b60dd8e47ec84cabafc39d575b (git) Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < 799900f01792cf8b525a44764f065f83fcafd468 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7bd948f89271c92d9ca9b2b682bfba56896e959",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "b2d077180a56e3b7c97b7517d0465b584adc693b",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "c81ea0222eaaafdd77348e27d1e84a1b8cfc0c99",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "0c97ff108f825a70c3bb29d65ddf0a013d231bb9",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "a7226fd61def74b60dd8e47ec84cabafc39d575b",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "799900f01792cf8b525a44764f065f83fcafd468",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix device leaks on compat bind and unbind\n\nMake sure to drop the reference taken when looking up the idxd device as\npart of the compat bind and unbind sysfs interface."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:11.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7bd948f89271c92d9ca9b2b682bfba56896e959"
},
{
"url": "https://git.kernel.org/stable/c/b2d077180a56e3b7c97b7517d0465b584adc693b"
},
{
"url": "https://git.kernel.org/stable/c/c81ea0222eaaafdd77348e27d1e84a1b8cfc0c99"
},
{
"url": "https://git.kernel.org/stable/c/0c97ff108f825a70c3bb29d65ddf0a013d231bb9"
},
{
"url": "https://git.kernel.org/stable/c/a7226fd61def74b60dd8e47ec84cabafc39d575b"
},
{
"url": "https://git.kernel.org/stable/c/799900f01792cf8b525a44764f065f83fcafd468"
}
],
"title": "dmaengine: idxd: fix device leaks on compat bind and unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71163",
"datePublished": "2026-01-25T14:36:10.142Z",
"dateReserved": "2026-01-13T15:30:19.666Z",
"dateUpdated": "2026-05-11T21:56:11.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31419 (GCVE-0-2026-31419)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-06-30 12:07
VLAI?
EPSS
Title
net: bonding: fix use-after-free in bond_xmit_broadcast()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix use-after-free in bond_xmit_broadcast()
bond_xmit_broadcast() reuses the original skb for the last slave
(determined by bond_is_last_slave()) and clones it for others.
Concurrent slave enslave/release can mutate the slave list during
RCU-protected iteration, changing which slave is "last" mid-loop.
This causes the original skb to be double-consumed (double-freed).
Replace the racy bond_is_last_slave() check with a simple index
comparison (i + 1 == slaves_count) against the pre-snapshot slave
count taken via READ_ONCE() before the loop. This preserves the
zero-copy optimization for the last slave while making the "last"
determination stable against concurrent list mutations.
The UAF can trigger the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in skb_clone
Read of size 8 at addr ffff888100ef8d40 by task exploit/147
CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:123)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:597)
skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)
bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)
dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)
__dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)
ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)
ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)
ip6_output (net/ipv6/ip6_output.c:250)
ip6_send_skb (net/ipv6/ip6_output.c:1985)
udp_v6_send_skb (net/ipv6/udp.c:1442)
udpv6_sendmsg (net/ipv6/udp.c:1733)
__sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Allocated by task 147:
Freed by task 147:
The buggy address belongs to the object at ffff888100ef8c80
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 192 bytes inside of
freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)
Memory state around the buggy address:
ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4e5bd03ae34652cd932ab4c91c71c511793df75c , < 2de5c8eea0a9db99dae7c36f4b541b74b41d3a04
(git)
Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < 3453882f36c40d2339267093676585a89808a73d (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < d4cc7e4c80b1634c7b1497574a2fdb18df6c026c (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < f5b94654a4a19891a8108d66ef166de6c028c6cd (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < 2884bf72fb8f03409e423397319205de48adca16 (git) Affected: 20949c3816463e97c6f8fe84c0280c7e5ae83a8d (git) Affected: f1d206181f19b00b275b258fea1418718a2f4173 (git) Affected: c1f1691ef84fa6d38fa5e5148eca073145e97ffa (git) Affected: 5.10.94 , < 5.11 (semver) Affected: 5.15.17 , < 5.16 (semver) Affected: 5.16.3 , < 5.17 (semver) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s bonding driver. A local attacker with low privileges could exploit a use-after-free vulnerability in the `bond_xmit_broadcast()` function. This occurs due to a race condition during concurrent slave enslave/release operations, which can lead to the original socket buffer (skb) being double-freed. Successful exploitation of this flaw can result in a system crash, leading to a denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:50.755Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-31419"
},
{
"name": "RHBZ#2457829",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457829"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31419.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22334"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13566"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25191"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22940"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21209"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23224"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25217"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27353"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19521"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27354"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22900"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:22334: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:13566: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:25191: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:22940: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:21209: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:23224: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:25217: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:27353: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:19521: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:27354: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:22900: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2de5c8eea0a9db99dae7c36f4b541b74b41d3a04",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"lessThan": "3453882f36c40d2339267093676585a89808a73d",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"lessThan": "d4cc7e4c80b1634c7b1497574a2fdb18df6c026c",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"lessThan": "f5b94654a4a19891a8108d66ef166de6c028c6cd",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"lessThan": "2884bf72fb8f03409e423397319205de48adca16",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"status": "affected",
"version": "20949c3816463e97c6f8fe84c0280c7e5ae83a8d",
"versionType": "git"
},
{
"status": "affected",
"version": "f1d206181f19b00b275b258fea1418718a2f4173",
"versionType": "git"
},
{
"status": "affected",
"version": "c1f1691ef84fa6d38fa5e5148eca073145e97ffa",
"versionType": "git"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.94",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.17",
"versionType": "semver"
},
{
"lessThan": "5.17",
"status": "affected",
"version": "5.16.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free in bond_xmit_broadcast()\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop. This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n \u003c/TASK\u003e\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n=================================================================="
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:40.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2de5c8eea0a9db99dae7c36f4b541b74b41d3a04"
},
{
"url": "https://git.kernel.org/stable/c/3453882f36c40d2339267093676585a89808a73d"
},
{
"url": "https://git.kernel.org/stable/c/d4cc7e4c80b1634c7b1497574a2fdb18df6c026c"
},
{
"url": "https://git.kernel.org/stable/c/f5b94654a4a19891a8108d66ef166de6c028c6cd"
},
{
"url": "https://git.kernel.org/stable/c/2884bf72fb8f03409e423397319205de48adca16"
}
],
"title": "net: bonding: fix use-after-free in bond_xmit_broadcast()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31419",
"datePublished": "2026-04-13T13:40:23.279Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-06-30T12:07:50.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35862 (GCVE-0-2024-35862)
Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2026-05-11 20:12
VLAI?
EPSS
Title
smb: client: fix potential UAF in smb2_is_network_name_deleted()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in smb2_is_network_name_deleted()
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9e550b085206544bd03a8b1dd58a5414e9508351 , < f9414004798d9742c1af23a1d839fe6a9503751c
(git)
Affected: 9e550b085206544bd03a8b1dd58a5414e9508351 , < aa582b33f94453fdeaff1e7d0aa252c505975e01 (git) Affected: 9e550b085206544bd03a8b1dd58a5414e9508351 , < d919b6ea15ffa56fbafef4a1d92f47aeda9af645 (git) Affected: 9e550b085206544bd03a8b1dd58a5414e9508351 , < 63981561ffd2d4987807df4126f96a11e18b0c1d (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:41:27.598442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:17.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9414004798d9742c1af23a1d839fe6a9503751c",
"status": "affected",
"version": "9e550b085206544bd03a8b1dd58a5414e9508351",
"versionType": "git"
},
{
"lessThan": "aa582b33f94453fdeaff1e7d0aa252c505975e01",
"status": "affected",
"version": "9e550b085206544bd03a8b1dd58a5414e9508351",
"versionType": "git"
},
{
"lessThan": "d919b6ea15ffa56fbafef4a1d92f47aeda9af645",
"status": "affected",
"version": "9e550b085206544bd03a8b1dd58a5414e9508351",
"versionType": "git"
},
{
"lessThan": "63981561ffd2d4987807df4126f96a11e18b0c1d",
"status": "affected",
"version": "9e550b085206544bd03a8b1dd58a5414e9508351",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.85",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:12:42.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c"
},
{
"url": "https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01"
},
{
"url": "https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645"
},
{
"url": "https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d"
}
],
"title": "smb: client: fix potential UAF in smb2_is_network_name_deleted()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35862",
"datePublished": "2024-05-19T08:34:21.173Z",
"dateReserved": "2024-05-17T13:50:33.107Z",
"dateUpdated": "2026-05-11T20:12:42.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23050 (GCVE-0-2026-23050)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
pNFS: Fix a deadlock when returning a delegation during open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pNFS: Fix a deadlock when returning a delegation during open()
Ben Coddington reports seeing a hang in the following stack trace:
0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415
1 [ffffd0b50e177548] schedule at ffffffff9ca05717
2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1
3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb
4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5
5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4]
6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4]
7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4]
8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4]
9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4]
10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4]
11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4]
12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4]
13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4]
14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4]
15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4]
16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4]
17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea
18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e
19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935
The issue is that the delegreturn is being asked to wait for a layout
return that cannot complete because a state recovery was initiated. The
state recovery cannot complete until the open() finishes processing the
delegations it was given.
The solution is to propagate the existing flags that indicate a
non-blocking call to the function pnfs_roc(), so that it knows not to
wait in this situation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
29ade5db12930ec60133f6a02791f4b1a4af2943 , < c57387d447a2bcbaea009ba5f9497adf3de5edeb
(git)
Affected: 29ade5db12930ec60133f6a02791f4b1a4af2943 , < a316fd9d3065b753b03d802530004aea481512cc (git) Affected: 29ade5db12930ec60133f6a02791f4b1a4af2943 , < d6c75aa9d607044d1e5c8498eff0259eed356c32 (git) Affected: 29ade5db12930ec60133f6a02791f4b1a4af2943 , < 857bf9056291a16785ae3be1d291026b2437fc48 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c",
"fs/nfs/pnfs.c",
"fs/nfs/pnfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c57387d447a2bcbaea009ba5f9497adf3de5edeb",
"status": "affected",
"version": "29ade5db12930ec60133f6a02791f4b1a4af2943",
"versionType": "git"
},
{
"lessThan": "a316fd9d3065b753b03d802530004aea481512cc",
"status": "affected",
"version": "29ade5db12930ec60133f6a02791f4b1a4af2943",
"versionType": "git"
},
{
"lessThan": "d6c75aa9d607044d1e5c8498eff0259eed356c32",
"status": "affected",
"version": "29ade5db12930ec60133f6a02791f4b1a4af2943",
"versionType": "git"
},
{
"lessThan": "857bf9056291a16785ae3be1d291026b2437fc48",
"status": "affected",
"version": "29ade5db12930ec60133f6a02791f4b1a4af2943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c",
"fs/nfs/pnfs.c",
"fs/nfs/pnfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npNFS: Fix a deadlock when returning a delegation during open()\n\nBen Coddington reports seeing a hang in the following stack trace:\n 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415\n 1 [ffffd0b50e177548] schedule at ffffffff9ca05717\n 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1\n 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb\n 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5\n 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4]\n 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4]\n 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4]\n 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4]\n 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4]\n 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4]\n 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4]\n 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4]\n 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4]\n 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4]\n 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4]\n 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4]\n 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea\n 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e\n 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935\n\nThe issue is that the delegreturn is being asked to wait for a layout\nreturn that cannot complete because a state recovery was initiated. The\nstate recovery cannot complete until the open() finishes processing the\ndelegations it was given.\n\nThe solution is to propagate the existing flags that indicate a\nnon-blocking call to the function pnfs_roc(), so that it knows not to\nwait in this situation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:02.007Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c57387d447a2bcbaea009ba5f9497adf3de5edeb"
},
{
"url": "https://git.kernel.org/stable/c/a316fd9d3065b753b03d802530004aea481512cc"
},
{
"url": "https://git.kernel.org/stable/c/d6c75aa9d607044d1e5c8498eff0259eed356c32"
},
{
"url": "https://git.kernel.org/stable/c/857bf9056291a16785ae3be1d291026b2437fc48"
}
],
"title": "pNFS: Fix a deadlock when returning a delegation during open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23050",
"datePublished": "2026-02-04T16:04:19.279Z",
"dateReserved": "2026-01-13T15:37:45.950Z",
"dateUpdated": "2026-05-11T21:59:02.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71093 (GCVE-0-2025-71093)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
e1000: fix OOB in e1000_tbi_should_accept()
Summary
In the Linux kernel, the following vulnerability has been resolved:
e1000: fix OOB in e1000_tbi_should_accept()
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
==================================================================
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x5a/0x74
print_address_description+0x7b/0x440
print_report+0x101/0x200
kasan_report+0xc1/0xf0
e1000_tbi_should_accept+0x610/0x790
e1000_clean_rx_irq+0xa8c/0x1110
e1000_clean+0xde2/0x3c10
__napi_poll+0x98/0x380
net_rx_action+0x491/0xa20
__do_softirq+0x2c9/0x61d
do_softirq+0xd1/0x120
</IRQ>
<TASK>
__local_bh_enable_ip+0xfe/0x130
ip_finish_output2+0x7d5/0xb00
__ip_queue_xmit+0xe24/0x1ab0
__tcp_transmit_skb+0x1bcb/0x3340
tcp_write_xmit+0x175d/0x6bd0
__tcp_push_pending_frames+0x7b/0x280
tcp_sendmsg_locked+0x2e4f/0x32d0
tcp_sendmsg+0x24/0x40
sock_write_iter+0x322/0x430
vfs_write+0x56c/0xa60
ksys_write+0xd1/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f511b476b10
Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24
RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10
RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003
RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003
</TASK>
Allocated by task 1:
__kasan_krealloc+0x131/0x1c0
krealloc+0x90/0xc0
add_sysfs_param+0xcb/0x8a0
kernel_add_sysfs_param+0x81/0xd4
param_sysfs_builtin+0x138/0x1a6
param_sysfs_init+0x57/0x5b
do_one_initcall+0x104/0x250
do_initcall_level+0x102/0x132
do_initcalls+0x46/0x74
kernel_init_freeable+0x28f/0x393
kernel_init+0x14/0x1a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888014114000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1620 bytes to the right of
2048-byte region [ffff888014114000, ffff888014114800]
The buggy address belongs to the physical page:
page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110
head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
==================================================================
This happens because the TBI check unconditionally dereferences the last
byte without validating the reported length first:
u8 last_byte = *(data + length - 1);
Fix by rejecting the frame early if the length is zero, or if it exceeds
adapter->rx_buffer_len. This preserves the TBI workaround semantics for
valid frames and prevents touching memory beyond the RX buffer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2037110c96d5f1dd71453fcd0d54e79be12a352b , < 4ccfa56f272241e8d8e2c38191fdbb03df489d80
(git)
Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < 278b7cfe0d4da7502c7fd679b15032f014c92892 (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < ad7a2a45e2417ac54089926b520924f8f0d91aea (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < 2c4c0c09f9648ba766d399917d420d03e7b3e1f8 (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < 26c8bebc2f25288c2bcac7bc0a7662279a0e817c (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < ee7c125fb3e8b04dd46510130b9fc92380e5d578 (git) Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b , < 9c72a5182ed92904d01057f208c390a303f00a0f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:11.366490Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:20.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/e1000/e1000_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ccfa56f272241e8d8e2c38191fdbb03df489d80",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "278b7cfe0d4da7502c7fd679b15032f014c92892",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "ad7a2a45e2417ac54089926b520924f8f0d91aea",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "2c4c0c09f9648ba766d399917d420d03e7b3e1f8",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "26c8bebc2f25288c2bcac7bc0a7662279a0e817c",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "ee7c125fb3e8b04dd46510130b9fc92380e5d578",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "9c72a5182ed92904d01057f208c390a303f00a0f",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/e1000/e1000_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000: fix OOB in e1000_tbi_should_accept()\n\nIn e1000_tbi_should_accept() we read the last byte of the frame via\n\u0027data[length - 1]\u0027 to evaluate the TBI workaround. If the descriptor-\nreported length is zero or larger than the actual RX buffer size, this\nread goes out of bounds and can hit unrelated slab objects. The issue\nis observed from the NAPI receive path (e1000_clean_rx_irq):\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790\nRead of size 1 at addr ffff888014114e54 by task sshd/363\n\nCPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x5a/0x74\n print_address_description+0x7b/0x440\n print_report+0x101/0x200\n kasan_report+0xc1/0xf0\n e1000_tbi_should_accept+0x610/0x790\n e1000_clean_rx_irq+0xa8c/0x1110\n e1000_clean+0xde2/0x3c10\n __napi_poll+0x98/0x380\n net_rx_action+0x491/0xa20\n __do_softirq+0x2c9/0x61d\n do_softirq+0xd1/0x120\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xfe/0x130\n ip_finish_output2+0x7d5/0xb00\n __ip_queue_xmit+0xe24/0x1ab0\n __tcp_transmit_skb+0x1bcb/0x3340\n tcp_write_xmit+0x175d/0x6bd0\n __tcp_push_pending_frames+0x7b/0x280\n tcp_sendmsg_locked+0x2e4f/0x32d0\n tcp_sendmsg+0x24/0x40\n sock_write_iter+0x322/0x430\n vfs_write+0x56c/0xa60\n ksys_write+0xd1/0x190\n do_syscall_64+0x43/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f511b476b10\nCode: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24\nRSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10\nRDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003\nRBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00\nR10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003\n \u003c/TASK\u003e\nAllocated by task 1:\n __kasan_krealloc+0x131/0x1c0\n krealloc+0x90/0xc0\n add_sysfs_param+0xcb/0x8a0\n kernel_add_sysfs_param+0x81/0xd4\n param_sysfs_builtin+0x138/0x1a6\n param_sysfs_init+0x57/0x5b\n do_one_initcall+0x104/0x250\n do_initcall_level+0x102/0x132\n do_initcalls+0x46/0x74\n kernel_init_freeable+0x28f/0x393\n kernel_init+0x14/0x1a0\n ret_from_fork+0x22/0x30\nThe buggy address belongs to the object at ffff888014114000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 1620 bytes to the right of\n 2048-byte region [ffff888014114000, ffff888014114800]\nThe buggy address belongs to the physical page:\npage:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110\nhead:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x100000000010200(slab|head|node=0|zone=1)\nraw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000\nraw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n==================================================================\n\nThis happens because the TBI check unconditionally dereferences the last\nbyte without validating the reported length first:\n\n\tu8 last_byte = *(data + length - 1);\n\nFix by rejecting the frame early if the length is zero, or if it exceeds\nadapter-\u003erx_buffer_len. This preserves the TBI workaround semantics for\nvalid frames and prevents touching memory beyond the RX buffer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:36.655Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80"
},
{
"url": "https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892"
},
{
"url": "https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea"
},
{
"url": "https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8"
},
{
"url": "https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c"
},
{
"url": "https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578"
},
{
"url": "https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f"
}
],
"title": "e1000: fix OOB in e1000_tbi_should_accept()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71093",
"datePublished": "2026-01-13T15:34:53.803Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-06-11T18:44:20.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23136 (GCVE-0-2026-23136)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
libceph: reset sparse-read state in osd_fault()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: reset sparse-read state in osd_fault()
When a fault occurs, the connection is abandoned, reestablished, and any
pending operations are retried. The OSD client tracks the progress of a
sparse-read reply using a separate state machine, largely independent of
the messenger's state.
If a connection is lost mid-payload or the sparse-read state machine
returns an error, the sparse-read state is not reset. The OSD client
will then interpret the beginning of a new reply as the continuation of
the old one. If this makes the sparse-read machinery enter a failure
state, it may never recover, producing loops like:
libceph: [0] got 0 extents
libceph: data len 142248331 != extent len 0
libceph: osd0 (1)...:6801 socket error on read
libceph: data len 142248331 != extent len 0
libceph: osd0 (1)...:6801 socket error on read
Therefore, reset the sparse-read state in osd_fault(), ensuring retries
start from a clean state.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f628d799972799023d32c2542bb2639eb8c4f84e , < 90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff
(git)
Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < e94075e950a6598e710b9f7dffea5aa388f40313 (git) Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < 10b7c72810364226f7b27916ea3e2a4f870bc04b (git) Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < 11194b416ef95012c2cfe5f546d71af07b639e93 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff",
"status": "affected",
"version": "f628d799972799023d32c2542bb2639eb8c4f84e",
"versionType": "git"
},
{
"lessThan": "e94075e950a6598e710b9f7dffea5aa388f40313",
"status": "affected",
"version": "f628d799972799023d32c2542bb2639eb8c4f84e",
"versionType": "git"
},
{
"lessThan": "10b7c72810364226f7b27916ea3e2a4f870bc04b",
"status": "affected",
"version": "f628d799972799023d32c2542bb2639eb8c4f84e",
"versionType": "git"
},
{
"lessThan": "11194b416ef95012c2cfe5f546d71af07b639e93",
"status": "affected",
"version": "f628d799972799023d32c2542bb2639eb8c4f84e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: reset sparse-read state in osd_fault()\n\nWhen a fault occurs, the connection is abandoned, reestablished, and any\npending operations are retried. The OSD client tracks the progress of a\nsparse-read reply using a separate state machine, largely independent of\nthe messenger\u0027s state.\n\nIf a connection is lost mid-payload or the sparse-read state machine\nreturns an error, the sparse-read state is not reset. The OSD client\nwill then interpret the beginning of a new reply as the continuation of\nthe old one. If this makes the sparse-read machinery enter a failure\nstate, it may never recover, producing loops like:\n\n libceph: [0] got 0 extents\n libceph: data len 142248331 != extent len 0\n libceph: osd0 (1)...:6801 socket error on read\n libceph: data len 142248331 != extent len 0\n libceph: osd0 (1)...:6801 socket error on read\n\nTherefore, reset the sparse-read state in osd_fault(), ensuring retries\nstart from a clean state."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:49.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff"
},
{
"url": "https://git.kernel.org/stable/c/e94075e950a6598e710b9f7dffea5aa388f40313"
},
{
"url": "https://git.kernel.org/stable/c/10b7c72810364226f7b27916ea3e2a4f870bc04b"
},
{
"url": "https://git.kernel.org/stable/c/11194b416ef95012c2cfe5f546d71af07b639e93"
}
],
"title": "libceph: reset sparse-read state in osd_fault()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23136",
"datePublished": "2026-02-14T15:22:21.952Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-05-11T22:00:49.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40164 (GCVE-0-2025-40164)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2026-06-19 11:57
VLAI?
EPSS
Title
usbnet: Fix using smp_processor_id() in preemptible code warnings
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix using smp_processor_id() in preemptible code warnings
Syzbot reported the following warning:
BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
__dev_set_mtu net/core/dev.c:9443 [inline]
netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
sock_do_ioctl+0x19d/0x280 net/socket.c:1204
sock_ioctl+0x42f/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
For historical and portability reasons, the netif_rx() is usually
run in the softirq or interrupt context, this commit therefore add
local_bh_disable/enable() protection in the usbnet_resume_rx().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 6635e52bc4165793aefd686962d912d73d323afe
(git)
Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 65d04291adf7c59338f87aab9c6fe0bfa9993e64 (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < f45fffae5e2549bd0a4670cc52a15ad54c9f121e (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 17fbad93879e87a334062882b45fa727ba1b3dd7 (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < d1944bab8e0c1511f0cbf364aa06547735bb0ddb (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 0134c7bff14bd50314a4f92b182850ddfc38e255 (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:05.458823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:19.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6635e52bc4165793aefd686962d912d73d323afe",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "65d04291adf7c59338f87aab9c6fe0bfa9993e64",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "f45fffae5e2549bd0a4670cc52a15ad54c9f121e",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "17fbad93879e87a334062882b45fa727ba1b3dd7",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "d1944bab8e0c1511f0cbf364aa06547735bb0ddb",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "0134c7bff14bd50314a4f92b182850ddfc38e255",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "327cd4b68b4398b6c24f10eb2b2533ffbfc10185",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix using smp_processor_id() in preemptible code warnings\n\nSyzbot reported the following warning:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879\ncaller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\nCPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49\n usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\n usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708\n usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417\n __dev_set_mtu net/core/dev.c:9443 [inline]\n netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496\n netif_set_mtu+0xb0/0x160 net/core/dev.c:9520\n dev_set_mtu+0xae/0x170 net/core/dev_api.c:247\n dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572\n dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821\n sock_do_ioctl+0x19d/0x280 net/socket.c:1204\n sock_ioctl+0x42f/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFor historical and portability reasons, the netif_rx() is usually\nrun in the softirq or interrupt context, this commit therefore add\nlocal_bh_disable/enable() protection in the usbnet_resume_rx()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:22.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6635e52bc4165793aefd686962d912d73d323afe"
},
{
"url": "https://git.kernel.org/stable/c/65d04291adf7c59338f87aab9c6fe0bfa9993e64"
},
{
"url": "https://git.kernel.org/stable/c/f45fffae5e2549bd0a4670cc52a15ad54c9f121e"
},
{
"url": "https://git.kernel.org/stable/c/17fbad93879e87a334062882b45fa727ba1b3dd7"
},
{
"url": "https://git.kernel.org/stable/c/d1944bab8e0c1511f0cbf364aa06547735bb0ddb"
},
{
"url": "https://git.kernel.org/stable/c/0134c7bff14bd50314a4f92b182850ddfc38e255"
},
{
"url": "https://git.kernel.org/stable/c/327cd4b68b4398b6c24f10eb2b2533ffbfc10185"
}
],
"title": "usbnet: Fix using smp_processor_id() in preemptible code warnings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40164",
"datePublished": "2025-11-12T10:26:23.482Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-06-19T11:57:22.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71121 (GCVE-0-2025-71121)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
parisc: Do not reprogram affinitiy on ASP chip
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Do not reprogram affinitiy on ASP chip
The ASP chip is a very old variant of the GSP chip and is used e.g. in
HP 730 workstations. When trying to reprogram the affinity it will crash
with a HPMC as the relevant registers don't seem to be at the usual
location. Let's avoid the crash by checking the sversion. Also note,
that reprogramming isn't necessary either, as the HP730 is a just a
single-CPU machine.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f7c35220305f273bddc0bdaf1e453b4ca280f145 , < 845a92b74cf7a730200532ecb4482981cec9d006
(git)
Affected: f77f482ec31a1f38eb38079622ca367b4b7d7442 , < 7a146f34e5be96330467397c9fd9d3d851b2cbbe (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < 4d0858bbeea12a50bfb32137f74d4b74917ebadd (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < e09fd2eb6d4c993ee9eaae556cb51e30ec1042df (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < 60560d13ff368415c96a0c1247bea16d427c0641 (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < c8f810e20f4bbe50b49f73429d9fa6efad00623e (git) Affected: 939fc856676c266c3bc347c1c1661872a3725c0f , < dca7da244349eef4d78527cafc0bf80816b261f5 (git) Affected: 52b66c46bb9f5fb270673327c41dec50171939c1 (git) Affected: 3940ecfccfffec8385b64551fd73a12c02049437 (git) Affected: bab8e3b4f68ac393c42da73d0bce891d281ded55 (git) Affected: ff342de194ad311f905ce0b6b73db48db802e224 (git) Affected: ef24e0a68b59ea8f59fedf5a9881fd9cf9f27370 (git) Affected: 5.10.111 , < 5.10.248 (semver) Affected: 5.15.34 , < 5.15.198 (semver) Affected: 4.14.276 , < 4.15 (semver) Affected: 4.19.238 , < 4.20 (semver) Affected: 5.4.189 , < 5.5 (semver) Affected: 5.16.20 , < 5.17 (semver) Affected: 5.17.3 , < 5.18 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/parisc/gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "845a92b74cf7a730200532ecb4482981cec9d006",
"status": "affected",
"version": "f7c35220305f273bddc0bdaf1e453b4ca280f145",
"versionType": "git"
},
{
"lessThan": "7a146f34e5be96330467397c9fd9d3d851b2cbbe",
"status": "affected",
"version": "f77f482ec31a1f38eb38079622ca367b4b7d7442",
"versionType": "git"
},
{
"lessThan": "4d0858bbeea12a50bfb32137f74d4b74917ebadd",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "e09fd2eb6d4c993ee9eaae556cb51e30ec1042df",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "60560d13ff368415c96a0c1247bea16d427c0641",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "c8f810e20f4bbe50b49f73429d9fa6efad00623e",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "dca7da244349eef4d78527cafc0bf80816b261f5",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"status": "affected",
"version": "52b66c46bb9f5fb270673327c41dec50171939c1",
"versionType": "git"
},
{
"status": "affected",
"version": "3940ecfccfffec8385b64551fd73a12c02049437",
"versionType": "git"
},
{
"status": "affected",
"version": "bab8e3b4f68ac393c42da73d0bce891d281ded55",
"versionType": "git"
},
{
"status": "affected",
"version": "ff342de194ad311f905ce0b6b73db48db802e224",
"versionType": "git"
},
{
"status": "affected",
"version": "ef24e0a68b59ea8f59fedf5a9881fd9cf9f27370",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThan": "5.17",
"status": "affected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/parisc/gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Do not reprogram affinitiy on ASP chip\n\nThe ASP chip is a very old variant of the GSP chip and is used e.g. in\nHP 730 workstations. When trying to reprogram the affinity it will crash\nwith a HPMC as the relevant registers don\u0027t seem to be at the usual\nlocation. Let\u0027s avoid the crash by checking the sversion. Also note,\nthat reprogramming isn\u0027t necessary either, as the HP730 is a just a\nsingle-CPU machine."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:15.859Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/845a92b74cf7a730200532ecb4482981cec9d006"
},
{
"url": "https://git.kernel.org/stable/c/7a146f34e5be96330467397c9fd9d3d851b2cbbe"
},
{
"url": "https://git.kernel.org/stable/c/4d0858bbeea12a50bfb32137f74d4b74917ebadd"
},
{
"url": "https://git.kernel.org/stable/c/e09fd2eb6d4c993ee9eaae556cb51e30ec1042df"
},
{
"url": "https://git.kernel.org/stable/c/60560d13ff368415c96a0c1247bea16d427c0641"
},
{
"url": "https://git.kernel.org/stable/c/c8f810e20f4bbe50b49f73429d9fa6efad00623e"
},
{
"url": "https://git.kernel.org/stable/c/dca7da244349eef4d78527cafc0bf80816b261f5"
}
],
"title": "parisc: Do not reprogram affinitiy on ASP chip",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71121",
"datePublished": "2026-01-14T15:06:07.871Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-05-23T16:03:15.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23215 (GCVE-0-2026-23215)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:21 – Updated: 2026-05-11 22:02
VLAI?
EPSS
Title
x86/vmware: Fix hypercall clobbers
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/vmware: Fix hypercall clobbers
Fedora QA reported the following panic:
BUG: unable to handle page fault for address: 0000000040003e54
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025
RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90
..
Call Trace:
vmmouse_report_events+0x13e/0x1b0
psmouse_handle_byte+0x15/0x60
ps2_interrupt+0x8a/0xd0
...
because the QEMU VMware mouse emulation is buggy, and clears the top 32
bits of %rdi that the kernel kept a pointer in.
The QEMU vmmouse driver saves and restores the register state in a
"uint32_t data[6];" and as a result restores the state with the high
bits all cleared.
RDI originally contained the value of a valid kernel stack address
(0xff5eeb3240003e54). After the vmware hypercall it now contains
0x40003e54, and we get a page fault as a result when it is dereferenced.
The proper fix would be in QEMU, but this works around the issue in the
kernel to keep old setups working, when old kernels had not happened to
keep any state in %rdi over the hypercall.
In theory this same issue exists for all the hypercalls in the vmmouse
driver; in practice it has only been seen with vmware_hypercall3() and
vmware_hypercall4(). For now, just mark RDI/RSI as clobbered for those
two calls. This should have a minimal effect on code generation overall
as it should be rare for the compiler to want to make RDI/RSI live
across hypercalls.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
34bf25e820ae1ab38f9cd88834843ba76678a2fd , < 2f467a92df61eb516a4ec36ee16234dd4e5ccf00
(git)
Affected: 34bf25e820ae1ab38f9cd88834843ba76678a2fd , < feb603a69f830acb58f78d604f0c29e63cd38f87 (git) Affected: 34bf25e820ae1ab38f9cd88834843ba76678a2fd , < 2687c848e57820651b9f69d30c4710f4219f7dbf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/vmware.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f467a92df61eb516a4ec36ee16234dd4e5ccf00",
"status": "affected",
"version": "34bf25e820ae1ab38f9cd88834843ba76678a2fd",
"versionType": "git"
},
{
"lessThan": "feb603a69f830acb58f78d604f0c29e63cd38f87",
"status": "affected",
"version": "34bf25e820ae1ab38f9cd88834843ba76678a2fd",
"versionType": "git"
},
{
"lessThan": "2687c848e57820651b9f69d30c4710f4219f7dbf",
"status": "affected",
"version": "34bf25e820ae1ab38f9cd88834843ba76678a2fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/vmware.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/vmware: Fix hypercall clobbers\n\nFedora QA reported the following panic:\n\n BUG: unable to handle page fault for address: 0000000040003e54\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025\n RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90\n ..\n Call Trace:\n vmmouse_report_events+0x13e/0x1b0\n psmouse_handle_byte+0x15/0x60\n ps2_interrupt+0x8a/0xd0\n ...\n\nbecause the QEMU VMware mouse emulation is buggy, and clears the top 32\nbits of %rdi that the kernel kept a pointer in.\n\nThe QEMU vmmouse driver saves and restores the register state in a\n\"uint32_t data[6];\" and as a result restores the state with the high\nbits all cleared.\n\nRDI originally contained the value of a valid kernel stack address\n(0xff5eeb3240003e54). After the vmware hypercall it now contains\n0x40003e54, and we get a page fault as a result when it is dereferenced.\n\nThe proper fix would be in QEMU, but this works around the issue in the\nkernel to keep old setups working, when old kernels had not happened to\nkeep any state in %rdi over the hypercall.\n\nIn theory this same issue exists for all the hypercalls in the vmmouse\ndriver; in practice it has only been seen with vmware_hypercall3() and\nvmware_hypercall4(). For now, just mark RDI/RSI as clobbered for those\ntwo calls. This should have a minimal effect on code generation overall\nas it should be rare for the compiler to want to make RDI/RSI live\nacross hypercalls."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:32.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f467a92df61eb516a4ec36ee16234dd4e5ccf00"
},
{
"url": "https://git.kernel.org/stable/c/feb603a69f830acb58f78d604f0c29e63cd38f87"
},
{
"url": "https://git.kernel.org/stable/c/2687c848e57820651b9f69d30c4710f4219f7dbf"
}
],
"title": "x86/vmware: Fix hypercall clobbers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23215",
"datePublished": "2026-02-18T14:21:52.515Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-05-11T22:02:32.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68379 (GCVE-0-2025-68379)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
A NULL pointer dereference can occur in rxe_srq_chk_attr() when
ibv_modify_srq() is invoked twice in succession under certain error
conditions. The first call may fail in rxe_queue_resize(), which leads
rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then
triggers a crash (null deref) when accessing
srq->rq.queue->buf->index_mask.
Call Trace:
<TASK>
rxe_modify_srq+0x170/0x480 [rdma_rxe]
? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
? tryinc_node_nr_active+0xe6/0x150
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
? __pfx___raw_spin_lock_irqsave+0x10/0x10
? __pfx_do_vfs_ioctl+0x10/0x10
? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0
? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
__x64_sys_ioctl+0x138/0x1c0
do_syscall_64+0x82/0x250
? fdget_pos+0x58/0x4c0
? ksys_write+0xf3/0x1c0
? __pfx_ksys_write+0x10/0x10
? do_syscall_64+0xc8/0x250
? __pfx_vm_mmap_pgoff+0x10/0x10
? fget+0x173/0x230
? fput+0x2a/0x80
? ksys_mmap_pgoff+0x224/0x4c0
? do_syscall_64+0xc8/0x250
? do_user_addr_fault+0x37b/0xfe0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < 58aca869babd48cb9c3d6ee9e1452c4b9f5266a6
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 5dbeb421e137824aa9bd8358bdfc926a3965fc0d (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < bc4c14a3863cc0e03698caec9a0cdabd779776ee (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 503a5e4690ae14c18570141bc0dcf7501a8419b0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58aca869babd48cb9c3d6ee9e1452c4b9f5266a6",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "5dbeb421e137824aa9bd8358bdfc926a3965fc0d",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "bc4c14a3863cc0e03698caec9a0cdabd779776ee",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "503a5e4690ae14c18570141bc0dcf7501a8419b0",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix null deref on srq-\u003erq.queue after resize failure\n\nA NULL pointer dereference can occur in rxe_srq_chk_attr() when\nibv_modify_srq() is invoked twice in succession under certain error\nconditions. The first call may fail in rxe_queue_resize(), which leads\nrxe_srq_from_attr() to set srq-\u003erq.queue = NULL. The second call then\ntriggers a crash (null deref) when accessing\nsrq-\u003erq.queue-\u003ebuf-\u003eindex_mask.\n\nCall Trace:\n\u003cTASK\u003e\nrxe_modify_srq+0x170/0x480 [rdma_rxe]\n? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]\n? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]\n? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]\nib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]\n? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]\n? tryinc_node_nr_active+0xe6/0x150\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\nib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]\n? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]\n? __pfx___raw_spin_lock_irqsave+0x10/0x10\n? __pfx_do_vfs_ioctl+0x10/0x10\n? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0\n? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10\nib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]\n? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]\n__x64_sys_ioctl+0x138/0x1c0\ndo_syscall_64+0x82/0x250\n? fdget_pos+0x58/0x4c0\n? ksys_write+0xf3/0x1c0\n? __pfx_ksys_write+0x10/0x10\n? do_syscall_64+0xc8/0x250\n? __pfx_vm_mmap_pgoff+0x10/0x10\n? fget+0x173/0x230\n? fput+0x2a/0x80\n? ksys_mmap_pgoff+0x224/0x4c0\n? do_syscall_64+0xc8/0x250\n? do_user_addr_fault+0x37b/0xfe0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:04.616Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58aca869babd48cb9c3d6ee9e1452c4b9f5266a6"
},
{
"url": "https://git.kernel.org/stable/c/b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7"
},
{
"url": "https://git.kernel.org/stable/c/5dbeb421e137824aa9bd8358bdfc926a3965fc0d"
},
{
"url": "https://git.kernel.org/stable/c/bc4c14a3863cc0e03698caec9a0cdabd779776ee"
},
{
"url": "https://git.kernel.org/stable/c/503a5e4690ae14c18570141bc0dcf7501a8419b0"
}
],
"title": "RDMA/rxe: Fix null deref on srq-\u003erq.queue after resize failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68379",
"datePublished": "2025-12-24T10:33:07.538Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-05-11T21:52:04.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71151 (GCVE-0-2025-71151)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
cifs: Fix memory and information leak in smb3_reconfigure()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix memory and information leak in smb3_reconfigure()
In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
function returns immediately without freeing and erasing the newly
allocated new_password and new_password2. This causes both a memory leak
and a potential information leak.
Fix this by calling kfree_sensitive() on both password buffers before
returning in this error case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
880a661e67648a3ffe85405e8de5f50650a3c0b2 , < bc390b2737205163e48cc1655f6a0c8cd55b02fc
(git)
Affected: 0e4145774c016530bf99afb3675a1a0593c35642 , < 5679cc90bb5415801fa29041da0319d9e15d295d (git) Affected: 0f0e357902957fba28ed31bde0d6921c6bd1485d , < bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6 (git) Affected: 0f0e357902957fba28ed31bde0d6921c6bd1485d , < cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d (git) Affected: 674ba43944dab8e8f87434e25d9d10c5152584bc (git) Affected: 6.6.64 , < 6.6.120 (semver) Affected: 6.12.2 , < 6.12.64 (semver) Affected: 6.11.11 , < 6.12 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc390b2737205163e48cc1655f6a0c8cd55b02fc",
"status": "affected",
"version": "880a661e67648a3ffe85405e8de5f50650a3c0b2",
"versionType": "git"
},
{
"lessThan": "5679cc90bb5415801fa29041da0319d9e15d295d",
"status": "affected",
"version": "0e4145774c016530bf99afb3675a1a0593c35642",
"versionType": "git"
},
{
"lessThan": "bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6",
"status": "affected",
"version": "0f0e357902957fba28ed31bde0d6921c6bd1485d",
"versionType": "git"
},
{
"lessThan": "cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d",
"status": "affected",
"version": "0f0e357902957fba28ed31bde0d6921c6bd1485d",
"versionType": "git"
},
{
"status": "affected",
"version": "674ba43944dab8e8f87434e25d9d10c5152584bc",
"versionType": "git"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThan": "6.12",
"status": "affected",
"version": "6.11.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory and information leak in smb3_reconfigure()\n\nIn smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the\nfunction returns immediately without freeing and erasing the newly\nallocated new_password and new_password2. This causes both a memory leak\nand a potential information leak.\n\nFix this by calling kfree_sensitive() on both password buffers before\nreturning in this error case."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:26.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc"
},
{
"url": "https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d"
},
{
"url": "https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6"
},
{
"url": "https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d"
}
],
"title": "cifs: Fix memory and information leak in smb3_reconfigure()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71151",
"datePublished": "2026-01-23T14:15:17.916Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-05-23T16:03:26.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68775 (GCVE-0-2025-68775)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
net/handshake: duplicate handshake cancellations leak socket
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/handshake: duplicate handshake cancellations leak socket
When a handshake request is cancelled it is removed from the
handshake_net->hn_requests list, but it is still present in the
handshake_rhashtbl until it is destroyed.
If a second cancellation request arrives for the same handshake request,
then remove_pending() will return false... and assuming
HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue
processing through the out_true label, where we put another reference on
the sock and a refcount underflow occurs.
This can happen for example if a handshake times out - particularly if
the SUNRPC client sends the AUTH_TLS probe to the server but doesn't
follow it up with the ClientHello due to a problem with tlshd. When the
timeout is hit on the server, the server will send a FIN, which triggers
a cancellation request via xs_reset_transport(). When the timeout is
hit on the client, another cancellation request happens via
xs_tls_handshake_sync().
Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel
path so duplicate cancels can be detected.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 011ae80c49d9bfa5b4336f8bd387cd25c7593663
(git)
Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < e1641177e7fb48a0a5a06658d4aab51da6656659 (git) Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 3c330f1dee3cd92b57e19b9d21dc8ce5970b09be (git) Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 15564bd67e2975002f2a8e9defee33e321d3183f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "011ae80c49d9bfa5b4336f8bd387cd25c7593663",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "e1641177e7fb48a0a5a06658d4aab51da6656659",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "3c330f1dee3cd92b57e19b9d21dc8ce5970b09be",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "15564bd67e2975002f2a8e9defee33e321d3183f",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: duplicate handshake cancellations leak socket\n\nWhen a handshake request is cancelled it is removed from the\nhandshake_net-\u003ehn_requests list, but it is still present in the\nhandshake_rhashtbl until it is destroyed.\n\nIf a second cancellation request arrives for the same handshake request,\nthen remove_pending() will return false... and assuming\nHANDSHAKE_F_REQ_COMPLETED isn\u0027t set in req-\u003ehr_flags, we\u0027ll continue\nprocessing through the out_true label, where we put another reference on\nthe sock and a refcount underflow occurs.\n\nThis can happen for example if a handshake times out - particularly if\nthe SUNRPC client sends the AUTH_TLS probe to the server but doesn\u0027t\nfollow it up with the ClientHello due to a problem with tlshd. When the\ntimeout is hit on the server, the server will send a FIN, which triggers\na cancellation request via xs_reset_transport(). When the timeout is\nhit on the client, another cancellation request happens via\nxs_tls_handshake_sync().\n\nAdd a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel\npath so duplicate cancels can be detected."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:06.843Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663"
},
{
"url": "https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659"
},
{
"url": "https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be"
},
{
"url": "https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f"
}
],
"title": "net/handshake: duplicate handshake cancellations leak socket",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68775",
"datePublished": "2026-01-13T15:28:52.069Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-11T21:53:06.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71126 (GCVE-0-2025-71126)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
mptcp: avoid deadlock on fallback while reinjecting
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: avoid deadlock on fallback while reinjecting
Jakub reported an MPTCP deadlock at fallback time:
WARNING: possible recursive locking detected
6.18.0-rc7-virtme #1 Not tainted
--------------------------------------------
mptcp_connect/20858 is trying to acquire lock:
ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280
but task is already holding lock:
ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&msk->fallback_lock);
lock(&msk->fallback_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by mptcp_connect/20858:
#0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0
#1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0
#2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
stack backtrace:
CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)
Hardware name: Bochs, BIOS Bochs 01/01/2011
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_deadlock_bug.cold+0xc0/0xcd
validate_chain+0x2ff/0x5f0
__lock_acquire+0x34c/0x740
lock_acquire.part.0+0xbc/0x260
_raw_spin_lock_bh+0x38/0x50
__mptcp_try_fallback+0xd8/0x280
mptcp_sendmsg_frag+0x16c2/0x3050
__mptcp_retrans+0x421/0xaa0
mptcp_release_cb+0x5aa/0xa70
release_sock+0xab/0x1d0
mptcp_sendmsg+0xd5b/0x1bc0
sock_write_iter+0x281/0x4d0
new_sync_write+0x3c5/0x6f0
vfs_write+0x65e/0xbb0
ksys_write+0x17e/0x200
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fa5627cbc5e
Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e
RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005
RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920
R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c
The packet scheduler could attempt a reinjection after receiving an
MP_FAIL and before the infinite map has been transmitted, causing a
deadlock since MPTCP needs to do the reinjection atomically from WRT
fallback.
Address the issue explicitly avoiding the reinjection in the critical
scenario. Note that this is the only fallback critical section that
could potentially send packets and hit the double-lock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5586518bec27666c747cd52aabb62d485686d0bf , < 0107442e82c0f8d6010e07e6030741c59c520d6e
(git)
Affected: 75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2 , < 252892d5a6a2f163ce18f32716e46fa4da7d4e79 (git) Affected: 54999dea879fecb761225e28f274b40662918c30 , < 0ca9fb4335e726dab4f23b3bfe87271d8f005f41 (git) Affected: f8a1d9b18c5efc76784f5a326e905f641f839894 , < 50f47c02be419bf0a3ae94c118addf67beef359f (git) Affected: f8a1d9b18c5efc76784f5a326e905f641f839894 , < ffb8c27b0539dd90262d1021488e7817fae57c42 (git) Affected: 1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5 (git) Affected: 6.1.149 , < 6.1.160 (semver) Affected: 6.6.101 , < 6.6.120 (semver) Affected: 6.12.40 , < 6.12.64 (semver) Affected: 6.15.8 , < 6.16 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0107442e82c0f8d6010e07e6030741c59c520d6e",
"status": "affected",
"version": "5586518bec27666c747cd52aabb62d485686d0bf",
"versionType": "git"
},
{
"lessThan": "252892d5a6a2f163ce18f32716e46fa4da7d4e79",
"status": "affected",
"version": "75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2",
"versionType": "git"
},
{
"lessThan": "0ca9fb4335e726dab4f23b3bfe87271d8f005f41",
"status": "affected",
"version": "54999dea879fecb761225e28f274b40662918c30",
"versionType": "git"
},
{
"lessThan": "50f47c02be419bf0a3ae94c118addf67beef359f",
"status": "affected",
"version": "f8a1d9b18c5efc76784f5a326e905f641f839894",
"versionType": "git"
},
{
"lessThan": "ffb8c27b0539dd90262d1021488e7817fae57c42",
"status": "affected",
"version": "f8a1d9b18c5efc76784f5a326e905f641f839894",
"versionType": "git"
},
{
"status": "affected",
"version": "1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5",
"versionType": "git"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: avoid deadlock on fallback while reinjecting\n\nJakub reported an MPTCP deadlock at fallback time:\n\n WARNING: possible recursive locking detected\n 6.18.0-rc7-virtme #1 Not tainted\n --------------------------------------------\n mptcp_connect/20858 is trying to acquire lock:\n ff1100001da18b60 (\u0026msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280\n\n but task is already holding lock:\n ff1100001da18b60 (\u0026msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(\u0026msk-\u003efallback_lock);\n lock(\u0026msk-\u003efallback_lock);\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n 3 locks held by mptcp_connect/20858:\n #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0\n #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0\n #2: ff1100001da18b60 (\u0026msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0\n\n stack backtrace:\n CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)\n Hardware name: Bochs, BIOS Bochs 01/01/2011\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xa0\n print_deadlock_bug.cold+0xc0/0xcd\n validate_chain+0x2ff/0x5f0\n __lock_acquire+0x34c/0x740\n lock_acquire.part.0+0xbc/0x260\n _raw_spin_lock_bh+0x38/0x50\n __mptcp_try_fallback+0xd8/0x280\n mptcp_sendmsg_frag+0x16c2/0x3050\n __mptcp_retrans+0x421/0xaa0\n mptcp_release_cb+0x5aa/0xa70\n release_sock+0xab/0x1d0\n mptcp_sendmsg+0xd5b/0x1bc0\n sock_write_iter+0x281/0x4d0\n new_sync_write+0x3c5/0x6f0\n vfs_write+0x65e/0xbb0\n ksys_write+0x17e/0x200\n do_syscall_64+0xbb/0xfd0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7fa5627cbc5e\n Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 \u003cc9\u003e c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa\n RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e\n RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005\n RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920\n R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c\n\nThe packet scheduler could attempt a reinjection after receiving an\nMP_FAIL and before the infinite map has been transmitted, causing a\ndeadlock since MPTCP needs to do the reinjection atomically from WRT\nfallback.\n\nAddress the issue explicitly avoiding the reinjection in the critical\nscenario. Note that this is the only fallback critical section that\ncould potentially send packets and hit the double-lock."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:17.869Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0107442e82c0f8d6010e07e6030741c59c520d6e"
},
{
"url": "https://git.kernel.org/stable/c/252892d5a6a2f163ce18f32716e46fa4da7d4e79"
},
{
"url": "https://git.kernel.org/stable/c/0ca9fb4335e726dab4f23b3bfe87271d8f005f41"
},
{
"url": "https://git.kernel.org/stable/c/50f47c02be419bf0a3ae94c118addf67beef359f"
},
{
"url": "https://git.kernel.org/stable/c/ffb8c27b0539dd90262d1021488e7817fae57c42"
}
],
"title": "mptcp: avoid deadlock on fallback while reinjecting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71126",
"datePublished": "2026-01-14T15:06:11.417Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-05-23T16:03:17.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71101 (GCVE-0-2025-71101)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
The hp_populate_*_elements_from_package() functions in the hp-bioscfg
driver contain out-of-bounds array access vulnerabilities.
These functions parse ACPI packages into internal data structures using
a for loop with index variable 'elem' that iterates through
enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
When processing multi-element fields like PREREQUISITES and
ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
elements using expressions like 'enum_obj[elem + reqs]' and
'enum_obj[elem + pos_values]' within nested loops.
The bug is that the bounds check only validated elem, but did not consider
the additional offset when accessing elem + reqs or elem + pos_values.
The fix changes the bounds check to validate the actual accessed index.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e6c7b3e15559699a30646dd45195549c7db447bd , < cf7ae870560b988247a4bbbe5399edd326632680
(git)
Affected: e6c7b3e15559699a30646dd45195549c7db447bd , < db4c26adf7117b1a4431d1197ae7109fee3230ad (git) Affected: e6c7b3e15559699a30646dd45195549c7db447bd , < 79cab730dbaaac03b946c7f5681bd08c986e2abd (git) Affected: e6c7b3e15559699a30646dd45195549c7db447bd , < e44c42c830b7ab36e3a3a86321c619f24def5206 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/int-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/string-attributes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf7ae870560b988247a4bbbe5399edd326632680",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "db4c26adf7117b1a4431d1197ae7109fee3230ad",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "79cab730dbaaac03b946c7f5681bd08c986e2abd",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "e44c42c830b7ab36e3a3a86321c619f24def5206",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/int-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/string-attributes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing\n\nThe hp_populate_*_elements_from_package() functions in the hp-bioscfg\ndriver contain out-of-bounds array access vulnerabilities.\n\nThese functions parse ACPI packages into internal data structures using\na for loop with index variable \u0027elem\u0027 that iterates through\nenum_obj/integer_obj/order_obj/password_obj/string_obj arrays.\n\nWhen processing multi-element fields like PREREQUISITES and\nENUM_POSSIBLE_VALUES, these functions read multiple consecutive array\nelements using expressions like \u0027enum_obj[elem + reqs]\u0027 and\n\u0027enum_obj[elem + pos_values]\u0027 within nested loops.\n\nThe bug is that the bounds check only validated elem, but did not consider\nthe additional offset when accessing elem + reqs or elem + pos_values.\n\nThe fix changes the bounds check to validate the actual accessed index."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:45.989Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680"
},
{
"url": "https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad"
},
{
"url": "https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd"
},
{
"url": "https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206"
}
],
"title": "platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71101",
"datePublished": "2026-01-13T15:34:59.717Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-05-11T21:54:45.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68369 (GCVE-0-2025-68369)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
ntfs3: init run lock for extend inode
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: init run lock for extend inode
After setting the inode mode of $Extend to a regular file, executing the
truncate system call will enter the do_truncate() routine, causing the
run_lock uninitialized error reported by syzbot.
Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to
a regular file, the do_truncate() routine would not be entered.
Add the run_lock initialization when loading $Extend.
syzbot reported:
INFO: trying to register non-static key.
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
__lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
63eb6730ce0604d3eacf036c2f68ea70b068317c , < 79c8a77b1782e2ace96d063be3c41ba540d1e20a
(git)
Affected: 78d46f5276ed3589aaaa435580068c5b62efc921 , < 433d1f7c628c3cbdd7efce064d6c7acd072cf6c4 (git) Affected: 17249b2a65274f73ed68bcd1604e08a60fd8a278 , < 907bf69c6b6ce5d038eec7a599d67b45b62624bc (git) Affected: 37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7 , < 6e17555728bc469d484c59db4a0abc65c19bc315 (git) Affected: 57534db1bbc4ca772393bb7d92e69d5e7b9051cf , < 19164d8228317f3f1fe2662a9ba587cfe3b2d29e (git) Affected: 4e8011ffec79717e5fdac43a7e79faf811a384b7 , < ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076 (git) Affected: 4e8011ffec79717e5fdac43a7e79faf811a384b7 , < be99c62ac7e7af514e4b13f83c891a3cccefaa48 (git) Affected: 5.15.197 , < 5.15.198 (semver) Affected: 6.1.159 , < 6.1.160 (semver) Affected: 6.6.117 , < 6.6.120 (semver) Affected: 6.12.58 , < 6.12.63 (semver) Affected: 6.17.8 , < 6.17.13 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79c8a77b1782e2ace96d063be3c41ba540d1e20a",
"status": "affected",
"version": "63eb6730ce0604d3eacf036c2f68ea70b068317c",
"versionType": "git"
},
{
"lessThan": "433d1f7c628c3cbdd7efce064d6c7acd072cf6c4",
"status": "affected",
"version": "78d46f5276ed3589aaaa435580068c5b62efc921",
"versionType": "git"
},
{
"lessThan": "907bf69c6b6ce5d038eec7a599d67b45b62624bc",
"status": "affected",
"version": "17249b2a65274f73ed68bcd1604e08a60fd8a278",
"versionType": "git"
},
{
"lessThan": "6e17555728bc469d484c59db4a0abc65c19bc315",
"status": "affected",
"version": "37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7",
"versionType": "git"
},
{
"lessThan": "19164d8228317f3f1fe2662a9ba587cfe3b2d29e",
"status": "affected",
"version": "57534db1bbc4ca772393bb7d92e69d5e7b9051cf",
"versionType": "git"
},
{
"lessThan": "ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076",
"status": "affected",
"version": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"versionType": "git"
},
{
"lessThan": "be99c62ac7e7af514e4b13f83c891a3cccefaa48",
"status": "affected",
"version": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"versionType": "git"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThan": "6.12.63",
"status": "affected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThan": "6.17.13",
"status": "affected",
"version": "6.17.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: init run lock for extend inode\n\nAfter setting the inode mode of $Extend to a regular file, executing the\ntruncate system call will enter the do_truncate() routine, causing the\nrun_lock uninitialized error reported by syzbot.\n\nPrior to patch 4e8011ffec79, if the inode mode of $Extend was not set to\na regular file, the do_truncate() routine would not be entered.\n\nAdd the run_lock initialization when loading $Extend.\n\nsyzbot reported:\nINFO: trying to register non-static key.\nCall Trace:\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984\n register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299\n __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590\n ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860\n ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387\n ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:45.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79c8a77b1782e2ace96d063be3c41ba540d1e20a"
},
{
"url": "https://git.kernel.org/stable/c/433d1f7c628c3cbdd7efce064d6c7acd072cf6c4"
},
{
"url": "https://git.kernel.org/stable/c/907bf69c6b6ce5d038eec7a599d67b45b62624bc"
},
{
"url": "https://git.kernel.org/stable/c/6e17555728bc469d484c59db4a0abc65c19bc315"
},
{
"url": "https://git.kernel.org/stable/c/19164d8228317f3f1fe2662a9ba587cfe3b2d29e"
},
{
"url": "https://git.kernel.org/stable/c/ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076"
},
{
"url": "https://git.kernel.org/stable/c/be99c62ac7e7af514e4b13f83c891a3cccefaa48"
}
],
"title": "ntfs3: init run lock for extend inode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68369",
"datePublished": "2025-12-24T10:32:55.440Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-05-23T16:02:45.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23095 (GCVE-0-2026-23095)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-16 20:20
VLAI?
EPSS
Title
gue: Fix skb memleak with inner IP protocol 0.
Summary
In the Linux kernel, the following vulnerability has been resolved:
gue: Fix skb memleak with inner IP protocol 0.
syzbot reported skb memleak below. [0]
The repro generated a GUE packet with its inner protocol 0.
gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
in ip_protocol_deliver_rcu(), but this only works with
non-zero protocol number.
Let's drop such packets.
Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
I think it is not practical to encap HOPOPT in GUE, so once
someone starts to complain, we could pass down a resubmit
flag pointer to distinguish two zeros from the upper layer:
* no error
* resubmit HOPOPT
[0]
BUG: memory leak
unreferenced object 0xffff888109695a00 (size 240):
comm "syz.0.17", pid 6088, jiffies 4294943096
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
backtrace (crc a84b336f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
__build_skb+0x23/0x60 net/core/skbuff.c:474
build_skb+0x20/0x190 net/core/skbuff.c:490
__tun_build_skb drivers/net/tun.c:1541 [inline]
tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0xa7/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 886f186328b718400dbf79e1bc8cbcbd710ab766
(git)
Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 380a82d36e37db49fd41ecc378c22fd29392e96a (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 536f5bbc322eb1e175bdd1ced22b236a951c4d8f (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < f87b9b7a618c82e7465e872eb10e14c803871892 (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < ce569b389a5c78d64788a5ea94560e17fa574b35 (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 5437a279804ced8088cabb945dba88a26d828f8c (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 9a56796ad258786d3624eef5aefba394fc9bdded (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:19:57.582925Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:20:08.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fou_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "886f186328b718400dbf79e1bc8cbcbd710ab766",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "380a82d36e37db49fd41ecc378c22fd29392e96a",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "536f5bbc322eb1e175bdd1ced22b236a951c4d8f",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "f87b9b7a618c82e7465e872eb10e14c803871892",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "ce569b389a5c78d64788a5ea94560e17fa574b35",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "5437a279804ced8088cabb945dba88a26d828f8c",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "9a56796ad258786d3624eef5aefba394fc9bdded",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fou_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngue: Fix skb memleak with inner IP protocol 0.\n\nsyzbot reported skb memleak below. [0]\n\nThe repro generated a GUE packet with its inner protocol 0.\n\ngue_udp_recv() returns -guehdr-\u003eproto_ctype for \"resubmit\"\nin ip_protocol_deliver_rcu(), but this only works with\nnon-zero protocol number.\n\nLet\u0027s drop such packets.\n\nNote that 0 is a valid number (IPv6 Hop-by-Hop Option).\n\nI think it is not practical to encap HOPOPT in GUE, so once\nsomeone starts to complain, we could pass down a resubmit\nflag pointer to distinguish two zeros from the upper layer:\n\n * no error\n * resubmit HOPOPT\n\n[0]\nBUG: memory leak\nunreferenced object 0xffff888109695a00 (size 240):\n comm \"syz.0.17\", pid 6088, jiffies 4294943096\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\n backtrace (crc a84b336f):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\n __build_skb+0x23/0x60 net/core/skbuff.c:474\n build_skb+0x20/0x190 net/core/skbuff.c:490\n __tun_build_skb drivers/net/tun.c:1541 [inline]\n tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636\n tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770\n tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0xa7/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:54.306Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766"
},
{
"url": "https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a"
},
{
"url": "https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f"
},
{
"url": "https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892"
},
{
"url": "https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35"
},
{
"url": "https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c"
},
{
"url": "https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded"
}
],
"title": "gue: Fix skb memleak with inner IP protocol 0.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23095",
"datePublished": "2026-02-04T16:08:17.990Z",
"dateReserved": "2026-01-13T15:37:45.963Z",
"dateUpdated": "2026-06-16T20:20:08.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71143 (GCVE-0-2025-71143)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-05-11 21:55
VLAI?
EPSS
Title
clk: samsung: exynos-clkout: Assign .num before accessing .hws
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: samsung: exynos-clkout: Assign .num before accessing .hws
Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with
__counted_by") annotated the hws member of 'struct clk_hw_onecell_data'
with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS)
about the number of elements in .hws[], so that it can warn when .hws[]
is accessed out of bounds. As noted in that change, the __counted_by
member must be initialized with the number of elements before the first
array access happens, otherwise there will be a warning from each access
prior to the initialization because the number of elements is zero. This
occurs in exynos_clkout_probe() due to .num being assigned after .hws[]
has been accessed:
UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18
index 0 is out of range for type 'clk_hw *[*]'
Move the .num initialization to before the first access of .hws[],
clearing up the warning.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f316cdff8d677db9ad9c90acb44c4cd535b0ee27 , < fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236
(git)
Affected: f316cdff8d677db9ad9c90acb44c4cd535b0ee27 , < eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0 (git) Affected: f316cdff8d677db9ad9c90acb44c4cd535b0ee27 , < a317f63255ebc3dac378c79c5bff4f8d0561c290 (git) Affected: f316cdff8d677db9ad9c90acb44c4cd535b0ee27 , < cf33f0b7df13685234ccea7be7bfe316b60db4db (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/samsung/clk-exynos-clkout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236",
"status": "affected",
"version": "f316cdff8d677db9ad9c90acb44c4cd535b0ee27",
"versionType": "git"
},
{
"lessThan": "eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0",
"status": "affected",
"version": "f316cdff8d677db9ad9c90acb44c4cd535b0ee27",
"versionType": "git"
},
{
"lessThan": "a317f63255ebc3dac378c79c5bff4f8d0561c290",
"status": "affected",
"version": "f316cdff8d677db9ad9c90acb44c4cd535b0ee27",
"versionType": "git"
},
{
"lessThan": "cf33f0b7df13685234ccea7be7bfe316b60db4db",
"status": "affected",
"version": "f316cdff8d677db9ad9c90acb44c4cd535b0ee27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/samsung/clk-exynos-clkout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: samsung: exynos-clkout: Assign .num before accessing .hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of \u0027struct clk_hw_onecell_data\u0027\nwith __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS)\nabout the number of elements in .hws[], so that it can warn when .hws[]\nis accessed out of bounds. As noted in that change, the __counted_by\nmember must be initialized with the number of elements before the first\narray access happens, otherwise there will be a warning from each access\nprior to the initialization because the number of elements is zero. This\noccurs in exynos_clkout_probe() due to .num being assigned after .hws[]\nhas been accessed:\n\n UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18\n index 0 is out of range for type \u0027clk_hw *[*]\u0027\n\nMove the .num initialization to before the first access of .hws[],\nclearing up the warning."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:48.662Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236"
},
{
"url": "https://git.kernel.org/stable/c/eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0"
},
{
"url": "https://git.kernel.org/stable/c/a317f63255ebc3dac378c79c5bff4f8d0561c290"
},
{
"url": "https://git.kernel.org/stable/c/cf33f0b7df13685234ccea7be7bfe316b60db4db"
}
],
"title": "clk: samsung: exynos-clkout: Assign .num before accessing .hws",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71143",
"datePublished": "2026-01-14T15:07:55.828Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-05-11T21:55:48.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68256 (GCVE-0-2025-68256)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-05-11 21:49
VLAI?
EPSS
Title
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on
malformed frames.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 9829c6e1b2e4180fd18315252ad6faeab6128076
(git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < b977eb31802817f4a37da95bf16bfdaa1eeb5fc2 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 30c558447e90935f0de61be181bbcedf75952e00 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < a54e2b2db1b7de2e008b4f62eec35aaefcc663c5 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < df191dd9f4c7249d98ada55634fa8ac19089b8cb (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c0d93d69e1472ba75b78898979b90a98ba2a2501 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 154828bf9559b9c8421fc2f0d7f7f76b3683aaed (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_ieee80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9829c6e1b2e4180fd18315252ad6faeab6128076",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "b977eb31802817f4a37da95bf16bfdaa1eeb5fc2",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "30c558447e90935f0de61be181bbcedf75952e00",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "a54e2b2db1b7de2e008b4f62eec35aaefcc663c5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "df191dd9f4c7249d98ada55634fa8ac19089b8cb",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "c0d93d69e1472ba75b78898979b90a98ba2a2501",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "154828bf9559b9c8421fc2f0d7f7f76b3683aaed",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_ieee80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser\n\nThe Information Element (IE) parser rtw_get_ie() trusted the length\nbyte of each IE without validating that the IE body (len bytes after\nthe 2-byte header) fits inside the remaining frame buffer. A malformed\nframe can advertise an IE length larger than the available data, causing\nthe parser to increment its pointer beyond the buffer end. This results\nin out-of-bounds reads or, depending on the pattern, an infinite loop.\n\nFix by validating that (offset + 2 + len) does not exceed the limit\nbefore accepting the IE or advancing to the next element.\n\nThis prevents OOB reads and ensures the parser terminates safely on\nmalformed frames."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:51.333Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9829c6e1b2e4180fd18315252ad6faeab6128076"
},
{
"url": "https://git.kernel.org/stable/c/b977eb31802817f4a37da95bf16bfdaa1eeb5fc2"
},
{
"url": "https://git.kernel.org/stable/c/30c558447e90935f0de61be181bbcedf75952e00"
},
{
"url": "https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5"
},
{
"url": "https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb"
},
{
"url": "https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501"
},
{
"url": "https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaed"
}
],
"title": "staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68256",
"datePublished": "2025-12-16T14:44:58.829Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-05-11T21:49:51.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68746 (GCVE-0-2025-68746)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
spi: tegra210-quad: Fix timeout handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Fix timeout handling
When the CPU that the QSPI interrupt handler runs on (typically CPU 0)
is excessively busy, it can lead to rare cases of the IRQ thread not
running before the transfer timeout is reached.
While handling the timeouts, any pending transfers are cleaned up and
the message that they correspond to is marked as failed, which leaves
the curr_xfer field pointing at stale memory.
To avoid this, clear curr_xfer to NULL upon timeout and check for this
condition when the IRQ thread is finally run.
While at it, also make sure to clear interrupts on failure so that new
interrupts can be run.
A better, more involved, fix would move the interrupt clearing into a
hard IRQ handler. Ideally we would also want to signal that the IRQ
thread no longer needs to be run after the timeout is hit to avoid the
extra check for a valid transfer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 88db8bb7ed1bb474618acdf05ebd4f0758d244e2
(git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 83309dd551cfd60a5a1a98d9cab19f435b44d46d (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < c934e40246da2c5726d14e94719c514e30840df8 (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 551060efb156c50fe33799038ba8145418cfdeef (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < bb0c58be84f907285af45657c1d4847b960a12bf (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 01bbf25c767219b14c3235bfa85906b8d2cb8fbc (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < b4e002d8a7cee3b1d70efad0e222567f92a73000 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "c934e40246da2c5726d14e94719c514e30840df8",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "551060efb156c50fe33799038ba8145418cfdeef",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "bb0c58be84f907285af45657c1d4847b960a12bf",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Fix timeout handling\n\nWhen the CPU that the QSPI interrupt handler runs on (typically CPU 0)\nis excessively busy, it can lead to rare cases of the IRQ thread not\nrunning before the transfer timeout is reached.\n\nWhile handling the timeouts, any pending transfers are cleaned up and\nthe message that they correspond to is marked as failed, which leaves\nthe curr_xfer field pointing at stale memory.\n\nTo avoid this, clear curr_xfer to NULL upon timeout and check for this\ncondition when the IRQ thread is finally run.\n\nWhile at it, also make sure to clear interrupts on failure so that new\ninterrupts can be run.\n\nA better, more involved, fix would move the interrupt clearing into a\nhard IRQ handler. Ideally we would also want to signal that the IRQ\nthread no longer needs to be run after the timeout is hit to avoid the\nextra check for a valid transfer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:32.751Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88db8bb7ed1bb474618acdf05ebd4f0758d244e2"
},
{
"url": "https://git.kernel.org/stable/c/83309dd551cfd60a5a1a98d9cab19f435b44d46d"
},
{
"url": "https://git.kernel.org/stable/c/c934e40246da2c5726d14e94719c514e30840df8"
},
{
"url": "https://git.kernel.org/stable/c/551060efb156c50fe33799038ba8145418cfdeef"
},
{
"url": "https://git.kernel.org/stable/c/bb0c58be84f907285af45657c1d4847b960a12bf"
},
{
"url": "https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc"
},
{
"url": "https://git.kernel.org/stable/c/b4e002d8a7cee3b1d70efad0e222567f92a73000"
}
],
"title": "spi: tegra210-quad: Fix timeout handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68746",
"datePublished": "2025-12-24T12:09:42.213Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-05-11T21:52:32.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22982 (GCVE-0-2026-22982)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
net: mscc: ocelot: Fix crash when adding interface under a lag
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mscc: ocelot: Fix crash when adding interface under a lag
Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")
fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.
The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic
and is susceptible to the same crash.
This issue specifically affects the ocelot_vsc7514.c frontend, which leaves
unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as
it uses the DSA framework which registers all ports.
Fix this by checking if the port pointer is valid before accessing it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
528d3f190c98c8f7d9581f68db4af021696727b2 , < 8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d
(git)
Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < b17818307446c5a8d925a39a792261dbfa930041 (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 2985712dc76dfa670eb7fd607c09d4d48e5f5c6e (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 03fb1708b7d1e76aecebf767ad059c319845039f (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < f490af47bbee02441e356a1e0b86e3b3dd5120ff (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mscc/ocelot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "b17818307446c5a8d925a39a792261dbfa930041",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "2985712dc76dfa670eb7fd607c09d4d48e5f5c6e",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "03fb1708b7d1e76aecebf767ad059c319845039f",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "f490af47bbee02441e356a1e0b86e3b3dd5120ff",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mscc/ocelot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix crash when adding interface under a lag\n\nCommit 15faa1f67ab4 (\"lan966x: Fix crash when adding interface under a lag\")\nfixed a similar issue in the lan966x driver caused by a NULL pointer dereference.\nThe ocelot_set_aggr_pgids() function in the ocelot driver has similar logic\nand is susceptible to the same crash.\n\nThis issue specifically affects the ocelot_vsc7514.c frontend, which leaves\nunused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as\nit uses the DSA framework which registers all ports.\n\nFix this by checking if the port pointer is valid before accessing it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:42.765Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d"
},
{
"url": "https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041"
},
{
"url": "https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e"
},
{
"url": "https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f"
},
{
"url": "https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff"
},
{
"url": "https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95"
}
],
"title": "net: mscc: ocelot: Fix crash when adding interface under a lag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22982",
"datePublished": "2026-01-23T15:24:04.556Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-05-11T21:57:42.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22978 (GCVE-0-2026-22978)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
wifi: avoid kernel-infoleak from struct iw_point
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: avoid kernel-infoleak from struct iw_point
struct iw_point has a 32bit hole on 64bit arches.
struct iw_point {
void __user *pointer; /* Pointer to the data (in user space) */
__u16 length; /* number of fields or size in bytes */
__u16 flags; /* Optional params */
};
Make sure to zero the structure to avoid disclosing 32bits of kernel data
to user space.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < d943b5f592767b107ba8c12a902f17431350378c
(git)
Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < a3827e310b5a73535646ef4a552d53b3c8bf74f6 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 442ceac0393185e9982323f6682a52a53e8462b1 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 024f71a57d563fbe162e528c8bf2d27e9cac7c7b (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < e3c35177103ead4658b8a62f41e3080d45885464 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 21cbf883d073abbfe09e3924466aa5e0449e7261 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/wext-core.c",
"net/wireless/wext-priv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d943b5f592767b107ba8c12a902f17431350378c",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "a3827e310b5a73535646ef4a552d53b3c8bf74f6",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "442ceac0393185e9982323f6682a52a53e8462b1",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "024f71a57d563fbe162e528c8bf2d27e9cac7c7b",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "e3c35177103ead4658b8a62f41e3080d45885464",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "21cbf883d073abbfe09e3924466aa5e0449e7261",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/wext-core.c",
"net/wireless/wext-priv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: avoid kernel-infoleak from struct iw_point\n\nstruct iw_point has a 32bit hole on 64bit arches.\n\nstruct iw_point {\n void __user *pointer; /* Pointer to the data (in user space) */\n __u16 length; /* number of fields or size in bytes */\n __u16 flags; /* Optional params */\n};\n\nMake sure to zero the structure to avoid disclosing 32bits of kernel data\nto user space."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:37.849Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c"
},
{
"url": "https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6"
},
{
"url": "https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1"
},
{
"url": "https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8"
},
{
"url": "https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b"
},
{
"url": "https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464"
},
{
"url": "https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261"
}
],
"title": "wifi: avoid kernel-infoleak from struct iw_point",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22978",
"datePublished": "2026-01-23T15:24:00.482Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-05-11T21:57:37.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68363 (GCVE-0-2025-68363)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
The bpf_skb_check_mtu helper needs to use skb->transport_header when
the BPF_MTU_CHK_SEGS flag is used:
bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)
The transport_header is not always set. There is a WARN_ON_ONCE
report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
bpf_prog_test_run is used:
WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
skb_gso_validate_network_len
bpf_skb_check_mtu
bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
bpf_test_run
bpf_prog_test_run_skb
For a normal ingress skb (not test_run), skb_reset_transport_header
is performed but there is plan to avoid setting it as described in
commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").
This patch fixes the bpf helper by checking
skb_transport_header_was_set(). The check is done just before
skb->transport_header is used, to avoid breaking the existing bpf prog.
The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
34b2021cc61642d61c3cf943d9e71925b827941b , < b3171a5e4622e915e94599a55f4964078bdec27e
(git)
Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 97b876fa88322625228792cf7a5fd77531815a80 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 30ce906557a21adef4cba5901c8e995dc18263a9 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 1c30e4afc5507f0069cc09bd561e510e4d97fbf7 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5 (git) Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < d946f3c98328171fa50ddb908593cf833587f725 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3171a5e4622e915e94599a55f4964078bdec27e",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "97b876fa88322625228792cf7a5fd77531815a80",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "30ce906557a21adef4cba5901c8e995dc18263a9",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "1c30e4afc5507f0069cc09bd561e510e4d97fbf7",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "d946f3c98328171fa50ddb908593cf833587f725",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu\n\nThe bpf_skb_check_mtu helper needs to use skb-\u003etransport_header when\nthe BPF_MTU_CHK_SEGS flag is used:\n\n\tbpf_skb_check_mtu(skb, ifindex, \u0026mtu_len, 0, BPF_MTU_CHK_SEGS)\n\nThe transport_header is not always set. There is a WARN_ON_ONCE\nreport when CONFIG_DEBUG_NET is enabled + skb-\u003egso_size is set +\nbpf_prog_test_run is used:\n\nWARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071\n skb_gso_validate_network_len\n bpf_skb_check_mtu\n bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch\n bpf_test_run\n bpf_prog_test_run_skb\n\nFor a normal ingress skb (not test_run), skb_reset_transport_header\nis performed but there is plan to avoid setting it as described in\ncommit 2170a1f09148 (\"net: no longer reset transport_header in __netif_receive_skb_core()\").\n\nThis patch fixes the bpf helper by checking\nskb_transport_header_was_set(). The check is done just before\nskb-\u003etransport_header is used, to avoid breaking the existing bpf prog.\nThe WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:45.485Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3171a5e4622e915e94599a55f4964078bdec27e"
},
{
"url": "https://git.kernel.org/stable/c/97b876fa88322625228792cf7a5fd77531815a80"
},
{
"url": "https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9"
},
{
"url": "https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7"
},
{
"url": "https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5"
},
{
"url": "https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725"
}
],
"title": "bpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68363",
"datePublished": "2025-12-24T10:32:51.236Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-05-11T21:51:45.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71087 (GCVE-0-2025-71087)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
iavf: fix off-by-one issues in iavf_config_rss_reg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: fix off-by-one issues in iavf_config_rss_reg()
There are off-by-one bugs when configuring RSS hash key and lookup
table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
the loop upper bounds were:
i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to:
i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
the bounds.
[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iavf iavf_watchdog_task
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xb0
print_report+0x170/0x4f3
kasan_report+0xe1/0x1a0
iavf_config_rss+0x619/0x800
iavf_watchdog_task+0x2be7/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 63:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x246/0x6f0
iavf_watchdog_task+0x28fc/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff888102c50100
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
allocated 52-byte region [ffff888102c50100, ffff888102c50134)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
^
ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
43a3d9ba34c9ca313573201d3f45de5ab3494cec , < ceb8459df28d22c225a82d74c0f725f2a935d194
(git)
Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 5bb18bfd505ca1affbca921462c350095a6c798c (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < d7369dc8dd7cbf5cee3a22610028d847b6f02982 (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 18de0e41d69d97fab10b91fecf10ae78a5e43232 (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < f36de3045d006e6d9be1be495f2ed88d1721e752 (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 3095228e1320371e143835d0cebeef1a8a754c66 (git) Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 6daa2893f323981c7894c68440823326e93a7d61 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:36.543195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:14.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ceb8459df28d22c225a82d74c0f725f2a935d194",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "5bb18bfd505ca1affbca921462c350095a6c798c",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "d7369dc8dd7cbf5cee3a22610028d847b6f02982",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "18de0e41d69d97fab10b91fecf10ae78a5e43232",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "f36de3045d006e6d9be1be495f2ed88d1721e752",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "3095228e1320371e143835d0cebeef1a8a754c66",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "6daa2893f323981c7894c68440823326e93a7d61",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix off-by-one issues in iavf_config_rss_reg()\n\nThere are off-by-one bugs when configuring RSS hash key and lookup\ntable, causing out-of-bounds reads to memory [1] and out-of-bounds\nwrites to device registers.\n\nBefore commit 43a3d9ba34c9 (\"i40evf: Allow PF driver to configure RSS\"),\nthe loop upper bounds were:\n i \u003c= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX\nwhich is safe since the value is the last valid index.\n\nThat commit changed the bounds to:\n i \u003c= adapter-\u003erss_{key,lut}_size / 4\nwhere `rss_{key,lut}_size / 4` is the number of dwords, so the last\nvalid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `\u003c=`\naccesses one element past the end.\n\nFix the issues by using `\u003c` instead of `\u003c=`, ensuring we do not exceed\nthe bounds.\n\n[1] KASAN splat about rss_key_size off-by-one\n BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800\n Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63\n\n CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Workqueue: iavf iavf_watchdog_task\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xb0\n print_report+0x170/0x4f3\n kasan_report+0xe1/0x1a0\n iavf_config_rss+0x619/0x800\n iavf_watchdog_task+0x2be7/0x3230\n process_one_work+0x7fd/0x1420\n worker_thread+0x4d1/0xd40\n kthread+0x344/0x660\n ret_from_fork+0x249/0x320\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\n Allocated by task 63:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x246/0x6f0\n iavf_watchdog_task+0x28fc/0x3230\n process_one_work+0x7fd/0x1420\n worker_thread+0x4d1/0xd40\n kthread+0x344/0x660\n ret_from_fork+0x249/0x320\n ret_from_fork_asm+0x1a/0x30\n\n The buggy address belongs to the object at ffff888102c50100\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes to the right of\n allocated 52-byte region [ffff888102c50100, ffff888102c50134)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50\n flags: 0x200000000000000(node=0|zone=2)\n page_type: f5(slab)\n raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n \u003effff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc\n ^\n ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc\n ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:29.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194"
},
{
"url": "https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c"
},
{
"url": "https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982"
},
{
"url": "https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232"
},
{
"url": "https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752"
},
{
"url": "https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66"
},
{
"url": "https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61"
}
],
"title": "iavf: fix off-by-one issues in iavf_config_rss_reg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71087",
"datePublished": "2026-01-13T15:34:49.691Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-06-11T18:44:14.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22990 (GCVE-0-2026-22990)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-06-16 20:38
VLAI?
EPSS
Title
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG. Instead, just declare the incremental osdmap to be invalid.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 9aa0b0c14cefece078286d78b97d4c09685e372d
(git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 4b106fbb1c7b841cd402abd83eb2447164c799ea (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6afd2a4213524bc742b709599a3663aeaf77193c (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < d3613770e2677683e65d062da5e31f48c409abe9 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6c6cec3db3b418c4fdf815731bc39e46dff75e1b (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6348d70af847b79805374fe628d3809a63fd7df3 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < e00c3f71b5cf75681dbd74ee3f982a99cb690c2b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:38:28.126291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:38:37.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9aa0b0c14cefece078286d78b97d4c09685e372d",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "4b106fbb1c7b841cd402abd83eb2447164c799ea",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6afd2a4213524bc742b709599a3663aeaf77193c",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "d3613770e2677683e65d062da5e31f48c409abe9",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6c6cec3db3b418c4fdf815731bc39e46dff75e1b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6348d70af847b79805374fe628d3809a63fd7df3",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "e00c3f71b5cf75681dbd74ee3f982a99cb690c2b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace overzealous BUG_ON in osdmap_apply_incremental()\n\nIf the osdmap is (maliciously) corrupted such that the incremental\nosdmap epoch is different from what is expected, there is no need to\nBUG. Instead, just declare the incremental osdmap to be invalid."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:52.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d"
},
{
"url": "https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea"
},
{
"url": "https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c"
},
{
"url": "https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9"
},
{
"url": "https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b"
},
{
"url": "https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3"
},
{
"url": "https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b"
}
],
"title": "libceph: replace overzealous BUG_ON in osdmap_apply_incremental()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22990",
"datePublished": "2026-01-23T15:24:11.332Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-06-16T20:38:37.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23059 (GCVE-0-2026-23059)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
scsi: qla2xxx: Sanitize payload size to prevent member overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Sanitize payload size to prevent member overflow
In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size
reported by firmware is used to calculate the copy length into
item->iocb. However, the iocb member is defined as a fixed-size 64-byte
array within struct purex_item.
If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will
overflow the iocb member boundary. While extra memory might be allocated,
this cross-member write is unsafe and triggers warnings under
CONFIG_FORTIFY_SOURCE.
Fix this by capping total_bytes to the size of the iocb member (64 bytes)
before allocation and copying. This ensures all copies remain within the
bounds of the destination structure member.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
875386b98857822b77ac7f95bdf367b70af5b78c , < 408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0
(git)
Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < 1922468a4a80424e5a69f7ba50adcee37f4722e9 (git) Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < aa14451fa5d5f2de919384c637e2a8c604e1a1fe (git) Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < 19bc5f2a6962dfaa0e32d0e0bc2271993d85d414 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_isr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "1922468a4a80424e5a69f7ba50adcee37f4722e9",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "aa14451fa5d5f2de919384c637e2a8c604e1a1fe",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "19bc5f2a6962dfaa0e32d0e0bc2271993d85d414",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_isr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Sanitize payload size to prevent member overflow\n\nIn qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size\nreported by firmware is used to calculate the copy length into\nitem-\u003eiocb. However, the iocb member is defined as a fixed-size 64-byte\narray within struct purex_item.\n\nIf the reported frame_size exceeds 64 bytes, subsequent memcpy calls will\noverflow the iocb member boundary. While extra memory might be allocated,\nthis cross-member write is unsafe and triggers warnings under\nCONFIG_FORTIFY_SOURCE.\n\nFix this by capping total_bytes to the size of the iocb member (64 bytes)\nbefore allocation and copying. This ensures all copies remain within the\nbounds of the destination structure member."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:12.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0"
},
{
"url": "https://git.kernel.org/stable/c/1922468a4a80424e5a69f7ba50adcee37f4722e9"
},
{
"url": "https://git.kernel.org/stable/c/aa14451fa5d5f2de919384c637e2a8c604e1a1fe"
},
{
"url": "https://git.kernel.org/stable/c/19bc5f2a6962dfaa0e32d0e0bc2271993d85d414"
}
],
"title": "scsi: qla2xxx: Sanitize payload size to prevent member overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23059",
"datePublished": "2026-02-04T16:07:42.150Z",
"dateReserved": "2026-01-13T15:37:45.952Z",
"dateUpdated": "2026-05-11T21:59:12.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71077 (GCVE-0-2025-71077)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
tpm: Cap the number of PCR banks
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: Cap the number of PCR banks
tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause on only limited harm.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 8ceee7288152bc121a6bf92997261838c78bfe06
(git)
Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 275c686f1e3cc056ec66c764489ec1fe1e51b950 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < ceb70d31da5671d298bad94ae6c20e4bbb800f96 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < d88481653d74d622d1d0d2c9bad845fc2cc6fd23 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < b69492161c056d36789aee42a87a33c18c8ed5e1 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 858344bc9210bea9ab2bdc7e9e331ba84c164e50 (git) Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < faf07e611dfa464b201223a7253e9dc5ee0f3c9e (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:49.952084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:05.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm1-cmd.c",
"drivers/char/tpm/tpm2-cmd.c",
"include/linux/tpm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ceee7288152bc121a6bf92997261838c78bfe06",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "275c686f1e3cc056ec66c764489ec1fe1e51b950",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "ceb70d31da5671d298bad94ae6c20e4bbb800f96",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "d88481653d74d622d1d0d2c9bad845fc2cc6fd23",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "b69492161c056d36789aee42a87a33c18c8ed5e1",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "858344bc9210bea9ab2bdc7e9e331ba84c164e50",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "faf07e611dfa464b201223a7253e9dc5ee0f3c9e",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm1-cmd.c",
"drivers/char/tpm/tpm2-cmd.c",
"include/linux/tpm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Cap the number of PCR banks\n\ntpm2_get_pcr_allocation() does not cap any upper limit for the number of\nbanks. Cap the limit to eight banks so that out of bounds values coming\nfrom external I/O cause on only limited harm."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:17.555Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06"
},
{
"url": "https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950"
},
{
"url": "https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96"
},
{
"url": "https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23"
},
{
"url": "https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1"
},
{
"url": "https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50"
},
{
"url": "https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e"
}
],
"title": "tpm: Cap the number of PCR banks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71077",
"datePublished": "2026-01-13T15:31:29.435Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-06-11T18:44:05.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23000 (GCVE-0-2026-23000)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-05-11 21:58
VLAI?
EPSS
Title
net/mlx5e: Fix crash on profile change rollback failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix crash on profile change rollback failure
mlx5e_netdev_change_profile can fail to attach a new profile and can
fail to rollback to old profile, in such case, we could end up with a
dangling netdev with a fully reset netdev_priv. A retry to change
profile, e.g. another attempt to call mlx5e_netdev_change_profile via
switchdev mode change, will crash trying to access the now NULL
priv->mdev.
This fix allows mlx5e_netdev_change_profile() to handle previous
failures and an empty priv, by not assuming priv is valid.
Pass netdev and mdev to all flows requiring
mlx5e_netdev_change_profile() and avoid passing priv.
In mlx5e_netdev_change_profile() check if current priv is valid, and if
not, just attach the new profile without trying to access the old one.
This fixes the following oops, when enabling switchdev mode for the 2nd
time after first time failure:
## Enabling switchdev mode first time:
mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
^^^^^^^^
mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
## retry: Enabling switchdev mode 2nd time:
mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_detach_netdev+0x3c/0x90
Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07
RSP: 0018:ffffc90000673890 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000
RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000
R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000
R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000
FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0
Call Trace:
<TASK>
mlx5e_netdev_change_profile+0x45/0xb0
mlx5e_vport_rep_load+0x27b/0x2d0
mlx5_esw_offloads_rep_load+0x72/0xf0
esw_offloads_enable+0x5d0/0x970
mlx5_eswitch_enable_locked+0x349/0x430
? is_mp_supported+0x57/0xb0
mlx5_devlink_eswitch_mode_set+0x26b/0x430
devlink_nl_eswitch_set_doit+0x6f/0xf0
genl_family_rcv_msg_doit+0xe8/0x140
genl_rcv_msg+0x18b/0x290
? __pfx_devlink_nl_pre_doit+0x10/0x10
? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10
? __pfx_devlink_nl_post_doit+0x10/0x10
? __pfx_genl_rcv_msg+0x10/0x10
netlink_rcv_skb+0x52/0x100
genl_rcv+0x28/0x40
netlink_unicast+0x282/0x3e0
? __alloc_skb+0xd6/0x190
netlink_sendmsg+0x1f7/0x430
__sys_sendto+0x213/0x220
? __sys_recvmsg+0x6a/0xd0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x50/0x1f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fdfb8495047
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c4d7eb57687f358cd498ea3624519236af8db97e , < dad52950b409d6923880d65a4cddb383286e17d2
(git)
Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < e05b8084a20f6bd5827d338c928e5e0fcbafa496 (git) Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < 4dadc4077e3f77d6d31e199a925fc7a705e7adeb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dad52950b409d6923880d65a4cddb383286e17d2",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "e05b8084a20f6bd5827d338c928e5e0fcbafa496",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "4dadc4077e3f77d6d31e199a925fc7a705e7adeb",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix crash on profile change rollback failure\n\nmlx5e_netdev_change_profile can fail to attach a new profile and can\nfail to rollback to old profile, in such case, we could end up with a\ndangling netdev with a fully reset netdev_priv. A retry to change\nprofile, e.g. another attempt to call mlx5e_netdev_change_profile via\nswitchdev mode change, will crash trying to access the now NULL\npriv-\u003emdev.\n\nThis fix allows mlx5e_netdev_change_profile() to handle previous\nfailures and an empty priv, by not assuming priv is valid.\n\nPass netdev and mdev to all flows requiring\nmlx5e_netdev_change_profile() and avoid passing priv.\nIn mlx5e_netdev_change_profile() check if current priv is valid, and if\nnot, just attach the new profile without trying to access the old one.\n\nThis fixes the following oops, when enabling switchdev mode for the 2nd\ntime after first time failure:\n\n ## Enabling switchdev mode first time:\n\nmlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n ^^^^^^^^\nmlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\n\n ## retry: Enabling switchdev mode 2nd time:\n\nmlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload\nBUG: kernel NULL pointer dereference, address: 0000000000000038\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_detach_netdev+0x3c/0x90\nCode: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 \u003c48\u003e 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07\nRSP: 0018:ffffc90000673890 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000\nRDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000\nR10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000\nR13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000\nFS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0\nCall Trace:\n \u003cTASK\u003e\n mlx5e_netdev_change_profile+0x45/0xb0\n mlx5e_vport_rep_load+0x27b/0x2d0\n mlx5_esw_offloads_rep_load+0x72/0xf0\n esw_offloads_enable+0x5d0/0x970\n mlx5_eswitch_enable_locked+0x349/0x430\n ? is_mp_supported+0x57/0xb0\n mlx5_devlink_eswitch_mode_set+0x26b/0x430\n devlink_nl_eswitch_set_doit+0x6f/0xf0\n genl_family_rcv_msg_doit+0xe8/0x140\n genl_rcv_msg+0x18b/0x290\n ? __pfx_devlink_nl_pre_doit+0x10/0x10\n ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10\n ? __pfx_devlink_nl_post_doit+0x10/0x10\n ? __pfx_genl_rcv_msg+0x10/0x10\n netlink_rcv_skb+0x52/0x100\n genl_rcv+0x28/0x40\n netlink_unicast+0x282/0x3e0\n ? __alloc_skb+0xd6/0x190\n netlink_sendmsg+0x1f7/0x430\n __sys_sendto+0x213/0x220\n ? __sys_recvmsg+0x6a/0xd0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x50/0x1f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fdfb8495047"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:04.055Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dad52950b409d6923880d65a4cddb383286e17d2"
},
{
"url": "https://git.kernel.org/stable/c/e05b8084a20f6bd5827d338c928e5e0fcbafa496"
},
{
"url": "https://git.kernel.org/stable/c/4dadc4077e3f77d6d31e199a925fc7a705e7adeb"
}
],
"title": "net/mlx5e: Fix crash on profile change rollback failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23000",
"datePublished": "2026-01-25T14:36:14.854Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-05-11T21:58:04.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71136 (GCVE-0-2025-71136)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-05-11 21:55
VLAI?
EPSS
Title
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
It's possible for cp_read() and hdmi_read() to return -EIO. Those
values are further used as indexes for accessing arrays.
Fix that by checking return values where it's needed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < f81ee181cb036d046340c213091b69d9a8701a76
(git)
Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < f913b9a2ccd6114b206b9e91dae5e3dc13a415a0 (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < d6a22a4a96e4dfe6897cb3532d2b3016d87706f0 (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < a73881ae085db5702d8b13e2fc9f78d51c723d3f (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < 60dde0960e3ead8a9569f6c494d90d0232ac0983 (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < b693d48a6ed0cd09171103ad418e4a693203d6e4 (git) Affected: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 , < 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/adv7842.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f81ee181cb036d046340c213091b69d9a8701a76",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "f913b9a2ccd6114b206b9e91dae5e3dc13a415a0",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "d6a22a4a96e4dfe6897cb3532d2b3016d87706f0",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "a73881ae085db5702d8b13e2fc9f78d51c723d3f",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "60dde0960e3ead8a9569f6c494d90d0232ac0983",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "b693d48a6ed0cd09171103ad418e4a693203d6e4",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "8163419e3e05d71dcfa8fb49c8fdf8d76908fe51",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/adv7842.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()\n\nIt\u0027s possible for cp_read() and hdmi_read() to return -EIO. Those\nvalues are further used as indexes for accessing arrays.\n\nFix that by checking return values where it\u0027s needed.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:40.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f81ee181cb036d046340c213091b69d9a8701a76"
},
{
"url": "https://git.kernel.org/stable/c/f913b9a2ccd6114b206b9e91dae5e3dc13a415a0"
},
{
"url": "https://git.kernel.org/stable/c/d6a22a4a96e4dfe6897cb3532d2b3016d87706f0"
},
{
"url": "https://git.kernel.org/stable/c/a73881ae085db5702d8b13e2fc9f78d51c723d3f"
},
{
"url": "https://git.kernel.org/stable/c/60dde0960e3ead8a9569f6c494d90d0232ac0983"
},
{
"url": "https://git.kernel.org/stable/c/b693d48a6ed0cd09171103ad418e4a693203d6e4"
},
{
"url": "https://git.kernel.org/stable/c/8163419e3e05d71dcfa8fb49c8fdf8d76908fe51"
}
],
"title": "media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71136",
"datePublished": "2026-01-14T15:07:50.568Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-05-11T21:55:40.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71147 (GCVE-0-2025-71147)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
Summary
In the Linux kernel, the following vulnerability has been resolved:
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'
but it is not freed in the failure paths. Address this by wrapping the blob
into with a cleanup helper.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2219745250f388edacabe6cca73654131c67d0a , < 3fd7df4636d8fd5e3592371967a5941204368936
(git)
Affected: f2219745250f388edacabe6cca73654131c67d0a , < af0689cafb127a8d1af78cc8b72585c9b2a19ecd (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 19166de9737218b77122c41a5730ac87025e089f (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 9b015f2918b95bdde2ca9cefa10ef02b138aae1e (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 62cd5d480b9762ce70d720a81fa5b373052ae05f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:59.884894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:18.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fd7df4636d8fd5e3592371967a5941204368936",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "af0689cafb127a8d1af78cc8b72585c9b2a19ecd",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "19166de9737218b77122c41a5730ac87025e089f",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "9b015f2918b95bdde2ca9cefa10ef02b138aae1e",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "9e7c63c69f57b1db1a8a1542359a6167ff8fcef1",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "62cd5d480b9762ce70d720a81fa5b373052ae05f",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix a memory leak in tpm2_load_cmd\n\n\u0027tpm2_load_cmd\u0027 allocates a tempoary blob indirectly via \u0027tpm2_key_decode\u0027\nbut it is not freed in the failure paths. Address this by wrapping the blob\ninto with a cleanup helper."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:53.398Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936"
},
{
"url": "https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd"
},
{
"url": "https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f"
},
{
"url": "https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e"
},
{
"url": "https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1"
},
{
"url": "https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f"
}
],
"title": "KEYS: trusted: Fix a memory leak in tpm2_load_cmd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71147",
"datePublished": "2026-01-23T14:15:13.945Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-06-11T18:44:18.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43500 (GCVE-0-2026-43500)
Vulnerability from cvelistv5 – Published: 2026-05-11 06:26 – Updated: 2026-06-30 03:16
VLAI?
EPSS
Title
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 7c504ffab3efce8f7e4f463b314ae31030bdf18b
(git)
Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3711382a77342a9a1c3d2e7330dcfc7ea927f568 (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < d45179f8795222ce858770dc619abe51f9d24411 (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:51:19.227001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:53:36.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s RxRPC networking subsystem. When a socket buffer carrying a page-cache reference reaches the RxRPC authentication verification path, the kernel performs an in-place decryption directly on the referenced page without first isolating the buffer. A low-privileged local attacker can exploit this behavior to corrupt the page-cache contents of readable files, including sensitive system files such as /etc/passwd, and obtain root privileges. Exploitation does not require unprivileged user or network namespaces, but depends on the RxRPC protocol stack being available on the target system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:16:32.506Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43500"
},
{
"name": "RHBZ#2468273",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468273"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43500.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-11T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-11T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: \"Dirty Frag\" RxRPC variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c504ffab3efce8f7e4f463b314ae31030bdf18b",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3711382a77342a9a1c3d2e7330dcfc7ea927f568",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3eae0f4f9f7206a4801efa5e0235c25bbd5a412c",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "d45179f8795222ce858770dc619abe51f9d24411",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.29",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.6",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also unshare DATA/RESPONSE packets when paged frags are present\n\nThe DATA-packet handler in rxrpc_input_call_event() and the RESPONSE\nhandler in rxrpc_verify_response() copy the skb to a linear one before\ncalling into the security ops only when skb_cloned() is true. An skb\nthat is not cloned but still carries externally-owned paged fragments\n(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via\n__ip_append_data, or a chained skb_has_frag_list()) falls through to\nthe in-place decryption path, which binds the frag pages directly into\nthe AEAD/skcipher SGL via skb_to_sgvec().\n\nExtend the gate to also unshare when skb_has_frag_list() or\nskb_has_shared_frag() is true. This catches the splice-loopback vector\nand other externally-shared frag sources while preserving the\nzero-copy fast path for skbs whose frags are kernel-private (e.g. NIC\npage_pool RX, GRO). The OOM/trace handling already in place is reused."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:45:38.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18b"
},
{
"url": "https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568"
},
{
"url": "https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c"
},
{
"url": "https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411"
},
{
"url": "https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71"
}
],
"title": "rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43500",
"datePublished": "2026-05-11T06:26:45.838Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-06-30T03:16:32.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68263 (GCVE-0-2025-68263)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-05-11 21:49
VLAI?
EPSS
Title
ksmbd: ipc: fix use-after-free in ipc_msg_send_request
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: ipc: fix use-after-free in ipc_msg_send_request
ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.
Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():
BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
Write of size 12 at addr ffff888198ee6e20 by task pool/109349
...
Freed by task:
kvfree
ipc_msg_send_request [ksmbd]
ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]
Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
entry->response, freeing it when invalid, and removing the entry from
ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
semantics.
This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < de85fb58f9967ba024bb08e0041613d37b57b4d1
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 708a620b471a14466f1f52c90bf3f65ebdb31460 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 759c8c30cfa8706c518e56f67971b1f0932f4b9b (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 8229c6ca50cea701e25a7ee25f48441b582ec5fa (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 1fab1fa091f5aa97265648b53ea031deedd26235 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de85fb58f9967ba024bb08e0041613d37b57b4d1",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "708a620b471a14466f1f52c90bf3f65ebdb31460",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "759c8c30cfa8706c518e56f67971b1f0932f4b9b",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "8229c6ca50cea701e25a7ee25f48441b582ec5fa",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "1fab1fa091f5aa97265648b53ea031deedd26235",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: ipc: fix use-after-free in ipc_msg_send_request\n\nipc_msg_send_request() waits for a generic netlink reply using an\nipc_msg_table_entry on the stack. The generic netlink handler\n(handle_generic_event()/handle_response()) fills entry-\u003eresponse under\nipc_msg_table_lock, but ipc_msg_send_request() used to validate and free\nentry-\u003eresponse without holding the same lock.\n\nUnder high concurrency this allows a race where handle_response() is\ncopying data into entry-\u003eresponse while ipc_msg_send_request() has just\nfreed it, leading to a slab-use-after-free reported by KASAN in\nhandle_generic_event():\n\n BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]\n Write of size 12 at addr ffff888198ee6e20 by task pool/109349\n ...\n Freed by task:\n kvfree\n ipc_msg_send_request [ksmbd]\n ksmbd_rpc_open -\u003e ksmbd_session_rpc_open [ksmbd]\n\nFix by:\n- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating\n entry-\u003eresponse, freeing it when invalid, and removing the entry from\n ipc_msg_table.\n- Returning the final entry-\u003eresponse pointer to the caller only after\n the hash entry is removed under the lock.\n- Returning NULL in the error path, preserving the original API\n semantics.\n\nThis makes all accesses to entry-\u003eresponse consistent with\nhandle_response(), which already updates and fills the response buffer\nunder ipc_msg_table_lock, and closes the race that allowed the UAF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:59.480Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de85fb58f9967ba024bb08e0041613d37b57b4d1"
},
{
"url": "https://git.kernel.org/stable/c/708a620b471a14466f1f52c90bf3f65ebdb31460"
},
{
"url": "https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e"
},
{
"url": "https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b"
},
{
"url": "https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa"
},
{
"url": "https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235"
}
],
"title": "ksmbd: ipc: fix use-after-free in ipc_msg_send_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68263",
"datePublished": "2025-12-16T14:45:05.218Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-05-11T21:49:59.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22997 (GCVE-0-2026-22997)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-06-16 20:36
VLAI?
EPSS
Title
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is
called only when the timer is enabled, we need to call
j1939_session_deactivate_activate_next() if we cancelled the timer.
Otherwise, refcount for j1939_session leaks, which will later appear as
| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.
problem.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d71dd0c70099914fcd063135da3c580865e924c , < a73e7d7e346dae1c22dc3e95b02ca464b12daf2c
(git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < adabf01c19561e42899da9de56a6a1da0e6b8a5b (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < b1d67607e97d489c0cfbbf55f48a76b00710b0e4 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 809a437e27a3bf3c1c6c8c157773635552116f2b (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < cb2a610867bc379988bae0bb4b8bbc59c0decf1a (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 6121b7564c725b632ffe4764abe85aa239d37703 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 1809c82aa073a11b7d335ae932d81ce51a588a4a (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22997",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:36:25.922251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:36:36.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a73e7d7e346dae1c22dc3e95b02ca464b12daf2c",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "adabf01c19561e42899da9de56a6a1da0e6b8a5b",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "b1d67607e97d489c0cfbbf55f48a76b00710b0e4",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "809a437e27a3bf3c1c6c8c157773635552116f2b",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "cb2a610867bc379988bae0bb4b8bbc59c0decf1a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "6121b7564c725b632ffe4764abe85aa239d37703",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "1809c82aa073a11b7d335ae932d81ce51a588a4a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts\n\nSince j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is\ncalled only when the timer is enabled, we need to call\nj1939_session_deactivate_activate_next() if we cancelled the timer.\nOtherwise, refcount for j1939_session leaks, which will later appear as\n\n| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.\n\nproblem."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:00.440Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a73e7d7e346dae1c22dc3e95b02ca464b12daf2c"
},
{
"url": "https://git.kernel.org/stable/c/adabf01c19561e42899da9de56a6a1da0e6b8a5b"
},
{
"url": "https://git.kernel.org/stable/c/b1d67607e97d489c0cfbbf55f48a76b00710b0e4"
},
{
"url": "https://git.kernel.org/stable/c/809a437e27a3bf3c1c6c8c157773635552116f2b"
},
{
"url": "https://git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1a"
},
{
"url": "https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703"
},
{
"url": "https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a"
}
],
"title": "net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22997",
"datePublished": "2026-01-25T14:36:12.053Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-06-16T20:36:36.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68724 (GCVE-0-2025-68724)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-06-16 19:22
VLAI?
EPSS
Title
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 60a7be5ee74408147e439164ac067e418ca74bb4
(git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c13c6e9de91d7f1dd7df756b1fa5a1f968839d76 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < dfc1613961828745165aec6552c3818fa14ab725 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c73be4f51eed98fa0c7c189db8f279e1c86bfbf7 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 6af753ac5205115e6c310c8c4236c01b59a1c44f (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < b7090a5c153105b9fd221a5a81459ee8cd5babd6 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < df0845cf447ae1556c3440b8b155de0926cbaa56 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:22:49.497362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:22:59.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60a7be5ee74408147e439164ac067e418ca74bb4",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c13c6e9de91d7f1dd7df756b1fa5a1f968839d76",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "dfc1613961828745165aec6552c3818fa14ab725",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c73be4f51eed98fa0c7c189db8f279e1c86bfbf7",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "6af753ac5205115e6c310c8c4236c01b59a1c44f",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "b7090a5c153105b9fd221a5a81459ee8cd5babd6",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "df0845cf447ae1556c3440b8b155de0926cbaa56",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:06.966Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60a7be5ee74408147e439164ac067e418ca74bb4"
},
{
"url": "https://git.kernel.org/stable/c/c13c6e9de91d7f1dd7df756b1fa5a1f968839d76"
},
{
"url": "https://git.kernel.org/stable/c/dfc1613961828745165aec6552c3818fa14ab725"
},
{
"url": "https://git.kernel.org/stable/c/5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c"
},
{
"url": "https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7"
},
{
"url": "https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f"
},
{
"url": "https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6"
},
{
"url": "https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56"
}
],
"title": "crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68724",
"datePublished": "2025-12-24T10:33:08.932Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-06-16T19:22:59.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68817 (GCVE-0-2025-68817)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
Under high concurrency, A tree-connection object (tcon) is freed on
a disconnect path while another path still holds a reference and later
executes *_put()/write on it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dd45db4d9bbc8f122a9b4db5ce94ae29fcf03d3c , < 446beed646b2e426dd53d27358365f8678e1dd01
(git)
Affected: 7b58ee8d0b91359554cf219cd4f33872ea2afd66 , < d092de8a26c952379ded8e6b0bda31d89befac1a (git) Affected: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e , < d64977495e44855f2b28d8ce56107c963a7a50e4 (git) Affected: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e , < 21a3d01fc6db5129f81edb0ab7cb94fd758bcbea (git) Affected: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e , < 063cbbc6f595ea36ad146e1b7d2af820894beb21 (git) Affected: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e , < b39a1833cc4a2755b02603eec3a71a85e9dff926 (git) Affected: 5.15.145 , < 5.15.199 (semver) Affected: 6.1.71 , < 6.1.160 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/tree_connect.c",
"fs/smb/server/mgmt/tree_connect.h",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "446beed646b2e426dd53d27358365f8678e1dd01",
"status": "affected",
"version": "dd45db4d9bbc8f122a9b4db5ce94ae29fcf03d3c",
"versionType": "git"
},
{
"lessThan": "d092de8a26c952379ded8e6b0bda31d89befac1a",
"status": "affected",
"version": "7b58ee8d0b91359554cf219cd4f33872ea2afd66",
"versionType": "git"
},
{
"lessThan": "d64977495e44855f2b28d8ce56107c963a7a50e4",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "21a3d01fc6db5129f81edb0ab7cb94fd758bcbea",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "063cbbc6f595ea36ad146e1b7d2af820894beb21",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "b39a1833cc4a2755b02603eec3a71a85e9dff926",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "5.15.199",
"status": "affected",
"version": "5.15.145",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.71",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/tree_connect.c",
"fs/smb/server/mgmt/tree_connect.h",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency\n\nUnder high concurrency, A tree-connection object (tcon) is freed on\na disconnect path while another path still holds a reference and later\nexecutes *_put()/write on it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:57.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/446beed646b2e426dd53d27358365f8678e1dd01"
},
{
"url": "https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a"
},
{
"url": "https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4"
},
{
"url": "https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea"
},
{
"url": "https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21"
},
{
"url": "https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926"
}
],
"title": "ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68817",
"datePublished": "2026-01-13T15:29:21.210Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-05-23T16:02:57.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23187 (GCVE-0-2026-23187)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:02
VLAI?
EPSS
Title
pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains
Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < 7842b5dfcac888ece025a2321257d74b2264b099
(git)
Affected: 2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < 071159ff5c0bf2e5efff79501e23faf3775cbcd1 (git) Affected: 2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < 4390dcdabb5fca4647bf56a5a6b050bbdfa5760f (git) Affected: 2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < eb54ce033b344b531b374496e68a2554b2b56b5a (git) Affected: 2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < 6bd8b4a92a901fae1a422e6f914801063c345e8d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8m-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7842b5dfcac888ece025a2321257d74b2264b099",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
},
{
"lessThan": "071159ff5c0bf2e5efff79501e23faf3775cbcd1",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
},
{
"lessThan": "4390dcdabb5fca4647bf56a5a6b050bbdfa5760f",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
},
{
"lessThan": "eb54ce033b344b531b374496e68a2554b2b56b5a",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
},
{
"lessThan": "6bd8b4a92a901fae1a422e6f914801063c345e8d",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8m-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8m-blk-ctrl: fix out-of-range access of bc-\u003edomains\n\nFix out-of-range access of bc-\u003edomains in imx8m_blk_ctrl_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:00.524Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7842b5dfcac888ece025a2321257d74b2264b099"
},
{
"url": "https://git.kernel.org/stable/c/071159ff5c0bf2e5efff79501e23faf3775cbcd1"
},
{
"url": "https://git.kernel.org/stable/c/4390dcdabb5fca4647bf56a5a6b050bbdfa5760f"
},
{
"url": "https://git.kernel.org/stable/c/eb54ce033b344b531b374496e68a2554b2b56b5a"
},
{
"url": "https://git.kernel.org/stable/c/6bd8b4a92a901fae1a422e6f914801063c345e8d"
}
],
"title": "pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc-\u003edomains",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23187",
"datePublished": "2026-02-14T16:27:16.200Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-05-11T22:02:00.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38022 (GCVE-0-2025-38022)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:28 – Updated: 2026-06-11 17:53
VLAI?
EPSS
Title
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
strlen+0x93/0xa0 lib/string.c:420
__fortify_strlen include/linux/fortify-string.h:268 [inline]
get_kobj_path_length lib/kobject.c:118 [inline]
kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
ib_register_device drivers/infiniband/core/device.c:1472 [inline]
ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
__sys_sendmsg+0x16d/0x220 net/socket.c:2652
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.
The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.
The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
53e9a5a692f839780084ad81dbd461ec917f74f7 , < ba467b6870ea2a73590478d9612d6ea1dcdd68b7
(git)
Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 5629064f92f0de6d6b3572055cd35361c3ad953c (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 312dae3499106ec8cb7442ada12be080aa9fbc3b (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 17d3103325e891e10994e7aa28d12bea04dc2c60 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 10c7f1c647da3b77ef8827d974a97b6530b64df0 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < 03df57ad4b0ff9c5a93ff981aba0b42578ad1571 (git) Affected: 779e0bf47632c609c59f527f9711ecd3214dccb0 , < d0706bfd3ee40923c001c6827b786a309e2a8713 (git) Affected: 9b54e31fd08f8d8db507d021c88e760d5f8e4640 (git) Affected: 5.10.4 , < 5.10.248 (semver) Affected: 5.4.86 , < 5.5 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:23.842559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T17:53:38.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba467b6870ea2a73590478d9612d6ea1dcdd68b7",
"status": "affected",
"version": "53e9a5a692f839780084ad81dbd461ec917f74f7",
"versionType": "git"
},
{
"lessThan": "5629064f92f0de6d6b3572055cd35361c3ad953c",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "312dae3499106ec8cb7442ada12be080aa9fbc3b",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "17d3103325e891e10994e7aa28d12bea04dc2c60",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "10c7f1c647da3b77ef8827d974a97b6530b64df0",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "03df57ad4b0ff9c5a93ff981aba0b42578ad1571",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "d0706bfd3ee40923c001c6827b786a309e2a8713",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"status": "affected",
"version": "9b54e31fd08f8d8db507d021c88e760d5f8e4640",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.4",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.86",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.30",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem\n\nCall Trace:\n\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n strlen+0x93/0xa0 lib/string.c:420\n __fortify_strlen include/linux/fortify-string.h:268 [inline]\n get_kobj_path_length lib/kobject.c:118 [inline]\n kobject_get_path+0x3f/0x2a0 lib/kobject.c:158\n kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545\n ib_register_device drivers/infiniband/core/device.c:1472 [inline]\n ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393\n rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552\n rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225\n nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796\n rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmsg+0x16d/0x220 net/socket.c:2652\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis problem is similar to the problem that the\ncommit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\")\nfixes.\n\nThe root cause is: the function ib_device_rename() renames the name with\nlock. But in the function kobject_uevent(), this name is accessed without\nlock protection at the same time.\n\nThe solution is to add the lock protection when this name is accessed in\nthe function kobject_uevent()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:58:50.665Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba467b6870ea2a73590478d9612d6ea1dcdd68b7"
},
{
"url": "https://git.kernel.org/stable/c/5629064f92f0de6d6b3572055cd35361c3ad953c"
},
{
"url": "https://git.kernel.org/stable/c/312dae3499106ec8cb7442ada12be080aa9fbc3b"
},
{
"url": "https://git.kernel.org/stable/c/17d3103325e891e10994e7aa28d12bea04dc2c60"
},
{
"url": "https://git.kernel.org/stable/c/10c7f1c647da3b77ef8827d974a97b6530b64df0"
},
{
"url": "https://git.kernel.org/stable/c/03df57ad4b0ff9c5a93ff981aba0b42578ad1571"
},
{
"url": "https://git.kernel.org/stable/c/d0706bfd3ee40923c001c6827b786a309e2a8713"
}
],
"title": "RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38022",
"datePublished": "2025-06-18T09:28:29.218Z",
"dateReserved": "2025-04-16T04:51:23.977Z",
"dateUpdated": "2026-06-11T17:53:38.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68742 (GCVE-0-2025-68742)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
bpf: Fix invalid prog->stats access when update_effective_progs fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix invalid prog->stats access when update_effective_progs fails
Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:
__cgroup_bpf_detach
update_effective_progs
compute_effective_progs
bpf_prog_array_alloc <-- fault inject
purge_effective_progs
/* change to dummy_bpf_prog */
array->items[index] = &dummy_bpf_prog.prog
---softirq start---
__do_softirq
...
__cgroup_bpf_run_filter_skb
__bpf_prog_run_save_cb
bpf_prog_run
stats = this_cpu_ptr(prog->stats)
/* invalid memory access */
flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---
static_branch_dec(&cgroup_bpf_enabled_key[atype])
The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members of
dummy_bpf_prog.prog in the softirq triggers invalid mem access.
To fix it, skip updating stats when stats is NULL.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 93d1964773ff513c9bd530f7686d3e48b786fa6b
(git)
Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < bf2c990b012100610c0f1ec5c4ea434da2d080c2 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 539137e3038ce6f953efd72110110f03c14c7d97 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 56905bb70c8b88421709bb4e32fcba617aa37d41 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 2579c356ccd35d06238b176e4b460978186d804b (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 7dc211c1159d991db609bdf4b0fb9033c04adcbc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d1964773ff513c9bd530f7686d3e48b786fa6b",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "bf2c990b012100610c0f1ec5c4ea434da2d080c2",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "539137e3038ce6f953efd72110110f03c14c7d97",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "56905bb70c8b88421709bb4e32fcba617aa37d41",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "2579c356ccd35d06238b176e4b460978186d804b",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "7dc211c1159d991db609bdf4b0fb9033c04adcbc",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix invalid prog-\u003estats access when update_effective_progs fails\n\nSyzkaller triggers an invalid memory access issue following fault\ninjection in update_effective_progs. The issue can be described as\nfollows:\n\n__cgroup_bpf_detach\n update_effective_progs\n compute_effective_progs\n bpf_prog_array_alloc \u003c-- fault inject\n purge_effective_progs\n /* change to dummy_bpf_prog */\n array-\u003eitems[index] = \u0026dummy_bpf_prog.prog\n\n---softirq start---\n__do_softirq\n ...\n __cgroup_bpf_run_filter_skb\n __bpf_prog_run_save_cb\n bpf_prog_run\n stats = this_cpu_ptr(prog-\u003estats)\n /* invalid memory access */\n flags = u64_stats_update_begin_irqsave(\u0026stats-\u003esyncp)\n---softirq end---\n\n static_branch_dec(\u0026cgroup_bpf_enabled_key[atype])\n\nThe reason is that fault injection caused update_effective_progs to fail\nand then changed the original prog into dummy_bpf_prog.prog in\npurge_effective_progs. Then a softirq came, and accessing the members of\ndummy_bpf_prog.prog in the softirq triggers invalid mem access.\n\nTo fix it, skip updating stats when stats is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:28.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d1964773ff513c9bd530f7686d3e48b786fa6b"
},
{
"url": "https://git.kernel.org/stable/c/bf2c990b012100610c0f1ec5c4ea434da2d080c2"
},
{
"url": "https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97"
},
{
"url": "https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41"
},
{
"url": "https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b"
},
{
"url": "https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc"
}
],
"title": "bpf: Fix invalid prog-\u003estats access when update_effective_progs fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68742",
"datePublished": "2025-12-24T12:09:39.341Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-05-11T21:52:28.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71066 (GCVE-0-2025-71066)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
zdi-disclosures@trendmicro.com says:
The vulnerability is a race condition between `ets_qdisc_dequeue` and
`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.
Attacker requires the capability to create new user and network namespace
in order to trigger the bug.
See my additional commentary at the end of the analysis.
Analysis:
static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
struct netlink_ext_ack *extack)
{
...
// (1) this lock is preventing .change handler (`ets_qdisc_change`)
//to race with .dequeue handler (`ets_qdisc_dequeue`)
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
// (2) the class is added to the q->active
list_add_tail(&q->classes[i].alist, &q->active);
q->classes[i].deficit = quanta[i];
}
}
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
for (i = 0; i < q->nbands; i++)
WRITE_ONCE(q->classes[i].quantum, quanta[i]);
for (i = oldbands; i < q->nbands; i++) {
q->classes[i].qdisc = queues[i];
if (q->classes[i].qdisc != &noop_qdisc)
qdisc_hash_add(q->classes[i].qdisc, true);
}
// (3) the qdisc is unlocked, now dequeue can be called in parallel
// to the rest of .change handler
sch_tree_unlock(sch);
ets_offload_change(sch);
for (i = q->nbands; i < oldbands; i++) {
// (4) we're reducing the refcount for our class's qdisc and
// freeing it
qdisc_put(q->classes[i].qdisc);
// (5) If we call .dequeue between (4) and (5), we will have
// a strong UAF and we can control RIP
q->classes[i].qdisc = NULL;
WRITE_ONCE(q->classes[i].quantum, 0);
q->classes[i].deficit = 0;
gnet_stats_basic_sync_init(&q->classes[i].bstats);
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
}
return 0;
}
Comment:
This happens because some of the classes have their qdiscs assigned to
NULL, but remain in the active list. This commit fixes this issue by always
removing the class from the active list before deleting and freeing its
associated qdisc
Reproducer Steps
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)
```
DEV="${DEV:-lo}"
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2
PING_BYTES="${PING_BYTES:-48}"
PING_COUNT="${PING_COUNT:-200000}"
PING_DST="${PING_DST:-127.0.0.1}"
SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"
cleanup() {
tc qdisc del dev "$DEV" root 2>/dev/null
}
trap cleanup EXIT
ip link set "$DEV" up
tc qdisc del dev "$DEV" root 2>/dev/null || true
tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"
tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
tc -s qdisc ls dev $DEV
ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
>/dev/null 2>&1 &
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc -s qdisc ls dev $DEV
tc qdisc del dev "$DEV" parent
---truncated---
Severity ?
7.5 (High)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ae2659d2c670252759ee9c823c4e039c0e05a6f2 , < 062d5d544e564473450d72e6af83077c2b2ff7c3
(git)
Affected: e25bdbc7e951ae5728fee1f4c09485df113d013c , < c7f6e7cc14df72b997258216e99d897d2df0dbbd (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < a75d617a4ef08682f5cfaadc01d5141c87e019c9 (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < 9987cda315c08f63a02423fa2f9a1f6602c861a0 (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < 06bfb66a7c8b45e3fed01351a4b087410ae5ef39 (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < 45466141da3c98a0c5fa88be0bc14b4b6a4bd75c (git) Affected: de6d25924c2a8c2988c6a385990cafbe742061bf , < ce052b9402e461a9aded599f5b47e76bc727f7de (git) Affected: 5.10.83 , < 5.10.248 (semver) Affected: 5.15.6 , < 5.15.198 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-71066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T03:55:51.470582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T12:50:15.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "062d5d544e564473450d72e6af83077c2b2ff7c3",
"status": "affected",
"version": "ae2659d2c670252759ee9c823c4e039c0e05a6f2",
"versionType": "git"
},
{
"lessThan": "c7f6e7cc14df72b997258216e99d897d2df0dbbd",
"status": "affected",
"version": "e25bdbc7e951ae5728fee1f4c09485df113d013c",
"versionType": "git"
},
{
"lessThan": "a75d617a4ef08682f5cfaadc01d5141c87e019c9",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "9987cda315c08f63a02423fa2f9a1f6602c861a0",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "06bfb66a7c8b45e3fed01351a4b087410ae5ef39",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "45466141da3c98a0c5fa88be0bc14b4b6a4bd75c",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "ce052b9402e461a9aded599f5b47e76bc727f7de",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.83",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n struct netlink_ext_ack *extack)\n{\n...\n\n // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n //to race with .dequeue handler (`ets_qdisc_dequeue`)\n sch_tree_lock(sch);\n\n for (i = nbands; i \u003c oldbands; i++) {\n if (i \u003e= q-\u003enstrict \u0026\u0026 q-\u003eclasses[i].qdisc-\u003eq.qlen)\n list_del_init(\u0026q-\u003eclasses[i].alist);\n qdisc_purge_queue(q-\u003eclasses[i].qdisc);\n }\n\n WRITE_ONCE(q-\u003enbands, nbands);\n for (i = nstrict; i \u003c q-\u003enstrict; i++) {\n if (q-\u003eclasses[i].qdisc-\u003eq.qlen) {\n\t\t // (2) the class is added to the q-\u003eactive\n list_add_tail(\u0026q-\u003eclasses[i].alist, \u0026q-\u003eactive);\n q-\u003eclasses[i].deficit = quanta[i];\n }\n }\n WRITE_ONCE(q-\u003enstrict, nstrict);\n memcpy(q-\u003eprio2band, priomap, sizeof(priomap));\n\n for (i = 0; i \u003c q-\u003enbands; i++)\n WRITE_ONCE(q-\u003eclasses[i].quantum, quanta[i]);\n\n for (i = oldbands; i \u003c q-\u003enbands; i++) {\n q-\u003eclasses[i].qdisc = queues[i];\n if (q-\u003eclasses[i].qdisc != \u0026noop_qdisc)\n qdisc_hash_add(q-\u003eclasses[i].qdisc, true);\n }\n\n // (3) the qdisc is unlocked, now dequeue can be called in parallel\n // to the rest of .change handler\n sch_tree_unlock(sch);\n\n ets_offload_change(sch);\n for (i = q-\u003enbands; i \u003c oldbands; i++) {\n\t // (4) we\u0027re reducing the refcount for our class\u0027s qdisc and\n\t // freeing it\n qdisc_put(q-\u003eclasses[i].qdisc);\n\t // (5) If we call .dequeue between (4) and (5), we will have\n\t // a strong UAF and we can control RIP\n q-\u003eclasses[i].qdisc = NULL;\n WRITE_ONCE(q-\u003eclasses[i].quantum, 0);\n q-\u003eclasses[i].deficit = 0;\n gnet_stats_basic_sync_init(\u0026q-\u003eclasses[i].bstats);\n memset(\u0026q-\u003eclasses[i].qstats, 0, sizeof(q-\u003eclasses[i].qstats));\n }\n return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\" # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n tc qdisc del dev \"$DEV\" root 2\u003e/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2\u003e/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n \u003e/dev/null 2\u003e\u00261 \u0026\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:01.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3"
},
{
"url": "https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd"
},
{
"url": "https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9"
},
{
"url": "https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0"
},
{
"url": "https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39"
},
{
"url": "https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c"
},
{
"url": "https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de"
}
],
"title": "net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71066",
"datePublished": "2026-01-13T15:31:21.931Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-05-23T16:03:01.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57795 (GCVE-0-2024-57795)
Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2026-05-11 20:59
VLAI?
EPSS
Title
RDMA/rxe: Remove the direct link to net_device
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Remove the direct link to net_device
The similar patch in siw is in the link:
https://git.kernel.org/rdma/rdma/c/16b87037b48889
This problem also occurred in RXE. The following analyze this problem.
In the following Call Traces:
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295
CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted
6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
Hardware name: Google Compute Engine/Google Compute Engine,
BIOS Google 09/13/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60
__ib_query_port drivers/infiniband/core/device.c:2111 [inline]
ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143
ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494
ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
"
1). In the link [1],
"
infiniband syz2: set down
"
This means that on 839.350575, the event ib_cache_event_task was sent andi
queued in ib_wq.
2). In the link [1],
"
team0 (unregistering): Port device team_slave_0 removed
"
It indicates that before 843.251853, the net device should be freed.
3). In the link [1],
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0
"
This means that on 850.559070, this slab-use-after-free problem occurred.
In all, on 839.350575, the event ib_cache_event_task was sent and queued
in ib_wq,
before 843.251853, the net device veth was freed.
on 850.559070, this event was executed, and the mentioned freed net device
was called. Thus, the above call trace occurred.
[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < 32ca3557d968e662957131374a5f81c9c9cdbba8
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 9f6f54e6a6863131442b40e14d1792b090c7ce21 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 2ac5415022d16d63d912a39a06f32f1f51140261 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57795",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-13T13:56:40.628550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T14:04:27.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe.c",
"drivers/infiniband/sw/rxe/rxe.h",
"drivers/infiniband/sw/rxe/rxe_mcast.c",
"drivers/infiniband/sw/rxe/rxe_net.c",
"drivers/infiniband/sw/rxe/rxe_verbs.c",
"drivers/infiniband/sw/rxe/rxe_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32ca3557d968e662957131374a5f81c9c9cdbba8",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "9f6f54e6a6863131442b40e14d1792b090c7ce21",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "2ac5415022d16d63d912a39a06f32f1f51140261",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe.c",
"drivers/infiniband/sw/rxe/rxe.h",
"drivers/infiniband/sw/rxe/rxe_mcast.c",
"drivers/infiniband/sw/rxe/rxe_net.c",
"drivers/infiniband/sw/rxe/rxe_verbs.c",
"drivers/infiniband/sw/rxe/rxe_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.9",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\"\n\n1). In the link [1],\n\n\"\n infiniband syz2: set down\n\"\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). In the link [1],\n\n\"\n team0 (unregistering): Port device team_slave_0 removed\n\"\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\"\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:59:08.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32ca3557d968e662957131374a5f81c9c9cdbba8"
},
{
"url": "https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21"
},
{
"url": "https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261"
}
],
"title": "RDMA/rxe: Remove the direct link to net_device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57795",
"datePublished": "2025-01-15T13:10:23.880Z",
"dateReserved": "2025-01-15T13:08:59.657Z",
"dateUpdated": "2026-05-11T20:59:08.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68800 (GCVE-0-2025-68800)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-16 16:50
VLAI?
EPSS
Title
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f38656d067257cc43b652958dd154e1ab0773701 , < b957366f5611bbaba03dd10ef861283347ddcc88
(git)
Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 6e367c361a523a4b54fe618215c64a0ee189caf0 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 5f2831fc593c2b2efbff7dd0dd7441cec76adcd5 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 216afc198484fde110ebeafc017992266f4596ce (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 4049a6ace209f4ed150429f86ae796d7d6a4c22b (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 8ac1dacec458f55f871f7153242ed6ab60373b90 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68800",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:50:11.101316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:50:24.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b957366f5611bbaba03dd10ef861283347ddcc88",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "6e367c361a523a4b54fe618215c64a0ee189caf0",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "5f2831fc593c2b2efbff7dd0dd7441cec76adcd5",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "216afc198484fde110ebeafc017992266f4596ce",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "4049a6ace209f4ed150429f86ae796d7d6a4c22b",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "8ac1dacec458f55f871f7153242ed6ab60373b90",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats\n\nCited commit added a dedicated mutex (instead of RTNL) to protect the\nmulticast route list, so that it will not change while the driver\nperiodically traverses it in order to update the kernel about multicast\nroute stats that were queried from the device.\n\nOne instance of list entry deletion (during route replace) was missed\nand it can result in a use-after-free [1].\n\nFix by acquiring the mutex before deleting the entry from the list and\nreleasing it afterwards.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\nRead of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043\n\nCPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)\nHardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017\nWorkqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xba/0x110\n print_report+0x174/0x4f5\n kasan_report+0xdf/0x110\n mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x70\n __kasan_slab_free+0x43/0x70\n kfree+0x14e/0x700\n mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:35.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88"
},
{
"url": "https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0"
},
{
"url": "https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73"
},
{
"url": "https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5"
},
{
"url": "https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce"
},
{
"url": "https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b"
},
{
"url": "https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90"
}
],
"title": "mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68800",
"datePublished": "2026-01-13T15:29:09.688Z",
"dateReserved": "2025-12-24T10:30:51.044Z",
"dateUpdated": "2026-06-16T16:50:24.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23086 (GCVE-0-2026-23086)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
vsock/virtio: cap TX credit to local buffer size
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: cap TX credit to local buffer size
The virtio transports derives its TX credit directly from peer_buf_alloc,
which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value.
On the host side this means that the amount of data we are willing to
queue for a connection is scaled by a guest-chosen buffer size, rather
than the host's own vsock configuration. A malicious guest can advertise
a large buffer and read slowly, causing the host to allocate a
correspondingly large amount of sk_buff memory.
The same thing would happen in the guest with a malicious host, since
virtio transports share the same code base.
Introduce a small helper, virtio_transport_tx_buf_size(), that
returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume
peer_buf_alloc.
This ensures the effective TX window is bounded by both the peer's
advertised buffer and our own buf_alloc (already clamped to
buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer
cannot force the other to queue more data than allowed by its own
vsock settings.
On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with
32 guest vsock connections advertising 2 GiB each and reading slowly
drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only
recovered after killing the QEMU process. That said, if QEMU memory is
limited with cgroups, the maximum memory used will be limited.
With this patch applied:
Before:
MemFree: ~61.6 GiB
Slab: ~142 MiB
SUnreclaim: ~117 MiB
After 32 high-credit connections:
MemFree: ~61.5 GiB
Slab: ~178 MiB
SUnreclaim: ~152 MiB
Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest
remains responsive.
Compatibility with non-virtio transports:
- VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per
socket based on the local vsk->buffer_* values; the remote side
cannot enlarge those queues beyond what the local endpoint
configured.
- Hyper-V's vsock transport uses fixed-size VMBus ring buffers and
an MTU bound; there is no peer-controlled credit field comparable
to peer_buf_alloc, and the remote endpoint cannot drive in-flight
kernel memory above those ring sizes.
- The loopback path reuses virtio_transport_common.c, so it
naturally follows the same semantics as the virtio transport.
This change is limited to virtio_transport_common.c and thus affects
virtio-vsock, vhost-vsock, and loopback, bringing them in line with the
"remote window intersected with local policy" behaviour that VMCI and
Hyper-V already effectively have.
[Stefano: small adjustments after changing the previous patch]
[Stefano: tweak the commit message]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
06a8fc78367d070720af960dcecec917d3ae5f3b , < fef7110ae5617555c792a2bb4d27878d84583adf
(git)
Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < d9d5f222558b42f6277eafaaa6080966faf37676 (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < 84ef86aa7120449828d1e0ce438c499014839711 (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < 8ee784fdf006cbe8739cfa093f54d326cbf54037 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23086",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:20.829487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:22.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fef7110ae5617555c792a2bb4d27878d84583adf",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "d9d5f222558b42f6277eafaaa6080966faf37676",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "84ef86aa7120449828d1e0ce438c499014839711",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "8ee784fdf006cbe8739cfa093f54d326cbf54037",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: cap TX credit to local buffer size\n\nThe virtio transports derives its TX credit directly from peer_buf_alloc,\nwhich is set from the remote endpoint\u0027s SO_VM_SOCKETS_BUFFER_SIZE value.\n\nOn the host side this means that the amount of data we are willing to\nqueue for a connection is scaled by a guest-chosen buffer size, rather\nthan the host\u0027s own vsock configuration. A malicious guest can advertise\na large buffer and read slowly, causing the host to allocate a\ncorrespondingly large amount of sk_buff memory.\nThe same thing would happen in the guest with a malicious host, since\nvirtio transports share the same code base.\n\nIntroduce a small helper, virtio_transport_tx_buf_size(), that\nreturns min(peer_buf_alloc, buf_alloc), and use it wherever we consume\npeer_buf_alloc.\n\nThis ensures the effective TX window is bounded by both the peer\u0027s\nadvertised buffer and our own buf_alloc (already clamped to\nbuffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer\ncannot force the other to queue more data than allowed by its own\nvsock settings.\n\nOn an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with\n32 guest vsock connections advertising 2 GiB each and reading slowly\ndrove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only\nrecovered after killing the QEMU process. That said, if QEMU memory is\nlimited with cgroups, the maximum memory used will be limited.\n\nWith this patch applied:\n\n Before:\n MemFree: ~61.6 GiB\n Slab: ~142 MiB\n SUnreclaim: ~117 MiB\n\n After 32 high-credit connections:\n MemFree: ~61.5 GiB\n Slab: ~178 MiB\n SUnreclaim: ~152 MiB\n\nOnly ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest\nremains responsive.\n\nCompatibility with non-virtio transports:\n\n - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per\n socket based on the local vsk-\u003ebuffer_* values; the remote side\n cannot enlarge those queues beyond what the local endpoint\n configured.\n\n - Hyper-V\u0027s vsock transport uses fixed-size VMBus ring buffers and\n an MTU bound; there is no peer-controlled credit field comparable\n to peer_buf_alloc, and the remote endpoint cannot drive in-flight\n kernel memory above those ring sizes.\n\n - The loopback path reuses virtio_transport_common.c, so it\n naturally follows the same semantics as the virtio transport.\n\nThis change is limited to virtio_transport_common.c and thus affects\nvirtio-vsock, vhost-vsock, and loopback, bringing them in line with the\n\"remote window intersected with local policy\" behaviour that VMCI and\nHyper-V already effectively have.\n\n[Stefano: small adjustments after changing the previous patch]\n[Stefano: tweak the commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:43.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf"
},
{
"url": "https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676"
},
{
"url": "https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce"
},
{
"url": "https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711"
},
{
"url": "https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037"
}
],
"title": "vsock/virtio: cap TX credit to local buffer size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23086",
"datePublished": "2026-02-04T16:08:10.047Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-06-11T18:44:22.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68756 (GCVE-0-2025-68756)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
blk_mq_{add,del}_queue_tag_set() functions add and remove queues from
tagset, the functions make sure that tagset and queues are marked as
shared when two or more queues are attached to the same tagset.
Initially a tagset starts as unshared and when the number of added
queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along
with all the queues attached to it. When the number of attached queues
drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and
the remaining queues as unshared.
Both functions need to freeze current queues in tagset before setting on
unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions
hold set->tag_list_lock mutex, which makes sense as we do not want
queues to be added or deleted in the process. This used to work fine
until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset")
made the nvme driver quiesce tagset instead of quiscing individual
queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in
set->tag_list while holding set->tag_list_lock also.
This results in deadlock between two threads with these stacktraces:
__schedule+0x47c/0xbb0
? timerqueue_add+0x66/0xb0
schedule+0x1c/0xa0
schedule_preempt_disabled+0xa/0x10
__mutex_lock.constprop.0+0x271/0x600
blk_mq_quiesce_tagset+0x25/0xc0
nvme_dev_disable+0x9c/0x250
nvme_timeout+0x1fc/0x520
blk_mq_handle_expired+0x5c/0x90
bt_iter+0x7e/0x90
blk_mq_queue_tag_busy_iter+0x27e/0x550
? __blk_mq_complete_request_remote+0x10/0x10
? __blk_mq_complete_request_remote+0x10/0x10
? __call_rcu_common.constprop.0+0x1c0/0x210
blk_mq_timeout_work+0x12d/0x170
process_one_work+0x12e/0x2d0
worker_thread+0x288/0x3a0
? rescuer_thread+0x480/0x480
kthread+0xb8/0xe0
? kthread_park+0x80/0x80
ret_from_fork+0x2d/0x50
? kthread_park+0x80/0x80
ret_from_fork_asm+0x11/0x20
__schedule+0x47c/0xbb0
? xas_find+0x161/0x1a0
schedule+0x1c/0xa0
blk_mq_freeze_queue_wait+0x3d/0x70
? destroy_sched_domains_rcu+0x30/0x30
blk_mq_update_tag_set_shared+0x44/0x80
blk_mq_exit_queue+0x141/0x150
del_gendisk+0x25a/0x2d0
nvme_ns_remove+0xc9/0x170
nvme_remove_namespaces+0xc7/0x100
nvme_remove+0x62/0x150
pci_device_remove+0x23/0x60
device_release_driver_internal+0x159/0x200
unbind_store+0x99/0xa0
kernfs_fop_write_iter+0x112/0x1e0
vfs_write+0x2b1/0x3d0
ksys_write+0x4e/0xb0
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The top stacktrace is showing nvme_timeout() called to handle nvme
command timeout. timeout handler is trying to disable the controller and
as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not
to call queue callback handlers. The thread is stuck waiting for
set->tag_list_lock as it tries to walk the queues in set->tag_list.
The lock is held by the second thread in the bottom stack which is
waiting for one of queues to be frozen. The queue usage counter will
drop to zero after nvme_timeout() finishes, and this will not happen
because the thread will wait for this mutex forever.
Given that [un]quiescing queue is an operation that does not need to
sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking
set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU
safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list)
in blk_mq_del_queue_tag_set() because we can not re-initialize it while
the list is being traversed under RCU. The deleted queue will not be
added/deleted to/from a tagset and it will be freed in blk_free_queue()
after the end of RCU grace period.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98d81f0df70ce6fc48517d938026e3c684b9051a , < ca8764c0ea1fb825f17f19704af55e9e02c9f768
(git)
Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < 3baeec23a82e7ee9691f434c6ab0ab1387326108 (git) Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < 6e8d363786765a81e35083e0909e076796468edf (git) Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < ef0cd7b694928573f6569e61c14f5f059253162e (git) Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < 59e25ef2b413c72da6686d431e7759302cfccafa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca8764c0ea1fb825f17f19704af55e9e02c9f768",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "3baeec23a82e7ee9691f434c6ab0ab1387326108",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "6e8d363786765a81e35083e0909e076796468edf",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "ef0cd7b694928573f6569e61c14f5f059253162e",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "59e25ef2b413c72da6686d431e7759302cfccafa",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Use RCU in blk_mq_[un]quiesce_tagset() instead of set-\u003etag_list_lock\n\nblk_mq_{add,del}_queue_tag_set() functions add and remove queues from\ntagset, the functions make sure that tagset and queues are marked as\nshared when two or more queues are attached to the same tagset.\nInitially a tagset starts as unshared and when the number of added\nqueues reaches two, blk_mq_add_queue_tag_set() marks it as shared along\nwith all the queues attached to it. When the number of attached queues\ndrops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and\nthe remaining queues as unshared.\n\nBoth functions need to freeze current queues in tagset before setting on\nunsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions\nhold set-\u003etag_list_lock mutex, which makes sense as we do not want\nqueues to be added or deleted in the process. This used to work fine\nuntil commit 98d81f0df70c (\"nvme: use blk_mq_[un]quiesce_tagset\")\nmade the nvme driver quiesce tagset instead of quiscing individual\nqueues. blk_mq_quiesce_tagset() does the job and quiesce the queues in\nset-\u003etag_list while holding set-\u003etag_list_lock also.\n\nThis results in deadlock between two threads with these stacktraces:\n\n __schedule+0x47c/0xbb0\n ? timerqueue_add+0x66/0xb0\n schedule+0x1c/0xa0\n schedule_preempt_disabled+0xa/0x10\n __mutex_lock.constprop.0+0x271/0x600\n blk_mq_quiesce_tagset+0x25/0xc0\n nvme_dev_disable+0x9c/0x250\n nvme_timeout+0x1fc/0x520\n blk_mq_handle_expired+0x5c/0x90\n bt_iter+0x7e/0x90\n blk_mq_queue_tag_busy_iter+0x27e/0x550\n ? __blk_mq_complete_request_remote+0x10/0x10\n ? __blk_mq_complete_request_remote+0x10/0x10\n ? __call_rcu_common.constprop.0+0x1c0/0x210\n blk_mq_timeout_work+0x12d/0x170\n process_one_work+0x12e/0x2d0\n worker_thread+0x288/0x3a0\n ? rescuer_thread+0x480/0x480\n kthread+0xb8/0xe0\n ? kthread_park+0x80/0x80\n ret_from_fork+0x2d/0x50\n ? kthread_park+0x80/0x80\n ret_from_fork_asm+0x11/0x20\n\n __schedule+0x47c/0xbb0\n ? xas_find+0x161/0x1a0\n schedule+0x1c/0xa0\n blk_mq_freeze_queue_wait+0x3d/0x70\n ? destroy_sched_domains_rcu+0x30/0x30\n blk_mq_update_tag_set_shared+0x44/0x80\n blk_mq_exit_queue+0x141/0x150\n del_gendisk+0x25a/0x2d0\n nvme_ns_remove+0xc9/0x170\n nvme_remove_namespaces+0xc7/0x100\n nvme_remove+0x62/0x150\n pci_device_remove+0x23/0x60\n device_release_driver_internal+0x159/0x200\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x112/0x1e0\n vfs_write+0x2b1/0x3d0\n ksys_write+0x4e/0xb0\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe top stacktrace is showing nvme_timeout() called to handle nvme\ncommand timeout. timeout handler is trying to disable the controller and\nas a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not\nto call queue callback handlers. The thread is stuck waiting for\nset-\u003etag_list_lock as it tries to walk the queues in set-\u003etag_list.\n\nThe lock is held by the second thread in the bottom stack which is\nwaiting for one of queues to be frozen. The queue usage counter will\ndrop to zero after nvme_timeout() finishes, and this will not happen\nbecause the thread will wait for this mutex forever.\n\nGiven that [un]quiescing queue is an operation that does not need to\nsleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking\nset-\u003etag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU\nsafe list operations. Also, delete INIT_LIST_HEAD(\u0026q-\u003etag_set_list)\nin blk_mq_del_queue_tag_set() because we can not re-initialize it while\nthe list is being traversed under RCU. The deleted queue will not be\nadded/deleted to/from a tagset and it will be freed in blk_free_queue()\nafter the end of RCU grace period."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:44.585Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca8764c0ea1fb825f17f19704af55e9e02c9f768"
},
{
"url": "https://git.kernel.org/stable/c/3baeec23a82e7ee9691f434c6ab0ab1387326108"
},
{
"url": "https://git.kernel.org/stable/c/6e8d363786765a81e35083e0909e076796468edf"
},
{
"url": "https://git.kernel.org/stable/c/ef0cd7b694928573f6569e61c14f5f059253162e"
},
{
"url": "https://git.kernel.org/stable/c/59e25ef2b413c72da6686d431e7759302cfccafa"
}
],
"title": "block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set-\u003etag_list_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68756",
"datePublished": "2026-01-05T09:32:29.824Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-05-11T21:52:44.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46333 (GCVE-0-2026-46333)
Vulnerability from cvelistv5 – Published: 2026-05-15 12:58 – Updated: 2026-07-01 12:05
VLAI?
EPSS
Title
ptrace: slightly saner 'get_dumpable()' logic
Summary
In the Linux kernel, the following vulnerability has been resolved:
ptrace: slightly saner 'get_dumpable()' logic
The 'dumpability' of a task is fundamentally about the memory image of
the task - the concept comes from whether it can core dump or not - and
makes no sense when you don't have an associated mm.
And almost all users do in fact use it only for the case where the task
has a mm pointer.
But we have one odd special case: ptrace_may_access() uses 'dumpable' to
check various other things entirely independently of the MM (typically
explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
threads that no longer have a VM (and maybe never did, like most kernel
threads).
It's not what this flag was designed for, but it is what it is.
The ptrace code does check that the uid/gid matches, so you do have to
be uid-0 to see kernel thread details, but this means that the
traditional "drop capabilities" model doesn't make any difference for
this all.
Make it all make a *bit* more sense by saying that if you don't have a
MM pointer, we'll use a cached "last dumpability" flag if the thread
ever had a MM (it will be zero for kernel threads since it is never
set), and require a proper CAP_SYS_PTRACE capability to override.
Severity ?
7.1 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6
(git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 15b828a46f305ae9f05a7c16914b3ce273474205 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 4709234fd1b95136ceb789f639b1e7ea5de1b181 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 8f907d345bae8f4b3f004c5abc56bf2dfb851ea7 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 2a93a4fac7b6051d3be7cd1b015fe7320cd0404d (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 01363cb3fbd0238ffdeb09f53e9039c9edf8a730 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a (git) Affected: d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12 (git) Affected: 03eed7afbc09e061f66b448daf7863174c3dc3f3 (git) Affected: e45692fa1aea06676449b63ef3c2b6e1e72b7578 (git) Affected: 694a95fa6dae4991f16cda333d897ea063021fed (git) Affected: 3.16.52 , < 3.17 (semver) Affected: 4.4.40 , < 4.5 (semver) Affected: 4.8.16 , < 4.9 (semver) Affected: 4.9.1 , < 4.10 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-20T18:47:13.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/15/9"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00032.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00035.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/20/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/20/16"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46333",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:24.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el8",
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-15T05:55:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully terminates. Successful exploitation may lead to the disclosure of sensitive data such as SSH host private keys or /etc/shadow contents."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T12:05:06.860Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46333"
},
{
"name": "RHBZ#2477802",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477802"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46333.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19540"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21701"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21702"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20299"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19705"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20593"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20054"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20129"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19666"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23470"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20130"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20051"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19521"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23471"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23469"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24814"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23468"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19664"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19711"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19875"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:19540: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:21701: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:21702: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:20299: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19705: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:20593: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:20054: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20129: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19666: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:23470: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:20130: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20051: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19521: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:23471: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:23469: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:24814: Red Hat Enterprise Linux BaseOS E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:23468: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19664: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:19711: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19875: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T08:27:21.590Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-15T05:55:00.000Z",
"value": "Made public."
}
],
"title": "kernel: Read root-owned files as an unprivileged user",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/sched.h",
"kernel/exit.c",
"kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "15b828a46f305ae9f05a7c16914b3ce273474205",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "4709234fd1b95136ceb789f639b1e7ea5de1b181",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "8f907d345bae8f4b3f004c5abc56bf2dfb851ea7",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "2a93a4fac7b6051d3be7cd1b015fe7320cd0404d",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "01363cb3fbd0238ffdeb09f53e9039c9edf8a730",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"status": "affected",
"version": "d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12",
"versionType": "git"
},
{
"status": "affected",
"version": "03eed7afbc09e061f66b448daf7863174c3dc3f3",
"versionType": "git"
},
{
"status": "affected",
"version": "e45692fa1aea06676449b63ef3c2b6e1e72b7578",
"versionType": "git"
},
{
"status": "affected",
"version": "694a95fa6dae4991f16cda333d897ea063021fed",
"versionType": "git"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.52",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.40",
"versionType": "semver"
},
{
"lessThan": "4.9",
"status": "affected",
"version": "4.8.16",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/sched.h",
"kernel/exit.c",
"kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.256",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.207",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.173",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.139",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.89",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.31",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.8",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptrace: slightly saner \u0027get_dumpable()\u0027 logic\n\nThe \u0027dumpability\u0027 of a task is fundamentally about the memory image of\nthe task - the concept comes from whether it can core dump or not - and\nmakes no sense when you don\u0027t have an associated mm.\n\nAnd almost all users do in fact use it only for the case where the task\nhas a mm pointer.\n\nBut we have one odd special case: ptrace_may_access() uses \u0027dumpable\u0027 to\ncheck various other things entirely independently of the MM (typically\nexplicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for\nthreads that no longer have a VM (and maybe never did, like most kernel\nthreads).\n\nIt\u0027s not what this flag was designed for, but it is what it is.\n\nThe ptrace code does check that the uid/gid matches, so you do have to\nbe uid-0 to see kernel thread details, but this means that the\ntraditional \"drop capabilities\" model doesn\u0027t make any difference for\nthis all.\n\nMake it all make a *bit* more sense by saying that if you don\u0027t have a\nMM pointer, we\u0027ll use a cached \"last dumpability\" flag if the thread\never had a MM (it will be zero for kernel threads since it is never\nset), and require a proper CAP_SYS_PTRACE capability to override."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:28.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6"
},
{
"url": "https://git.kernel.org/stable/c/15b828a46f305ae9f05a7c16914b3ce273474205"
},
{
"url": "https://git.kernel.org/stable/c/4709234fd1b95136ceb789f639b1e7ea5de1b181"
},
{
"url": "https://git.kernel.org/stable/c/8f907d345bae8f4b3f004c5abc56bf2dfb851ea7"
},
{
"url": "https://git.kernel.org/stable/c/6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d"
},
{
"url": "https://git.kernel.org/stable/c/2a93a4fac7b6051d3be7cd1b015fe7320cd0404d"
},
{
"url": "https://git.kernel.org/stable/c/01363cb3fbd0238ffdeb09f53e9039c9edf8a730"
},
{
"url": "https://git.kernel.org/stable/c/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a"
}
],
"title": "ptrace: slightly saner \u0027get_dumpable()\u0027 logic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46333",
"datePublished": "2026-05-15T12:58:44.599Z",
"dateReserved": "2026-05-13T15:03:33.113Z",
"dateUpdated": "2026-07-01T12:05:06.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23006 (GCVE-0-2026-23006)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-05-11 21:58
VLAI?
EPSS
Title
ASoC: tlv320adcx140: fix null pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: tlv320adcx140: fix null pointer
The "snd_soc_component" in "adcx140_priv" was only used once but never
set. It was only used for reaching "dev" which is already present in
"adcx140_priv".
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4e82971f7b556cff3491c867e8840e7d788693b9 , < 954260a32c21d5072d8e7253c0a8b1627927cb02
(git)
Affected: 4e82971f7b556cff3491c867e8840e7d788693b9 , < 659939d08e5f7bc17b941c53e8c9c0a6c6113b21 (git) Affected: 4e82971f7b556cff3491c867e8840e7d788693b9 , < 61757f5191daab863d25f03680e912b5449a1eed (git) Affected: 4e82971f7b556cff3491c867e8840e7d788693b9 , < 53bd838ed5950cb18927e4b2e8ee841b7cb10929 (git) Affected: 4e82971f7b556cff3491c867e8840e7d788693b9 , < be7664c81d3129fc313ef62ff275fd3d33cfecd4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/tlv320adcx140.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "954260a32c21d5072d8e7253c0a8b1627927cb02",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
},
{
"lessThan": "659939d08e5f7bc17b941c53e8c9c0a6c6113b21",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
},
{
"lessThan": "61757f5191daab863d25f03680e912b5449a1eed",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
},
{
"lessThan": "53bd838ed5950cb18927e4b2e8ee841b7cb10929",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
},
{
"lessThan": "be7664c81d3129fc313ef62ff275fd3d33cfecd4",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/tlv320adcx140.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: tlv320adcx140: fix null pointer\n\nThe \"snd_soc_component\" in \"adcx140_priv\" was only used once but never\nset. It was only used for reaching \"dev\" which is already present in\n\"adcx140_priv\"."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:10.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/954260a32c21d5072d8e7253c0a8b1627927cb02"
},
{
"url": "https://git.kernel.org/stable/c/659939d08e5f7bc17b941c53e8c9c0a6c6113b21"
},
{
"url": "https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed"
},
{
"url": "https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929"
},
{
"url": "https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4"
}
],
"title": "ASoC: tlv320adcx140: fix null pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23006",
"datePublished": "2026-01-25T14:36:19.819Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-05-11T21:58:10.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23116 (GCVE-0-2026-23116)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset
and clock enable bits, but is ungated and reset together with the VPUs.
So we can't reset G1 or G2 separately, it may led to the system hang.
Remove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data.
Let imx8mq_vpu_power_notifier() do really vpu reset.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
608d7c325e855cb4a853afef3cd9f0df594bd12d , < 8859e336d233e61a4c40d40dc6a9f21e8b9b719c
(git)
Affected: 608d7c325e855cb4a853afef3cd9f0df594bd12d , < cad7003d951e8899db58ee2fef211586af726f09 (git) Affected: 608d7c325e855cb4a853afef3cd9f0df594bd12d , < 5c56a6f4b5a4f87c094c92a30fa17e28e37ec2ab (git) Affected: 608d7c325e855cb4a853afef3cd9f0df594bd12d , < fd675de6bddf7e9bdf42ae3929d4c27ba6d1ef76 (git) Affected: 608d7c325e855cb4a853afef3cd9f0df594bd12d , < 3de49966499634454fd59e0e6fecd50baab7febd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8m-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8859e336d233e61a4c40d40dc6a9f21e8b9b719c",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
},
{
"lessThan": "cad7003d951e8899db58ee2fef211586af726f09",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
},
{
"lessThan": "5c56a6f4b5a4f87c094c92a30fa17e28e37ec2ab",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
},
{
"lessThan": "fd675de6bddf7e9bdf42ae3929d4c27ba6d1ef76",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
},
{
"lessThan": "3de49966499634454fd59e0e6fecd50baab7febd",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8m-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu\n\nFor i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset\nand clock enable bits, but is ungated and reset together with the VPUs.\nSo we can\u0027t reset G1 or G2 separately, it may led to the system hang.\nRemove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data.\nLet imx8mq_vpu_power_notifier() do really vpu reset."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:26.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8859e336d233e61a4c40d40dc6a9f21e8b9b719c"
},
{
"url": "https://git.kernel.org/stable/c/cad7003d951e8899db58ee2fef211586af726f09"
},
{
"url": "https://git.kernel.org/stable/c/5c56a6f4b5a4f87c094c92a30fa17e28e37ec2ab"
},
{
"url": "https://git.kernel.org/stable/c/fd675de6bddf7e9bdf42ae3929d4c27ba6d1ef76"
},
{
"url": "https://git.kernel.org/stable/c/3de49966499634454fd59e0e6fecd50baab7febd"
}
],
"title": "pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23116",
"datePublished": "2026-02-14T15:09:48.511Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-05-11T22:00:26.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68757 (GCVE-0-2025-68757)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
drm/vgem-fence: Fix potential deadlock on release
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vgem-fence: Fix potential deadlock on release
A timer that expires a vgem fence automatically in 10 seconds is now
released with timer_delete_sync() from fence->ops.release() called on last
dma_fence_put(). In some scenarios, it can run in IRQ context, which is
not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was
demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while
working on new IGT subtests syncobj_timeline@stress-* as user space
replacements of some problematic test cases of a dma-fence-chain selftest
[1].
[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.004426]
other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436] <Interrupt>
[117.004438] lock((&fence->timer));
[117.004440]
*** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450]
stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456] <IRQ>
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irq_work_r
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4077798484459a2eced2050045099a466ecb618a , < 37289a18099fc7ce916933bd542926a7334791a3
(git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 489b2158aec92a3fc256d70992416869f86e16e0 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 338e388c0d80ffc04963b6b0ec702ffdfd2c4eba (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 4f335cb8fad69b2be5accf0ebac3a8b345915f4e (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 1f0ca9d3e7c38a39f1f12377c24decf0bba46e54 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 78b4d6463e9e69e5103f98b367f8984ad12cdc6f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "37289a18099fc7ce916933bd542926a7334791a3",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "489b2158aec92a3fc256d70992416869f86e16e0",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "338e388c0d80ffc04963b6b0ec702ffdfd2c4eba",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "4f335cb8fad69b2be5accf0ebac3a8b345915f4e",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1f0ca9d3e7c38a39f1f12377c24decf0bba46e54",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "78b4d6463e9e69e5103f98b367f8984ad12cdc6f",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence-\u003eops.release() called on last\ndma_fence_put(). In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used. One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -\u003e {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363] lock_acquire+0xc4/0x2e0\n[117.004366] call_timer_fn+0x80/0x2a0\n[117.004368] __run_timers+0x231/0x310\n[117.004370] run_timer_softirq+0x76/0xe0\n[117.004372] handle_softirqs+0xd4/0x4d0\n[117.004375] __irq_exit_rcu+0x13f/0x160\n[117.004377] irq_exit_rcu+0xe/0x20\n[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385] cpuidle_enter_state+0x12b/0x8a0\n[117.004388] cpuidle_enter+0x2e/0x50\n[117.004393] call_cpuidle+0x22/0x60\n[117.004395] do_idle+0x1fd/0x260\n[117.004398] cpu_startup_entry+0x29/0x30\n[117.004401] start_secondary+0x12d/0x160\n[117.004404] common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last enabled at (2282668): [\u003cffffffff8289db71\u003e] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [\u003cffffffff82882021\u003e] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last enabled at (2254702): [\u003cffffffff8289fd00\u003e] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [\u003cffffffff813d4ddf\u003e] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429] Possible unsafe locking scenario:\n[117.004432] CPU0\n[117.004433] ----\n[117.004434] lock((\u0026fence-\u003etimer));\n[117.004436] \u003cInterrupt\u003e\n[117.004438] lock((\u0026fence-\u003etimer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445] #0: ffffc90000003d50 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456] \u003cIRQ\u003e\n[117.004457] dump_stack_lvl+0x91/0xf0\n[117.004460] dump_stack+0x10/0x20\n[117.004461] print_usage_bug.part.0+0x260/0x360\n[117.004463] mark_lock+0x76e/0x9c0\n[117.004465] ? register_lock_class+0x48/0x4a0\n[117.004467] __lock_acquire+0xbc3/0x2860\n[117.004469] lock_acquire+0xc4/0x2e0\n[117.004470] ? __timer_delete_sync+0x4b/0x190\n[117.004472] ? __timer_delete_sync+0x4b/0x190\n[117.004473] __timer_delete_sync+0x68/0x190\n[117.004474] ? __timer_delete_sync+0x4b/0x190\n[117.004475] timer_delete_sync+0x10/0x20\n[117.004476] vgem_fence_release+0x19/0x30 [vgem]\n[117.004478] dma_fence_release+0xc1/0x3b0\n[117.004480] ? dma_fence_release+0xa1/0x3b0\n[117.004481] dma_fence_chain_release+0xe7/0x130\n[117.004483] dma_fence_release+0xc1/0x3b0\n[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485] dma_fence_chain_irq_work+0x59/0x80\n[117.004487] irq_work_single+0x75/0xa0\n[117.004490] irq_work_r\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:45.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3"
},
{
"url": "https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0"
},
{
"url": "https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a"
},
{
"url": "https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0"
},
{
"url": "https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"
},
{
"url": "https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e"
},
{
"url": "https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"
},
{
"url": "https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f"
}
],
"title": "drm/vgem-fence: Fix potential deadlock on release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68757",
"datePublished": "2026-01-05T09:32:30.496Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-05-11T21:52:45.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68351 (GCVE-0-2025-68351)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-27 09:28
VLAI?
EPSS
Title
exfat: fix refcount leak in exfat_find
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix refcount leak in exfat_find
Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.
Function `exfat_get_dentry_set` would increase the reference counter of
`es->bh` on success. Therefore, `exfat_put_dentry_set` must be called
after `exfat_get_dentry_set` to ensure refcount consistency. This patch
relocate two checks to avoid possible leaks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
92075758782c5edb4c67d0da9e47586a624c22f7 , < fc9ce762525e73438d31b613f18bca92a4d3d578
(git)
Affected: 13940cef95491472760ca261b6713692ece9b946 , < d009ff8959d28d2a33aeb96a5f7e7161c421d78f (git) Affected: 13940cef95491472760ca261b6713692ece9b946 , < 9aee8de970f18c2aaaa348e3de86c38e2d956c1d (git) Affected: 0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d (git) Affected: 6c627bcc1896ba62ec793d0c00da74f3c93ce3ad (git) Affected: 6.12.23 , < 6.12.68 (semver) Affected: 6.13.11 , < 6.14 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc9ce762525e73438d31b613f18bca92a4d3d578",
"status": "affected",
"version": "92075758782c5edb4c67d0da9e47586a624c22f7",
"versionType": "git"
},
{
"lessThan": "d009ff8959d28d2a33aeb96a5f7e7161c421d78f",
"status": "affected",
"version": "13940cef95491472760ca261b6713692ece9b946",
"versionType": "git"
},
{
"lessThan": "9aee8de970f18c2aaaa348e3de86c38e2d956c1d",
"status": "affected",
"version": "13940cef95491472760ca261b6713692ece9b946",
"versionType": "git"
},
{
"status": "affected",
"version": "0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d",
"versionType": "git"
},
{
"status": "affected",
"version": "6c627bcc1896ba62ec793d0c00da74f3c93ce3ad",
"versionType": "git"
},
{
"lessThan": "6.12.68",
"status": "affected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.12.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix refcount leak in exfat_find\n\nFix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.\n\nFunction `exfat_get_dentry_set` would increase the reference counter of\n`es-\u003ebh` on success. Therefore, `exfat_put_dentry_set` must be called\nafter `exfat_get_dentry_set` to ensure refcount consistency. This patch\nrelocate two checks to avoid possible leaks."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T09:28:13.537Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc9ce762525e73438d31b613f18bca92a4d3d578"
},
{
"url": "https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f"
},
{
"url": "https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d"
}
],
"title": "exfat: fix refcount leak in exfat_find",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68351",
"datePublished": "2025-12-24T10:32:42.683Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-05-27T09:28:13.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68759 (GCVE-0-2025-68759)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA
allocations in a loop. When an allocation fails, the previously
successful allocations are not freed on exit.
Fix that by jumping to err_free_rings label on error, which calls
rtl8180_free_rx_ring() to free the allocations. Remove the free of
rx_ring in rtl8180_init_rx_ring() error path, and set the freed
priv->rx_buf entry to null, to avoid double free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f653211197f3841f383fa9757ef8ce182c6cf627 , < 3677c01891fb0239361e444afee8398868e34bdf
(git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 89caaeee8dd95fae8bb4f4964e6fe3ca688500c4 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a4fb7cca9837378878e6c94d9e7af019c8fdfcdb (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < bf8513dfa31ea015c9cf415796dca2113d293840 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < ee7db11742b30641f21306105ad27a275e3c61d7 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a813a74570212cb5f3a7d3b05c0cb0cd00bace1d (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < c9d1c4152e6d32fa74034464854bee262a60bc43 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 9b5b9c042b30befc5b37e4539ace95af70843473 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3677c01891fb0239361e444afee8398868e34bdf",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "89caaeee8dd95fae8bb4f4964e6fe3ca688500c4",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a4fb7cca9837378878e6c94d9e7af019c8fdfcdb",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "bf8513dfa31ea015c9cf415796dca2113d293840",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "ee7db11742b30641f21306105ad27a275e3c61d7",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a813a74570212cb5f3a7d3b05c0cb0cd00bace1d",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "c9d1c4152e6d32fa74034464854bee262a60bc43",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "9b5b9c042b30befc5b37e4539ace95af70843473",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()\n\nIn rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA\nallocations in a loop. When an allocation fails, the previously\nsuccessful allocations are not freed on exit.\n\nFix that by jumping to err_free_rings label on error, which calls\nrtl8180_free_rx_ring() to free the allocations. Remove the free of\nrx_ring in rtl8180_init_rx_ring() error path, and set the freed\npriv-\u003erx_buf entry to null, to avoid double free."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:48.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3677c01891fb0239361e444afee8398868e34bdf"
},
{
"url": "https://git.kernel.org/stable/c/89caaeee8dd95fae8bb4f4964e6fe3ca688500c4"
},
{
"url": "https://git.kernel.org/stable/c/a4fb7cca9837378878e6c94d9e7af019c8fdfcdb"
},
{
"url": "https://git.kernel.org/stable/c/bf8513dfa31ea015c9cf415796dca2113d293840"
},
{
"url": "https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7"
},
{
"url": "https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d"
},
{
"url": "https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43"
},
{
"url": "https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473"
}
],
"title": "wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68759",
"datePublished": "2026-01-05T09:32:32.174Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-05-11T21:52:48.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23191 (GCVE-0-2026-23191)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-06-16 20:20
VLAI?
EPSS
Title
ALSA: aloop: Fix racy access at PCM trigger
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.
For addressing the UAF, this patch changes two things:
- It covers the most of code in loopback_check_format() with
cable->lock spinlock, and add the proper NULL checks. This avoids
already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream
that may be stopped in this function, which was the major pain point
leading to UAF.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b1c73fc8e697eb73e23603e465e9af2711ed4183 , < bad15420050db1803767e58756114800cce91ea4
(git)
Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 5727ccf9d19ca414cb76d9b647883822e2789c2e (git) Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 826af7fa62e347464b1b4e0ba2fe19a92438084f (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:20:28.206628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:20:36.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bad15420050db1803767e58756114800cce91ea4",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
},
{
"lessThan": "5727ccf9d19ca414cb76d9b647883822e2789c2e",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
},
{
"lessThan": "826af7fa62e347464b1b4e0ba2fe19a92438084f",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable-\u003elock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:05.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"
},
{
"url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"
},
{
"url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"
}
],
"title": "ALSA: aloop: Fix racy access at PCM trigger",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23191",
"datePublished": "2026-02-14T16:27:18.882Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-06-16T20:20:36.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46000 (GCVE-0-2026-46000)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:55 – Updated: 2026-06-14 17:47
VLAI?
EPSS
Title
rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).
Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
17926a79320afa9b95df6b977b40cca6d8713cea , < c0428a22daf69714dc042b67ea759956b74c74e5
(git)
Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 98a2046d155f73f6cf5d2c493c5e09b4963e2e12 (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < ca71ac2de389b01eecdc48bfafbdf073ec232044 (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < d9b93a0f57ca5f6831bfaa34014b6cd705564a00 (git) Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 24481a7f573305706054c59e275371f8d0fe919f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0428a22daf69714dc042b67ea759956b74c74e5",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "98a2046d155f73f6cf5d2c493c5e09b4963e2e12",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "ca71ac2de389b01eecdc48bfafbdf073ec232044",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "d9b93a0f57ca5f6831bfaa34014b6cd705564a00",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "24481a7f573305706054c59e275371f8d0fe919f",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix conn-level packet handling to unshare RESPONSE packets\n\nThe security operations that verify the RESPONSE packets decrypt bits of it\nin place - however, the sk_buff may be shared with a packet sniffer, which\nwould lead to the sniffer seeing an apparently corrupt packet (actually\ndecrypted).\n\nFix this by handing a copy of the packet off to the specific security\nhandler if the packet was cloned."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:47:13.061Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5"
},
{
"url": "https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12"
},
{
"url": "https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044"
},
{
"url": "https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00"
},
{
"url": "https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f"
}
],
"title": "rxrpc: Fix conn-level packet handling to unshare RESPONSE packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46000",
"datePublished": "2026-05-27T12:55:55.288Z",
"dateReserved": "2026-05-13T15:03:33.091Z",
"dateUpdated": "2026-06-14T17:47:13.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22977 (GCVE-0-2026-22977)
Vulnerability from cvelistv5 – Published: 2026-01-21 13:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
net: sock: fix hardened usercopy panic in sock_recv_errqueue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sock: fix hardened usercopy panic in sock_recv_errqueue
skbuff_fclone_cache was created without defining a usercopy region,
[1] unlike skbuff_head_cache which properly whitelists the cb[] field.
[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is
enabled and the kernel attempts to copy sk_buff.cb data to userspace
via sock_recv_errqueue() -> put_cmsg().
The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()
(from skbuff_fclone_cache) [1]
2. The skb is cloned via skb_clone() using the pre-allocated fclone
[3] 3. The cloned skb is queued to sk_error_queue for timestamp
reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)
5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb
[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no
usercopy whitelist [5]
When cloned skbs allocated from skbuff_fclone_cache are used in the
socket error queue, accessing the sock_exterr_skb structure in skb->cb
via put_cmsg() triggers a usercopy hardening violation:
[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)!
[ 5.382796] kernel BUG at mm/usercopy.c:102!
[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7
[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80
[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490
[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246
[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74
[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0
[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74
[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001
[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00
[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000
[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0
[ 5.384903] PKRU: 55555554
[ 5.384903] Call Trace:
[ 5.384903] <TASK>
[ 5.384903] __check_heap_object+0x9a/0xd0
[ 5.384903] __check_object_size+0x46c/0x690
[ 5.384903] put_cmsg+0x129/0x5e0
[ 5.384903] sock_recv_errqueue+0x22f/0x380
[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? schedule+0x6d/0x270
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? mutex_unlock+0x81/0xd0
[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10
[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10
[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0
[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
The crash offset 296 corresponds to skb2->cb within skbuff_fclones:
- sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -
offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =
272 + 24 (inside sock_exterr_skb.ee)
This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.
[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885
[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104
[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566
[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491
[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6d07d1cd300f4c7e16005f881fea388164999cc8 , < 88dd6be7ebb3153b662c2cebcb06e032a92857f5
(git)
Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < c655d2167bf014d4c61b4faeca59b60ff9b9f6b1 (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < 8c6901aa29626e35045130bac09b75f791acca85 (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < 582a5e922a9652fcbb7d0165c95d5b20aa37575d (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < 005671c60fcf1dbdb8bddf12a62568fd5e4ec391 (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < e00b169eaac5f7cdbf710c354c8fa76d02009115 (git) Affected: 6d07d1cd300f4c7e16005f881fea388164999cc8 , < 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:47.626Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22977",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:47.988660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:16.270Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88dd6be7ebb3153b662c2cebcb06e032a92857f5",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "c655d2167bf014d4c61b4faeca59b60ff9b9f6b1",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "8c6901aa29626e35045130bac09b75f791acca85",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "582a5e922a9652fcbb7d0165c95d5b20aa37575d",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "005671c60fcf1dbdb8bddf12a62568fd5e4ec391",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "e00b169eaac5f7cdbf710c354c8fa76d02009115",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sock: fix hardened usercopy panic in sock_recv_errqueue\n\nskbuff_fclone_cache was created without defining a usercopy region,\n[1] unlike skbuff_head_cache which properly whitelists the cb[] field.\n[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is\nenabled and the kernel attempts to copy sk_buff.cb data to userspace\nvia sock_recv_errqueue() -\u003e put_cmsg().\n\nThe crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()\n (from skbuff_fclone_cache) [1]\n2. The skb is cloned via skb_clone() using the pre-allocated fclone\n[3] 3. The cloned skb is queued to sk_error_queue for timestamp\nreporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)\n5. sock_recv_errqueue() calls put_cmsg() to copy serr-\u003eee from skb-\u003ecb\n[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no\n usercopy whitelist [5]\n\nWhen cloned skbs allocated from skbuff_fclone_cache are used in the\nsocket error queue, accessing the sock_exterr_skb structure in skb-\u003ecb\nvia put_cmsg() triggers a usercopy hardening violation:\n\n[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object \u0027skbuff_fclone_cache\u0027 (offset 296, size 16)!\n[ 5.382796] kernel BUG at mm/usercopy.c:102!\n[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7\n[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80\n[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff \u003c0f\u003e 0b 490\n[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246\n[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74\n[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0\n[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74\n[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001\n[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00\n[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000\n[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0\n[ 5.384903] PKRU: 55555554\n[ 5.384903] Call Trace:\n[ 5.384903] \u003cTASK\u003e\n[ 5.384903] __check_heap_object+0x9a/0xd0\n[ 5.384903] __check_object_size+0x46c/0x690\n[ 5.384903] put_cmsg+0x129/0x5e0\n[ 5.384903] sock_recv_errqueue+0x22f/0x380\n[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5.384903] ? schedule+0x6d/0x270\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5.384903] ? mutex_unlock+0x81/0xd0\n[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10\n[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10\n[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0\n[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n\nThe crash offset 296 corresponds to skb2-\u003ecb within skbuff_fclones:\n - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -\n offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =\n 272 + 24 (inside sock_exterr_skb.ee)\n\nThis patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.\n\n[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885\n[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104\n[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566\n[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491\n[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:36.693Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88dd6be7ebb3153b662c2cebcb06e032a92857f5"
},
{
"url": "https://git.kernel.org/stable/c/c655d2167bf014d4c61b4faeca59b60ff9b9f6b1"
},
{
"url": "https://git.kernel.org/stable/c/8c6901aa29626e35045130bac09b75f791acca85"
},
{
"url": "https://git.kernel.org/stable/c/582a5e922a9652fcbb7d0165c95d5b20aa37575d"
},
{
"url": "https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391"
},
{
"url": "https://git.kernel.org/stable/c/e00b169eaac5f7cdbf710c354c8fa76d02009115"
},
{
"url": "https://git.kernel.org/stable/c/2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20"
}
],
"title": "net: sock: fix hardened usercopy panic in sock_recv_errqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22977",
"datePublished": "2026-01-21T13:08:54.858Z",
"dateReserved": "2026-01-13T15:37:45.935Z",
"dateUpdated": "2026-06-11T18:44:16.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68291 (GCVE-0-2025-68291)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-05-11 21:50
VLAI?
EPSS
Title
mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
syzbot reported divide-by-zero in __tcp_select_window() by
MPTCP socket. [0]
We had a similar issue for the bare TCP and fixed in commit
499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead
of 0").
Let's apply the same fix to mptcp_do_fastclose().
[0]:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336
Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00
RSP: 0018:ffffc90003017640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028
R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0
Call Trace:
<TASK>
tcp_select_window net/ipv4/tcp_output.c:281 [inline]
__tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568
tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]
tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836
mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793
mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253
mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776
mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0xe5/0x270 net/socket.c:742
__sys_sendto+0x3bd/0x520 net/socket.c:2244
__do_sys_sendto net/socket.c:2251 [inline]
__se_sys_sendto net/socket.c:2247 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2247
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66e998f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006
</TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9ea05fabce31ff93a0adae8221c58bc6d7b832f3 , < 46b8b58f93f1b383c3840fc6e8fab6c3bce9295f
(git)
Affected: 3a13454fd098ed51e733958488f8ec62859a9ed8 , < eee39f83246a81d970a9ecb7392b7ab74e660094 (git) Affected: f6fb2cbc91a81178dea23d463503b4525a76825d , < 05f5e26d488cdc7abc2a826cf1071782d5a21203 (git) Affected: c4f7b0916b95fd2226e5ab98882482b08f52e1c0 , < 88163f85d59b4164884df900ee171720fd26686b (git) Affected: ae155060247be8dcae3802a95bd1bdf93ab3215d , < f07f4ea53e22429c84b20832fa098b5ecc0d4e35 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46b8b58f93f1b383c3840fc6e8fab6c3bce9295f",
"status": "affected",
"version": "9ea05fabce31ff93a0adae8221c58bc6d7b832f3",
"versionType": "git"
},
{
"lessThan": "eee39f83246a81d970a9ecb7392b7ab74e660094",
"status": "affected",
"version": "3a13454fd098ed51e733958488f8ec62859a9ed8",
"versionType": "git"
},
{
"lessThan": "05f5e26d488cdc7abc2a826cf1071782d5a21203",
"status": "affected",
"version": "f6fb2cbc91a81178dea23d463503b4525a76825d",
"versionType": "git"
},
{
"lessThan": "88163f85d59b4164884df900ee171720fd26686b",
"status": "affected",
"version": "c4f7b0916b95fd2226e5ab98882482b08f52e1c0",
"versionType": "git"
},
{
"lessThan": "f07f4ea53e22429c84b20832fa098b5ecc0d4e35",
"status": "affected",
"version": "ae155060247be8dcae3802a95bd1bdf93ab3215d",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThan": "6.12.61",
"status": "affected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThan": "6.17.11",
"status": "affected",
"version": "6.17.10",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().\n\nsyzbot reported divide-by-zero in __tcp_select_window() by\nMPTCP socket. [0]\n\nWe had a similar issue for the bare TCP and fixed in commit\n499350a5a6e7 (\"tcp: initialize rcv_mss to TCP_MIN_MSS instead\nof 0\").\n\nLet\u0027s apply the same fix to mptcp_do_fastclose().\n\n[0]:\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nRIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336\nCode: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 \u003cf7\u003e 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00\nRSP: 0018:ffffc90003017640 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028\nR10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n tcp_select_window net/ipv4/tcp_output.c:281 [inline]\n __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568\n tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]\n tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836\n mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793\n mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253\n mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776\n mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xe5/0x270 net/socket.c:742\n __sys_sendto+0x3bd/0x520 net/socket.c:2244\n __do_sys_sendto net/socket.c:2251 [inline]\n __se_sys_sendto net/socket.c:2247 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2247\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f66e998f749\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:50:19.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46b8b58f93f1b383c3840fc6e8fab6c3bce9295f"
},
{
"url": "https://git.kernel.org/stable/c/eee39f83246a81d970a9ecb7392b7ab74e660094"
},
{
"url": "https://git.kernel.org/stable/c/05f5e26d488cdc7abc2a826cf1071782d5a21203"
},
{
"url": "https://git.kernel.org/stable/c/88163f85d59b4164884df900ee171720fd26686b"
},
{
"url": "https://git.kernel.org/stable/c/f07f4ea53e22429c84b20832fa098b5ecc0d4e35"
}
],
"title": "mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68291",
"datePublished": "2025-12-16T15:06:12.095Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-05-11T21:50:19.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22994 (GCVE-0-2026-22994)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
bpf: Fix reference count leak in bpf_prog_test_run_xdp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix reference count leak in bpf_prog_test_run_xdp()
syzbot is reporting
unregister_netdevice: waiting for sit0 to become free. Usage count = 2
problem. A debug printk() patch found that a refcount is obtained at
xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().
According to commit ec94670fcb3b ("bpf: Support specifying ingress via
xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by
xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().
Therefore, we can consider that the error handling path introduced by
commit 1c1949982524 ("bpf: introduce frags support to
bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1c194998252469cad00a08bd9ef0b99fd255c260 , < 368569bc546d3368ee9980ba79fc42fdff9a3365
(git)
Affected: 1c194998252469cad00a08bd9ef0b99fd255c260 , < 98676ee71fd4eafeb8be63c7f3f1905d40e03101 (git) Affected: 1c194998252469cad00a08bd9ef0b99fd255c260 , < fb9ef40cccdbacce36029b305d0ef1e12e4fea38 (git) Affected: 1c194998252469cad00a08bd9ef0b99fd255c260 , < 737be05a765761d7d7c9f7fe92274bd8e6f6951e (git) Affected: 1c194998252469cad00a08bd9ef0b99fd255c260 , < ec69daabe45256f98ac86c651b8ad1b2574489a7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "368569bc546d3368ee9980ba79fc42fdff9a3365",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
},
{
"lessThan": "98676ee71fd4eafeb8be63c7f3f1905d40e03101",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
},
{
"lessThan": "fb9ef40cccdbacce36029b305d0ef1e12e4fea38",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
},
{
"lessThan": "737be05a765761d7d7c9f7fe92274bd8e6f6951e",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
},
{
"lessThan": "ec69daabe45256f98ac86c651b8ad1b2574489a7",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference count leak in bpf_prog_test_run_xdp()\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for sit0 to become free. Usage count = 2\n\nproblem. A debug printk() patch found that a refcount is obtained at\nxdp_convert_md_to_buff() from bpf_prog_test_run_xdp().\n\nAccording to commit ec94670fcb3b (\"bpf: Support specifying ingress via\nxdp_md context in BPF_PROG_TEST_RUN\"), the refcount obtained by\nxdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().\n\nTherefore, we can consider that the error handling path introduced by\ncommit 1c1949982524 (\"bpf: introduce frags support to\nbpf_prog_test_run_xdp()\") forgot to call xdp_convert_buff_to_md()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:56.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365"
},
{
"url": "https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101"
},
{
"url": "https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38"
},
{
"url": "https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e"
},
{
"url": "https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7"
}
],
"title": "bpf: Fix reference count leak in bpf_prog_test_run_xdp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22994",
"datePublished": "2026-01-23T15:24:14.749Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-05-11T21:57:56.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71162 (GCVE-0-2025-71162)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
dmaengine: tegra-adma: Fix use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: tegra-adma: Fix use-after-free
A use-after-free bug exists in the Tegra ADMA driver when audio streams
are terminated, particularly during XRUN conditions. The issue occurs
when the DMA buffer is freed by tegra_adma_terminate_all() before the
vchan completion tasklet finishes accessing it.
The race condition follows this sequence:
1. DMA transfer completes, triggering an interrupt that schedules the
completion tasklet (tasklet has not executed yet)
2. Audio playback stops, calling tegra_adma_terminate_all() which
frees the DMA buffer memory via kfree()
3. The scheduled tasklet finally executes, calling vchan_complete()
which attempts to access the already-freed memory
Since tasklets can execute at any time after being scheduled, there is
no guarantee that the buffer will remain valid when vchan_complete()
runs.
Fix this by properly synchronizing the virtual channel completion:
- Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
descriptors as terminated instead of freeing the descriptor.
- Add the callback tegra_adma_synchronize() that calls
vchan_synchronize() which kills any pending tasklets and frees any
terminated descriptors.
Crash logs:
[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f46b195799b5cb05338e7c44cb3617eacb56d755 , < 5f8d1d66a952d0396671e1f21ff8127a4d14fb4e
(git)
Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < 76992310f80776b4d1f7f8915f59b92883a3e44c (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < ae3eed72de682ddbba507ed2d6b848c21a6b721e (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < 59cb421b0902fbef2b9512ae8ba198a20f26b41f (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < be655c3736b3546f39bc8116ffbf2a3b6cac96c4 (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < 2efd07a7c36949e6fa36a69183df24d368bf9e96 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/tegra210-adma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f8d1d66a952d0396671e1f21ff8127a4d14fb4e",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "76992310f80776b4d1f7f8915f59b92883a3e44c",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "ae3eed72de682ddbba507ed2d6b848c21a6b721e",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "59cb421b0902fbef2b9512ae8ba198a20f26b41f",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "be655c3736b3546f39bc8116ffbf2a3b6cac96c4",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "2efd07a7c36949e6fa36a69183df24d368bf9e96",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/tegra210-adma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra-adma: Fix use-after-free\n\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\nare terminated, particularly during XRUN conditions. The issue occurs\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\nvchan completion tasklet finishes accessing it.\n\nThe race condition follows this sequence:\n\n 1. DMA transfer completes, triggering an interrupt that schedules the\n completion tasklet (tasklet has not executed yet)\n 2. Audio playback stops, calling tegra_adma_terminate_all() which\n frees the DMA buffer memory via kfree()\n 3. The scheduled tasklet finally executes, calling vchan_complete()\n which attempts to access the already-freed memory\n\nSince tasklets can execute at any time after being scheduled, there is\nno guarantee that the buffer will remain valid when vchan_complete()\nruns.\n\nFix this by properly synchronizing the virtual channel completion:\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\n descriptors as terminated instead of freeing the descriptor.\n - Add the callback tegra_adma_synchronize() that calls\n vchan_synchronize() which kills any pending tasklets and frees any\n terminated descriptors.\n\nCrash logs:\n[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\n[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\n\n[ 337.427562] Call trace:\n[ 337.427564] dump_backtrace+0x0/0x320\n[ 337.427571] show_stack+0x20/0x30\n[ 337.427575] dump_stack_lvl+0x68/0x84\n[ 337.427584] print_address_description.constprop.0+0x74/0x2b8\n[ 337.427590] kasan_report+0x1f4/0x210\n[ 337.427598] __asan_load8+0xa0/0xd0\n[ 337.427603] vchan_complete+0x124/0x3b0\n[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0\n[ 337.427617] tasklet_action+0x30/0x40\n[ 337.427623] __do_softirq+0x1a0/0x5c4\n[ 337.427628] irq_exit+0x110/0x140\n[ 337.427633] handle_domain_irq+0xa4/0xe0\n[ 337.427640] gic_handle_irq+0x64/0x160\n[ 337.427644] call_on_irq_stack+0x20/0x4c\n[ 337.427649] do_interrupt_handler+0x7c/0x90\n[ 337.427654] el1_interrupt+0x30/0x80\n[ 337.427659] el1h_64_irq_handler+0x18/0x30\n[ 337.427663] el1h_64_irq+0x7c/0x80\n[ 337.427667] cpuidle_enter_state+0xe4/0x540\n[ 337.427674] cpuidle_enter+0x54/0x80\n[ 337.427679] do_idle+0x2e0/0x380\n[ 337.427685] cpu_startup_entry+0x2c/0x70\n[ 337.427690] rest_init+0x114/0x130\n[ 337.427695] arch_call_rest_init+0x18/0x24\n[ 337.427702] start_kernel+0x380/0x3b4\n[ 337.427706] __primary_switched+0xc0/0xc8"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:10.084Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f8d1d66a952d0396671e1f21ff8127a4d14fb4e"
},
{
"url": "https://git.kernel.org/stable/c/76992310f80776b4d1f7f8915f59b92883a3e44c"
},
{
"url": "https://git.kernel.org/stable/c/ae3eed72de682ddbba507ed2d6b848c21a6b721e"
},
{
"url": "https://git.kernel.org/stable/c/59cb421b0902fbef2b9512ae8ba198a20f26b41f"
},
{
"url": "https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca"
},
{
"url": "https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4"
},
{
"url": "https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96"
}
],
"title": "dmaengine: tegra-adma: Fix use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71162",
"datePublished": "2026-01-25T14:36:09.029Z",
"dateReserved": "2026-01-13T15:30:19.666Z",
"dateUpdated": "2026-05-11T21:56:10.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47328 (GCVE-0-2026-47328)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:27 – Updated: 2026-05-28 19:25
VLAI?
EPSS
Title
Invalid pointer deallocation in Ubuntu Linux AppArmor notification handling
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.
Severity ?
6.1 (Medium)
CWE
- CWE-590 - Free of memory not on the heap
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:20:06.494860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:25:13.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-590",
"description": "CWE-590 Free of memory not on the heap",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:27:33.181Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=7f3c4902c39432ce7ea0d384cb70eba282247fac"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Invalid pointer deallocation in Ubuntu Linux AppArmor notification handling"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47328",
"datePublished": "2026-05-28T18:27:33.181Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-28T19:25:13.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68794 (GCVE-0-2025-68794)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
iomap: adjust read range correctly for non-block-aligned positions
Summary
In the Linux kernel, the following vulnerability has been resolved:
iomap: adjust read range correctly for non-block-aligned positions
iomap_adjust_read_range() assumes that the position and length passed in
are block-aligned. This is not always the case however, as shown in the
syzbot generated case for erofs. This causes too many bytes to be
skipped for uptodate blocks, which results in returning the incorrect
position and length to read in. If all the blocks are uptodate, this
underflows length and returns a position beyond the folio.
Fix the calculation to also take into account the block offset when
calculating how many bytes can be skipped for uptodate blocks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9dc55f1389f9569acf9659e58dd836a9c70df217 , < 82b60ffbb532d919959702768dca04c3c0500ae5
(git)
Affected: 9dc55f1389f9569acf9659e58dd836a9c70df217 , < 12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e (git) Affected: 9dc55f1389f9569acf9659e58dd836a9c70df217 , < 142194fb21afe964d2d194cab1fc357cbf87e899 (git) Affected: 9dc55f1389f9569acf9659e58dd836a9c70df217 , < 7aa6bc3e8766990824f66ca76c19596ce10daf3e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/iomap/buffered-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82b60ffbb532d919959702768dca04c3c0500ae5",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "142194fb21afe964d2d194cab1fc357cbf87e899",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "7aa6bc3e8766990824f66ca76c19596ce10daf3e",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/iomap/buffered-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: adjust read range correctly for non-block-aligned positions\n\niomap_adjust_read_range() assumes that the position and length passed in\nare block-aligned. This is not always the case however, as shown in the\nsyzbot generated case for erofs. This causes too many bytes to be\nskipped for uptodate blocks, which results in returning the incorrect\nposition and length to read in. If all the blocks are uptodate, this\nunderflows length and returns a position beyond the folio.\n\nFix the calculation to also take into account the block offset when\ncalculating how many bytes can be skipped for uptodate blocks."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:27.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82b60ffbb532d919959702768dca04c3c0500ae5"
},
{
"url": "https://git.kernel.org/stable/c/12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e"
},
{
"url": "https://git.kernel.org/stable/c/142194fb21afe964d2d194cab1fc357cbf87e899"
},
{
"url": "https://git.kernel.org/stable/c/7aa6bc3e8766990824f66ca76c19596ce10daf3e"
}
],
"title": "iomap: adjust read range correctly for non-block-aligned positions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68794",
"datePublished": "2026-01-13T15:29:05.553Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-05-11T21:53:27.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23148 (GCVE-0-2026-23148)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
There is a race condition in nvmet_bio_done() that can cause a NULL
pointer dereference in blk_cgroup_bio_start():
1. nvmet_bio_done() is called when a bio completes
2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
3. The queue_response callback can re-queue and re-submit the same request
4. The re-submission reuses the same inline_bio from nvmet_req
5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)
invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL
6. The re-submitted bio enters submit_bio_noacct_nocheck()
7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:
BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
RIP: 0010:blk_cgroup_bio_start+0x10/0xd0
Call Trace:
submit_bio_noacct_nocheck+0x44/0x250
nvmet_bdev_execute_rw+0x254/0x370 [nvmet]
process_one_work+0x193/0x3c0
worker_thread+0x281/0x3a0
Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()
BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before
the request can be re-submitted, preventing the race condition.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
431e58d56fcb5ff1f9eb630724a922e0d2a941df , < ee10b06980acca1d46e0fa36d6fb4a9578eab6e4
(git)
Affected: 190f4c2c863af7cc5bb354b70e0805f06419c038 , < 68207ceefd71cc74ce4e983fa9bd10c3122e349b (git) Affected: 190f4c2c863af7cc5bb354b70e0805f06419c038 , < 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e (git) Affected: 2e2028fcf924d1c6df017033c8d6e28b735a0508 (git) Affected: 6.12.37 , < 6.12.69 (semver) Affected: 6.15.6 , < 6.16 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/io-cmd-bdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee10b06980acca1d46e0fa36d6fb4a9578eab6e4",
"status": "affected",
"version": "431e58d56fcb5ff1f9eb630724a922e0d2a941df",
"versionType": "git"
},
{
"lessThan": "68207ceefd71cc74ce4e983fa9bd10c3122e349b",
"status": "affected",
"version": "190f4c2c863af7cc5bb354b70e0805f06419c038",
"versionType": "git"
},
{
"lessThan": "0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e",
"status": "affected",
"version": "190f4c2c863af7cc5bb354b70e0805f06419c038",
"versionType": "git"
},
{
"status": "affected",
"version": "2e2028fcf924d1c6df017033c8d6e28b735a0508",
"versionType": "git"
},
{
"lessThan": "6.12.69",
"status": "affected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/io-cmd-bdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference\n\nThere is a race condition in nvmet_bio_done() that can cause a NULL\npointer dereference in blk_cgroup_bio_start():\n\n1. nvmet_bio_done() is called when a bio completes\n2. nvmet_req_complete() is called, which invokes req-\u003eops-\u003equeue_response(req)\n3. The queue_response callback can re-queue and re-submit the same request\n4. The re-submission reuses the same inline_bio from nvmet_req\n5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)\n invokes bio_uninit() for inline_bio, which sets bio-\u003ebi_blkg to NULL\n6. The re-submitted bio enters submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() dereferences bio-\u003ebi_blkg, causing a crash:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n Call Trace:\n submit_bio_noacct_nocheck+0x44/0x250\n nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n process_one_work+0x193/0x3c0\n worker_thread+0x281/0x3a0\n\nFix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()\nBEFORE nvmet_req_complete(). This ensures the bio is cleaned up before\nthe request can be re-submitted, preventing the race condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:59.219Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4"
},
{
"url": "https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b"
},
{
"url": "https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e"
}
],
"title": "nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23148",
"datePublished": "2026-02-14T16:01:17.575Z",
"dateReserved": "2026-01-13T15:37:45.975Z",
"dateUpdated": "2026-05-23T16:03:59.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71150 (GCVE-0-2025-71150)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
ksmbd: Fix refcount leak when invalid session is found on session lookup
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Fix refcount leak when invalid session is found on session lookup
When a session is found but its state is not SMB2_SESSION_VALID, It
indicates that no valid session was found, but it is missing to decrement
the reference count acquired by the session lookup, which results in
a reference count leak. This patch fixes the issue by explicitly calling
ksmbd_user_session_put to release the reference to the session.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2107ab40629aeabbec369cf34b8cf0f288c3eb1b , < 11fe566b442e3bc2774191740fd377739a87a1c0
(git)
Affected: 37a0e2b362b3150317fb6e2139de67b1e29ae5ff , < 0fb87b28cafae71e9c8248432cc3a6a1fd759efc (git) Affected: 450a844c045ff0895d41b05a1cbe8febd1acfcfd , < e54fb2a4772545701766cba08aab20de5eace8cd (git) Affected: a39e31e22a535d47b14656a7d6a893c7f6cf758c , < 02e06785e85b4bd86ef3d23b7c8d87acc76773d5 (git) Affected: b95629435b84b9ecc0c765995204a4d8a913ed52 , < 8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7 (git) Affected: b95629435b84b9ecc0c765995204a4d8a913ed52 , < cafb57f7bdd57abba87725eb4e82bbdca4959644 (git) Affected: 5.15.176 , < 5.15.203 (semver) Affected: 6.1.121 , < 6.1.160 (semver) Affected: 6.6.67 , < 6.6.120 (semver) Affected: 6.12.6 , < 6.12.64 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11fe566b442e3bc2774191740fd377739a87a1c0",
"status": "affected",
"version": "2107ab40629aeabbec369cf34b8cf0f288c3eb1b",
"versionType": "git"
},
{
"lessThan": "0fb87b28cafae71e9c8248432cc3a6a1fd759efc",
"status": "affected",
"version": "37a0e2b362b3150317fb6e2139de67b1e29ae5ff",
"versionType": "git"
},
{
"lessThan": "e54fb2a4772545701766cba08aab20de5eace8cd",
"status": "affected",
"version": "450a844c045ff0895d41b05a1cbe8febd1acfcfd",
"versionType": "git"
},
{
"lessThan": "02e06785e85b4bd86ef3d23b7c8d87acc76773d5",
"status": "affected",
"version": "a39e31e22a535d47b14656a7d6a893c7f6cf758c",
"versionType": "git"
},
{
"lessThan": "8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7",
"status": "affected",
"version": "b95629435b84b9ecc0c765995204a4d8a913ed52",
"versionType": "git"
},
{
"lessThan": "cafb57f7bdd57abba87725eb4e82bbdca4959644",
"status": "affected",
"version": "b95629435b84b9ecc0c765995204a4d8a913ed52",
"versionType": "git"
},
{
"lessThan": "5.15.203",
"status": "affected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.121",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.67",
"versionType": "semver"
},
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix refcount leak when invalid session is found on session lookup\n\nWhen a session is found but its state is not SMB2_SESSION_VALID, It\nindicates that no valid session was found, but it is missing to decrement\nthe reference count acquired by the session lookup, which results in\na reference count leak. This patch fixes the issue by explicitly calling\nksmbd_user_session_put to release the reference to the session."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:25.067Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11fe566b442e3bc2774191740fd377739a87a1c0"
},
{
"url": "https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc"
},
{
"url": "https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd"
},
{
"url": "https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5"
},
{
"url": "https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7"
},
{
"url": "https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644"
}
],
"title": "ksmbd: Fix refcount leak when invalid session is found on session lookup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71150",
"datePublished": "2026-01-23T14:15:16.898Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-05-23T16:03:25.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23178 (GCVE-0-2026-23178)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid->rawbuf`.
The former can come from the userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
`max_buffer_size` field of `struct hid_ll_driver` which we do not).
The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.
Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.
The impact is low since access to hidraw devices requires root.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < f9c9ad89d845f88a1509e9d672f65d234425fde9
(git)
Affected: 85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < cff3f619fd1cb40cdd89971df9001f075613d219 (git) Affected: 85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < 786ec171788bdf9dda38789163f1b1fbb47f2d1e (git) Affected: 85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < 2124279f1f8c32c1646ce98e75a1a39b23b7db76 (git) Affected: 85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < 2497ff38c530b1af0df5130ca9f5ab22c5e92f29 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/i2c-hid/i2c-hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9c9ad89d845f88a1509e9d672f65d234425fde9",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
},
{
"lessThan": "cff3f619fd1cb40cdd89971df9001f075613d219",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
},
{
"lessThan": "786ec171788bdf9dda38789163f1b1fbb47f2d1e",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
},
{
"lessThan": "2124279f1f8c32c1646ce98e75a1a39b23b7db76",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
},
{
"lessThan": "2497ff38c530b1af0df5130ca9f5ab22c5e92f29",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/i2c-hid/i2c-hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid-\u003erawbuf`.\n\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\n\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\n\nFix this by truncating `recv_len` to `ihid-\u003ebufsize - sizeof(__le16)`.\n\nThe impact is low since access to hidraw devices requires root."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:49.899Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9"
},
{
"url": "https://git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219"
},
{
"url": "https://git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e"
},
{
"url": "https://git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76"
},
{
"url": "https://git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29"
}
],
"title": "HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23178",
"datePublished": "2026-02-14T16:27:10.108Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-05-11T22:01:49.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68347 (GCVE-0-2025-68347)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
The DSP event handling code in hwdep_read() could write more bytes to
the user buffer than requested, when a user provides a buffer smaller
than the event header size (8 bytes).
Fix by using min_t() to clamp the copy size, This ensures we never copy
more than the user requested.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
634ec0b2906efd46f6f57977e172aa3470aca432 , < 16620f0617400746984362c3d6ac547eeae1d35f
(git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6275fd726d53a8ec724f20201cf3bd862711e17b (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 161291bac551821bba98eb4ea84c82338578d1b0 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < cdda0d06f8650e33255f79839f188bbece44117c (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16620f0617400746984362c3d6ac547eeae1d35f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6275fd726d53a8ec724f20201cf3bd862711e17b",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "161291bac551821bba98eb4ea84c82338578d1b0",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "cdda0d06f8650e33255f79839f188bbece44117c",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "210d77cca3d0494ed30a5c628b20c1d95fa04fb1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events\n\nThe DSP event handling code in hwdep_read() could write more bytes to\nthe user buffer than requested, when a user provides a buffer smaller\nthan the event header size (8 bytes).\n\nFix by using min_t() to clamp the copy size, This ensures we never copy\nmore than the user requested."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:26.312Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16620f0617400746984362c3d6ac547eeae1d35f"
},
{
"url": "https://git.kernel.org/stable/c/ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe"
},
{
"url": "https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b"
},
{
"url": "https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0"
},
{
"url": "https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c"
},
{
"url": "https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1"
}
],
"title": "ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68347",
"datePublished": "2025-12-24T10:32:39.804Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-05-11T21:51:26.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23193 (GCVE-0-2026-23193)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-06-16 20:19
VLAI?
EPSS
Title
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.
This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.
To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e48354ce078c079996f89d715dfa44814b4eba01 , < 2b64015550a13bcc72910be0565548d9a754d46d
(git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < fd8b0900173307039d3a84644c2fee041a7ed4fb (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < d8dbdc146e9e9a976931b78715be2e91299049f9 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 11ebafffce31efc6abeb28c509017976fc49f1ca (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 41b86a9ec037bd3435d68dd3692f0891a207e7e7 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 4530f4e4d0e6a207110b0ffed0c911bca43531a4 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 84dc6037390b8607c5551047d3970336cb51ba9a (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23193",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:19:30.330319Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:19:39.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b64015550a13bcc72910be0565548d9a754d46d",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "fd8b0900173307039d3a84644c2fee041a7ed4fb",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "d8dbdc146e9e9a976931b78715be2e91299049f9",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "11ebafffce31efc6abeb28c509017976fc49f1ca",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "41b86a9ec037bd3435d68dd3692f0891a207e7e7",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "4530f4e4d0e6a207110b0ffed0c911bca43531a4",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "84dc6037390b8607c5551047d3970336cb51ba9a",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()\n\nIn iscsit_dec_session_usage_count(), the function calls complete() while\nholding the sess-\u003esession_usage_lock. Similar to the connection usage count\nlogic, the waiter signaled by complete() (e.g., in the session release\npath) may wake up and free the iscsit_session structure immediately.\n\nThis creates a race condition where the current thread may attempt to\nexecute spin_unlock_bh() on a session structure that has already been\ndeallocated, resulting in a KASAN slab-use-after-free.\n\nTo resolve this, release the session_usage_lock before calling complete()\nto ensure all dereferences of the sess pointer are finished before the\nwaiter is allowed to proceed with deallocation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:07.544Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b64015550a13bcc72910be0565548d9a754d46d"
},
{
"url": "https://git.kernel.org/stable/c/fd8b0900173307039d3a84644c2fee041a7ed4fb"
},
{
"url": "https://git.kernel.org/stable/c/d8dbdc146e9e9a976931b78715be2e91299049f9"
},
{
"url": "https://git.kernel.org/stable/c/11ebafffce31efc6abeb28c509017976fc49f1ca"
},
{
"url": "https://git.kernel.org/stable/c/41b86a9ec037bd3435d68dd3692f0891a207e7e7"
},
{
"url": "https://git.kernel.org/stable/c/4530f4e4d0e6a207110b0ffed0c911bca43531a4"
},
{
"url": "https://git.kernel.org/stable/c/84dc6037390b8607c5551047d3970336cb51ba9a"
}
],
"title": "scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23193",
"datePublished": "2026-02-14T16:27:20.251Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-06-16T20:19:39.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71104 (GCVE-0-2025-71104)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
When advancing the target expiration for the guest's APIC timer in periodic
mode, set the expiration to "now" if the target expiration is in the past
(similar to what is done in update_target_expiration()). Blindly adding
the period to the previous target expiration can result in KVM generating
a practically unbounded number of hrtimer IRQs due to programming an
expired timer over and over. In extreme scenarios, e.g. if userspace
pauses/suspends a VM for an extended duration, this can even cause hard
lockups in the host.
Currently, the bug only affects Intel CPUs when using the hypervisor timer
(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,
a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the
HV timer only runs while the guest is active. As a result, if the vCPU
does not run for an extended duration, there will be a huge gap between
the target expiration and the current time the vCPU resumes running.
Because the target expiration is incremented by only one period on each
timer expiration, this leads to a series of timer expirations occurring
rapidly after the vCPU/VM resumes.
More critically, when the vCPU first triggers a periodic HV timer
expiration after resuming, advancing the expiration by only one period
will result in a target expiration in the past. As a result, the delta
may be calculated as a negative value. When the delta is converted into
an absolute value (tscdeadline is an unsigned u64), the resulting value
can overflow what the HV timer is capable of programming. I.e. the large
value will exceed the VMX Preemption Timer's maximum bit width of
cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the
HV timer to the software timer (hrtimers).
After switching to the software timer, periodic timer expiration callbacks
may be executed consecutively within a single clock interrupt handler,
because hrtimers honors KVM's request for an expiration in the past and
immediately re-invokes KVM's callback after reprogramming. And because
the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer
over and over until the target expiration is advanced to "now" can result
in a hard lockup.
E.g. the following hard lockup was triggered in the host when running a
Windows VM (only relevant because it used the APIC timer in periodic mode)
after resuming the VM from a long suspend (in the host).
NMI watchdog: Watchdog detected hard LOCKUP on cpu 45
...
RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]
...
RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046
RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc
RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500
RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0
R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0
R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8
FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0
PKRU: 55555554
Call Trace:
<IRQ>
apic_timer_fn+0x31/0x50 [kvm]
__hrtimer_run_queues+0x100/0x280
hrtimer_interrupt+0x100/0x210
? ttwu_do_wakeup+0x19/0x160
smp_apic_timer_interrupt+0x6a/0x130
apic_timer_interrupt+0xf/0x20
</IRQ>
Moreover, if the suspend duration of the virtual machine is not long enough
to trigger a hard lockup in this scenario, since commit 98c25ead5eda
("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM
will continue using the software timer until the guest reprograms the APIC
timer in some way. Since the periodic timer does not require frequent APIC
timer register programming, the guest may continue to use the software
timer in
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < 786ed625c125c5cd180d6aaa37e653e3e4ffb8d9
(git)
Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73 (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < 807dbe8f3862fa7c164155857550ce94b36a11b9 (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < 7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < e746e51947053a02af2ea964593dc4887108d379 (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < e23f46f1a971c73dad2fd63e1408696114ddebe2 (git) Affected: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc , < 18ab3fc8e880791aa9f7c000261320fc812b5465 (git) Affected: 421e1fadb0b0a648cc75afd5b3c826fa7daeaffc (git) Affected: 5a69b7b69beae9bb86e7e1b095685087976cba47 (git) Affected: 4.14.45 , < 4.15 (semver) Affected: 4.16.13 , < 4.17 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:39.879856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:04.010Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/lapic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "786ed625c125c5cd180d6aaa37e653e3e4ffb8d9",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "807dbe8f3862fa7c164155857550ce94b36a11b9",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "e746e51947053a02af2ea964593dc4887108d379",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "e23f46f1a971c73dad2fd63e1408696114ddebe2",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "18ab3fc8e880791aa9f7c000261320fc812b5465",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"status": "affected",
"version": "421e1fadb0b0a648cc75afd5b3c826fa7daeaffc",
"versionType": "git"
},
{
"status": "affected",
"version": "5a69b7b69beae9bb86e7e1b095685087976cba47",
"versionType": "git"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.45",
"versionType": "semver"
},
{
"lessThan": "4.17",
"status": "affected",
"version": "4.16.13",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/lapic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer\n\nWhen advancing the target expiration for the guest\u0027s APIC timer in periodic\nmode, set the expiration to \"now\" if the target expiration is in the past\n(similar to what is done in update_target_expiration()). Blindly adding\nthe period to the previous target expiration can result in KVM generating\na practically unbounded number of hrtimer IRQs due to programming an\nexpired timer over and over. In extreme scenarios, e.g. if userspace\npauses/suspends a VM for an extended duration, this can even cause hard\nlockups in the host.\n\nCurrently, the bug only affects Intel CPUs when using the hypervisor timer\n(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,\na.k.a. hrtimer, which KVM keeps running even on exits to userspace, the\nHV timer only runs while the guest is active. As a result, if the vCPU\ndoes not run for an extended duration, there will be a huge gap between\nthe target expiration and the current time the vCPU resumes running.\nBecause the target expiration is incremented by only one period on each\ntimer expiration, this leads to a series of timer expirations occurring\nrapidly after the vCPU/VM resumes.\n\nMore critically, when the vCPU first triggers a periodic HV timer\nexpiration after resuming, advancing the expiration by only one period\nwill result in a target expiration in the past. As a result, the delta\nmay be calculated as a negative value. When the delta is converted into\nan absolute value (tscdeadline is an unsigned u64), the resulting value\ncan overflow what the HV timer is capable of programming. I.e. the large\nvalue will exceed the VMX Preemption Timer\u0027s maximum bit width of\ncpu_preemption_timer_multi + 32, and thus cause KVM to switch from the\nHV timer to the software timer (hrtimers).\n\nAfter switching to the software timer, periodic timer expiration callbacks\nmay be executed consecutively within a single clock interrupt handler,\nbecause hrtimers honors KVM\u0027s request for an expiration in the past and\nimmediately re-invokes KVM\u0027s callback after reprogramming. And because\nthe interrupt handler runs with IRQs disabled, restarting KVM\u0027s hrtimer\nover and over until the target expiration is advanced to \"now\" can result\nin a hard lockup.\n\nE.g. the following hard lockup was triggered in the host when running a\nWindows VM (only relevant because it used the APIC timer in periodic mode)\nafter resuming the VM from a long suspend (in the host).\n\n NMI watchdog: Watchdog detected hard LOCKUP on cpu 45\n ...\n RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]\n ...\n RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046\n RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc\n RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500\n RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0\n R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0\n R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8\n FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n apic_timer_fn+0x31/0x50 [kvm]\n __hrtimer_run_queues+0x100/0x280\n hrtimer_interrupt+0x100/0x210\n ? ttwu_do_wakeup+0x19/0x160\n smp_apic_timer_interrupt+0x6a/0x130\n apic_timer_interrupt+0xf/0x20\n \u003c/IRQ\u003e\n\nMoreover, if the suspend duration of the virtual machine is not long enough\nto trigger a hard lockup in this scenario, since commit 98c25ead5eda\n(\"KVM: VMX: Move preemption timer \u003c=\u003e hrtimer dance to common x86\"), KVM\nwill continue using the software timer until the guest reprograms the APIC\ntimer in some way. Since the periodic timer does not require frequent APIC\ntimer register programming, the guest may continue to use the software\ntimer in \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:11.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/786ed625c125c5cd180d6aaa37e653e3e4ffb8d9"
},
{
"url": "https://git.kernel.org/stable/c/d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73"
},
{
"url": "https://git.kernel.org/stable/c/807dbe8f3862fa7c164155857550ce94b36a11b9"
},
{
"url": "https://git.kernel.org/stable/c/7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed"
},
{
"url": "https://git.kernel.org/stable/c/e746e51947053a02af2ea964593dc4887108d379"
},
{
"url": "https://git.kernel.org/stable/c/e23f46f1a971c73dad2fd63e1408696114ddebe2"
},
{
"url": "https://git.kernel.org/stable/c/18ab3fc8e880791aa9f7c000261320fc812b5465"
}
],
"title": "KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71104",
"datePublished": "2026-01-14T15:05:53.802Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-06-11T18:44:04.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68774 (GCVE-0-2025-68774)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
When sync() and link() are called concurrently, both threads may
enter hfs_bnode_find() without finding the node in the hash table
and proceed to create it.
Thread A:
hfsplus_write_inode()
-> hfsplus_write_system_inode()
-> hfs_btree_write()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
Thread B:
hfsplus_create_cat()
-> hfs_brec_insert()
-> hfs_bnode_split()
-> hfs_bmap_alloc()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
In this case, thread A creates the bnode, sets refcnt=1, and hashes it.
Thread B also tries to create the same bnode, notices it has already
been inserted, drops its own instance, and uses the hashed one without
getting the node.
```
node2 = hfs_bnode_findhash(tree, cnid);
if (!node2) { <- Thread A
hash = hfs_bnode_hash(cnid);
node->next_hash = tree->node_hash[hash];
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else { <- Thread B
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
!test_bit(HFS_BNODE_NEW, &node2->flags));
return node2;
}
```
However, hfs_bnode_find() requires each call to take a reference.
Here both threads end up setting refcnt=1. When they later put the node,
this triggers:
BUG_ON(!atomic_read(&node->refcnt))
In this scenario, Thread B in fact finds the node in the hash table
rather than creating a new one, and thus must take a reference.
Fix this by calling hfs_bnode_get() when reusing a bnode newly created by
another thread to ensure the refcount is updated correctly.
A similar bug was fixed in HFS long ago in commit
a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create")
but the same issue remained in HFS+ until now.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3b0fc7af50b896d0f3d104e70787ba1973bc0b56
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 39e149d58ef4d7883cbf87448d39d51292fd342d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b68dc4134b18a3922cd33439ec614aad4172bc86 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b9d1c6bb5f19460074ce9862cb80be86b5fb0a50 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 457f795e7abd7770de10216d7f9994a3f12a56d6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5882e7c8cdbb5e254a69628b780acff89c78071e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 152af114287851583cf7e0abc10129941f19466a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b0fc7af50b896d0f3d104e70787ba1973bc0b56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39e149d58ef4d7883cbf87448d39d51292fd342d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b68dc4134b18a3922cd33439ec614aad4172bc86",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b9d1c6bb5f19460074ce9862cb80be86b5fb0a50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "457f795e7abd7770de10216d7f9994a3f12a56d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5882e7c8cdbb5e254a69628b780acff89c78071e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "152af114287851583cf7e0abc10129941f19466a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nWhen sync() and link() are called concurrently, both threads may\nenter hfs_bnode_find() without finding the node in the hash table\nand proceed to create it.\n\nThread A:\n hfsplus_write_inode()\n -\u003e hfsplus_write_system_inode()\n -\u003e hfs_btree_write()\n -\u003e hfs_bnode_find(tree, 0)\n -\u003e __hfs_bnode_create(tree, 0)\n\nThread B:\n hfsplus_create_cat()\n -\u003e hfs_brec_insert()\n -\u003e hfs_bnode_split()\n -\u003e hfs_bmap_alloc()\n -\u003e hfs_bnode_find(tree, 0)\n -\u003e __hfs_bnode_create(tree, 0)\n\nIn this case, thread A creates the bnode, sets refcnt=1, and hashes it.\nThread B also tries to create the same bnode, notices it has already\nbeen inserted, drops its own instance, and uses the hashed one without\ngetting the node.\n\n```\n\n\tnode2 = hfs_bnode_findhash(tree, cnid);\n\tif (!node2) { \u003c- Thread A\n\t\thash = hfs_bnode_hash(cnid);\n\t\tnode-\u003enext_hash = tree-\u003enode_hash[hash];\n\t\ttree-\u003enode_hash[hash] = node;\n\t\ttree-\u003enode_hash_cnt++;\n\t} else { \u003c- Thread B\n\t\tspin_unlock(\u0026tree-\u003ehash_lock);\n\t\tkfree(node);\n\t\twait_event(node2-\u003elock_wq,\n\t\t\t!test_bit(HFS_BNODE_NEW, \u0026node2-\u003eflags));\n\t\treturn node2;\n\t}\n```\n\nHowever, hfs_bnode_find() requires each call to take a reference.\nHere both threads end up setting refcnt=1. When they later put the node,\nthis triggers:\n\nBUG_ON(!atomic_read(\u0026node-\u003erefcnt))\n\nIn this scenario, Thread B in fact finds the node in the hash table\nrather than creating a new one, and thus must take a reference.\n\nFix this by calling hfs_bnode_get() when reusing a bnode newly created by\nanother thread to ensure the refcount is updated correctly.\n\nA similar bug was fixed in HFS long ago in commit\na9dc087fd3c4 (\"fix missing hfs_bnode_get() in __hfs_bnode_create\")\nbut the same issue remained in HFS+ until now."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:05.691Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56"
},
{
"url": "https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d"
},
{
"url": "https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86"
},
{
"url": "https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50"
},
{
"url": "https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6"
},
{
"url": "https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e"
},
{
"url": "https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a"
}
],
"title": "hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68774",
"datePublished": "2026-01-13T15:28:51.379Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-11T21:53:05.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71094 (GCVE-0-2025-71094)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
net: usb: asix: validate PHY address before use
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix: validate PHY address before use
The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():
addr 207 out of range
WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < fc96018f09f8d30586ca6582c5045a84eafef146
(git)
Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < f5f4f30f3811d37e1aa48667c36add74e5a8d99f (git) Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < 38722e69ee64dbb020028c93898d25d6f4c0e0b2 (git) Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < 98a12c2547a44a5f03f35c108d2022cc652cbc4d (git) Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < bf8a0f3b787ca7c5889bfca12c60c483041fbee3 (git) Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b , < a1e077a3f76eea0dc671ed6792e7d543946227e8 (git) Affected: 4e4f3cb41d687bd64cd03358862b23c84d82329e (git) Affected: 5.13.13 , < 5.14 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:29.490248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:23.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c",
"drivers/net/usb/ax88172a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc96018f09f8d30586ca6582c5045a84eafef146",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "f5f4f30f3811d37e1aa48667c36add74e5a8d99f",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "38722e69ee64dbb020028c93898d25d6f4c0e0b2",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "98a12c2547a44a5f03f35c108d2022cc652cbc4d",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "bf8a0f3b787ca7c5889bfca12c60c483041fbee3",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "a1e077a3f76eea0dc671ed6792e7d543946227e8",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"status": "affected",
"version": "4e4f3cb41d687bd64cd03358862b23c84d82329e",
"versionType": "git"
},
{
"lessThan": "5.14",
"status": "affected",
"version": "5.13.13",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c",
"drivers/net/usb/ax88172a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: validate PHY address before use\n\nThe ASIX driver reads the PHY address from the USB device via\nasix_read_phy_addr(). A malicious or faulty device can return an\ninvalid address (\u003e= PHY_MAX_ADDR), which causes a warning in\nmdiobus_get_phy():\n\n addr 207 out of range\n WARNING: drivers/net/phy/mdio_bus.c:76\n\nValidate the PHY address in asix_read_phy_addr() and remove the\nnow-redundant check in ax88172a.c."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:10.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146"
},
{
"url": "https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f"
},
{
"url": "https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2"
},
{
"url": "https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d"
},
{
"url": "https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3"
},
{
"url": "https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8"
}
],
"title": "net: usb: asix: validate PHY address before use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71094",
"datePublished": "2026-01-13T15:34:54.669Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-06-11T18:44:23.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68810 (GCVE-0-2025-68810)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was
initially created with a guest_memfd binding, as KVM doesn't support
toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling
KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.
Failure to reject the new memslot results in a use-after-free due to KVM
not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY
change is easy enough, and can/will be done as a hardening measure (in
anticipation of KVM supporting dirty logging on guest_memfd at some point),
but fixing the use-after-free would only address the immediate symptom.
==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]
Write of size 8 at addr ffff8881111ae908 by task repro/745
CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x60
print_report+0xcb/0x5c0
kasan_report+0xb4/0xe0
kvm_gmem_release+0x362/0x400 [kvm]
__fput+0x2fa/0x9d0
task_work_run+0x12c/0x200
do_exit+0x6ae/0x2100
do_group_exit+0xa8/0x230
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0x737/0x740
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f581f2eac31
</TASK>
Allocated by task 745 on cpu 6 at 9.746971s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_kmalloc+0x77/0x90
kvm_set_memory_region.part.0+0x652/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 745 on cpu 6 at 9.747467s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_save_free_info+0x37/0x50
__kasan_slab_free+0x3b/0x60
kfree+0xf5/0x440
kvm_set_memslot+0x3c2/0x1160 [kvm]
kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < 89dbbe6ff323fc34659621a577fe0af913f47386
(git)
Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < cb51bef465d8ec60a968507330e01020e35dc127 (git) Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < 9935df5333aa503a18de5071f53762b65c783c4c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89dbbe6ff323fc34659621a577fe0af913f47386",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
},
{
"lessThan": "cb51bef465d8ec60a968507330e01020e35dc127",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
},
{
"lessThan": "9935df5333aa503a18de5071f53762b65c783c4c",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot\n\nReject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was\ninitially created with a guest_memfd binding, as KVM doesn\u0027t support\ntoggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling\nKVM_MEM_GUEST_MEMFD, but doesn\u0027t prevent clearing the flag.\n\nFailure to reject the new memslot results in a use-after-free due to KVM\nnot unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY\nchange is easy enough, and can/will be done as a hardening measure (in\nanticipation of KVM supporting dirty logging on guest_memfd at some point),\nbut fixing the use-after-free would only address the immediate symptom.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]\n Write of size 8 at addr ffff8881111ae908 by task repro/745\n\n CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x60\n print_report+0xcb/0x5c0\n kasan_report+0xb4/0xe0\n kvm_gmem_release+0x362/0x400 [kvm]\n __fput+0x2fa/0x9d0\n task_work_run+0x12c/0x200\n do_exit+0x6ae/0x2100\n do_group_exit+0xa8/0x230\n __x64_sys_exit_group+0x3a/0x50\n x64_sys_call+0x737/0x740\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f581f2eac31\n \u003c/TASK\u003e\n\n Allocated by task 745 on cpu 6 at 9.746971s:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x13/0x50\n __kasan_kmalloc+0x77/0x90\n kvm_set_memory_region.part.0+0x652/0x1110 [kvm]\n kvm_vm_ioctl+0x14b0/0x3290 [kvm]\n __x64_sys_ioctl+0x129/0x1a0\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 745 on cpu 6 at 9.747467s:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x13/0x50\n __kasan_save_free_info+0x37/0x50\n __kasan_slab_free+0x3b/0x60\n kfree+0xf5/0x440\n kvm_set_memslot+0x3c2/0x1160 [kvm]\n kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]\n kvm_vm_ioctl+0x14b0/0x3290 [kvm]\n __x64_sys_ioctl+0x129/0x1a0\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:46.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89dbbe6ff323fc34659621a577fe0af913f47386"
},
{
"url": "https://git.kernel.org/stable/c/cb51bef465d8ec60a968507330e01020e35dc127"
},
{
"url": "https://git.kernel.org/stable/c/9935df5333aa503a18de5071f53762b65c783c4c"
}
],
"title": "KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68810",
"datePublished": "2026-01-13T15:29:16.475Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-05-11T21:53:46.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68764 (GCVE-0-2025-68764)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-06-16 16:52
VLAI?
EPSS
Title
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
When a filesystem is being automounted, it needs to preserve the
user-set superblock mount options, such as the "ro" flag.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2aedb713c284429987dc66c7aaf38decfc8da2a , < a3dc6c40bcab1a888d5c0d134ccc0746b4c98929
(git)
Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < ba1495aefd22fcf0746a2a3025c95d766d7cde4d (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < c09070b4def1b34e473a746c6a5331ccb80902c1 (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < dce10c59211e5cd763a62ea01e79b82a629811e3 (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < 612cc98698d667df804792f0c47d4e501e66da29 (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < 4b296944e632cf4c6a4cc8e2585c6451eae47b1b (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < df9b003a2ecacc7218486fbb31fe008c93097d5f (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < 8675c69816e4276b979ff475ee5fac4688f80125 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:51:54.569623Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:52:07.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/namespace.c",
"fs/nfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3dc6c40bcab1a888d5c0d134ccc0746b4c98929",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "ba1495aefd22fcf0746a2a3025c95d766d7cde4d",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "c09070b4def1b34e473a746c6a5331ccb80902c1",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "dce10c59211e5cd763a62ea01e79b82a629811e3",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "612cc98698d667df804792f0c47d4e501e66da29",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "4b296944e632cf4c6a4cc8e2585c6451eae47b1b",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "df9b003a2ecacc7218486fbb31fe008c93097d5f",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "8675c69816e4276b979ff475ee5fac4688f80125",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/namespace.c",
"fs/nfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags\n\nWhen a filesystem is being automounted, it needs to preserve the\nuser-set superblock mount options, such as the \"ro\" flag."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:53.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3dc6c40bcab1a888d5c0d134ccc0746b4c98929"
},
{
"url": "https://git.kernel.org/stable/c/ba1495aefd22fcf0746a2a3025c95d766d7cde4d"
},
{
"url": "https://git.kernel.org/stable/c/c09070b4def1b34e473a746c6a5331ccb80902c1"
},
{
"url": "https://git.kernel.org/stable/c/dce10c59211e5cd763a62ea01e79b82a629811e3"
},
{
"url": "https://git.kernel.org/stable/c/612cc98698d667df804792f0c47d4e501e66da29"
},
{
"url": "https://git.kernel.org/stable/c/4b296944e632cf4c6a4cc8e2585c6451eae47b1b"
},
{
"url": "https://git.kernel.org/stable/c/df9b003a2ecacc7218486fbb31fe008c93097d5f"
},
{
"url": "https://git.kernel.org/stable/c/8675c69816e4276b979ff475ee5fac4688f80125"
}
],
"title": "NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68764",
"datePublished": "2026-01-05T09:44:12.518Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-06-16T16:52:07.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23135 (GCVE-0-2026-23135)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:14 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
wifi: ath12k: fix dma_free_coherent() pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 36e0bc5e8b282564906fca636c4ebc99814de4e7
(git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 24585a13c41ea7253ee59aac74441fb570f5824a (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 4846b32be324f4dd3653f38a3f69c049543d52ae (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < bb97131fbf9b708dd9616ac2bdc793ad102b5c48 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36e0bc5e8b282564906fca636c4ebc99814de4e7",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "24585a13c41ea7253ee59aac74441fb570f5824a",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "4846b32be324f4dd3653f38a3f69c049543d52ae",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "bb97131fbf9b708dd9616ac2bdc793ad102b5c48",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:48.767Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36e0bc5e8b282564906fca636c4ebc99814de4e7"
},
{
"url": "https://git.kernel.org/stable/c/24585a13c41ea7253ee59aac74441fb570f5824a"
},
{
"url": "https://git.kernel.org/stable/c/4846b32be324f4dd3653f38a3f69c049543d52ae"
},
{
"url": "https://git.kernel.org/stable/c/bb97131fbf9b708dd9616ac2bdc793ad102b5c48"
}
],
"title": "wifi: ath12k: fix dma_free_coherent() pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23135",
"datePublished": "2026-02-14T15:14:34.473Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-05-11T22:00:48.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71089 (GCVE-0-2025-71089)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-16 16:20
VLAI?
EPSS
Title
iommu: disable SVA when CONFIG_X86 is set
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu: disable SVA when CONFIG_X86 is set
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < b34289505180a83607fcfdce14b5a290d0528476
(git)
Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 7cad37e358970af1bb49030ff01f06a69fa7d985 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 240cd7f2812cc25496b12063d11c823618f364e9 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c341dee80b5df49a936182341b36395c831c2661 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 72f98ef9a4be30d2a60136dd6faee376f780d06c (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:19:59.752068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:20:14.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b34289505180a83607fcfdce14b5a290d0528476",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "7cad37e358970af1bb49030ff01f06a69fa7d985",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "240cd7f2812cc25496b12063d11c823618f364e9",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c2c3f1a3fd74ef16cf115f0c558616a13a8471b4",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c341dee80b5df49a936182341b36395c831c2661",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "72f98ef9a4be30d2a60136dd6faee376f780d06c",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel\npage table entries. When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries. This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU\u0027s page tables. The x86 architecture maps the\nkernel\u0027s virtual address space into the upper portion of every process\u0027s\npage table. Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings. This can cause the IOMMU\u0027s internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated. The IOMMU could\nmisinterpret the new data as valid page table entries. The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation. This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings. However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out. This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:31.972Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476"
},
{
"url": "https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985"
},
{
"url": "https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9"
},
{
"url": "https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4"
},
{
"url": "https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661"
},
{
"url": "https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c"
}
],
"title": "iommu: disable SVA when CONFIG_X86 is set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71089",
"datePublished": "2026-01-13T15:34:51.079Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-06-16T16:20:14.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71194 (GCVE-0-2025-71194)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-06-16 16:19
VLAI?
EPSS
Title
btrfs: fix deadlock in wait_current_trans() due to ignored transaction type
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix deadlock in wait_current_trans() due to ignored transaction type
When wait_current_trans() is called during start_transaction(), it
currently waits for a blocked transaction without considering whether
the given transaction type actually needs to wait for that particular
transaction state. The btrfs_blocked_trans_types[] array already defines
which transaction types should wait for which transaction states, but
this check was missing in wait_current_trans().
This can lead to a deadlock scenario involving two transactions and
pending ordered extents:
1. Transaction A is in TRANS_STATE_COMMIT_DOING state
2. A worker processing an ordered extent calls start_transaction()
with TRANS_JOIN
3. join_transaction() returns -EBUSY because Transaction A is in
TRANS_STATE_COMMIT_DOING
4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes
5. A new Transaction B is created (TRANS_STATE_RUNNING)
6. The ordered extent from step 2 is added to Transaction B's
pending ordered extents
7. Transaction B immediately starts commit by another task and
enters TRANS_STATE_COMMIT_START
8. The worker finally reaches wait_current_trans(), sees Transaction B
in TRANS_STATE_COMMIT_START (a blocked state), and waits
unconditionally
9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START
according to btrfs_blocked_trans_types[]
10. Transaction B is waiting for pending ordered extents to complete
11. Deadlock: Transaction B waits for ordered extent, ordered extent
waits for Transaction B
This can be illustrated by the following call stacks:
CPU0 CPU1
btrfs_finish_ordered_io()
start_transaction(TRANS_JOIN)
join_transaction()
# -EBUSY (Transaction A is
# TRANS_STATE_COMMIT_DOING)
# Transaction A completes
# Transaction B created
# ordered extent added to
# Transaction B's pending list
btrfs_commit_transaction()
# Transaction B enters
# TRANS_STATE_COMMIT_START
# waiting for pending ordered
# extents
wait_current_trans()
# waits for Transaction B
# (should not wait!)
Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered
extents:
__schedule+0x2e7/0x8a0
schedule+0x64/0xe0
btrfs_commit_transaction+0xbf7/0xda0 [btrfs]
btrfs_sync_file+0x342/0x4d0 [btrfs]
__x64_sys_fdatasync+0x4b/0x80
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Task kworker in wait_current_trans waiting for transaction commit:
Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]
__schedule+0x2e7/0x8a0
schedule+0x64/0xe0
wait_current_trans+0xb0/0x110 [btrfs]
start_transaction+0x346/0x5b0 [btrfs]
btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]
btrfs_work_helper+0xe8/0x350 [btrfs]
process_one_work+0x1d3/0x3c0
worker_thread+0x4d/0x3e0
kthread+0x12d/0x150
ret_from_fork+0x1f/0x30
Fix this by passing the transaction type to wait_current_trans() and
checking btrfs_blocked_trans_types[cur_trans->state] against the given
type before deciding to wait. This ensures that transaction types which
are allowed to join during certain blocked states will not unnecessarily
wait and cause deadlocks.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4a9d8bdee368de78ace8b36da4eb2186afea162d , < e563f59395981fcd69d130761290929806e728d6
(git)
Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < dc84036c173cff6a432d9ab926298850b1d2a659 (git) Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < d7b04b40ac8e6d814e35202a0e1568809b818295 (git) Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < 99da896614d17e8a84aeb2b2d464ac046cc8633d (git) Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < 8b0bb145d3bc264360f525c9717653be3522e528 (git) Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < 9ac63333d600732a56b35ee1fa46836da671eb50 (git) Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < 5037b342825df7094a4906d1e2a9674baab50cb2 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71194",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:18:56.240141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:19:10.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e563f59395981fcd69d130761290929806e728d6",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "dc84036c173cff6a432d9ab926298850b1d2a659",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "d7b04b40ac8e6d814e35202a0e1568809b818295",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "99da896614d17e8a84aeb2b2d464ac046cc8633d",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "8b0bb145d3bc264360f525c9717653be3522e528",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "9ac63333d600732a56b35ee1fa46836da671eb50",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "5037b342825df7094a4906d1e2a9674baab50cb2",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock in wait_current_trans() due to ignored transaction type\n\nWhen wait_current_trans() is called during start_transaction(), it\ncurrently waits for a blocked transaction without considering whether\nthe given transaction type actually needs to wait for that particular\ntransaction state. The btrfs_blocked_trans_types[] array already defines\nwhich transaction types should wait for which transaction states, but\nthis check was missing in wait_current_trans().\n\nThis can lead to a deadlock scenario involving two transactions and\npending ordered extents:\n\n 1. Transaction A is in TRANS_STATE_COMMIT_DOING state\n\n 2. A worker processing an ordered extent calls start_transaction()\n with TRANS_JOIN\n\n 3. join_transaction() returns -EBUSY because Transaction A is in\n TRANS_STATE_COMMIT_DOING\n\n 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes\n\n 5. A new Transaction B is created (TRANS_STATE_RUNNING)\n\n 6. The ordered extent from step 2 is added to Transaction B\u0027s\n pending ordered extents\n\n 7. Transaction B immediately starts commit by another task and\n enters TRANS_STATE_COMMIT_START\n\n 8. The worker finally reaches wait_current_trans(), sees Transaction B\n in TRANS_STATE_COMMIT_START (a blocked state), and waits\n unconditionally\n\n 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START\n according to btrfs_blocked_trans_types[]\n\n 10. Transaction B is waiting for pending ordered extents to complete\n\n 11. Deadlock: Transaction B waits for ordered extent, ordered extent\n waits for Transaction B\n\nThis can be illustrated by the following call stacks:\n CPU0 CPU1\n btrfs_finish_ordered_io()\n start_transaction(TRANS_JOIN)\n join_transaction()\n # -EBUSY (Transaction A is\n # TRANS_STATE_COMMIT_DOING)\n # Transaction A completes\n # Transaction B created\n # ordered extent added to\n # Transaction B\u0027s pending list\n btrfs_commit_transaction()\n # Transaction B enters\n # TRANS_STATE_COMMIT_START\n # waiting for pending ordered\n # extents\n wait_current_trans()\n # waits for Transaction B\n # (should not wait!)\n\nTask bstore_kv_sync in btrfs_commit_transaction waiting for ordered\nextents:\n\n __schedule+0x2e7/0x8a0\n schedule+0x64/0xe0\n btrfs_commit_transaction+0xbf7/0xda0 [btrfs]\n btrfs_sync_file+0x342/0x4d0 [btrfs]\n __x64_sys_fdatasync+0x4b/0x80\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nTask kworker in wait_current_trans waiting for transaction commit:\n\n Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]\n __schedule+0x2e7/0x8a0\n schedule+0x64/0xe0\n wait_current_trans+0xb0/0x110 [btrfs]\n start_transaction+0x346/0x5b0 [btrfs]\n btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]\n btrfs_work_helper+0xe8/0x350 [btrfs]\n process_one_work+0x1d3/0x3c0\n worker_thread+0x4d/0x3e0\n kthread+0x12d/0x150\n ret_from_fork+0x1f/0x30\n\nFix this by passing the transaction type to wait_current_trans() and\nchecking btrfs_blocked_trans_types[cur_trans-\u003estate] against the given\ntype before deciding to wait. This ensures that transaction types which\nare allowed to join during certain blocked states will not unnecessarily\nwait and cause deadlocks."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:28.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6"
},
{
"url": "https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659"
},
{
"url": "https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295"
},
{
"url": "https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d"
},
{
"url": "https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528"
},
{
"url": "https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50"
},
{
"url": "https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2"
}
],
"title": "btrfs: fix deadlock in wait_current_trans() due to ignored transaction type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71194",
"datePublished": "2026-02-04T16:04:15.389Z",
"dateReserved": "2026-01-31T11:36:51.190Z",
"dateUpdated": "2026-06-16T16:19:10.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68755 (GCVE-0-2025-68755)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
staging: most: remove broken i2c driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: most: remove broken i2c driver
The MOST I2C driver has been completely broken for five years without
anyone noticing so remove the driver from staging.
Specifically, commit 723de0f9171e ("staging: most: remove device from
interface structure") started requiring drivers to set the interface
device pointer before registration, but the I2C driver was never updated
which results in a NULL pointer dereference if anyone ever tries to
probe it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 6cbba922934805f86eece6ba7010b7201962695d
(git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 6059a66dba7f26b21852831432e17075f1a1c783 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < e463548fd80e779efea1cb2d3049b8a7231e6925 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 495df2da6944477d282d5cc0c13174d06e25b310 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/most/Kconfig",
"drivers/staging/most/Makefile",
"drivers/staging/most/i2c/Kconfig",
"drivers/staging/most/i2c/Makefile",
"drivers/staging/most/i2c/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cbba922934805f86eece6ba7010b7201962695d",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "6059a66dba7f26b21852831432e17075f1a1c783",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "e463548fd80e779efea1cb2d3049b8a7231e6925",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "495df2da6944477d282d5cc0c13174d06e25b310",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/most/Kconfig",
"drivers/staging/most/Makefile",
"drivers/staging/most/i2c/Kconfig",
"drivers/staging/most/i2c/Makefile",
"drivers/staging/most/i2c/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: most: remove broken i2c driver\n\nThe MOST I2C driver has been completely broken for five years without\nanyone noticing so remove the driver from staging.\n\nSpecifically, commit 723de0f9171e (\"staging: most: remove device from\ninterface structure\") started requiring drivers to set the interface\ndevice pointer before registration, but the I2C driver was never updated\nwhich results in a NULL pointer dereference if anyone ever tries to\nprobe it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:43.455Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cbba922934805f86eece6ba7010b7201962695d"
},
{
"url": "https://git.kernel.org/stable/c/6059a66dba7f26b21852831432e17075f1a1c783"
},
{
"url": "https://git.kernel.org/stable/c/e463548fd80e779efea1cb2d3049b8a7231e6925"
},
{
"url": "https://git.kernel.org/stable/c/495df2da6944477d282d5cc0c13174d06e25b310"
}
],
"title": "staging: most: remove broken i2c driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68755",
"datePublished": "2026-01-05T09:32:29.149Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-05-11T21:52:43.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23065 (GCVE-0-2026-23065)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
platform/x86/amd: Fix memory leak in wbrf_record()
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd: Fix memory leak in wbrf_record()
The tmp buffer is allocated using kcalloc() but is not freed if
acpi_evaluate_dsm() fails. This causes a memory leak in the error path.
Fix this by explicitly freeing the tmp buffer in the error handling
path of acpi_evaluate_dsm().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
58e82a62669da52e688f4a8b89922c1839bf1001 , < 1152dffe01af86e42ce2b208b92ef7f8c275d130
(git)
Affected: 58e82a62669da52e688f4a8b89922c1839bf1001 , < 1a0072bd1f1e559eda3e91a24dbc51c9eb025c54 (git) Affected: 58e82a62669da52e688f4a8b89922c1839bf1001 , < 2bf1877b7094c684e1d652cac6912cfbc507ad3e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/wbrf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1152dffe01af86e42ce2b208b92ef7f8c275d130",
"status": "affected",
"version": "58e82a62669da52e688f4a8b89922c1839bf1001",
"versionType": "git"
},
{
"lessThan": "1a0072bd1f1e559eda3e91a24dbc51c9eb025c54",
"status": "affected",
"version": "58e82a62669da52e688f4a8b89922c1839bf1001",
"versionType": "git"
},
{
"lessThan": "2bf1877b7094c684e1d652cac6912cfbc507ad3e",
"status": "affected",
"version": "58e82a62669da52e688f4a8b89922c1839bf1001",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/wbrf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: Fix memory leak in wbrf_record()\n\nThe tmp buffer is allocated using kcalloc() but is not freed if\nacpi_evaluate_dsm() fails. This causes a memory leak in the error path.\n\nFix this by explicitly freeing the tmp buffer in the error handling\npath of acpi_evaluate_dsm()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:19.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1152dffe01af86e42ce2b208b92ef7f8c275d130"
},
{
"url": "https://git.kernel.org/stable/c/1a0072bd1f1e559eda3e91a24dbc51c9eb025c54"
},
{
"url": "https://git.kernel.org/stable/c/2bf1877b7094c684e1d652cac6912cfbc507ad3e"
}
],
"title": "platform/x86/amd: Fix memory leak in wbrf_record()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23065",
"datePublished": "2026-02-04T16:07:47.077Z",
"dateReserved": "2026-01-13T15:37:45.953Z",
"dateUpdated": "2026-05-11T21:59:19.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23156 (GCVE-0-2026-23156)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
efivarfs: fix error propagation in efivar_entry_get()
Summary
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: fix error propagation in efivar_entry_get()
efivar_entry_get() always returns success even if the underlying
__efivar_entry_get() fails, masking errors.
This may result in uninitialized heap memory being copied to userspace
in the efivarfs_file_read() path.
Fix it by returning the error from __efivar_entry_get().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2d82e6227ea189c0589e7383a36616ac2a2d248c , < 3960f1754664661a970dc9ebbab44ff93a0b4c42
(git)
Affected: 2d82e6227ea189c0589e7383a36616ac2a2d248c , < 510a16f1c5c1690b33504052bc13fbc2772c23f8 (git) Affected: 2d82e6227ea189c0589e7383a36616ac2a2d248c , < 89b8ca709eeeabcc11ebba64806677873a2787a8 (git) Affected: 2d82e6227ea189c0589e7383a36616ac2a2d248c , < e4e15a0a4403c96d9898d8398f0640421df9cb16 (git) Affected: 2d82e6227ea189c0589e7383a36616ac2a2d248c , < 4b22ec1685ce1fc0d862dcda3225d852fb107995 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/vars.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3960f1754664661a970dc9ebbab44ff93a0b4c42",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
},
{
"lessThan": "510a16f1c5c1690b33504052bc13fbc2772c23f8",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
},
{
"lessThan": "89b8ca709eeeabcc11ebba64806677873a2787a8",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
},
{
"lessThan": "e4e15a0a4403c96d9898d8398f0640421df9cb16",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
},
{
"lessThan": "4b22ec1685ce1fc0d862dcda3225d852fb107995",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/vars.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: fix error propagation in efivar_entry_get()\n\nefivar_entry_get() always returns success even if the underlying\n__efivar_entry_get() fails, masking errors.\n\nThis may result in uninitialized heap memory being copied to userspace\nin the efivarfs_file_read() path.\n\nFix it by returning the error from __efivar_entry_get()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:17.796Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3960f1754664661a970dc9ebbab44ff93a0b4c42"
},
{
"url": "https://git.kernel.org/stable/c/510a16f1c5c1690b33504052bc13fbc2772c23f8"
},
{
"url": "https://git.kernel.org/stable/c/89b8ca709eeeabcc11ebba64806677873a2787a8"
},
{
"url": "https://git.kernel.org/stable/c/e4e15a0a4403c96d9898d8398f0640421df9cb16"
},
{
"url": "https://git.kernel.org/stable/c/4b22ec1685ce1fc0d862dcda3225d852fb107995"
}
],
"title": "efivarfs: fix error propagation in efivar_entry_get()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23156",
"datePublished": "2026-02-14T16:01:23.215Z",
"dateReserved": "2026-01-13T15:37:45.978Z",
"dateUpdated": "2026-05-11T22:01:17.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68799 (GCVE-0-2025-68799)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
caif: fix integer underflow in cffrml_receive()
Summary
In the Linux kernel, the following vulnerability has been resolved:
caif: fix integer underflow in cffrml_receive()
The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.
If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.
This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.
Fix this by validating that len >= 2 before performing the subtraction.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691
(git)
Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < c54091eec6fed19e94182aa05dd6846600a642f7 (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 785c7be6361630070790f6235b696da156ac71b3 (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < f818cd472565f8b0c2c409b040e0121c5cf8592c (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3 (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 21fdcc00656a60af3c7aae2dea8dd96abd35519c (git) Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 8a11ff0948b5ad09b71896b7ccc850625f9878d1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/caif/cffrml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "c54091eec6fed19e94182aa05dd6846600a642f7",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "785c7be6361630070790f6235b696da156ac71b3",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "f818cd472565f8b0c2c409b040e0121c5cf8592c",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "21fdcc00656a60af3c7aae2dea8dd96abd35519c",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "8a11ff0948b5ad09b71896b7ccc850625f9878d1",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/caif/cffrml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif: fix integer underflow in cffrml_receive()\n\nThe cffrml_receive() function extracts a length field from the packet\nheader and, when FCS is disabled, subtracts 2 from this length without\nvalidating that len \u003e= 2.\n\nIf an attacker sends a malicious packet with a length field of 0 or 1\nto an interface with FCS disabled, the subtraction causes an integer\nunderflow.\n\nThis can lead to memory exhaustion and kernel instability, potential\ninformation disclosure if padding contains uninitialized kernel memory.\n\nFix this by validating that len \u003e= 2 before performing the subtraction."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:33.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691"
},
{
"url": "https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7"
},
{
"url": "https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3"
},
{
"url": "https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c"
},
{
"url": "https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3"
},
{
"url": "https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c"
},
{
"url": "https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1"
}
],
"title": "caif: fix integer underflow in cffrml_receive()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68799",
"datePublished": "2026-01-13T15:29:09.012Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-05-11T21:53:33.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71138 (GCVE-0-2025-71138)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-05-11 21:55
VLAI?
EPSS
Title
drm/msm/dpu: Add missing NULL pointer check for pingpong interface
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Add missing NULL pointer check for pingpong interface
It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a
single place the check is missing.
Also use convenient locals instead of phys_enc->* where available.
Patchwork: https://patchwork.freedesktop.org/patch/693860/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d7d0e73f7de33a2b9998b607707a3e944ef3b86d , < 678d1c86566dfbb247ba25482d37fddde6140cc9
(git)
Affected: d7d0e73f7de33a2b9998b607707a3e944ef3b86d , < 471baae774a30a04cf066907b60eaf3732928cb7 (git) Affected: d7d0e73f7de33a2b9998b607707a3e944ef3b86d , < 35ea3282136a630a3fd92b76f5a3a02651145ef1 (git) Affected: d7d0e73f7de33a2b9998b607707a3e944ef3b86d , < 88733a0b64872357e5ecd82b7488121503cb9cc6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "678d1c86566dfbb247ba25482d37fddde6140cc9",
"status": "affected",
"version": "d7d0e73f7de33a2b9998b607707a3e944ef3b86d",
"versionType": "git"
},
{
"lessThan": "471baae774a30a04cf066907b60eaf3732928cb7",
"status": "affected",
"version": "d7d0e73f7de33a2b9998b607707a3e944ef3b86d",
"versionType": "git"
},
{
"lessThan": "35ea3282136a630a3fd92b76f5a3a02651145ef1",
"status": "affected",
"version": "d7d0e73f7de33a2b9998b607707a3e944ef3b86d",
"versionType": "git"
},
{
"lessThan": "88733a0b64872357e5ecd82b7488121503cb9cc6",
"status": "affected",
"version": "d7d0e73f7de33a2b9998b607707a3e944ef3b86d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add missing NULL pointer check for pingpong interface\n\nIt is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a\nsingle place the check is missing.\nAlso use convenient locals instead of phys_enc-\u003e* where available.\n\nPatchwork: https://patchwork.freedesktop.org/patch/693860/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:42.803Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/678d1c86566dfbb247ba25482d37fddde6140cc9"
},
{
"url": "https://git.kernel.org/stable/c/471baae774a30a04cf066907b60eaf3732928cb7"
},
{
"url": "https://git.kernel.org/stable/c/35ea3282136a630a3fd92b76f5a3a02651145ef1"
},
{
"url": "https://git.kernel.org/stable/c/88733a0b64872357e5ecd82b7488121503cb9cc6"
}
],
"title": "drm/msm/dpu: Add missing NULL pointer check for pingpong interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71138",
"datePublished": "2026-01-14T15:07:51.943Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-05-11T21:55:42.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68780 (GCVE-0-2025-68780)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
sched/deadline: only set free_cpus for online runqueues
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/deadline: only set free_cpus for online runqueues
Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus
to reflect rd->online") introduced the cpudl_set/clear_freecpu
functions to allow the cpu_dl::free_cpus mask to be manipulated
by the deadline scheduler class rq_on/offline callbacks so the
mask would also reflect this state.
Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask
from cpudl_find()") removed the check of the cpu_active_mask to
save some processing on the premise that the cpudl::free_cpus
mask already reflected the runqueue online state.
Unfortunately, there are cases where it is possible for the
cpudl_clear function to set the free_cpus bit for a CPU when the
deadline runqueue is offline. When this occurs while a CPU is
connected to the default root domain the flag may retain the bad
state after the CPU has been unplugged. Later, a different CPU
that is transitioning through the default root domain may push a
deadline task to the powered down CPU when cpudl_find sees its
free_cpus bit is set. If this happens the task will not have the
opportunity to run.
One example is outlined here:
https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com
Another occurs when the last deadline task is migrated from a
CPU that has an offlined runqueue. The dequeue_task member of
the deadline scheduler class will eventually call cpudl_clear
and set the free_cpus bit for the CPU.
This commit modifies the cpudl_clear function to be aware of the
online state of the deadline runqueue so that the free_cpus mask
can be updated appropriately.
It is no longer necessary to manage the mask outside of the
cpudl_set/clear functions so the cpudl_set/clear_freecpu
functions are removed. In addition, since the free_cpus mask is
now only updated under the cpudl lock the code was changed to
use the non-atomic __cpumask functions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9659e1eeee28f7025b6545934d644d19e9c6e603 , < 9019e399684e3cc68c4a3f050e268f74d69c1317
(git)
Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < fb36846cbcc936954f2ad2bffdff13d16c0be08a (git) Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 91e448e69aca4bb0ba2e998eb3e555644db7322b (git) Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < dbc61834b0412435df21c71410562d933e4eba49 (git) Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8 (git) Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 382748c05e58a9f1935f5a653c352422375566ea (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/cpudeadline.c",
"kernel/sched/cpudeadline.h",
"kernel/sched/deadline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9019e399684e3cc68c4a3f050e268f74d69c1317",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "fb36846cbcc936954f2ad2bffdff13d16c0be08a",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "91e448e69aca4bb0ba2e998eb3e555644db7322b",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "dbc61834b0412435df21c71410562d933e4eba49",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "382748c05e58a9f1935f5a653c352422375566ea",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/cpudeadline.c",
"kernel/sched/cpudeadline.h",
"kernel/sched/deadline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: only set free_cpus for online runqueues\n\nCommit 16b269436b72 (\"sched/deadline: Modify cpudl::free_cpus\nto reflect rd-\u003eonline\") introduced the cpudl_set/clear_freecpu\nfunctions to allow the cpu_dl::free_cpus mask to be manipulated\nby the deadline scheduler class rq_on/offline callbacks so the\nmask would also reflect this state.\n\nCommit 9659e1eeee28 (\"sched/deadline: Remove cpu_active_mask\nfrom cpudl_find()\") removed the check of the cpu_active_mask to\nsave some processing on the premise that the cpudl::free_cpus\nmask already reflected the runqueue online state.\n\nUnfortunately, there are cases where it is possible for the\ncpudl_clear function to set the free_cpus bit for a CPU when the\ndeadline runqueue is offline. When this occurs while a CPU is\nconnected to the default root domain the flag may retain the bad\nstate after the CPU has been unplugged. Later, a different CPU\nthat is transitioning through the default root domain may push a\ndeadline task to the powered down CPU when cpudl_find sees its\nfree_cpus bit is set. If this happens the task will not have the\nopportunity to run.\n\nOne example is outlined here:\nhttps://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com\n\nAnother occurs when the last deadline task is migrated from a\nCPU that has an offlined runqueue. The dequeue_task member of\nthe deadline scheduler class will eventually call cpudl_clear\nand set the free_cpus bit for the CPU.\n\nThis commit modifies the cpudl_clear function to be aware of the\nonline state of the deadline runqueue so that the free_cpus mask\ncan be updated appropriately.\n\nIt is no longer necessary to manage the mask outside of the\ncpudl_set/clear functions so the cpudl_set/clear_freecpu\nfunctions are removed. In addition, since the free_cpus mask is\nnow only updated under the cpudl lock the code was changed to\nuse the non-atomic __cpumask functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:12.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317"
},
{
"url": "https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a"
},
{
"url": "https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b"
},
{
"url": "https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49"
},
{
"url": "https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8"
},
{
"url": "https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea"
}
],
"title": "sched/deadline: only set free_cpus for online runqueues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68780",
"datePublished": "2026-01-13T15:28:55.483Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-05-11T21:53:12.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23090 (GCVE-0-2026-23090)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
slimbus: core: fix device reference leak on report present
Summary
In the Linux kernel, the following vulnerability has been resolved:
slimbus: core: fix device reference leak on report present
Slimbus devices can be allocated dynamically upon reception of
report-present messages.
Make sure to drop the reference taken when looking up already registered
devices.
Note that this requires taking an extra reference in case the device has
not yet been registered and has to be allocated.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < b1217e40705b2f6d311c197b12866752656217ff
(git)
Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 948615429c9f2ac9d25d4e1f1a4472926b217a9a (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 02b78bbfbafe49832e508079148cb87cdfa55825 (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6 (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9 (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 6602bb4d1338e92b5838e50322b87697bdbd2ee0 (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 9391380eb91ea5ac792aae9273535c8da5b9aa01 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1217e40705b2f6d311c197b12866752656217ff",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "948615429c9f2ac9d25d4e1f1a4472926b217a9a",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "02b78bbfbafe49832e508079148cb87cdfa55825",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "6602bb4d1338e92b5838e50322b87697bdbd2ee0",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "9391380eb91ea5ac792aae9273535c8da5b9aa01",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: core: fix device reference leak on report present\n\nSlimbus devices can be allocated dynamically upon reception of\nreport-present messages.\n\nMake sure to drop the reference taken when looking up already registered\ndevices.\n\nNote that this requires taking an extra reference in case the device has\nnot yet been registered and has to be allocated."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:48.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1217e40705b2f6d311c197b12866752656217ff"
},
{
"url": "https://git.kernel.org/stable/c/948615429c9f2ac9d25d4e1f1a4472926b217a9a"
},
{
"url": "https://git.kernel.org/stable/c/02b78bbfbafe49832e508079148cb87cdfa55825"
},
{
"url": "https://git.kernel.org/stable/c/2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6"
},
{
"url": "https://git.kernel.org/stable/c/54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9"
},
{
"url": "https://git.kernel.org/stable/c/6602bb4d1338e92b5838e50322b87697bdbd2ee0"
},
{
"url": "https://git.kernel.org/stable/c/9391380eb91ea5ac792aae9273535c8da5b9aa01"
}
],
"title": "slimbus: core: fix device reference leak on report present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23090",
"datePublished": "2026-02-04T16:08:13.438Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-05-11T21:59:48.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23112 (GCVE-0-2026-23112)
Vulnerability from cvelistv5 – Published: 2026-02-13 13:29 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU
length or offset exceeds sg_cnt and then use bogus sg->length/offset
values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining
entries, and sg->length/offset before building the bvec.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 0b9981751be14b59b4473383c731c833738aebdb
(git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 42afe8ed8ad2de9c19457156244ef3e1eca94b5d (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 1385be357e8acd09b36e026567f3a9d5c61139de (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < dca1a6ba0da9f472ef040525fab10fd9956db59f (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 19672ae68d52ff75347ebe2420dde1b07adca09f (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < ab200d71553bdcf4de554a5985b05b2dd606bc57 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 52a0a98549344ca20ad81a4176d68d28e3c05a5c (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:59.106Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b9981751be14b59b4473383c731c833738aebdb",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "42afe8ed8ad2de9c19457156244ef3e1eca94b5d",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "1385be357e8acd09b36e026567f3a9d5c61139de",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "dca1a6ba0da9f472ef040525fab10fd9956db59f",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "19672ae68d52ff75347ebe2420dde1b07adca09f",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "ab200d71553bdcf4de554a5985b05b2dd606bc57",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "52a0a98549344ca20ad81a4176d68d28e3c05a5c",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd-\u003ereq.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg-\u003elength/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg-\u003elength/offset before building the bvec."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:21.299Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b9981751be14b59b4473383c731c833738aebdb"
},
{
"url": "https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d"
},
{
"url": "https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de"
},
{
"url": "https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f"
},
{
"url": "https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f"
},
{
"url": "https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57"
},
{
"url": "https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c"
}
],
"title": "nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23112",
"datePublished": "2026-02-13T13:29:56.724Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-06-02T13:00:59.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31533 (GCVE-0-2026-31533)
Vulnerability from cvelistv5 – Published: 2026-04-23 15:11 – Updated: 2026-05-23 16:05
VLAI?
EPSS
Title
net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
The -EBUSY handling in tls_do_encryption(), introduced by commit
859054147318 ("net: tls: handle backlogging of crypto requests"), has
a use-after-free due to double cleanup of encrypt_pending and the
scatterlist entry.
When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
the cryptd backlog and the async callback tls_encrypt_done() will be
invoked upon completion. That callback unconditionally restores the
scatterlist entry (sge->offset, sge->length) and decrements
ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
error, the synchronous error path in tls_do_encryption() performs the
same cleanup again, double-decrementing encrypt_pending and
double-restoring the scatterlist.
The double-decrement corrupts the encrypt_pending sentinel (initialized
to 1), making tls_encrypt_async_wait() permanently skip the wait for
pending async callbacks. A subsequent sendmsg can then free the
tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
pending, resulting in a use-after-free when the callback fires on the
freed record.
Fix this by skipping the synchronous cleanup when the -EBUSY async
wait returns an error, since the callback has already handled
encrypt_pending and sge restoration.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3ade391adc584f17b5570fd205de3ad029090368 , < 414fc5e5a5aff776c150f1b86770e0a25a35df3a
(git)
Affected: cd1bbca03f3c1d845ce274c0d0a66de8e5929f72 , < 02f3ecadb23558bbe068e6504118f1b712d4ece0 (git) Affected: 13eca403876bbea3716e82cdfe6f1e6febb38754 , < 0e43e0a3c94044acc74b8e0927c27972eb5a59e8 (git) Affected: 8590541473188741055d27b955db0777569438e3 , < aa9facde6c5005205874c37db3fd25799d741baf (git) Affected: 8590541473188741055d27b955db0777569438e3 , < 5d70eb25b41e9b010828cd12818b06a0c3b04412 (git) Affected: 8590541473188741055d27b955db0777569438e3 , < 2694d408b0e595024e0fc1d64ff9db0358580f74 (git) Affected: 8590541473188741055d27b955db0777569438e3 , < a9b8b18364fffce4c451e6f6fd218fa4ab646705 (git) Affected: ab6397f072e5097f267abf5cb08a8004e6b17694 (git) Affected: 5.15.160 , < 5.15.203 (semver) Affected: 6.1.84 , < 6.1.169 (semver) Affected: 6.6.18 , < 6.6.135 (semver) Affected: 6.7.6 , < 6.8 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "414fc5e5a5aff776c150f1b86770e0a25a35df3a",
"status": "affected",
"version": "3ade391adc584f17b5570fd205de3ad029090368",
"versionType": "git"
},
{
"lessThan": "02f3ecadb23558bbe068e6504118f1b712d4ece0",
"status": "affected",
"version": "cd1bbca03f3c1d845ce274c0d0a66de8e5929f72",
"versionType": "git"
},
{
"lessThan": "0e43e0a3c94044acc74b8e0927c27972eb5a59e8",
"status": "affected",
"version": "13eca403876bbea3716e82cdfe6f1e6febb38754",
"versionType": "git"
},
{
"lessThan": "aa9facde6c5005205874c37db3fd25799d741baf",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "5d70eb25b41e9b010828cd12818b06a0c3b04412",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "2694d408b0e595024e0fc1d64ff9db0358580f74",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "a9b8b18364fffce4c451e6f6fd218fa4ab646705",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"status": "affected",
"version": "ab6397f072e5097f267abf5cb08a8004e6b17694",
"versionType": "git"
},
{
"lessThan": "5.15.203",
"status": "affected",
"version": "5.15.160",
"versionType": "semver"
},
{
"lessThan": "6.1.169",
"status": "affected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThan": "6.6.135",
"status": "affected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThan": "6.8",
"status": "affected",
"version": "6.7.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "6.1.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge-\u003eoffset, sge-\u003elength) and decrements\nctx-\u003eencrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:05:17.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a"
},
{
"url": "https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0"
},
{
"url": "https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8"
},
{
"url": "https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf"
},
{
"url": "https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412"
},
{
"url": "https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74"
},
{
"url": "https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705"
}
],
"title": "net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31533",
"datePublished": "2026-04-23T15:11:06.955Z",
"dateReserved": "2026-03-09T15:48:24.113Z",
"dateUpdated": "2026-05-23T16:05:17.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68821 (GCVE-0-2025-68821)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
fuse: fix readahead reclaim deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix readahead reclaim deadlock
Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is
needed") skips allocating ff->release_args if the server does not
implement open. However in doing so, fuse_prepare_release() now skips
grabbing the reference on the inode, which makes it possible for an
inode to be evicted from the dcache while there are inflight readahead
requests. This causes a deadlock if the server triggers reclaim while
servicing the readahead request and reclaim attempts to evict the inode
of the file being read ahead. Since the folio is locked during
readahead, when reclaim evicts the fuse inode and fuse_evict_inode()
attempts to remove all folios associated with the inode from the page
cache (truncate_inode_pages_range()), reclaim will block forever waiting
for the lock since readahead cannot relinquish the lock because it is
itself blocked in reclaim:
>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
dentry_unlink_inode (fs/dcache.c:412:3)
__dentry_kill (fs/dcache.c:615:3)
shrink_kill (fs/dcache.c:1060:12)
shrink_dentry_list (fs/dcache.c:1087:3)
prune_dcache_sb (fs/dcache.c:1168:2)
super_cache_scan (fs/super.c:221:10)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
shrink_node (mm/vmscan.c:5951:2)
shrink_zones (mm/vmscan.c:6195:3)
do_try_to_free_pages (mm/vmscan.c:6257:3)
do_swap_page (mm/memory.c:4136:11)
handle_pte_fault (mm/memory.c:5562:10)
handle_mm_fault (mm/memory.c:5870:9)
do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
handle_page_fault (arch/x86/mm/fault.c:1481:3)
exc_page_fault (arch/x86/mm/fault.c:1539:2)
asm_exc_page_fault+0x22/0x27
Fix this deadlock by allocating ff->release_args and grabbing the
reference on the inode when preparing the file for release even if the
server does not implement open. The inode reference will be dropped when
the last reference on the fuse file is dropped (see fuse_file_put() ->
fuse_release_end()).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a39f70d63f4373a598820d9491719e44cd60afe9 , < cbbf3f1bb9f834bb2acbb61ddca74363456e19cd
(git)
Affected: 7d38aa079ed859b73f4460aab89c7619b04963b8 , < 4703bc0e8cd3409acb1476a70cb5b7ff943cf39a (git) Affected: c7ec75f3cbf73bd46f479f7d6942585f765715da , < cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f (git) Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6 (git) Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < e0d6de83a4cc22bbac72713f3a58121af36cc411 (git) Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 (git) Affected: 5.15.196 , < 5.15.198 (semver) Affected: 6.1.158 , < 6.1.160 (semver) Affected: 6.6.115 , < 6.6.120 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cbbf3f1bb9f834bb2acbb61ddca74363456e19cd",
"status": "affected",
"version": "a39f70d63f4373a598820d9491719e44cd60afe9",
"versionType": "git"
},
{
"lessThan": "4703bc0e8cd3409acb1476a70cb5b7ff943cf39a",
"status": "affected",
"version": "7d38aa079ed859b73f4460aab89c7619b04963b8",
"versionType": "git"
},
{
"lessThan": "cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f",
"status": "affected",
"version": "c7ec75f3cbf73bd46f479f7d6942585f765715da",
"versionType": "git"
},
{
"lessThan": "fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "e0d6de83a4cc22bbac72713f3a58121af36cc411",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.115",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix readahead reclaim deadlock\n\nCommit e26ee4efbc79 (\"fuse: allocate ff-\u003erelease_args only if release is\nneeded\") skips allocating ff-\u003erelease_args if the server does not\nimplement open. However in doing so, fuse_prepare_release() now skips\ngrabbing the reference on the inode, which makes it possible for an\ninode to be evicted from the dcache while there are inflight readahead\nrequests. This causes a deadlock if the server triggers reclaim while\nservicing the readahead request and reclaim attempts to evict the inode\nof the file being read ahead. Since the folio is locked during\nreadahead, when reclaim evicts the fuse inode and fuse_evict_inode()\nattempts to remove all folios associated with the inode from the page\ncache (truncate_inode_pages_range()), reclaim will block forever waiting\nfor the lock since readahead cannot relinquish the lock because it is\nitself blocked in reclaim:\n\n\u003e\u003e\u003e stack_trace(1504735)\n folio_wait_bit_common (mm/filemap.c:1308:4)\n folio_lock (./include/linux/pagemap.h:1052:3)\n truncate_inode_pages_range (mm/truncate.c:336:10)\n fuse_evict_inode (fs/fuse/inode.c:161:2)\n evict (fs/inode.c:704:3)\n dentry_unlink_inode (fs/dcache.c:412:3)\n __dentry_kill (fs/dcache.c:615:3)\n shrink_kill (fs/dcache.c:1060:12)\n shrink_dentry_list (fs/dcache.c:1087:3)\n prune_dcache_sb (fs/dcache.c:1168:2)\n super_cache_scan (fs/super.c:221:10)\n do_shrink_slab (mm/shrinker.c:435:9)\n shrink_slab (mm/shrinker.c:626:10)\n shrink_node (mm/vmscan.c:5951:2)\n shrink_zones (mm/vmscan.c:6195:3)\n do_try_to_free_pages (mm/vmscan.c:6257:3)\n do_swap_page (mm/memory.c:4136:11)\n handle_pte_fault (mm/memory.c:5562:10)\n handle_mm_fault (mm/memory.c:5870:9)\n do_user_addr_fault (arch/x86/mm/fault.c:1338:10)\n handle_page_fault (arch/x86/mm/fault.c:1481:3)\n exc_page_fault (arch/x86/mm/fault.c:1539:2)\n asm_exc_page_fault+0x22/0x27\n\nFix this deadlock by allocating ff-\u003erelease_args and grabbing the\nreference on the inode when preparing the file for release even if the\nserver does not implement open. The inode reference will be dropped when\nthe last reference on the fuse file is dropped (see fuse_file_put() -\u003e\nfuse_release_end())."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:00.860Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd"
},
{
"url": "https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a"
},
{
"url": "https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f"
},
{
"url": "https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6"
},
{
"url": "https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411"
},
{
"url": "https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50"
}
],
"title": "fuse: fix readahead reclaim deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68821",
"datePublished": "2026-01-13T15:29:24.014Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-05-23T16:03:00.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23160 (GCVE-0-2026-23160)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
octeon_ep: Fix memory leak in octep_device_setup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeon_ep: Fix memory leak in octep_device_setup()
In octep_device_setup(), if octep_ctrl_net_init() fails, the function
returns directly without unmapping the mapped resources and freeing the
allocated configuration memory.
Fix this by jumping to the unsupported_dev label, which performs the
necessary cleanup. This aligns with the error handling logic of other
paths in this function.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
577f0d1b1c5f3282fa2011177b0af692a7c21aee , < 5058d3f8f17202e673f90af1446252322bd0850f
(git)
Affected: 577f0d1b1c5f3282fa2011177b0af692a7c21aee , < fdfd28e13c244d7c3345e74f339fd1b67605b694 (git) Affected: 577f0d1b1c5f3282fa2011177b0af692a7c21aee , < d753f3c3f9d7a6e6dbb4d3a97b73007d71624551 (git) Affected: 577f0d1b1c5f3282fa2011177b0af692a7c21aee , < 8016dc5ee19a77678c264f8ba368b1e873fa705b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5058d3f8f17202e673f90af1446252322bd0850f",
"status": "affected",
"version": "577f0d1b1c5f3282fa2011177b0af692a7c21aee",
"versionType": "git"
},
{
"lessThan": "fdfd28e13c244d7c3345e74f339fd1b67605b694",
"status": "affected",
"version": "577f0d1b1c5f3282fa2011177b0af692a7c21aee",
"versionType": "git"
},
{
"lessThan": "d753f3c3f9d7a6e6dbb4d3a97b73007d71624551",
"status": "affected",
"version": "577f0d1b1c5f3282fa2011177b0af692a7c21aee",
"versionType": "git"
},
{
"lessThan": "8016dc5ee19a77678c264f8ba368b1e873fa705b",
"status": "affected",
"version": "577f0d1b1c5f3282fa2011177b0af692a7c21aee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: Fix memory leak in octep_device_setup()\n\nIn octep_device_setup(), if octep_ctrl_net_init() fails, the function\nreturns directly without unmapping the mapped resources and freeing the\nallocated configuration memory.\n\nFix this by jumping to the unsupported_dev label, which performs the\nnecessary cleanup. This aligns with the error handling logic of other\npaths in this function.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:22.444Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5058d3f8f17202e673f90af1446252322bd0850f"
},
{
"url": "https://git.kernel.org/stable/c/fdfd28e13c244d7c3345e74f339fd1b67605b694"
},
{
"url": "https://git.kernel.org/stable/c/d753f3c3f9d7a6e6dbb4d3a97b73007d71624551"
},
{
"url": "https://git.kernel.org/stable/c/8016dc5ee19a77678c264f8ba368b1e873fa705b"
}
],
"title": "octeon_ep: Fix memory leak in octep_device_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23160",
"datePublished": "2026-02-14T16:01:25.900Z",
"dateReserved": "2026-01-13T15:37:45.979Z",
"dateUpdated": "2026-05-11T22:01:22.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71109 (GCVE-0-2025-71109)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
Summary
In the Linux kernel, the following vulnerability has been resolved:
MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of
dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used,
and this macro can generate more than 2 instructions. At the same
time, the code in ftrace assumes that no more than 2 instructions can
be generated, which is why it stores them in an int[2] array. However,
as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA)
causes a buffer overflow when _mcount is beyond 32 bits. This leads to
corruption of the variables located in the __read_mostly section.
This corruption was observed because the variable
__cpu_primary_thread_mask was corrupted, causing a hang very early
during boot.
This fix prevents the corruption by avoiding the generation of
instructions if they could exceed 2 instructions in
length. Fortunately, insn_la_mcount is only used if the instrumented
code is located outside the kernel code section, so dynamic ftrace can
still be used, albeit in a more limited scope. This is still
preferable to corrupting memory and/or crashing the kernel.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e424054000878d7eb11e44289242886d6e219d22 , < e3e33ac2eb69d595079a1a1e444c2fb98efdd42d
(git)
Affected: e424054000878d7eb11e44289242886d6e219d22 , < 7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150 (git) Affected: e424054000878d7eb11e44289242886d6e219d22 , < 36dac9a3dda1f2bae343191bc16b910c603cac25 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/mips/kernel/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3e33ac2eb69d595079a1a1e444c2fb98efdd42d",
"status": "affected",
"version": "e424054000878d7eb11e44289242886d6e219d22",
"versionType": "git"
},
{
"lessThan": "7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150",
"status": "affected",
"version": "e424054000878d7eb11e44289242886d6e219d22",
"versionType": "git"
},
{
"lessThan": "36dac9a3dda1f2bae343191bc16b910c603cac25",
"status": "affected",
"version": "e424054000878d7eb11e44289242886d6e219d22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/mips/kernel/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits\n\nSince commit e424054000878 (\"MIPS: Tracing: Reduce the overhead of\ndynamic Function Tracer\"), the macro UASM_i_LA_mostly has been used,\nand this macro can generate more than 2 instructions. At the same\ntime, the code in ftrace assumes that no more than 2 instructions can\nbe generated, which is why it stores them in an int[2] array. However,\nas previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA)\ncauses a buffer overflow when _mcount is beyond 32 bits. This leads to\ncorruption of the variables located in the __read_mostly section.\n\nThis corruption was observed because the variable\n__cpu_primary_thread_mask was corrupted, causing a hang very early\nduring boot.\n\nThis fix prevents the corruption by avoiding the generation of\ninstructions if they could exceed 2 instructions in\nlength. Fortunately, insn_la_mcount is only used if the instrumented\ncode is located outside the kernel code section, so dynamic ftrace can\nstill be used, albeit in a more limited scope. This is still\npreferable to corrupting memory and/or crashing the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:59.597Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3e33ac2eb69d595079a1a1e444c2fb98efdd42d"
},
{
"url": "https://git.kernel.org/stable/c/7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150"
},
{
"url": "https://git.kernel.org/stable/c/36dac9a3dda1f2bae343191bc16b910c603cac25"
}
],
"title": "MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71109",
"datePublished": "2026-01-14T15:05:57.236Z",
"dateReserved": "2026-01-13T15:30:19.652Z",
"dateUpdated": "2026-05-11T21:54:59.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23133 (GCVE-0-2026-23133)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:14 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
wifi: ath10k: fix dma_free_coherent() pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < e2dda298ef809aa201ea7c0904c4d064f6c497cb
(git)
Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < fc8da65f9fe1bc6802f8240b342cfff4f5c7e841 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < b0ad924332a96550a84b8c0ae5483e7042d65fa9 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 1928851334ecfd6e0d663121ab69ac639d4217a6 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 5d6fa4d2c9799c09389588da5118a72d97d87e92 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 07f363f305793baecad41816f73056252f3df61e (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:17.367538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:10.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2dda298ef809aa201ea7c0904c4d064f6c497cb",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "fc8da65f9fe1bc6802f8240b342cfff4f5c7e841",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "b0ad924332a96550a84b8c0ae5483e7042d65fa9",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "1928851334ecfd6e0d663121ab69ac639d4217a6",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "5d6fa4d2c9799c09389588da5118a72d97d87e92",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "07f363f305793baecad41816f73056252f3df61e",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:46.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2dda298ef809aa201ea7c0904c4d064f6c497cb"
},
{
"url": "https://git.kernel.org/stable/c/fc8da65f9fe1bc6802f8240b342cfff4f5c7e841"
},
{
"url": "https://git.kernel.org/stable/c/b0ad924332a96550a84b8c0ae5483e7042d65fa9"
},
{
"url": "https://git.kernel.org/stable/c/1928851334ecfd6e0d663121ab69ac639d4217a6"
},
{
"url": "https://git.kernel.org/stable/c/5d6fa4d2c9799c09389588da5118a72d97d87e92"
},
{
"url": "https://git.kernel.org/stable/c/07f363f305793baecad41816f73056252f3df61e"
},
{
"url": "https://git.kernel.org/stable/c/9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f"
}
],
"title": "wifi: ath10k: fix dma_free_coherent() pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23133",
"datePublished": "2026-02-14T15:14:33.102Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-06-11T18:44:10.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23057 (GCVE-0-2026-23057)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
vsock/virtio: Coalesce only linear skb
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: Coalesce only linear skb
vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb
(with a spare tail room) is followed by a small skb (length limited by
GOOD_COPY_LEN = 128), an attempt is made to join them.
Since the introduction of MSG_ZEROCOPY support, assumption that a small skb
will always be linear is incorrect. In the zerocopy case, data is lost and
the linear skb is appended with uninitialized kernel memory.
Of all 3 supported virtio-based transports, only loopback-transport is
affected. G2H virtio-transport rx queue operates on explicitly linear skbs;
see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G
vhost-transport may allocate non-linear skbs, but only for sizes that are
not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in
virtio_vsock_alloc_skb().
Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0
guarantees last_skb is linear.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
581512a6dc939ef122e49336626ae159f3b8a345 , < 568e9cd8ed7ca9bf748c7687ba6501f29d30e59f
(git)
Affected: 581512a6dc939ef122e49336626ae159f3b8a345 , < 63ef9b300bd09e24c57050c5dbe68feedce42e72 (git) Affected: 581512a6dc939ef122e49336626ae159f3b8a345 , < 0386bd321d0f95d041a7b3d7b07643411b044a96 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "568e9cd8ed7ca9bf748c7687ba6501f29d30e59f",
"status": "affected",
"version": "581512a6dc939ef122e49336626ae159f3b8a345",
"versionType": "git"
},
{
"lessThan": "63ef9b300bd09e24c57050c5dbe68feedce42e72",
"status": "affected",
"version": "581512a6dc939ef122e49336626ae159f3b8a345",
"versionType": "git"
},
{
"lessThan": "0386bd321d0f95d041a7b3d7b07643411b044a96",
"status": "affected",
"version": "581512a6dc939ef122e49336626ae159f3b8a345",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Coalesce only linear skb\n\nvsock/virtio common tries to coalesce buffers in rx queue: if a linear skb\n(with a spare tail room) is followed by a small skb (length limited by\nGOOD_COPY_LEN = 128), an attempt is made to join them.\n\nSince the introduction of MSG_ZEROCOPY support, assumption that a small skb\nwill always be linear is incorrect. In the zerocopy case, data is lost and\nthe linear skb is appended with uninitialized kernel memory.\n\nOf all 3 supported virtio-based transports, only loopback-transport is\naffected. G2H virtio-transport rx queue operates on explicitly linear skbs;\nsee virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G\nvhost-transport may allocate non-linear skbs, but only for sizes that are\nnot considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in\nvirtio_vsock_alloc_skb().\n\nEnsure only linear skbs are coalesced. Note that skb_tailroom(last_skb) \u003e 0\nguarantees last_skb is linear."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:10.131Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f"
},
{
"url": "https://git.kernel.org/stable/c/63ef9b300bd09e24c57050c5dbe68feedce42e72"
},
{
"url": "https://git.kernel.org/stable/c/0386bd321d0f95d041a7b3d7b07643411b044a96"
}
],
"title": "vsock/virtio: Coalesce only linear skb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23057",
"datePublished": "2026-02-04T16:07:40.550Z",
"dateReserved": "2026-01-13T15:37:45.951Z",
"dateUpdated": "2026-05-11T21:59:10.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22996 (GCVE-0-2026-22996)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
mlx5e_priv is an unstable structure that can be memset(0) if profile
attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to
reference the netdev and mdev associated with that struct. Instead,
store netdev directly into mlx5e_dev and get mdev from the containing
mlx5_adev aux device structure.
This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
to change profile failure.
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
Error: mlx5_core: Failed setting eswitch to offloads.
dmesg:
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
$ devlink dev reload pci/0000:00:03.0 ==> oops
BUG: kernel NULL pointer dereference, address: 0000000000000520
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_remove+0x68/0x130
RSP: 0018:ffffc900034838f0 EFLAGS: 00010246
RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10
R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0
R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400
FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0
Call Trace:
<TASK>
device_release_driver_internal+0x19c/0x200
bus_remove_device+0xc6/0x130
device_del+0x160/0x3d0
? devl_param_driverinit_value_get+0x2d/0x90
mlx5_detach_device+0x89/0xe0
mlx5_unload_one_devl_locked+0x3a/0x70
mlx5_devlink_reload_down+0xc8/0x220
devlink_reload+0x7d/0x260
devlink_nl_reload_doit+0x45b/0x5a0
genl_family_rcv_msg_doit+0xe8/0x140
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c4d7eb57687f358cd498ea3624519236af8db97e , < dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe
(git)
Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < a3d4f87d41f5140f1cf5c02fce5cdad2637f6244 (git) Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < 123eda2e5b1638e298e3a66bb1e64a8da92de5e1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "a3d4f87d41f5140f1cf5c02fce5cdad2637f6244",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "123eda2e5b1638e298e3a66bb1e64a8da92de5e1",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don\u0027t store mlx5e_priv in mlx5e_dev devlink priv\n\nmlx5e_priv is an unstable structure that can be memset(0) if profile\nattaching fails, mlx5e_priv in mlx5e_dev devlink private is used to\nreference the netdev and mdev associated with that struct. Instead,\nstore netdev directly into mlx5e_dev and get mdev from the containing\nmlx5_adev aux device structure.\n\nThis fixes a kernel oops in mlx5e_remove when switchdev mode fails due\nto change profile failure.\n\n$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev\nError: mlx5_core: Failed setting eswitch to offloads.\ndmesg:\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n\n$ devlink dev reload pci/0000:00:03.0 ==\u003e oops\n\nBUG: kernel NULL pointer dereference, address: 0000000000000520\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_remove+0x68/0x130\nRSP: 0018:ffffc900034838f0 EFLAGS: 00010246\nRAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10\nR10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0\nR13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400\nFS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0\nCall Trace:\n \u003cTASK\u003e\n device_release_driver_internal+0x19c/0x200\n bus_remove_device+0xc6/0x130\n device_del+0x160/0x3d0\n ? devl_param_driverinit_value_get+0x2d/0x90\n mlx5_detach_device+0x89/0xe0\n mlx5_unload_one_devl_locked+0x3a/0x70\n mlx5_devlink_reload_down+0xc8/0x220\n devlink_reload+0x7d/0x260\n devlink_nl_reload_doit+0x45b/0x5a0\n genl_family_rcv_msg_doit+0xe8/0x140"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:59.278Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe"
},
{
"url": "https://git.kernel.org/stable/c/a3d4f87d41f5140f1cf5c02fce5cdad2637f6244"
},
{
"url": "https://git.kernel.org/stable/c/123eda2e5b1638e298e3a66bb1e64a8da92de5e1"
}
],
"title": "net/mlx5e: Don\u0027t store mlx5e_priv in mlx5e_dev devlink priv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22996",
"datePublished": "2026-01-25T14:36:11.195Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-05-11T21:57:59.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23258 (GCVE-0-2026-23258)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-05-11 22:03
VLAI?
EPSS
Title
net: liquidio: Initialize netdev pointer before queue setup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: liquidio: Initialize netdev pointer before queue setup
In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().
However, the pointer to this structure is stored in oct->props[i].netdev
only after the calls to netif_set_real_num_rx_queues() and
netif_set_real_num_tx_queues().
If either of these functions fails, setup_nic_devices() returns an error
without freeing the allocated netdev. Since oct->props[i].netdev is still
NULL at this point, the cleanup function liquidio_destroy_nic_device()
will fail to find and free the netdev, resulting in a memory leak.
Fix this by initializing oct->props[i].netdev before calling the queue
setup functions. This ensures that the netdev is properly accessible for
cleanup in case of errors.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c33c997346c34ea7b89aec99524ad9632a2f1e0c , < be109646cdaecab262f6276303b1763468c94378
(git)
Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c , < c81a8515fb8c8fb5d0dbc21f48337494bf1d60df (git) Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c , < a0e57c0b68c9e6f9a8fd7c1167861a5a730eb2f4 (git) Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c , < c0ed6c77ec34050971fd0df2a94dfdea66d09331 (git) Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c , < 1d4590fde856cb94bd9a46e795c29d8288c238fc (git) Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c , < d028147ae06407cb355245db1774793600670169 (git) Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c , < 926ede0c85e1e57c97d64d9612455267d597bb2c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be109646cdaecab262f6276303b1763468c94378",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "c81a8515fb8c8fb5d0dbc21f48337494bf1d60df",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "a0e57c0b68c9e6f9a8fd7c1167861a5a730eb2f4",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "c0ed6c77ec34050971fd0df2a94dfdea66d09331",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "1d4590fde856cb94bd9a46e795c29d8288c238fc",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "d028147ae06407cb355245db1774793600670169",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "926ede0c85e1e57c97d64d9612455267d597bb2c",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Initialize netdev pointer before queue setup\n\nIn setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().\nHowever, the pointer to this structure is stored in oct-\u003eprops[i].netdev\nonly after the calls to netif_set_real_num_rx_queues() and\nnetif_set_real_num_tx_queues().\n\nIf either of these functions fails, setup_nic_devices() returns an error\nwithout freeing the allocated netdev. Since oct-\u003eprops[i].netdev is still\nNULL at this point, the cleanup function liquidio_destroy_nic_device()\nwill fail to find and free the netdev, resulting in a memory leak.\n\nFix this by initializing oct-\u003eprops[i].netdev before calling the queue\nsetup functions. This ensures that the netdev is properly accessible for\ncleanup in case of errors.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:22.860Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be109646cdaecab262f6276303b1763468c94378"
},
{
"url": "https://git.kernel.org/stable/c/c81a8515fb8c8fb5d0dbc21f48337494bf1d60df"
},
{
"url": "https://git.kernel.org/stable/c/a0e57c0b68c9e6f9a8fd7c1167861a5a730eb2f4"
},
{
"url": "https://git.kernel.org/stable/c/c0ed6c77ec34050971fd0df2a94dfdea66d09331"
},
{
"url": "https://git.kernel.org/stable/c/1d4590fde856cb94bd9a46e795c29d8288c238fc"
},
{
"url": "https://git.kernel.org/stable/c/d028147ae06407cb355245db1774793600670169"
},
{
"url": "https://git.kernel.org/stable/c/926ede0c85e1e57c97d64d9612455267d597bb2c"
}
],
"title": "net: liquidio: Initialize netdev pointer before queue setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23258",
"datePublished": "2026-03-18T17:41:05.080Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-05-11T22:03:22.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68337 (GCVE-0-2025-68337)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-06-16 16:56
VLAI?
EPSS
Title
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
There's issue when file system corrupted:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1289!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
Call Trace:
<TASK>
__ext4_journal_get_create_access+0x42/0x170
ext4_getblk+0x319/0x6f0
ext4_bread+0x11/0x100
ext4_append+0x1e6/0x4a0
ext4_init_new_dir+0x145/0x1d0
ext4_mkdir+0x326/0x920
vfs_mkdir+0x45c/0x740
do_mkdirat+0x234/0x2f0
__x64_sys_mkdir+0xd6/0x120
do_syscall_64+0x5f/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue occurs with us in errors=continue mode when accompanied by
storage failures. There have been many inconsistencies in the file system
data.
In the case of file system data inconsistency, for example, if the block
bitmap of a referenced block is not set, it can lead to the situation where
a block being committed is allocated and used again. As a result, the
following condition will not be satisfied then trigger BUG_ON. Of course,
it is entirely possible to construct a problematic image that can trigger
this BUG_ON through specific operations. In fact, I have constructed such
an image and easily reproduced this issue.
Therefore, J_ASSERT() holds true only under ideal conditions, but it may
not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
directly in abnormal situations would cause the system to crash, which is
clearly not what we want. So here we directly trigger a JBD abort instead
of immediately invoking BUG_ON.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
470decc613ab2048b619a01028072d932d9086ee , < 71bbe06c40fc59b5b15661eca8ff307f4176d7f9
(git)
Affected: 470decc613ab2048b619a01028072d932d9086ee , < ed62fd8c15d41c4127ad16b8219b63124f5962bc (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < 3faac6531d4818cd6be45e5bbf32937bbbc795c0 (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < b4f8eabf6d991bd41fabcdf9302c4b3eab590cf4 (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < a2a7f854d154a3e9232fec80782dad951655f52f (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < bf34c72337e40c4670cceeb79b353356933a254b (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < aa1703f3f706ea0867fb1991dcac709c9ec94cfb (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < 986835bf4d11032bba4ab8414d18fce038c61bb4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:56:17.316148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:56:28.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71bbe06c40fc59b5b15661eca8ff307f4176d7f9",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "ed62fd8c15d41c4127ad16b8219b63124f5962bc",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "3faac6531d4818cd6be45e5bbf32937bbbc795c0",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "b4f8eabf6d991bd41fabcdf9302c4b3eab590cf4",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "a2a7f854d154a3e9232fec80782dad951655f52f",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "bf34c72337e40c4670cceeb79b353356933a254b",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "aa1703f3f706ea0867fb1991dcac709c9ec94cfb",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "986835bf4d11032bba4ab8414d18fce038c61bb4",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted\n\nThere\u0027s issue when file system corrupted:\n------------[ cut here ]------------\nkernel BUG at fs/jbd2/transaction.c:1289!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next\nRIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0\nRSP: 0018:ffff888117aafa30 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534\nRDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010\nRBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028\nR10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n __ext4_journal_get_create_access+0x42/0x170\n ext4_getblk+0x319/0x6f0\n ext4_bread+0x11/0x100\n ext4_append+0x1e6/0x4a0\n ext4_init_new_dir+0x145/0x1d0\n ext4_mkdir+0x326/0x920\n vfs_mkdir+0x45c/0x740\n do_mkdirat+0x234/0x2f0\n __x64_sys_mkdir+0xd6/0x120\n do_syscall_64+0x5f/0xfa0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue occurs with us in errors=continue mode when accompanied by\nstorage failures. There have been many inconsistencies in the file system\ndata.\nIn the case of file system data inconsistency, for example, if the block\nbitmap of a referenced block is not set, it can lead to the situation where\na block being committed is allocated and used again. As a result, the\nfollowing condition will not be satisfied then trigger BUG_ON. Of course,\nit is entirely possible to construct a problematic image that can trigger\nthis BUG_ON through specific operations. In fact, I have constructed such\nan image and easily reproduced this issue.\nTherefore, J_ASSERT() holds true only under ideal conditions, but it may\nnot necessarily be satisfied in exceptional scenarios. Using J_ASSERT()\ndirectly in abnormal situations would cause the system to crash, which is\nclearly not what we want. So here we directly trigger a JBD abort instead\nof immediately invoking BUG_ON."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:14.542Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71bbe06c40fc59b5b15661eca8ff307f4176d7f9"
},
{
"url": "https://git.kernel.org/stable/c/ed62fd8c15d41c4127ad16b8219b63124f5962bc"
},
{
"url": "https://git.kernel.org/stable/c/3faac6531d4818cd6be45e5bbf32937bbbc795c0"
},
{
"url": "https://git.kernel.org/stable/c/b4f8eabf6d991bd41fabcdf9302c4b3eab590cf4"
},
{
"url": "https://git.kernel.org/stable/c/a2a7f854d154a3e9232fec80782dad951655f52f"
},
{
"url": "https://git.kernel.org/stable/c/bf34c72337e40c4670cceeb79b353356933a254b"
},
{
"url": "https://git.kernel.org/stable/c/aa1703f3f706ea0867fb1991dcac709c9ec94cfb"
},
{
"url": "https://git.kernel.org/stable/c/986835bf4d11032bba4ab8414d18fce038c61bb4"
}
],
"title": "jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68337",
"datePublished": "2025-12-22T16:14:14.145Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-06-16T16:56:28.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68264 (GCVE-0-2025-68264)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-06-16 16:57
VLAI?
EPSS
Title
ext4: refresh inline data size before write operations
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: refresh inline data size before write operations
The cached ei->i_inline_size can become stale between the initial size
check and when ext4_update_inline_data()/ext4_create_inline_data() use
it. Although ext4_get_max_inline_size() reads the correct value at the
time of the check, concurrent xattr operations can modify i_inline_size
before ext4_write_lock_xattr() is acquired.
This causes ext4_update_inline_data() and ext4_create_inline_data() to
work with stale capacity values, leading to a BUG_ON() crash in
ext4_write_inline_data():
kernel BUG at fs/ext4/inline.c:1331!
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
The race window:
1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
2. Size check passes for 50-byte write
3. [Another thread adds xattr, i_inline_size changes to 40]
4. ext4_write_lock_xattr() acquires lock
5. ext4_update_inline_data() uses stale i_inline_size = 60
6. Attempts to write 50 bytes but only 40 bytes actually available
7. BUG_ON() triggers
Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
and ext4_create_inline_data() work with current values that are protected
from concurrent modifications.
This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
inline_data file while its xattrs are changing") which fixed i_inline_off
staleness. This patch addresses the related i_inline_size staleness issue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
67cf5b09a46f72e048501b84996f2f77bc42e947 , < 54ab81ae5f218452e64470cd8a8139bb5880fe2b
(git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 43bf001f0fe4e59bba47c897505222f959f4a1cc (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 89c2c41f0974e530b2d032c3695095aa0559adb1 (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 1687a055a555347b002f406676a1aaae4668f242 (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < ca43ea29b4c4d2764aec8a26cffcfb677a871e6e (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 58df743faf21ceb1880f930aa5dd428e2a5e415d (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 892e1cf17555735e9d021ab036c36bc7b58b0e3b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:56:49.901585Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:57:20.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54ab81ae5f218452e64470cd8a8139bb5880fe2b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "43bf001f0fe4e59bba47c897505222f959f4a1cc",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "89c2c41f0974e530b2d032c3695095aa0559adb1",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "1687a055a555347b002f406676a1aaae4668f242",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "ca43ea29b4c4d2764aec8a26cffcfb677a871e6e",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "58df743faf21ceb1880f930aa5dd428e2a5e415d",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "892e1cf17555735e9d021ab036c36bc7b58b0e3b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refresh inline data size before write operations\n\nThe cached ei-\u003ei_inline_size can become stale between the initial size\ncheck and when ext4_update_inline_data()/ext4_create_inline_data() use\nit. Although ext4_get_max_inline_size() reads the correct value at the\ntime of the check, concurrent xattr operations can modify i_inline_size\nbefore ext4_write_lock_xattr() is acquired.\n\nThis causes ext4_update_inline_data() and ext4_create_inline_data() to\nwork with stale capacity values, leading to a BUG_ON() crash in\next4_write_inline_data():\n\n kernel BUG at fs/ext4/inline.c:1331!\n BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nThe race window:\n1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)\n2. Size check passes for 50-byte write\n3. [Another thread adds xattr, i_inline_size changes to 40]\n4. ext4_write_lock_xattr() acquires lock\n5. ext4_update_inline_data() uses stale i_inline_size = 60\n6. Attempts to write 50 bytes but only 40 bytes actually available\n7. BUG_ON() triggers\n\nFix this by recalculating i_inline_size via ext4_find_inline_data_nolock()\nimmediately after acquiring xattr_sem. This ensures ext4_update_inline_data()\nand ext4_create_inline_data() work with current values that are protected\nfrom concurrent modifications.\n\nThis is similar to commit a54c4613dac1 (\"ext4: fix race writing to an\ninline_data file while its xattrs are changing\") which fixed i_inline_off\nstaleness. This patch addresses the related i_inline_size staleness issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:50:00.951Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54ab81ae5f218452e64470cd8a8139bb5880fe2b"
},
{
"url": "https://git.kernel.org/stable/c/43bf001f0fe4e59bba47c897505222f959f4a1cc"
},
{
"url": "https://git.kernel.org/stable/c/89c2c41f0974e530b2d032c3695095aa0559adb1"
},
{
"url": "https://git.kernel.org/stable/c/1687a055a555347b002f406676a1aaae4668f242"
},
{
"url": "https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b"
},
{
"url": "https://git.kernel.org/stable/c/ca43ea29b4c4d2764aec8a26cffcfb677a871e6e"
},
{
"url": "https://git.kernel.org/stable/c/58df743faf21ceb1880f930aa5dd428e2a5e415d"
},
{
"url": "https://git.kernel.org/stable/c/892e1cf17555735e9d021ab036c36bc7b58b0e3b"
}
],
"title": "ext4: refresh inline data size before write operations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68264",
"datePublished": "2025-12-16T14:45:06.268Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-06-16T16:57:20.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31504 (GCVE-0-2026-31504)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:10
VLAI?
EPSS
Title
net: fix fanout UAF in packet_release() via NETDEV_UP race
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix fanout UAF in packet_release() via NETDEV_UP race
`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.
`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.
For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.
The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.
This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < ee642b1962caa9aa231c01abbd58bc453ae6b66e
(git)
Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 42cfd7898eeed290c9fb73f732af1f7d6b0a703e (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 1b4c03f8892d955385c202009af7485364731bb9 (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 654386baef228c2992dbf604c819e4c7c35fc71b (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 75fe6db23705a1d55160081f7b37db9665b1880b (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6 (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < ceccbfc6de720ad633519a226715989cfb065af1 (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 42156f93d123436f2a27c468f18c966b7e5db796 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee642b1962caa9aa231c01abbd58bc453ae6b66e",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "42cfd7898eeed290c9fb73f732af1f7d6b0a703e",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "1b4c03f8892d955385c202009af7485364731bb9",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "654386baef228c2992dbf604c819e4c7c35fc71b",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "75fe6db23705a1d55160081f7b37db9665b1880b",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "ceccbfc6de720ad633519a226715989cfb065af1",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "42156f93d123436f2a27c468f18c966b7e5db796",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group\u0027s `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po-\u003enum` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po-\u003enum` is still non-zero and `po-\u003eifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f-\u003earr[]` and increments `f-\u003enum_members`,\nbut does NOT increment `f-\u003esk_ref`.\n\nThe fix sets `po-\u003enum` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:01.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"
},
{
"url": "https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"
},
{
"url": "https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"
},
{
"url": "https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"
},
{
"url": "https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"
},
{
"url": "https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"
},
{
"url": "https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"
},
{
"url": "https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"
}
],
"title": "net: fix fanout UAF in packet_release() via NETDEV_UP race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31504",
"datePublished": "2026-04-22T13:54:23.862Z",
"dateReserved": "2026-03-09T15:48:24.105Z",
"dateUpdated": "2026-05-11T22:10:01.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47333 (GCVE-0-2026-47333)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:28 – Updated: 2026-05-29 03:55
VLAI?
EPSS
Title
Out-of-bounds read in Ubuntu Linux AppArmor notification handling
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.
Severity ?
7.8 (High)
CWE
- CWE-125 - Out-of-bounds read
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47333",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T03:55:52.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:28:28.221Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=635fa30ed9e944bdb7e811fb8a8906286b4b4f06"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Out-of-bounds read in Ubuntu Linux AppArmor notification handling"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47333",
"datePublished": "2026-05-28T18:28:28.221Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-29T03:55:52.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68804 (GCVE-0-2025-68804)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
After unbinding the driver, another kthread `cros_ec_console_log_work`
is still accessing the device, resulting an UAF and crash.
The driver doesn't unregister the EC device in .remove() which should
shutdown sub-devices synchronously. Fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
26a14267aff218c60b89007fdb44ca392ba6122c , < 27037916db38e6b78a0242031d3b93d997b84020
(git)
Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < e1da6e399df976dd04c7c73ec008bc81da368a95 (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 8dc1f5a85286290dbf04dd5951d020570f49779b (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 393b8f9bedc7806acb9c47cefdbdb223b4b6164b (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 4701493ba37654b3c38b526f6591cf0b02aa172f (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 24a2062257bbdfc831de5ed21c27b04b5bdf2437 (git) Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 944edca81e7aea15f83cf9a13a6ab67f711e8abd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_ishtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27037916db38e6b78a0242031d3b93d997b84020",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "e1da6e399df976dd04c7c73ec008bc81da368a95",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "8dc1f5a85286290dbf04dd5951d020570f49779b",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "393b8f9bedc7806acb9c47cefdbdb223b4b6164b",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "4701493ba37654b3c38b526f6591cf0b02aa172f",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "24a2062257bbdfc831de5ed21c27b04b5bdf2437",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "944edca81e7aea15f83cf9a13a6ab67f711e8abd",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_ishtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver\n\nAfter unbinding the driver, another kthread `cros_ec_console_log_work`\nis still accessing the device, resulting an UAF and crash.\n\nThe driver doesn\u0027t unregister the EC device in .remove() which should\nshutdown sub-devices synchronously. Fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:39.669Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020"
},
{
"url": "https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95"
},
{
"url": "https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b"
},
{
"url": "https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b"
},
{
"url": "https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f"
},
{
"url": "https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437"
},
{
"url": "https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd"
}
],
"title": "platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68804",
"datePublished": "2026-01-13T15:29:12.418Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-05-11T21:53:39.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23103 (GCVE-0-2026-23103)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-16 20:21
VLAI?
EPSS
Title
ipvlan: Make the addrs_lock be per port
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Make the addrs_lock be per port
Make the addrs_lock be per port, not per ipvlan dev.
Initial code seems to be written in the assumption,
that any address change must occur under RTNL.
But it is not so for the case of IPv6. So
1) Introduce per-port addrs_lock.
2) It was needed to fix places where it was forgotten
to take lock (ipvlan_open/ipvlan_close)
This appears to be a very minor problem though.
Since it's highly unlikely that ipvlan_add_addr() will
be called on 2 CPU simultaneously. But nevertheless,
this could cause:
1) False-negative of ipvlan_addr_busy(): one interface
iterated through all port->ipvlans + ipvlan->addrs
under some ipvlan spinlock, and another added IP
under its own lock. Though this is only possible
for IPv6, since looks like only ipvlan_addr6_event() can be
called without rtnl_lock.
2) Race since ipvlan_ht_addr_add(port) is called under
different ipvlan->addrs_lock locks
This should not affect performance, since add/remove IP
is a rare situation and spinlock is not taken on fast
paths.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8230819494b3bf284ca7262ac5f877333147b937 , < 3c149b662cbb202a450e81f938e702ba333864ad
(git)
Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 70feb16e3fbfb10b15de1396557c38e99f1ab8df (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 88f83e6c9cdb46b8c8ddd0ba01393362963cf589 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 04ba6de6eff61238e5397c14ac26a6578c7735a5 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 1f300c10d92c547c3a7d978e1212ff52f18256ed (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 6a81e2db096913d7e43aada1c350c1282e76db39 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < d3ba32162488283c0a4c5bedd8817aec91748802 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:21:03.730200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:21:13.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan.h",
"drivers/net/ipvlan/ipvlan_core.c",
"drivers/net/ipvlan/ipvlan_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c149b662cbb202a450e81f938e702ba333864ad",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "70feb16e3fbfb10b15de1396557c38e99f1ab8df",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "88f83e6c9cdb46b8c8ddd0ba01393362963cf589",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "04ba6de6eff61238e5397c14ac26a6578c7735a5",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "1f300c10d92c547c3a7d978e1212ff52f18256ed",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "6a81e2db096913d7e43aada1c350c1282e76db39",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "d3ba32162488283c0a4c5bedd8817aec91748802",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan.h",
"drivers/net/ipvlan/ipvlan_core.c",
"drivers/net/ipvlan/ipvlan_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Make the addrs_lock be per port\n\nMake the addrs_lock be per port, not per ipvlan dev.\n\nInitial code seems to be written in the assumption,\nthat any address change must occur under RTNL.\nBut it is not so for the case of IPv6. So\n\n1) Introduce per-port addrs_lock.\n\n2) It was needed to fix places where it was forgotten\nto take lock (ipvlan_open/ipvlan_close)\n\nThis appears to be a very minor problem though.\nSince it\u0027s highly unlikely that ipvlan_add_addr() will\nbe called on 2 CPU simultaneously. But nevertheless,\nthis could cause:\n\n1) False-negative of ipvlan_addr_busy(): one interface\niterated through all port-\u003eipvlans + ipvlan-\u003eaddrs\nunder some ipvlan spinlock, and another added IP\nunder its own lock. Though this is only possible\nfor IPv6, since looks like only ipvlan_addr6_event() can be\ncalled without rtnl_lock.\n\n2) Race since ipvlan_ht_addr_add(port) is called under\ndifferent ipvlan-\u003eaddrs_lock locks\n\nThis should not affect performance, since add/remove IP\nis a rare situation and spinlock is not taken on fast\npaths."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:10.728Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad"
},
{
"url": "https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df"
},
{
"url": "https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589"
},
{
"url": "https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5"
},
{
"url": "https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed"
},
{
"url": "https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39"
},
{
"url": "https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802"
}
],
"title": "ipvlan: Make the addrs_lock be per port",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23103",
"datePublished": "2026-02-04T16:08:24.771Z",
"dateReserved": "2026-01-13T15:37:45.966Z",
"dateUpdated": "2026-06-16T20:21:13.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23113 (GCVE-0-2026-23113)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
Currently this is checked before running the pending work. Normally this
is quite fine, as work items either end up blocking (which will create a
new worker for other items), or they complete fairly quickly. But syzbot
reports an issue where io-wq takes seemingly forever to exit, and with a
bit of debugging, this turns out to be because it queues a bunch of big
(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't
support ->read_iter(), loop_rw_iter() ends up handling them. Each read
returns 16MB of data read, which takes 20 (!!) seconds. With a bunch of
these pending, processing the whole chain can take a long time. Easily
longer than the syzbot uninterruptible sleep timeout of 140 seconds.
This then triggers a complaint off the io-wq exit path:
INFO: task syz.4.135:6326 blocked for more than 143 seconds.
Not tainted syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1139/0x6150 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6960
schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121
io_wq_exit_workers io_uring/io-wq.c:1328 [inline]
io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356
io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203
io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x2ce/0x2bd0 kernel/exit.c:911
do_group_exit+0xd3/0x2a0 kernel/exit.c:1112
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa02738f749
RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098
RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98
There's really nothing wrong here, outside of processing these reads
will take a LONG time. However, we can speed up the exit by checking the
IO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will
exit the ring after queueing up all of these reads. Then once the first
item is processed, io-wq will simply cancel the rest. That should avoid
syzbot running into this complaint again.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 27e47500fac23d15b7dc93ff650bc4844d2581bd
(git)
Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < d05d99573f81a091547b1778b9a50120f5d6c68a (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 85eb83694a91c89d9abe615d717c0053c3efa714 (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 2e8ca1078b14142db2ce51cbd18ff9971560046b (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < bdf0bf73006ea8af9327cdb85cfdff4c23a5f966 (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 10dc959398175736e495f71c771f8641e1ca1907 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27e47500fac23d15b7dc93ff650bc4844d2581bd",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "d05d99573f81a091547b1778b9a50120f5d6c68a",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "85eb83694a91c89d9abe615d717c0053c3efa714",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "2e8ca1078b14142db2ce51cbd18ff9971560046b",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "bdf0bf73006ea8af9327cdb85cfdff4c23a5f966",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "10dc959398175736e495f71c771f8641e1ca1907",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop\n\nCurrently this is checked before running the pending work. Normally this\nis quite fine, as work items either end up blocking (which will create a\nnew worker for other items), or they complete fairly quickly. But syzbot\nreports an issue where io-wq takes seemingly forever to exit, and with a\nbit of debugging, this turns out to be because it queues a bunch of big\n(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn\u0027t\nsupport -\u003eread_iter(), loop_rw_iter() ends up handling them. Each read\nreturns 16MB of data read, which takes 20 (!!) seconds. With a bunch of\nthese pending, processing the whole chain can take a long time. Easily\nlonger than the syzbot uninterruptible sleep timeout of 140 seconds.\nThis then triggers a complaint off the io-wq exit path:\n\nINFO: task syz.4.135:6326 blocked for more than 143 seconds.\n Not tainted syzkaller #0\n Blocked by coredump.\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5256 [inline]\n __schedule+0x1139/0x6150 kernel/sched/core.c:6863\n __schedule_loop kernel/sched/core.c:6945 [inline]\n schedule+0xe7/0x3a0 kernel/sched/core.c:6960\n schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75\n do_wait_for_common kernel/sched/completion.c:100 [inline]\n __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121\n io_wq_exit_workers io_uring/io-wq.c:1328 [inline]\n io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356\n io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203\n io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651\n io_uring_files_cancel include/linux/io_uring.h:19 [inline]\n do_exit+0x2ce/0x2bd0 kernel/exit.c:911\n do_group_exit+0xd3/0x2a0 kernel/exit.c:1112\n get_signal+0x2671/0x26d0 kernel/signal.c:3034\n arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337\n __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]\n exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa02738f749\nRSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca\nRAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749\nRDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098\nRBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98\n\nThere\u0027s really nothing wrong here, outside of processing these reads\nwill take a LONG time. However, we can speed up the exit by checking the\nIO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will\nexit the ring after queueing up all of these reads. Then once the first\nitem is processed, io-wq will simply cancel the rest. That should avoid\nsyzbot running into this complaint again."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:22.445Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27e47500fac23d15b7dc93ff650bc4844d2581bd"
},
{
"url": "https://git.kernel.org/stable/c/d05d99573f81a091547b1778b9a50120f5d6c68a"
},
{
"url": "https://git.kernel.org/stable/c/85eb83694a91c89d9abe615d717c0053c3efa714"
},
{
"url": "https://git.kernel.org/stable/c/2e8ca1078b14142db2ce51cbd18ff9971560046b"
},
{
"url": "https://git.kernel.org/stable/c/bdf0bf73006ea8af9327cdb85cfdff4c23a5f966"
},
{
"url": "https://git.kernel.org/stable/c/10dc959398175736e495f71c771f8641e1ca1907"
}
],
"title": "io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23113",
"datePublished": "2026-02-14T15:09:46.379Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-05-11T22:00:22.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23101 (GCVE-0-2026-23101)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
leds: led-class: Only Add LED to leds_list when it is fully ready
Summary
In the Linux kernel, the following vulnerability has been resolved:
leds: led-class: Only Add LED to leds_list when it is fully ready
Before this change the LED was added to leds_list before led_init_core()
gets called adding it the list before led_classdev.set_brightness_work gets
initialized.
This leaves a window where led_trigger_register() of a LED's default
trigger will call led_trigger_set() which calls led_set_brightness()
which in turn will end up queueing the *uninitialized*
led_classdev.set_brightness_work.
This race gets hit by the lenovo-thinkpad-t14s EC driver which registers
2 LEDs with a default trigger provided by snd_ctl_led.ko in quick
succession. The first led_classdev_register() causes an async modprobe of
snd_ctl_led to run and that async modprobe manages to exactly hit
the window where the second LED is on the leds_list without led_init_core()
being called for it, resulting in:
------------[ cut here ]------------
WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390
Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025
...
Call trace:
__flush_work+0x344/0x390 (P)
flush_work+0x2c/0x50
led_trigger_set+0x1c8/0x340
led_trigger_register+0x17c/0x1c0
led_trigger_register_simple+0x84/0xe8
snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
do_one_initcall+0x5c/0x318
do_init_module+0x9c/0x2b8
load_module+0x7e0/0x998
Close the race window by moving the adding of the LED to leds_list to
after the led_init_core() call.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d23a22a74fded23a12434c9463fe66cec2b0afcd , < f7a6df659af777058833802c29b3b7974db5e78a
(git)
Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < d117fdcb21b05c0e0460261d017b92303cd9ba77 (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < e90c861411fc84629a240384b0a72830539d3386 (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < 2757f7748ce2d0fa44112024907bafb37e104d6e (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < da565bf98c9ad0eabcb09fc97859e0b52f98b7c3 (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < 78822628165f3d817382f67f91129161159ca234 (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < d1883cefd31752f0504b94c3bcfa1f6d511d6e87 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:07.068971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:08.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/leds/led-class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7a6df659af777058833802c29b3b7974db5e78a",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "d117fdcb21b05c0e0460261d017b92303cd9ba77",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "e90c861411fc84629a240384b0a72830539d3386",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "2757f7748ce2d0fa44112024907bafb37e104d6e",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "da565bf98c9ad0eabcb09fc97859e0b52f98b7c3",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "78822628165f3d817382f67f91129161159ca234",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "d1883cefd31752f0504b94c3bcfa1f6d511d6e87",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/leds/led-class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: led-class: Only Add LED to leds_list when it is fully ready\n\nBefore this change the LED was added to leds_list before led_init_core()\ngets called adding it the list before led_classdev.set_brightness_work gets\ninitialized.\n\nThis leaves a window where led_trigger_register() of a LED\u0027s default\ntrigger will call led_trigger_set() which calls led_set_brightness()\nwhich in turn will end up queueing the *uninitialized*\nled_classdev.set_brightness_work.\n\nThis race gets hit by the lenovo-thinkpad-t14s EC driver which registers\n2 LEDs with a default trigger provided by snd_ctl_led.ko in quick\nsuccession. The first led_classdev_register() causes an async modprobe of\nsnd_ctl_led to run and that async modprobe manages to exactly hit\nthe window where the second LED is on the leds_list without led_init_core()\nbeing called for it, resulting in:\n\n ------------[ cut here ]------------\n WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390\n Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025\n ...\n Call trace:\n __flush_work+0x344/0x390 (P)\n flush_work+0x2c/0x50\n led_trigger_set+0x1c8/0x340\n led_trigger_register+0x17c/0x1c0\n led_trigger_register_simple+0x84/0xe8\n snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]\n do_one_initcall+0x5c/0x318\n do_init_module+0x9c/0x2b8\n load_module+0x7e0/0x998\n\nClose the race window by moving the adding of the LED to leds_list to\nafter the led_init_core() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:04.278Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a"
},
{
"url": "https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77"
},
{
"url": "https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386"
},
{
"url": "https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e"
},
{
"url": "https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3"
},
{
"url": "https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234"
},
{
"url": "https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87"
}
],
"title": "leds: led-class: Only Add LED to leds_list when it is fully ready",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23101",
"datePublished": "2026-02-04T16:08:23.329Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-06-11T18:44:08.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23216 (GCVE-0-2026-23216)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:21 – Updated: 2026-06-11 17:53
VLAI?
EPSS
Title
scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
In iscsit_dec_conn_usage_count(), the function calls complete() while
holding the conn->conn_usage_lock. As soon as complete() is invoked, the
waiter (such as iscsit_close_connection()) may wake up and proceed to free
the iscsit_conn structure.
If the waiter frees the memory before the current thread reaches
spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function
attempts to release a lock within the already-freed connection structure.
Fix this by releasing the spinlock before calling complete().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e48354ce078c079996f89d715dfa44814b4eba01 , < ba684191437380a07b27666eb4e72748be1ea201
(git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 8518f072fc92921418cd9ed4268dd4f3e9a8fd75 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 275016a551ba1a068a3bd6171b18611726b67110 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 73b487d44bf4f92942629d578381f89c326ff77f (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 48fe983e92de2c59d143fe38362ad17ba23ec7f3 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 3835e49e146a4e6e7787b29465f1a23379b6ec44 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 9411a89e9e7135cc459178fa77a3f1d6191ae903 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:21.955601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T17:53:37.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba684191437380a07b27666eb4e72748be1ea201",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "8518f072fc92921418cd9ed4268dd4f3e9a8fd75",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "275016a551ba1a068a3bd6171b18611726b67110",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "73b487d44bf4f92942629d578381f89c326ff77f",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "48fe983e92de2c59d143fe38362ad17ba23ec7f3",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "3835e49e146a4e6e7787b29465f1a23379b6ec44",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "9411a89e9e7135cc459178fa77a3f1d6191ae903",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()\n\nIn iscsit_dec_conn_usage_count(), the function calls complete() while\nholding the conn-\u003econn_usage_lock. As soon as complete() is invoked, the\nwaiter (such as iscsit_close_connection()) may wake up and proceed to free\nthe iscsit_conn structure.\n\nIf the waiter frees the memory before the current thread reaches\nspin_unlock_bh(), it results in a KASAN slab-use-after-free as the function\nattempts to release a lock within the already-freed connection structure.\n\nFix this by releasing the spinlock before calling complete()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:34.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba684191437380a07b27666eb4e72748be1ea201"
},
{
"url": "https://git.kernel.org/stable/c/8518f072fc92921418cd9ed4268dd4f3e9a8fd75"
},
{
"url": "https://git.kernel.org/stable/c/275016a551ba1a068a3bd6171b18611726b67110"
},
{
"url": "https://git.kernel.org/stable/c/73b487d44bf4f92942629d578381f89c326ff77f"
},
{
"url": "https://git.kernel.org/stable/c/48fe983e92de2c59d143fe38362ad17ba23ec7f3"
},
{
"url": "https://git.kernel.org/stable/c/3835e49e146a4e6e7787b29465f1a23379b6ec44"
},
{
"url": "https://git.kernel.org/stable/c/9411a89e9e7135cc459178fa77a3f1d6191ae903"
}
],
"title": "scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23216",
"datePublished": "2026-02-18T14:21:53.699Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-06-11T17:53:37.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71268 (GCVE-0-2025-71268)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:40 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
btrfs: fix reservation leak in some error paths when inserting inline extent
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix reservation leak in some error paths when inserting inline extent
If we fail to allocate a path or join a transaction, we return from
__cow_file_range_inline() without freeing the reserved qgroup data,
resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data()
in such cases.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
94ed938aba557aa798acf496f09afb289b619fcd , < f7156512c8166d385f574b9ec030479aa7b1e8c9
(git)
Affected: 94ed938aba557aa798acf496f09afb289b619fcd , < 28b97fcbbf523779688e8de5fe55bf2dae3859f6 (git) Affected: 94ed938aba557aa798acf496f09afb289b619fcd , < f3ee1732851aec6fe6b2cec2ef1b32d4e71d9913 (git) Affected: 94ed938aba557aa798acf496f09afb289b619fcd , < 28768bd3abf9995a93f6e01bfce01c60622964dd (git) Affected: 94ed938aba557aa798acf496f09afb289b619fcd , < c1c050f92d8f6aac4e17f7f2230160794fceef0c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7156512c8166d385f574b9ec030479aa7b1e8c9",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "28b97fcbbf523779688e8de5fe55bf2dae3859f6",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "f3ee1732851aec6fe6b2cec2ef1b32d4e71d9913",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "28768bd3abf9995a93f6e01bfce01c60622964dd",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "c1c050f92d8f6aac4e17f7f2230160794fceef0c",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix reservation leak in some error paths when inserting inline extent\n\nIf we fail to allocate a path or join a transaction, we return from\n__cow_file_range_inline() without freeing the reserved qgroup data,\nresulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data()\nin such cases."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:06.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7156512c8166d385f574b9ec030479aa7b1e8c9"
},
{
"url": "https://git.kernel.org/stable/c/28b97fcbbf523779688e8de5fe55bf2dae3859f6"
},
{
"url": "https://git.kernel.org/stable/c/f3ee1732851aec6fe6b2cec2ef1b32d4e71d9913"
},
{
"url": "https://git.kernel.org/stable/c/28768bd3abf9995a93f6e01bfce01c60622964dd"
},
{
"url": "https://git.kernel.org/stable/c/c1c050f92d8f6aac4e17f7f2230160794fceef0c"
}
],
"title": "btrfs: fix reservation leak in some error paths when inserting inline extent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71268",
"datePublished": "2026-03-18T17:40:58.080Z",
"dateReserved": "2026-03-17T09:08:18.457Z",
"dateUpdated": "2026-05-11T21:57:06.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71075 (GCVE-0-2025-71075)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
scsi: aic94xx: fix use-after-free in device removal path
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: aic94xx: fix use-after-free in device removal path
The asd_pci_remove() function fails to synchronize with pending tasklets
before freeing the asd_ha structure, leading to a potential
use-after-free vulnerability.
When a device removal is triggered (via hot-unplug or module unload),
race condition can occur.
The fix adds tasklet_kill() before freeing the asd_ha structure,
ensuring all scheduled tasklets complete before cleanup proceeds.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2908d778ab3e244900c310974e1fc1c69066e450 , < c8f6f88cd1df35155258285c4f43268b361819df
(git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 278455a82245a572aeb218a6212a416a98e418de (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < b3e655e52b98a1d3df41c8e42035711e083099f8 (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < e354793a7ab9bb0934ea699a9d57bcd1b48fc27b (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < a41dc180b6e1229ae49ca290ae14d82101c148c3 (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 751c19635c2bfaaf2836a533caa3663633066dcf (git) Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < f6ab594672d4cba08540919a4e6be2e202b60007 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:46.291525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:15.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/aic94xx/aic94xx_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8f6f88cd1df35155258285c4f43268b361819df",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "278455a82245a572aeb218a6212a416a98e418de",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "b3e655e52b98a1d3df41c8e42035711e083099f8",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "e354793a7ab9bb0934ea699a9d57bcd1b48fc27b",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "a41dc180b6e1229ae49ca290ae14d82101c148c3",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "751c19635c2bfaaf2836a533caa3663633066dcf",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "f6ab594672d4cba08540919a4e6be2e202b60007",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/aic94xx/aic94xx_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aic94xx: fix use-after-free in device removal path\n\nThe asd_pci_remove() function fails to synchronize with pending tasklets\nbefore freeing the asd_ha structure, leading to a potential\nuse-after-free vulnerability.\n\nWhen a device removal is triggered (via hot-unplug or module unload),\nrace condition can occur.\n\nThe fix adds tasklet_kill() before freeing the asd_ha structure,\nensuring all scheduled tasklets complete before cleanup proceeds."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:15.327Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df"
},
{
"url": "https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de"
},
{
"url": "https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8"
},
{
"url": "https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b"
},
{
"url": "https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3"
},
{
"url": "https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf"
},
{
"url": "https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007"
}
],
"title": "scsi: aic94xx: fix use-after-free in device removal path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71075",
"datePublished": "2026-01-13T15:31:28.075Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-06-11T18:44:15.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68816 (GCVE-0-2025-68816)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-16 19:11
VLAI?
EPSS
Title
net/mlx5: fw_tracer, Validate format string parameters
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: fw_tracer, Validate format string parameters
Add validation for format string parameters in the firmware tracer to
prevent potential security vulnerabilities and crashes from malformed
format strings received from firmware.
The firmware tracer receives format strings from the device firmware and
uses them to format trace messages. Without proper validation, bad
firmware could provide format strings with invalid format specifiers
(e.g., %s, %p, %n) that could lead to crashes, or other undefined
behavior.
Add mlx5_tracer_validate_params() to validate that all format specifiers
in trace strings are limited to safe integer/hex formats (%x, %d, %i,
%u, %llx, %lx, etc.). Reject strings containing other format types that
could be used to access arbitrary memory or cause crashes.
Invalid format strings are added to the trace output for visibility with
"BAD_FORMAT: " prefix.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
70dd6fdb8987b14f7b6105f6be0617299e459398 , < 95624b731c490a4b849844269193a233d6d556a0
(git)
Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 768d559f466cdd72849110a7ecd76a21d52dcfe3 (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 8ac688c0e430dab19f6a9b70df94b1f635612c1a (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 45bd283b1d69e2c97cddcb9956f0e0261fc4efd7 (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 8c35c2448086870509ede43947845be0833251f0 (git) Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < b35966042d20b14e2d83330049f77deec5229749 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:11:19.183424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:11:38.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c",
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95624b731c490a4b849844269193a233d6d556a0",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "768d559f466cdd72849110a7ecd76a21d52dcfe3",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "8ac688c0e430dab19f6a9b70df94b1f635612c1a",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "45bd283b1d69e2c97cddcb9956f0e0261fc4efd7",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "8c35c2448086870509ede43947845be0833251f0",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "b35966042d20b14e2d83330049f77deec5229749",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c",
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fw_tracer, Validate format string parameters\n\nAdd validation for format string parameters in the firmware tracer to\nprevent potential security vulnerabilities and crashes from malformed\nformat strings received from firmware.\n\nThe firmware tracer receives format strings from the device firmware and\nuses them to format trace messages. Without proper validation, bad\nfirmware could provide format strings with invalid format specifiers\n(e.g., %s, %p, %n) that could lead to crashes, or other undefined\nbehavior.\n\nAdd mlx5_tracer_validate_params() to validate that all format specifiers\nin trace strings are limited to safe integer/hex formats (%x, %d, %i,\n%u, %llx, %lx, etc.). Reject strings containing other format types that\ncould be used to access arbitrary memory or cause crashes.\nInvalid format strings are added to the trace output for visibility with\n\"BAD_FORMAT: \" prefix."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:52.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0"
},
{
"url": "https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3"
},
{
"url": "https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d"
},
{
"url": "https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a"
},
{
"url": "https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7"
},
{
"url": "https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0"
},
{
"url": "https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749"
}
],
"title": "net/mlx5: fw_tracer, Validate format string parameters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68816",
"datePublished": "2026-01-13T15:29:20.464Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-06-16T19:11:38.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23093 (GCVE-0-2026-23093)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
ksmbd: smbd: fix dma_unmap_sg() nents
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: smbd: fix dma_unmap_sg() nents
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 6ececffd3e9fe93a87738625dc0671165d27bf96 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 4d1e9a4a450aae47277763562122cc80ed703ab2 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 70ba85e439221a5d6dda34a3004db6640f0525e6 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < d1943bc9dc9508f5933788a76f8a35d10e43a646 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 98e3e2b561bc88f4dd218d1c05890672874692f6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "6ececffd3e9fe93a87738625dc0671165d27bf96",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "4d1e9a4a450aae47277763562122cc80ed703ab2",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "70ba85e439221a5d6dda34a3004db6640f0525e6",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "d1943bc9dc9508f5933788a76f8a35d10e43a646",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "98e3e2b561bc88f4dd218d1c05890672874692f6",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbd: fix dma_unmap_sg() nents\n\nThe dma_unmap_sg() functions should be called with the same nents as the\ndma_map_sg(), not the value the map function returned."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:51.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec"
},
{
"url": "https://git.kernel.org/stable/c/6ececffd3e9fe93a87738625dc0671165d27bf96"
},
{
"url": "https://git.kernel.org/stable/c/4d1e9a4a450aae47277763562122cc80ed703ab2"
},
{
"url": "https://git.kernel.org/stable/c/70ba85e439221a5d6dda34a3004db6640f0525e6"
},
{
"url": "https://git.kernel.org/stable/c/d1943bc9dc9508f5933788a76f8a35d10e43a646"
},
{
"url": "https://git.kernel.org/stable/c/98e3e2b561bc88f4dd218d1c05890672874692f6"
}
],
"title": "ksmbd: smbd: fix dma_unmap_sg() nents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23093",
"datePublished": "2026-02-04T16:08:16.159Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-05-11T21:59:51.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23119 (GCVE-0-2026-23119)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
bonding: provide a net pointer to __skb_flow_dissect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: provide a net pointer to __skb_flow_dissect()
After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect")
we have to provide a net pointer to __skb_flow_dissect(),
either via skb->dev, skb->sk, or a user provided pointer.
In the following case, syzbot was able to cook a bare skb.
WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053
Call Trace:
<TASK>
bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]
__bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157
bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]
bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]
bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515
xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388
bpf_prog_run_xdp include/net/xdp.h:700 [inline]
bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421
bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390
bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703
__sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
58deb77cc52da9360d20676e68dd215742cbe473 , < 8e53780732ee881394406f79da5263b81eb48f7e
(git)
Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 3be945abdd228fd00f6afcf8d137002867a4651b (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < f4faaa1297ecf3255a8591fff2633df05bd5ec84 (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 0efee0b992f28bd5ee01c7a86ef6a307c42eb907 (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < de97735a40a144974bf3896ee4cc0270db2e47db (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 5f9b329096596b7e53e07d041d7fca4cbe1be752 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:46.406465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:05.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e53780732ee881394406f79da5263b81eb48f7e",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "3be945abdd228fd00f6afcf8d137002867a4651b",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "f4faaa1297ecf3255a8591fff2633df05bd5ec84",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "0efee0b992f28bd5ee01c7a86ef6a307c42eb907",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "de97735a40a144974bf3896ee4cc0270db2e47db",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "5f9b329096596b7e53e07d041d7fca4cbe1be752",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: provide a net pointer to __skb_flow_dissect()\n\nAfter 3cbf4ffba5ee (\"net: plumb network namespace into __skb_flow_dissect\")\nwe have to provide a net pointer to __skb_flow_dissect(),\neither via skb-\u003edev, skb-\u003esk, or a user provided pointer.\n\nIn the following case, syzbot was able to cook a bare skb.\n\nWARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053\nCall Trace:\n \u003cTASK\u003e\n bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]\n __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157\n bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]\n bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]\n bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515\n xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388\n bpf_prog_run_xdp include/net/xdp.h:700 [inline]\n bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421\n bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390\n bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703\n __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182\n __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:29.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e53780732ee881394406f79da5263b81eb48f7e"
},
{
"url": "https://git.kernel.org/stable/c/3be945abdd228fd00f6afcf8d137002867a4651b"
},
{
"url": "https://git.kernel.org/stable/c/f4faaa1297ecf3255a8591fff2633df05bd5ec84"
},
{
"url": "https://git.kernel.org/stable/c/0efee0b992f28bd5ee01c7a86ef6a307c42eb907"
},
{
"url": "https://git.kernel.org/stable/c/bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa"
},
{
"url": "https://git.kernel.org/stable/c/de97735a40a144974bf3896ee4cc0270db2e47db"
},
{
"url": "https://git.kernel.org/stable/c/5f9b329096596b7e53e07d041d7fca4cbe1be752"
}
],
"title": "bonding: provide a net pointer to __skb_flow_dissect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23119",
"datePublished": "2026-02-14T15:09:50.517Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-06-11T18:44:05.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23049 (GCVE-0-2026-23049)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
The connector type for the DataImage SCF0700C48GGU18 panel is missing and
devm_drm_panel_bridge_add() requires connector type to be set. This leads
to a warning and a backtrace in the kernel log and panel does not work:
"
WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8
"
The warning is triggered by a check for valid connector type in
devm_drm_panel_bridge_add(). If there is no valid connector type
set for a panel, the warning is printed and panel is not added.
Fill in the missing connector type to fix the warning and make
the panel operational once again.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
97ceb1fb08b6a2f78aa44a7c229ca280964860c0 , < f4c330b4499e7334ec6fce535574e09d55843d71
(git)
Affected: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 , < bb309377eece5317207d71fd833f99cca4727fbd (git) Affected: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 , < 83e0d8d22e7ee3151af1951595104887eebed6ab (git) Affected: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 , < bc0b17bdba3838e9e17e7e9adc968384ac99938b (git) Affected: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 , < 04218cd68d1502000823c8288f37b4f171dcdcae (git) Affected: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 , < f7940d3ec1dc6bf719eddc69d4b8e52cc2201896 (git) Affected: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 , < 6ab3d4353bf75005eaa375677c9fed31148154d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-simple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4c330b4499e7334ec6fce535574e09d55843d71",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "bb309377eece5317207d71fd833f99cca4727fbd",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "83e0d8d22e7ee3151af1951595104887eebed6ab",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "bc0b17bdba3838e9e17e7e9adc968384ac99938b",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "04218cd68d1502000823c8288f37b4f171dcdcae",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "f7940d3ec1dc6bf719eddc69d4b8e52cc2201896",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "6ab3d4353bf75005eaa375677c9fed31148154d6",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-simple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel\n\nThe connector type for the DataImage SCF0700C48GGU18 panel is missing and\ndevm_drm_panel_bridge_add() requires connector type to be set. This leads\nto a warning and a backtrace in the kernel log and panel does not work:\n\"\nWARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8\n\"\nThe warning is triggered by a check for valid connector type in\ndevm_drm_panel_bridge_add(). If there is no valid connector type\nset for a panel, the warning is printed and panel is not added.\nFill in the missing connector type to fix the warning and make\nthe panel operational once again."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:00.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4c330b4499e7334ec6fce535574e09d55843d71"
},
{
"url": "https://git.kernel.org/stable/c/bb309377eece5317207d71fd833f99cca4727fbd"
},
{
"url": "https://git.kernel.org/stable/c/83e0d8d22e7ee3151af1951595104887eebed6ab"
},
{
"url": "https://git.kernel.org/stable/c/bc0b17bdba3838e9e17e7e9adc968384ac99938b"
},
{
"url": "https://git.kernel.org/stable/c/04218cd68d1502000823c8288f37b4f171dcdcae"
},
{
"url": "https://git.kernel.org/stable/c/f7940d3ec1dc6bf719eddc69d4b8e52cc2201896"
},
{
"url": "https://git.kernel.org/stable/c/6ab3d4353bf75005eaa375677c9fed31148154d6"
}
],
"title": "drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23049",
"datePublished": "2026-02-04T16:04:18.076Z",
"dateReserved": "2026-01-13T15:37:45.949Z",
"dateUpdated": "2026-05-11T21:59:00.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23170 (GCVE-0-2026-23170)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
drm/imx/tve: fix probe device leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/imx/tve: fix probe device leak
Make sure to drop the reference taken to the DDC device during probe on
probe failure (e.g. probe deferral) and on driver unbind.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fcbc51e54d2aa9d402206601f4894251049e5d77 , < f212652982c6725986cfa42fbf10d1dfa92c010e
(git)
Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < 52755c5680ce333b33d0750a200fbc99420ed2b2 (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < 4aaff8f6ab38f81e00ab8aa1fcfb7eb20cd87ba1 (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < 9a15d3fdc22d48f597792aee0cf1bf0947fc62e6 (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < 77365382585b40559d63538d09e26e4b2af28fbc (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < ca68745e820ecd210e3ab018497c9e6b69025c4b (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < e535c23513c63f02f67e3e09e0787907029efeaf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imx/ipuv3/imx-tve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f212652982c6725986cfa42fbf10d1dfa92c010e",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "52755c5680ce333b33d0750a200fbc99420ed2b2",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "4aaff8f6ab38f81e00ab8aa1fcfb7eb20cd87ba1",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "9a15d3fdc22d48f597792aee0cf1bf0947fc62e6",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "77365382585b40559d63538d09e26e4b2af28fbc",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "ca68745e820ecd210e3ab018497c9e6b69025c4b",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "e535c23513c63f02f67e3e09e0787907029efeaf",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imx/ipuv3/imx-tve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imx/tve: fix probe device leak\n\nMake sure to drop the reference taken to the DDC device during probe on\nprobe failure (e.g. probe deferral) and on driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:40.668Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f212652982c6725986cfa42fbf10d1dfa92c010e"
},
{
"url": "https://git.kernel.org/stable/c/52755c5680ce333b33d0750a200fbc99420ed2b2"
},
{
"url": "https://git.kernel.org/stable/c/4aaff8f6ab38f81e00ab8aa1fcfb7eb20cd87ba1"
},
{
"url": "https://git.kernel.org/stable/c/9a15d3fdc22d48f597792aee0cf1bf0947fc62e6"
},
{
"url": "https://git.kernel.org/stable/c/77365382585b40559d63538d09e26e4b2af28fbc"
},
{
"url": "https://git.kernel.org/stable/c/ca68745e820ecd210e3ab018497c9e6b69025c4b"
},
{
"url": "https://git.kernel.org/stable/c/e535c23513c63f02f67e3e09e0787907029efeaf"
}
],
"title": "drm/imx/tve: fix probe device leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23170",
"datePublished": "2026-02-14T16:01:32.833Z",
"dateReserved": "2026-01-13T15:37:45.982Z",
"dateUpdated": "2026-05-11T22:01:40.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23056 (GCVE-0-2026-23056)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
uacce: implement mremap in uacce_vm_ops to return -EPERM
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: implement mremap in uacce_vm_ops to return -EPERM
The current uacce_vm_ops does not support the mremap operation of
vm_operations_struct. Implement .mremap to return -EPERM to remind
users.
The reason we need to explicitly disable mremap is that when the
driver does not implement .mremap, it uses the default mremap
method. This could lead to a risk scenario:
An application might first mmap address p1, then mremap to p2,
followed by munmap(p1), and finally munmap(p2). Since the default
mremap copies the original vma's vm_private_data (i.e., q) to the
new vma, both munmap operations would trigger vma_close, causing
q->qfr to be freed twice(qfr will be set to null here, so repeated
release is ok).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
015d239ac0142ad0e26567fd890ef8d171f13709 , < 78d99f062d42e3af2ca46bde1a8e46e0dfd372e3
(git)
Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < ebfa85658a39b49ec3901ceea7535b73aa0429e6 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 4c042bc71474dbe417c268f4bfb8ec196f802f07 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < a407ddd61b3e6afc5ccfcd1478797171cf5686ee (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < ba29b59d124e725e0377f09b2044909c91d657a1 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 02695347be532b628f22488300d40c4eba48b9b7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78d99f062d42e3af2ca46bde1a8e46e0dfd372e3",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "ebfa85658a39b49ec3901ceea7535b73aa0429e6",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "4c042bc71474dbe417c268f4bfb8ec196f802f07",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "a407ddd61b3e6afc5ccfcd1478797171cf5686ee",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "ba29b59d124e725e0377f09b2044909c91d657a1",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "02695347be532b628f22488300d40c4eba48b9b7",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: implement mremap in uacce_vm_ops to return -EPERM\n\nThe current uacce_vm_ops does not support the mremap operation of\nvm_operations_struct. Implement .mremap to return -EPERM to remind\nusers.\n\nThe reason we need to explicitly disable mremap is that when the\ndriver does not implement .mremap, it uses the default mremap\nmethod. This could lead to a risk scenario:\n\nAn application might first mmap address p1, then mremap to p2,\nfollowed by munmap(p1), and finally munmap(p2). Since the default\nmremap copies the original vma\u0027s vm_private_data (i.e., q) to the\nnew vma, both munmap operations would trigger vma_close, causing\nq-\u003eqfr to be freed twice(qfr will be set to null here, so repeated\nrelease is ok)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:08.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3"
},
{
"url": "https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6"
},
{
"url": "https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f"
},
{
"url": "https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07"
},
{
"url": "https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686ee"
},
{
"url": "https://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1"
},
{
"url": "https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7"
}
],
"title": "uacce: implement mremap in uacce_vm_ops to return -EPERM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23056",
"datePublished": "2026-02-04T16:07:34.787Z",
"dateReserved": "2026-01-13T15:37:45.951Z",
"dateUpdated": "2026-05-11T21:59:08.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68773 (GCVE-0-2025-68773)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
with even size") failed to make sure that the size is really even
before switching to 16 bit mode. Until recently the problem went
unnoticed because kernfs uses a pre-allocated bounce buffer of size
PAGE_SIZE for reading EEPROM.
But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
introduced an additional dynamically allocated bounce buffer whose size
is exactly the size of the transfer, leading to a buffer overrun in
the fsl-cpm driver when that size is odd.
Add the missing length parity verification and remain in 8 bit mode
when the length is not even.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
60afe299bb541a928ba39bcb4ae8d3e428d1c5a5 , < c8f1d35076b78df61ace737e41cc1f4b7b63236c
(git)
Affected: 4badd33929c05ed314794b95f1af1308f7222be8 , < 9c34a4a2ead00979d203a8c16bea87f0ef5291d8 (git) Affected: 7f6738e003b364783f3019fdf6e7645bc8dd1643 , < 837a23a11e0f734f096c7c7b0778d0e625e3dc87 (git) Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 3dd6d01384823e1bd8602873153d6fc4337ac4fe (git) Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 743cebcbd1b2609ec5057ab474979cef73d1b681 (git) Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < be0b613198e6bfa104ad520397cab82ad3ec1771 (git) Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 1417927df8049a0194933861e9b098669a95c762 (git) Affected: 42c04316d9275ec267d36e5e9064cd56c9884148 (git) Affected: dc120f2d35b030390a2bc0f94dd5f37e900cae91 (git) Affected: b558275c1b040f0e5aa56c862241f9212b6118c3 (git) Affected: b9d9e8856f1c83e4277403f9b4c369b322ebcb12 (git) Affected: 36a6d0f66c874666caf4e8be155b1be30f6231be (git) Affected: 5.10.181 , < 5.10.248 (semver) Affected: 5.15.114 , < 5.15.198 (semver) Affected: 6.1.29 , < 6.1.160 (semver) Affected: 4.14.316 , < 4.15 (semver) Affected: 4.19.284 , < 4.20 (semver) Affected: 5.4.244 , < 5.5 (semver) Affected: 6.2.16 , < 6.3 (semver) Affected: 6.3.3 , < 6.4 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8f1d35076b78df61ace737e41cc1f4b7b63236c",
"status": "affected",
"version": "60afe299bb541a928ba39bcb4ae8d3e428d1c5a5",
"versionType": "git"
},
{
"lessThan": "9c34a4a2ead00979d203a8c16bea87f0ef5291d8",
"status": "affected",
"version": "4badd33929c05ed314794b95f1af1308f7222be8",
"versionType": "git"
},
{
"lessThan": "837a23a11e0f734f096c7c7b0778d0e625e3dc87",
"status": "affected",
"version": "7f6738e003b364783f3019fdf6e7645bc8dd1643",
"versionType": "git"
},
{
"lessThan": "3dd6d01384823e1bd8602873153d6fc4337ac4fe",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "743cebcbd1b2609ec5057ab474979cef73d1b681",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "be0b613198e6bfa104ad520397cab82ad3ec1771",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "1417927df8049a0194933861e9b098669a95c762",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"status": "affected",
"version": "42c04316d9275ec267d36e5e9064cd56c9884148",
"versionType": "git"
},
{
"status": "affected",
"version": "dc120f2d35b030390a2bc0f94dd5f37e900cae91",
"versionType": "git"
},
{
"status": "affected",
"version": "b558275c1b040f0e5aa56c862241f9212b6118c3",
"versionType": "git"
},
{
"status": "affected",
"version": "b9d9e8856f1c83e4277403f9b4c369b322ebcb12",
"versionType": "git"
},
{
"status": "affected",
"version": "36a6d0f66c874666caf4e8be155b1be30f6231be",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThan": "6.3",
"status": "affected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThan": "6.4",
"status": "affected",
"version": "6.3.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-cpm: Check length parity before switching to 16 bit mode\n\nCommit fc96ec826bce (\"spi: fsl-cpm: Use 16 bit mode for large transfers\nwith even size\") failed to make sure that the size is really even\nbefore switching to 16 bit mode. Until recently the problem went\nunnoticed because kernfs uses a pre-allocated bounce buffer of size\nPAGE_SIZE for reading EEPROM.\n\nBut commit 8ad6249c51d0 (\"eeprom: at25: convert to spi-mem API\")\nintroduced an additional dynamically allocated bounce buffer whose size\nis exactly the size of the transfer, leading to a buffer overrun in\nthe fsl-cpm driver when that size is odd.\n\nAdd the missing length parity verification and remain in 8 bit mode\nwhen the length is not even."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:52.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8f1d35076b78df61ace737e41cc1f4b7b63236c"
},
{
"url": "https://git.kernel.org/stable/c/9c34a4a2ead00979d203a8c16bea87f0ef5291d8"
},
{
"url": "https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87"
},
{
"url": "https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe"
},
{
"url": "https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681"
},
{
"url": "https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771"
},
{
"url": "https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762"
}
],
"title": "spi: fsl-cpm: Check length parity before switching to 16 bit mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68773",
"datePublished": "2026-01-13T15:28:50.686Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-23T16:02:52.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68770 (GCVE-0-2025-68770)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
bnxt_en: Fix XDP_TX path
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix XDP_TX path
For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not
correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be
looping within NAPI and some event flags may be set in earlier
iterations. In particular, if BNXT_TX_EVENT is set earlier indicating
some XDP_TX packets are ready and pending, it will be cleared if it is
XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we
successfully call __bnxt_xmit_xdp(). But if the TX ring has no more
room, the flag will not be set. This will cause the TX producer to be
ahead but the driver will not hit the TX doorbell.
For multi-buf XDP_TX, there is no need to clear the event flags and set
BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in
bnxt_rx_pkt().
The visible symptom of this is that the RX ring associated with the
TX XDP ring will eventually become empty and all packets will be dropped.
Because this condition will cause the driver to not refill the RX ring
seeing that the TX ring has forever pending XDP_TX packets.
The fix is to only clear BNXT_RX_EVENT when we have successfully
called __bnxt_xmit_xdp().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7f0a168b0441ef7fd6b46563efb2706c58ac2a4c , < 4b83902a1e67ff327ab5c6c65021a03e72c081d6
(git)
Affected: 7f0a168b0441ef7fd6b46563efb2706c58ac2a4c , < f17e0c1208485b24d61271bc1ddc8f2087e71561 (git) Affected: 7f0a168b0441ef7fd6b46563efb2706c58ac2a4c , < 0373d5c387f24de749cc22e694a14b3a7c7eb515 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b83902a1e67ff327ab5c6c65021a03e72c081d6",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
},
{
"lessThan": "f17e0c1208485b24d61271bc1ddc8f2087e71561",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
},
{
"lessThan": "0373d5c387f24de749cc22e694a14b3a7c7eb515",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix XDP_TX path\n\nFor XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not\ncorrect. __bnxt_poll_work() -\u003e bnxt_rx_pkt() -\u003e bnxt_rx_xdp() may be\nlooping within NAPI and some event flags may be set in earlier\niterations. In particular, if BNXT_TX_EVENT is set earlier indicating\nsome XDP_TX packets are ready and pending, it will be cleared if it is\nXDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we\nsuccessfully call __bnxt_xmit_xdp(). But if the TX ring has no more\nroom, the flag will not be set. This will cause the TX producer to be\nahead but the driver will not hit the TX doorbell.\n\nFor multi-buf XDP_TX, there is no need to clear the event flags and set\nBNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in\nbnxt_rx_pkt().\n\nThe visible symptom of this is that the RX ring associated with the\nTX XDP ring will eventually become empty and all packets will be dropped.\nBecause this condition will cause the driver to not refill the RX ring\nseeing that the TX ring has forever pending XDP_TX packets.\n\nThe fix is to only clear BNXT_RX_EVENT when we have successfully\ncalled __bnxt_xmit_xdp()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:00.881Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b83902a1e67ff327ab5c6c65021a03e72c081d6"
},
{
"url": "https://git.kernel.org/stable/c/f17e0c1208485b24d61271bc1ddc8f2087e71561"
},
{
"url": "https://git.kernel.org/stable/c/0373d5c387f24de749cc22e694a14b3a7c7eb515"
}
],
"title": "bnxt_en: Fix XDP_TX path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68770",
"datePublished": "2026-01-13T15:28:48.604Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-11T21:53:00.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68783 (GCVE-0-2025-68783)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
ALSA: usb-mixer: us16x08: validate meter packet indices
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-mixer: us16x08: validate meter packet indices
get_meter_levels_from_urb() parses the 64-byte meter packets sent by
the device and fills the per-channel arrays meter_level[],
comp_level[] and master_level[] in struct snd_us16x08_meter_store.
Currently the function derives the channel index directly from the
meter packet (MUB2(meter_urb, s) - 1) and uses it to index those
arrays without validating the range. If the packet contains a
negative or out-of-range channel number, the driver may write past
the end of these arrays.
Introduce a local channel variable and validate it before updating the
arrays. We reject negative indices, limit meter_level[] and
comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]
updates with ARRAY_SIZE(master_level).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 53461710a95e15ac1f6542450943a492ecf8e550
(git)
Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 2168866396bd28ec4f3c8da0fbc7d08b5bd4f053 (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < cde47f4ccad6751ac36b7471572ddf38ee91870c (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 2f21a7cbaaa93926f5be15bc095b9c57c35748d9 (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < a8ad320efb663be30b794e3dd3e829301c0d0ed3 (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < eaa95228b8a56c4880a182c0350d67922b22408f (git) Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_us16x08.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53461710a95e15ac1f6542450943a492ecf8e550",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "2168866396bd28ec4f3c8da0fbc7d08b5bd4f053",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "cde47f4ccad6751ac36b7471572ddf38ee91870c",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "2f21a7cbaaa93926f5be15bc095b9c57c35748d9",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "a8ad320efb663be30b794e3dd3e829301c0d0ed3",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "eaa95228b8a56c4880a182c0350d67922b22408f",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_us16x08.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-mixer: us16x08: validate meter packet indices\n\nget_meter_levels_from_urb() parses the 64-byte meter packets sent by\nthe device and fills the per-channel arrays meter_level[],\ncomp_level[] and master_level[] in struct snd_us16x08_meter_store.\n\nCurrently the function derives the channel index directly from the\nmeter packet (MUB2(meter_urb, s) - 1) and uses it to index those\narrays without validating the range. If the packet contains a\nnegative or out-of-range channel number, the driver may write past\nthe end of these arrays.\n\nIntroduce a local channel variable and validate it before updating the\narrays. We reject negative indices, limit meter_level[] and\ncomp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]\nupdates with ARRAY_SIZE(master_level)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:16.125Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550"
},
{
"url": "https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053"
},
{
"url": "https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c"
},
{
"url": "https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9"
},
{
"url": "https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3"
},
{
"url": "https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f"
},
{
"url": "https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e"
}
],
"title": "ALSA: usb-mixer: us16x08: validate meter packet indices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68783",
"datePublished": "2026-01-13T15:28:57.609Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-05-11T21:53:16.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71130 (GCVE-0-2025-71130)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-05-11 21:55
VLAI?
EPSS
Title
drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer
Initialize the eb.vma array with values of 0 when the eb structure is
first set up. In particular, this sets the eb->vma[i].vma pointers to
NULL, simplifying cleanup and getting rid of the bug described below.
During the execution of eb_lookup_vmas(), the eb->vma array is
successively filled up with struct eb_vma objects. This process includes
calling eb_add_vma(), which might fail; however, even in the event of
failure, eb->vma[i].vma is set for the currently processed buffer.
If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which
prompts a call to eb_release_vmas() to clean up the mess. Since
eb_lookup_vmas() might fail during processing any (possibly not first)
buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know
at what point did the lookup function fail.
In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper
function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is
set to NULL in case i915_gem_object_userptr_submit_init() fails; the
current one needs to be cleaned up by eb_release_vmas() at this point,
so the next one is set. If eb_add_vma() fails, neither the current nor
the next vma is set to NULL, which is a source of a NULL deref bug
described in the issue linked in the Closes tag.
When entering eb_lookup_vmas(), the vma pointers are set to the slab
poison value, instead of NULL. This doesn't matter for the actual
lookup, since it gets overwritten anyway, however the eb_release_vmas()
function only recognizes NULL as the stopping value, hence the pointers
are being set to NULL as they go in case of intermediate failure. This
patch changes the approach to filling them all with NULL at the start
instead, rather than handling that manually during failure.
(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
544460c33821b44c2f0c643121303c3dc3f66ef1 , < 25d69e07770745992387c016613fd7ac8eaf9893
(git)
Affected: 544460c33821b44c2f0c643121303c3dc3f66ef1 , < 0336188cc85d0eab8463bd1bbd4ded4e9602de8b (git) Affected: 544460c33821b44c2f0c643121303c3dc3f66ef1 , < 24d55ac8e31d2f8197bfad71ffcb3bae21ed7117 (git) Affected: 544460c33821b44c2f0c643121303c3dc3f66ef1 , < 63f23aa2fbb823c8b15a29269fde220d227ce5b3 (git) Affected: 544460c33821b44c2f0c643121303c3dc3f66ef1 , < 4fe2bd195435e71c117983d87f278112c5ab364c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25d69e07770745992387c016613fd7ac8eaf9893",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
},
{
"lessThan": "0336188cc85d0eab8463bd1bbd4ded4e9602de8b",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
},
{
"lessThan": "24d55ac8e31d2f8197bfad71ffcb3bae21ed7117",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
},
{
"lessThan": "63f23aa2fbb823c8b15a29269fde220d227ce5b3",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
},
{
"lessThan": "4fe2bd195435e71c117983d87f278112c5ab364c",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer\n\nInitialize the eb.vma array with values of 0 when the eb structure is\nfirst set up. In particular, this sets the eb-\u003evma[i].vma pointers to\nNULL, simplifying cleanup and getting rid of the bug described below.\n\nDuring the execution of eb_lookup_vmas(), the eb-\u003evma array is\nsuccessively filled up with struct eb_vma objects. This process includes\ncalling eb_add_vma(), which might fail; however, even in the event of\nfailure, eb-\u003evma[i].vma is set for the currently processed buffer.\n\nIf eb_add_vma() fails, eb_lookup_vmas() returns with an error, which\nprompts a call to eb_release_vmas() to clean up the mess. Since\neb_lookup_vmas() might fail during processing any (possibly not first)\nbuffer, eb_release_vmas() checks whether a buffer\u0027s vma is NULL to know\nat what point did the lookup function fail.\n\nIn eb_lookup_vmas(), eb-\u003evma[i].vma is set to NULL if either the helper\nfunction eb_lookup_vma() or eb_validate_vma() fails. eb-\u003evma[i+1].vma is\nset to NULL in case i915_gem_object_userptr_submit_init() fails; the\ncurrent one needs to be cleaned up by eb_release_vmas() at this point,\nso the next one is set. If eb_add_vma() fails, neither the current nor\nthe next vma is set to NULL, which is a source of a NULL deref bug\ndescribed in the issue linked in the Closes tag.\n\nWhen entering eb_lookup_vmas(), the vma pointers are set to the slab\npoison value, instead of NULL. This doesn\u0027t matter for the actual\nlookup, since it gets overwritten anyway, however the eb_release_vmas()\nfunction only recognizes NULL as the stopping value, hence the pointers\nare being set to NULL as they go in case of intermediate failure. This\npatch changes the approach to filling them all with NULL at the start\ninstead, rather than handling that manually during failure.\n\n(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:33.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25d69e07770745992387c016613fd7ac8eaf9893"
},
{
"url": "https://git.kernel.org/stable/c/0336188cc85d0eab8463bd1bbd4ded4e9602de8b"
},
{
"url": "https://git.kernel.org/stable/c/24d55ac8e31d2f8197bfad71ffcb3bae21ed7117"
},
{
"url": "https://git.kernel.org/stable/c/63f23aa2fbb823c8b15a29269fde220d227ce5b3"
},
{
"url": "https://git.kernel.org/stable/c/4fe2bd195435e71c117983d87f278112c5ab364c"
}
],
"title": "drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71130",
"datePublished": "2026-01-14T15:07:46.508Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-05-11T21:55:33.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23005 (GCVE-0-2026-23005)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in
response to a guest WRMSR, clear XFD-disabled features in the saved (or to
be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for
features that are disabled via the guest's XFD. Because the kernel
executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1
will cause XRSTOR to #NM and panic the kernel.
E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:
------------[ cut here ]------------
WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848
Modules linked in: kvm_intel kvm irqbypass
CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:exc_device_not_available+0x101/0x110
Call Trace:
<TASK>
asm_exc_device_not_available+0x1a/0x20
RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
switch_fpu_return+0x4a/0xb0
kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]
kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
__x64_sys_ioctl+0x8f/0xd0
do_syscall_64+0x62/0x940
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,
and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's
call to fpu_update_guest_xfd().
and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:
------------[ cut here ]------------
WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867
Modules linked in: kvm_intel kvm irqbypass
CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:exc_device_not_available+0x101/0x110
Call Trace:
<TASK>
asm_exc_device_not_available+0x1a/0x20
RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
fpu_swap_kvm_fpstate+0x6b/0x120
kvm_load_guest_fpu+0x30/0x80 [kvm]
kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]
kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
__x64_sys_ioctl+0x8f/0xd0
do_syscall_64+0x62/0x940
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
The new behavior is consistent with the AMX architecture. Per Intel's SDM,
XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD
(and non-compacted XSAVE saves the initial configuration of the state
component):
If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,
the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;
instead, it operates as if XINUSE[i] = 0 (and the state component was
in its initial state): it saves bit i of XSTATE_BV field of the XSAVE
header as 0; in addition, XSAVE saves the initial configuration of the
state component (the other instructions do not save state component i).
Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using
a constant XFD based on the set of enabled features when XSAVEing for
a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled
features can only happen in the above interrupt case, or in similar
scenarios involving preemption on preemptible kernels, because
fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the
outgoing FPU state with the current XFD; and that is (on all but the
first WRMSR to XFD) the guest XFD.
Therefore, XFD can only go out of sync with XSTATE_BV in the above
interrupt case, or in similar scenarios involving preemption on
preemptible kernels, and it we can consider it (de facto) part of KVM
ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.
[Move clea
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
820a6ee944e74e57255ac2e90916ecdaade57b95 , < b5995c01ba53d84182ecb9492fc4d91cfe8a362d
(git)
Affected: 820a6ee944e74e57255ac2e90916ecdaade57b95 , < 1e2848bda819af569dfe7ab186223855e092a2cb (git) Affected: 820a6ee944e74e57255ac2e90916ecdaade57b95 , < f577508cc8a0adb8b4ebe9480bba7683b6149930 (git) Affected: 820a6ee944e74e57255ac2e90916ecdaade57b95 , < eea6f395ca502c4528314c8112da9b5d65f685eb (git) Affected: 820a6ee944e74e57255ac2e90916ecdaade57b95 , < b45f721775947a84996deb5c661602254ce25ce6 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23005",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:31.188844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:24.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/fpu/core.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5995c01ba53d84182ecb9492fc4d91cfe8a362d",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
},
{
"lessThan": "1e2848bda819af569dfe7ab186223855e092a2cb",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
},
{
"lessThan": "f577508cc8a0adb8b4ebe9480bba7683b6149930",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
},
{
"lessThan": "eea6f395ca502c4528314c8112da9b5d65f685eb",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
},
{
"lessThan": "b45f721775947a84996deb5c661602254ce25ce6",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/fpu/core.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1\n\nWhen loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in\nresponse to a guest WRMSR, clear XFD-disabled features in the saved (or to\nbe restored) XSTATE_BV to ensure KVM doesn\u0027t attempt to load state for\nfeatures that are disabled via the guest\u0027s XFD. Because the kernel\nexecutes XRSTOR with the guest\u0027s XFD, saving XSTATE_BV[i]=1 with XFD[i]=1\nwill cause XRSTOR to #NM and panic the kernel.\n\nE.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:\n\n ------------[ cut here ]------------\n WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:exc_device_not_available+0x101/0x110\n Call Trace:\n \u003cTASK\u003e\n asm_exc_device_not_available+0x1a/0x20\n RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90\n switch_fpu_return+0x4a/0xb0\n kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]\n kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]\n __x64_sys_ioctl+0x8f/0xd0\n do_syscall_64+0x62/0x940\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nThis can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,\nand a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler\u0027s\ncall to fpu_update_guest_xfd().\n\nand if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:\n\n ------------[ cut here ]------------\n WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:exc_device_not_available+0x101/0x110\n Call Trace:\n \u003cTASK\u003e\n asm_exc_device_not_available+0x1a/0x20\n RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90\n fpu_swap_kvm_fpstate+0x6b/0x120\n kvm_load_guest_fpu+0x30/0x80 [kvm]\n kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]\n kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]\n __x64_sys_ioctl+0x8f/0xd0\n do_syscall_64+0x62/0x940\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nThe new behavior is consistent with the AMX architecture. Per Intel\u0027s SDM,\nXSAVE saves XSTATE_BV as \u00270\u0027 for components that are disabled via XFD\n(and non-compacted XSAVE saves the initial configuration of the state\ncomponent):\n\n If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,\n the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;\n instead, it operates as if XINUSE[i] = 0 (and the state component was\n in its initial state): it saves bit i of XSTATE_BV field of the XSAVE\n header as 0; in addition, XSAVE saves the initial configuration of the\n state component (the other instructions do not save state component i).\n\nAlternatively, KVM could always do XRSTOR with XFD=0, e.g. by using\na constant XFD based on the set of enabled features when XSAVEing for\na struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled\nfeatures can only happen in the above interrupt case, or in similar\nscenarios involving preemption on preemptible kernels, because\nfpu_swap_kvm_fpstate()\u0027s call to save_fpregs_to_fpstate() saves the\noutgoing FPU state with the current XFD; and that is (on all but the\nfirst WRMSR to XFD) the guest XFD.\n\nTherefore, XFD can only go out of sync with XSTATE_BV in the above\ninterrupt case, or in similar scenarios involving preemption on\npreemptible kernels, and it we can consider it (de facto) part of KVM\nABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.\n\n[Move clea\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:09.790Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5995c01ba53d84182ecb9492fc4d91cfe8a362d"
},
{
"url": "https://git.kernel.org/stable/c/1e2848bda819af569dfe7ab186223855e092a2cb"
},
{
"url": "https://git.kernel.org/stable/c/f577508cc8a0adb8b4ebe9480bba7683b6149930"
},
{
"url": "https://git.kernel.org/stable/c/eea6f395ca502c4528314c8112da9b5d65f685eb"
},
{
"url": "https://git.kernel.org/stable/c/b45f721775947a84996deb5c661602254ce25ce6"
}
],
"title": "x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23005",
"datePublished": "2026-01-25T14:36:19.021Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-06-11T18:44:24.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23257 (GCVE-0-2026-23257)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-05-11 22:03
VLAI?
EPSS
Title
net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
In setup_nic_devices(), the initialization loop jumps to the label
setup_nic_dev_free on failure. The current cleanup loop while(i--)
skip the failing index i, causing a memory leak.
Fix this by changing the loop to iterate from the current index i
down to 0.
Also, decrement i in the devlink_alloc failure path to point to the
last successfully allocated index.
Compile tested only. Issue found using code review.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f21fb3ed364bb83533c5efe19354e337ea9ecda9 , < af38d9a5cb49fe9d0d282b44f17fdc1f3270d99d
(git)
Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9 , < d86c58eb005eb99da402452f3db7a6e0eae32815 (git) Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9 , < f1216b80c9040a904d2ad7c8cd24ca0ff1f36932 (git) Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9 , < a0d2389c8cdc1f05de5eb8663bffe9ed05dca769 (git) Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9 , < f86bd16280a0f88b538394e0565c56ce4756da99 (git) Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9 , < 293eaad0d6d6b2a37a458c7deb7be345349cd963 (git) Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9 , < 8558aef4e8a1a83049ab906d21d391093cfa7e7f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af38d9a5cb49fe9d0d282b44f17fdc1f3270d99d",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "d86c58eb005eb99da402452f3db7a6e0eae32815",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "f1216b80c9040a904d2ad7c8cd24ca0ff1f36932",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "a0d2389c8cdc1f05de5eb8663bffe9ed05dca769",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "f86bd16280a0f88b538394e0565c56ce4756da99",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "293eaad0d6d6b2a37a458c7deb7be345349cd963",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "8558aef4e8a1a83049ab906d21d391093cfa7e7f",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup\n\nIn setup_nic_devices(), the initialization loop jumps to the label\nsetup_nic_dev_free on failure. The current cleanup loop while(i--)\nskip the failing index i, causing a memory leak.\n\nFix this by changing the loop to iterate from the current index i\ndown to 0.\n\nAlso, decrement i in the devlink_alloc failure path to point to the\nlast successfully allocated index.\n\nCompile tested only. Issue found using code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:21.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af38d9a5cb49fe9d0d282b44f17fdc1f3270d99d"
},
{
"url": "https://git.kernel.org/stable/c/d86c58eb005eb99da402452f3db7a6e0eae32815"
},
{
"url": "https://git.kernel.org/stable/c/f1216b80c9040a904d2ad7c8cd24ca0ff1f36932"
},
{
"url": "https://git.kernel.org/stable/c/a0d2389c8cdc1f05de5eb8663bffe9ed05dca769"
},
{
"url": "https://git.kernel.org/stable/c/f86bd16280a0f88b538394e0565c56ce4756da99"
},
{
"url": "https://git.kernel.org/stable/c/293eaad0d6d6b2a37a458c7deb7be345349cd963"
},
{
"url": "https://git.kernel.org/stable/c/8558aef4e8a1a83049ab906d21d391093cfa7e7f"
}
],
"title": "net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23257",
"datePublished": "2026-03-18T17:41:04.078Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-05-11T22:03:21.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23182 (GCVE-0-2026-23182)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
spi: tegra: Fix a memory leak in tegra_slink_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra: Fix a memory leak in tegra_slink_probe()
In tegra_slink_probe(), when platform_get_irq() fails, it directly
returns from the function with an error code, which causes a memory leak.
Replace it with a goto label to ensure proper cleanup.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b64683f5d7282f7b160e9867e33cdac00b5c792b , < 6a04dc650cef8d52a1ccb4ae245dbe318ffff32e
(git)
Affected: 5c25f89c00b97844d0427f0f96818a15714bd609 , < 327b71326cc1834bc031e8f52a470a18dfd9caa6 (git) Affected: 46ee23101f32a1ced5335d5407d5ecffd160ccdf , < 126a09f4fcd2b895a818ca43fde078d907c1ac9a (git) Affected: eb9913b511f10968a02cfa5329a896855dd152a3 , < 075415ae18b5b3e4d0187962d538653154216fe7 (git) Affected: eb9913b511f10968a02cfa5329a896855dd152a3 , < b8eec12aa666c11f8a6ad1488c568f85c58875fa (git) Affected: eb9913b511f10968a02cfa5329a896855dd152a3 , < 41d9a6795b95d6ea28439ac1e9ce8c95bbca20fc (git) Affected: 4eb8065494ca19caba3f45fc83941fd568a8c3cd (git) Affected: 5.15.139 , < 5.15.200 (semver) Affected: 6.1.63 , < 6.1.163 (semver) Affected: 6.6.2 , < 6.6.124 (semver) Affected: 6.5.12 , < 6.6 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra20-slink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a04dc650cef8d52a1ccb4ae245dbe318ffff32e",
"status": "affected",
"version": "b64683f5d7282f7b160e9867e33cdac00b5c792b",
"versionType": "git"
},
{
"lessThan": "327b71326cc1834bc031e8f52a470a18dfd9caa6",
"status": "affected",
"version": "5c25f89c00b97844d0427f0f96818a15714bd609",
"versionType": "git"
},
{
"lessThan": "126a09f4fcd2b895a818ca43fde078d907c1ac9a",
"status": "affected",
"version": "46ee23101f32a1ced5335d5407d5ecffd160ccdf",
"versionType": "git"
},
{
"lessThan": "075415ae18b5b3e4d0187962d538653154216fe7",
"status": "affected",
"version": "eb9913b511f10968a02cfa5329a896855dd152a3",
"versionType": "git"
},
{
"lessThan": "b8eec12aa666c11f8a6ad1488c568f85c58875fa",
"status": "affected",
"version": "eb9913b511f10968a02cfa5329a896855dd152a3",
"versionType": "git"
},
{
"lessThan": "41d9a6795b95d6ea28439ac1e9ce8c95bbca20fc",
"status": "affected",
"version": "eb9913b511f10968a02cfa5329a896855dd152a3",
"versionType": "git"
},
{
"status": "affected",
"version": "4eb8065494ca19caba3f45fc83941fd568a8c3cd",
"versionType": "git"
},
{
"lessThan": "5.15.200",
"status": "affected",
"version": "5.15.139",
"versionType": "semver"
},
{
"lessThan": "6.1.163",
"status": "affected",
"version": "6.1.63",
"versionType": "semver"
},
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.2",
"versionType": "semver"
},
{
"lessThan": "6.6",
"status": "affected",
"version": "6.5.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra20-slink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.139",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra: Fix a memory leak in tegra_slink_probe()\n\nIn tegra_slink_probe(), when platform_get_irq() fails, it directly\nreturns from the function with an error code, which causes a memory leak.\n\nReplace it with a goto label to ensure proper cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:03.906Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a04dc650cef8d52a1ccb4ae245dbe318ffff32e"
},
{
"url": "https://git.kernel.org/stable/c/327b71326cc1834bc031e8f52a470a18dfd9caa6"
},
{
"url": "https://git.kernel.org/stable/c/126a09f4fcd2b895a818ca43fde078d907c1ac9a"
},
{
"url": "https://git.kernel.org/stable/c/075415ae18b5b3e4d0187962d538653154216fe7"
},
{
"url": "https://git.kernel.org/stable/c/b8eec12aa666c11f8a6ad1488c568f85c58875fa"
},
{
"url": "https://git.kernel.org/stable/c/41d9a6795b95d6ea28439ac1e9ce8c95bbca20fc"
}
],
"title": "spi: tegra: Fix a memory leak in tegra_slink_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23182",
"datePublished": "2026-02-14T16:27:12.806Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-05-23T16:04:03.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68733 (GCVE-0-2025-68733)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
smack: fix bug: unprivileged task can create labels
Summary
In the Linux kernel, the following vulnerability has been resolved:
smack: fix bug: unprivileged task can create labels
If an unprivileged task is allowed to relabel itself
(/smack/relabel-self is not empty),
it can freely create new labels by writing their
names into own /proc/PID/attr/smack/current
This occurs because do_setattr() imports
the provided label in advance,
before checking "relabel-self" list.
This change ensures that the "relabel-self" list
is checked before importing the label.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
38416e53936ecf896948fdeffc36b76979117952 , < c80173233014a360c13fa5cc79d36bfe6e53a8ed
(git)
Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 6b1e45e13546c9ea0b1d99097993ac0aafae90b1 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 4a7a7621619a366712fb9cefcb6e69f956c247ce (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < f8fd5491100f920847a3338d5fba22db19c72773 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < ac9fce2efabad37c338aac86fbe100f77a080e59 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 64aa81250171b6bb6803e97ea7a5d73bfa061f6e (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < 60e8d49989410a7ade60f5dadfcd979c117d05c0 (git) Affected: 38416e53936ecf896948fdeffc36b76979117952 , < c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/smack/smack_lsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c80173233014a360c13fa5cc79d36bfe6e53a8ed",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "6b1e45e13546c9ea0b1d99097993ac0aafae90b1",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "4a7a7621619a366712fb9cefcb6e69f956c247ce",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "f8fd5491100f920847a3338d5fba22db19c72773",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "ac9fce2efabad37c338aac86fbe100f77a080e59",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "64aa81250171b6bb6803e97ea7a5d73bfa061f6e",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "60e8d49989410a7ade60f5dadfcd979c117d05c0",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/smack/smack_lsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmack: fix bug: unprivileged task can create labels\n\nIf an unprivileged task is allowed to relabel itself\n(/smack/relabel-self is not empty),\nit can freely create new labels by writing their\nnames into own /proc/PID/attr/smack/current\n\nThis occurs because do_setattr() imports\nthe provided label in advance,\nbefore checking \"relabel-self\" list.\n\nThis change ensures that the \"relabel-self\" list\nis checked before importing the label."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:17.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c80173233014a360c13fa5cc79d36bfe6e53a8ed"
},
{
"url": "https://git.kernel.org/stable/c/6b1e45e13546c9ea0b1d99097993ac0aafae90b1"
},
{
"url": "https://git.kernel.org/stable/c/4a7a7621619a366712fb9cefcb6e69f956c247ce"
},
{
"url": "https://git.kernel.org/stable/c/f8fd5491100f920847a3338d5fba22db19c72773"
},
{
"url": "https://git.kernel.org/stable/c/ac9fce2efabad37c338aac86fbe100f77a080e59"
},
{
"url": "https://git.kernel.org/stable/c/64aa81250171b6bb6803e97ea7a5d73bfa061f6e"
},
{
"url": "https://git.kernel.org/stable/c/60e8d49989410a7ade60f5dadfcd979c117d05c0"
},
{
"url": "https://git.kernel.org/stable/c/c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3"
}
],
"title": "smack: fix bug: unprivileged task can create labels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68733",
"datePublished": "2025-12-24T10:33:15.347Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-05-11T21:52:17.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23035 (GCVE-0-2026-23035)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-05-11 21:58
VLAI?
EPSS
Title
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
mlx5e_priv is an unstable structure that can be memset(0) if profile
attaching fails.
Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a
valid netdev.
On mlx5e_remove: Check validity of priv->profile, before attempting
to cleanup any resources that might be not there.
This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
to change profile failure.
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
Error: mlx5_core: Failed setting eswitch to offloads.
dmesg:
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
$ devlink dev reload pci/0000:00:03.0 ==> oops
BUG: kernel NULL pointer dereference, address: 0000000000000370
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100
RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286
RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0
RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10
R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0
R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400
FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0
Call Trace:
<TASK>
mlx5e_remove+0x57/0x110
device_release_driver_internal+0x19c/0x200
bus_remove_device+0xc6/0x130
device_del+0x160/0x3d0
? devl_param_driverinit_value_get+0x2d/0x90
mlx5_detach_device+0x89/0xe0
mlx5_unload_one_devl_locked+0x3a/0x70
mlx5_devlink_reload_down+0xc8/0x220
devlink_reload+0x7d/0x260
devlink_nl_reload_doit+0x45b/0x5a0
genl_family_rcv_msg_doit+0xe8/0x140
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c4d7eb57687f358cd498ea3624519236af8db97e , < a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02
(git)
Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < 66a25f6b7c0bfd84e6d27b536f5d24116dbd52da (git) Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < 4ef8512e1427111f7ba92b4a847d181ff0aeec42 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "66a25f6b7c0bfd84e6d27b536f5d24116dbd52da",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "4ef8512e1427111f7ba92b4a847d181ff0aeec42",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv\n\nmlx5e_priv is an unstable structure that can be memset(0) if profile\nattaching fails.\n\nPass netdev to mlx5e_destroy_netdev() to guarantee it will work on a\nvalid netdev.\n\nOn mlx5e_remove: Check validity of priv-\u003eprofile, before attempting\nto cleanup any resources that might be not there.\n\nThis fixes a kernel oops in mlx5e_remove when switchdev mode fails due\nto change profile failure.\n\n$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev\nError: mlx5_core: Failed setting eswitch to offloads.\ndmesg:\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n\n$ devlink dev reload pci/0000:00:03.0 ==\u003e oops\n\nBUG: kernel NULL pointer dereference, address: 0000000000000370\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100\nRSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286\nRAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0\nRBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10\nR10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0\nR13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400\nFS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0\nCall Trace:\n \u003cTASK\u003e\n mlx5e_remove+0x57/0x110\n device_release_driver_internal+0x19c/0x200\n bus_remove_device+0xc6/0x130\n device_del+0x160/0x3d0\n ? devl_param_driverinit_value_get+0x2d/0x90\n mlx5_detach_device+0x89/0xe0\n mlx5_unload_one_devl_locked+0x3a/0x70\n mlx5_devlink_reload_down+0xc8/0x220\n devlink_reload+0x7d/0x260\n devlink_nl_reload_doit+0x45b/0x5a0\n genl_family_rcv_msg_doit+0xe8/0x140"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:44.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02"
},
{
"url": "https://git.kernel.org/stable/c/66a25f6b7c0bfd84e6d27b536f5d24116dbd52da"
},
{
"url": "https://git.kernel.org/stable/c/4ef8512e1427111f7ba92b4a847d181ff0aeec42"
}
],
"title": "net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23035",
"datePublished": "2026-01-31T11:42:29.960Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-05-11T21:58:44.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23150 (GCVE-0-2026-23150)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
syzbot reported various memory leaks related to NFC, struct
nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
The leading log hinted that nfc_llcp_send_ui_frame() failed
to allocate skb due to sock_error(sk) being -ENXIO.
ENXIO is set by nfc_llcp_socket_release() when struct
nfc_llcp_local is destroyed by local_cleanup().
The problem is that there is no synchronisation between
nfc_llcp_send_ui_frame() and local_cleanup(), and skb
could be put into local->tx_queue after it was purged in
local_cleanup():
CPU1 CPU2
---- ----
nfc_llcp_send_ui_frame() local_cleanup()
|- do { '
|- pdu = nfc_alloc_send_skb(..., &err)
| .
| |- nfc_llcp_socket_release(local, false, ENXIO);
| |- skb_queue_purge(&local->tx_queue); |
| ' |
|- skb_queue_tail(&local->tx_queue, pdu); |
... |
|- pdu = nfc_alloc_send_skb(..., &err) |
^._________________________________.'
local_cleanup() is called for struct nfc_llcp_local only
after nfc_llcp_remove_local() unlinks it from llcp_devices.
If we hold local->tx_queue.lock then, we can synchronise
the thread and nfc_llcp_send_ui_frame().
Let's do that and check list_empty(&local->list) before
queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
[0]:
[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881272f6800 (size 1024):
comm "syz.0.17", pid 6096, jiffies 4294942766
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
backtrace (crc da58d84d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
sk_alloc+0x36/0x360 net/core/sock.c:2295
nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
__sock_create+0x1a9/0x340 net/socket.c:1605
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xb9/0x1a0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x1b/0x30 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810fbd9800 (size 240):
comm "syz.0.17", pid 6096, jiffies 4294942850
hex dump (first 32 bytes):
68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......
00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'....
backtrace (crc 6cc652b1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/sk
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
94f418a206648c9be6fd84d6681d6956b8f8b106 , < ab660cb8e17aa93426d1e821c2cce60e4b9bc56a
(git)
Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 6734ff1ac6beba1d0c22dc9a3dc1849b773b511f (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < f8d002626d434f5fea9085e2557711c16a15cec6 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 61858cbce6ca4bef9ed116c689a4be9520841339 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 165c34fb6068ff153e3fc99a932a80a9d5755709 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_commands.c",
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab660cb8e17aa93426d1e821c2cce60e4b9bc56a",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "6734ff1ac6beba1d0c22dc9a3dc1849b773b511f",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "f8d002626d434f5fea9085e2557711c16a15cec6",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "61858cbce6ca4bef9ed116c689a4be9520841339",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "165c34fb6068ff153e3fc99a932a80a9d5755709",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_commands.c",
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().\n\nsyzbot reported various memory leaks related to NFC, struct\nnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]\n\nThe leading log hinted that nfc_llcp_send_ui_frame() failed\nto allocate skb due to sock_error(sk) being -ENXIO.\n\nENXIO is set by nfc_llcp_socket_release() when struct\nnfc_llcp_local is destroyed by local_cleanup().\n\nThe problem is that there is no synchronisation between\nnfc_llcp_send_ui_frame() and local_cleanup(), and skb\ncould be put into local-\u003etx_queue after it was purged in\nlocal_cleanup():\n\n CPU1 CPU2\n ---- ----\n nfc_llcp_send_ui_frame() local_cleanup()\n |- do { \u0027\n |- pdu = nfc_alloc_send_skb(..., \u0026err)\n | .\n | |- nfc_llcp_socket_release(local, false, ENXIO);\n | |- skb_queue_purge(\u0026local-\u003etx_queue); |\n | \u0027 |\n |- skb_queue_tail(\u0026local-\u003etx_queue, pdu); |\n ... |\n |- pdu = nfc_alloc_send_skb(..., \u0026err) |\n ^._________________________________.\u0027\n\nlocal_cleanup() is called for struct nfc_llcp_local only\nafter nfc_llcp_remove_local() unlinks it from llcp_devices.\n\nIf we hold local-\u003etx_queue.lock then, we can synchronise\nthe thread and nfc_llcp_send_ui_frame().\n\nLet\u0027s do that and check list_empty(\u0026local-\u003elist) before\nqueuing skb to local-\u003etx_queue in nfc_llcp_send_ui_frame().\n\n[0]:\n[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)\n[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881272f6800 (size 1024):\n comm \"syz.0.17\", pid 6096, jiffies 4294942766\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 \u0027..@............\n backtrace (crc da58d84d):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658\n kmalloc_noprof include/linux/slab.h:961 [inline]\n sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239\n sk_alloc+0x36/0x360 net/core/sock.c:2295\n nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979\n llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044\n nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31\n __sock_create+0x1a9/0x340 net/socket.c:1605\n sock_create net/socket.c:1663 [inline]\n __sys_socket_create net/socket.c:1700 [inline]\n __sys_socket+0xb9/0x1a0 net/socket.c:1747\n __do_sys_socket net/socket.c:1761 [inline]\n __se_sys_socket net/socket.c:1759 [inline]\n __x64_sys_socket+0x1b/0x30 net/socket.c:1759\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBUG: memory leak\nunreferenced object 0xffff88810fbd9800 (size 240):\n comm \"syz.0.17\", pid 6096, jiffies 4294942850\n hex dump (first 32 bytes):\n 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......\n 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/\u0027....\n backtrace (crc 6cc652b1):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/sk\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:10.727Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a"
},
{
"url": "https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc"
},
{
"url": "https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f"
},
{
"url": "https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6"
},
{
"url": "https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5"
},
{
"url": "https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339"
},
{
"url": "https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709"
}
],
"title": "nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23150",
"datePublished": "2026-02-14T16:01:18.968Z",
"dateReserved": "2026-01-13T15:37:45.976Z",
"dateUpdated": "2026-05-11T22:01:10.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71160 (GCVE-0-2025-71160)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:23 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
netfilter: nf_tables: avoid chain re-validation if possible
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: avoid chain re-validation if possible
Hamza Mahfooz reports cpu soft lock-ups in
nft_chain_validate():
watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]
[..]
RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]
[..]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_table_validate+0x6b/0xb0 [nf_tables]
nf_tables_validate+0x8b/0xa0 [nf_tables]
nf_tables_commit+0x1df/0x1eb0 [nf_tables]
[..]
Currently nf_tables will traverse the entire table (chain graph), starting
from the entry points (base chains), exploring all possible paths
(chain jumps). But there are cases where we could avoid revalidation.
Consider:
1 input -> j2 -> j3
2 input -> j2 -> j3
3 input -> j1 -> j2 -> j3
Then the second rule does not need to revalidate j2, and, by extension j3,
because this was already checked during validation of the first rule.
We need to validate it only for rule 3.
This is needed because chain loop detection also ensures we do not exceed
the jump stack: Just because we know that j2 is cycle free, its last jump
might now exceed the allowed stack size. We also need to update all
reachable chains with the new largest observed call depth.
Care has to be taken to revalidate even if the chain depth won't be an
issue: chain validation also ensures that expressions are not called from
invalid base chains. For example, the masquerade expression can only be
called from NAT postrouting base chains.
Therefore we also need to keep record of the base chain context (type,
hooknum) and revalidate if the chain becomes reachable from a different
hook location.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a654de8fdc1815676ab750e70cab231fc814c29f , < 53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1
(git)
Affected: a654de8fdc1815676ab750e70cab231fc814c29f , < 14fa3d1927f1382f86e3f70a51f26005c8e3cff6 (git) Affected: a654de8fdc1815676ab750e70cab231fc814c29f , < 09d6074995c186e449979fe6c1b0f1a69cf9bd3b (git) Affected: a654de8fdc1815676ab750e70cab231fc814c29f , < 8e1a1bc4f5a42747c08130b8242ebebd1210b32f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1",
"status": "affected",
"version": "a654de8fdc1815676ab750e70cab231fc814c29f",
"versionType": "git"
},
{
"lessThan": "14fa3d1927f1382f86e3f70a51f26005c8e3cff6",
"status": "affected",
"version": "a654de8fdc1815676ab750e70cab231fc814c29f",
"versionType": "git"
},
{
"lessThan": "09d6074995c186e449979fe6c1b0f1a69cf9bd3b",
"status": "affected",
"version": "a654de8fdc1815676ab750e70cab231fc814c29f",
"versionType": "git"
},
{
"lessThan": "8e1a1bc4f5a42747c08130b8242ebebd1210b32f",
"status": "affected",
"version": "a654de8fdc1815676ab750e70cab231fc814c29f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: avoid chain re-validation if possible\n\nHamza Mahfooz reports cpu soft lock-ups in\nnft_chain_validate():\n\n watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]\n[..]\n RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]\n[..]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_table_validate+0x6b/0xb0 [nf_tables]\n nf_tables_validate+0x8b/0xa0 [nf_tables]\n nf_tables_commit+0x1df/0x1eb0 [nf_tables]\n[..]\n\nCurrently nf_tables will traverse the entire table (chain graph), starting\nfrom the entry points (base chains), exploring all possible paths\n(chain jumps). But there are cases where we could avoid revalidation.\n\nConsider:\n1 input -\u003e j2 -\u003e j3\n2 input -\u003e j2 -\u003e j3\n3 input -\u003e j1 -\u003e j2 -\u003e j3\n\nThen the second rule does not need to revalidate j2, and, by extension j3,\nbecause this was already checked during validation of the first rule.\nWe need to validate it only for rule 3.\n\nThis is needed because chain loop detection also ensures we do not exceed\nthe jump stack: Just because we know that j2 is cycle free, its last jump\nmight now exceed the allowed stack size. We also need to update all\nreachable chains with the new largest observed call depth.\n\nCare has to be taken to revalidate even if the chain depth won\u0027t be an\nissue: chain validation also ensures that expressions are not called from\ninvalid base chains. For example, the masquerade expression can only be\ncalled from NAT postrouting base chains.\n\nTherefore we also need to keep record of the base chain context (type,\nhooknum) and revalidate if the chain becomes reachable from a different\nhook location."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:07.768Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1"
},
{
"url": "https://git.kernel.org/stable/c/14fa3d1927f1382f86e3f70a51f26005c8e3cff6"
},
{
"url": "https://git.kernel.org/stable/c/09d6074995c186e449979fe6c1b0f1a69cf9bd3b"
},
{
"url": "https://git.kernel.org/stable/c/8e1a1bc4f5a42747c08130b8242ebebd1210b32f"
}
],
"title": "netfilter: nf_tables: avoid chain re-validation if possible",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71160",
"datePublished": "2026-01-23T15:23:58.652Z",
"dateReserved": "2026-01-13T15:30:19.665Z",
"dateUpdated": "2026-05-11T21:56:07.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68371 (GCVE-0-2025-68371)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
scsi: smartpqi: Fix device resources accessed after device removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: smartpqi: Fix device resources accessed after device removal
Correct possible race conditions during device removal.
Previously, a scheduled work item to reset a LUN could still execute
after the device was removed, leading to use-after-free and other
resource access issues.
This race condition occurs because the abort handler may schedule a LUN
reset concurrently with device removal via sdev_destroy(), leading to
use-after-free and improper access to freed resources.
- Check in the device reset handler if the device is still present in
the controller's SCSI device list before running; if not, the reset
is skipped.
- Cancel any pending TMF work that has not started in sdev_destroy().
- Ensure device freeing in sdev_destroy() is done while holding the
LUN reset mutex to avoid races with ongoing resets.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2
(git)
Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 6d2390653d82cad0e1ba2676e536dd99678f6ef1 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < eccc02ba1747501d92bb2049e3ce378ba372f641 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < 1a5c5a2f88e839af5320216a02ffb075b668596a (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < b518e86d1a70a88f6592a7c396cf1b93493d1aab (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "6d2390653d82cad0e1ba2676e536dd99678f6ef1",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "eccc02ba1747501d92bb2049e3ce378ba372f641",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "1a5c5a2f88e839af5320216a02ffb075b668596a",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "b518e86d1a70a88f6592a7c396cf1b93493d1aab",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix device resources accessed after device removal\n\nCorrect possible race conditions during device removal.\n\nPreviously, a scheduled work item to reset a LUN could still execute\nafter the device was removed, leading to use-after-free and other\nresource access issues.\n\nThis race condition occurs because the abort handler may schedule a LUN\nreset concurrently with device removal via sdev_destroy(), leading to\nuse-after-free and improper access to freed resources.\n\n - Check in the device reset handler if the device is still present in\n the controller\u0027s SCSI device list before running; if not, the reset\n is skipped.\n\n - Cancel any pending TMF work that has not started in sdev_destroy().\n\n - Ensure device freeing in sdev_destroy() is done while holding the\n LUN reset mutex to avoid races with ongoing resets."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:54.807Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2"
},
{
"url": "https://git.kernel.org/stable/c/6d2390653d82cad0e1ba2676e536dd99678f6ef1"
},
{
"url": "https://git.kernel.org/stable/c/eccc02ba1747501d92bb2049e3ce378ba372f641"
},
{
"url": "https://git.kernel.org/stable/c/4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1"
},
{
"url": "https://git.kernel.org/stable/c/1a5c5a2f88e839af5320216a02ffb075b668596a"
},
{
"url": "https://git.kernel.org/stable/c/b518e86d1a70a88f6592a7c396cf1b93493d1aab"
}
],
"title": "scsi: smartpqi: Fix device resources accessed after device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68371",
"datePublished": "2025-12-24T10:33:01.896Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-05-11T21:51:54.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71119 (GCVE-0-2025-71119)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
powerpc/kexec: Enable SMT before waking offline CPUs
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kexec: Enable SMT before waking offline CPUs
If SMT is disabled or a partial SMT state is enabled, when a new kernel
image is loaded for kexec, on reboot the following warning is observed:
kexec: Waking offline cpu 228.
WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc
[snip]
NIP kexec_prepare_cpus+0x1b0/0x1bc
LR kexec_prepare_cpus+0x1a0/0x1bc
Call Trace:
kexec_prepare_cpus+0x1a0/0x1bc (unreliable)
default_machine_kexec+0x160/0x19c
machine_kexec+0x80/0x88
kernel_kexec+0xd0/0x118
__do_sys_reboot+0x210/0x2c4
system_call_exception+0x124/0x320
system_call_vectored_common+0x15c/0x2ec
This occurs as add_cpu() fails due to cpu_bootable() returning false for
CPUs that fail the cpu_smt_thread_allowed() check or non primary
threads if SMT is disabled.
Fix the issue by enabling SMT and resetting the number of SMT threads to
the number of threads per core, before attempting to wake up all present
CPUs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
482fa21635c8832db022cd2d649db26b8e6170ac , < 7cccd82a0e4aad192fd74fc60e61ed9aed5857a3
(git)
Affected: 38253464bc821d6de6bba81bb1412ebb36f6cbd1 , < d790ef0c4819424ee0c2f448c0a8154c5ca369d1 (git) Affected: 38253464bc821d6de6bba81bb1412ebb36f6cbd1 , < f0c0a681ffb77b8c5290c88c02d968199663939b (git) Affected: 38253464bc821d6de6bba81bb1412ebb36f6cbd1 , < 0d5c9e901ad40bd39b38e119c0454b52d7663930 (git) Affected: 38253464bc821d6de6bba81bb1412ebb36f6cbd1 , < c2296a1e42418556efbeb5636c4fa6aa6106713a (git) Affected: 15141adf85b14a7cff7abba1cb983f0bf17e3b36 (git) Affected: 6.1.72 , < 6.1.160 (semver) Affected: 6.5.12 , < 6.6 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kexec/core_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7cccd82a0e4aad192fd74fc60e61ed9aed5857a3",
"status": "affected",
"version": "482fa21635c8832db022cd2d649db26b8e6170ac",
"versionType": "git"
},
{
"lessThan": "d790ef0c4819424ee0c2f448c0a8154c5ca369d1",
"status": "affected",
"version": "38253464bc821d6de6bba81bb1412ebb36f6cbd1",
"versionType": "git"
},
{
"lessThan": "f0c0a681ffb77b8c5290c88c02d968199663939b",
"status": "affected",
"version": "38253464bc821d6de6bba81bb1412ebb36f6cbd1",
"versionType": "git"
},
{
"lessThan": "0d5c9e901ad40bd39b38e119c0454b52d7663930",
"status": "affected",
"version": "38253464bc821d6de6bba81bb1412ebb36f6cbd1",
"versionType": "git"
},
{
"lessThan": "c2296a1e42418556efbeb5636c4fa6aa6106713a",
"status": "affected",
"version": "38253464bc821d6de6bba81bb1412ebb36f6cbd1",
"versionType": "git"
},
{
"status": "affected",
"version": "15141adf85b14a7cff7abba1cb983f0bf17e3b36",
"versionType": "git"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.72",
"versionType": "semver"
},
{
"lessThan": "6.6",
"status": "affected",
"version": "6.5.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kexec/core_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kexec: Enable SMT before waking offline CPUs\n\nIf SMT is disabled or a partial SMT state is enabled, when a new kernel\nimage is loaded for kexec, on reboot the following warning is observed:\n\nkexec: Waking offline cpu 228.\nWARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc\n[snip]\n NIP kexec_prepare_cpus+0x1b0/0x1bc\n LR kexec_prepare_cpus+0x1a0/0x1bc\n Call Trace:\n kexec_prepare_cpus+0x1a0/0x1bc (unreliable)\n default_machine_kexec+0x160/0x19c\n machine_kexec+0x80/0x88\n kernel_kexec+0xd0/0x118\n __do_sys_reboot+0x210/0x2c4\n system_call_exception+0x124/0x320\n system_call_vectored_common+0x15c/0x2ec\n\nThis occurs as add_cpu() fails due to cpu_bootable() returning false for\nCPUs that fail the cpu_smt_thread_allowed() check or non primary\nthreads if SMT is disabled.\n\nFix the issue by enabling SMT and resetting the number of SMT threads to\nthe number of threads per core, before attempting to wake up all present\nCPUs."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:13.930Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7cccd82a0e4aad192fd74fc60e61ed9aed5857a3"
},
{
"url": "https://git.kernel.org/stable/c/d790ef0c4819424ee0c2f448c0a8154c5ca369d1"
},
{
"url": "https://git.kernel.org/stable/c/f0c0a681ffb77b8c5290c88c02d968199663939b"
},
{
"url": "https://git.kernel.org/stable/c/0d5c9e901ad40bd39b38e119c0454b52d7663930"
},
{
"url": "https://git.kernel.org/stable/c/c2296a1e42418556efbeb5636c4fa6aa6106713a"
}
],
"title": "powerpc/kexec: Enable SMT before waking offline CPUs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71119",
"datePublished": "2026-01-14T15:06:06.536Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-05-23T16:03:13.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23030 (GCVE-0-2026-23030)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
The for_each_available_child_of_node() calls of_node_put() to
release child_np in each success loop. After breaking from the
loop with the child_np has been released, the code will jump to
the put_child label and will call the of_node_put() again if the
devm_request_threaded_irq() fails. These cause a double free bug.
Fix by returning directly to avoid the duplicate of_node_put().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < b97b2c9808c9a97e0ce30216fa12096d8b0eaa75
(git)
Affected: ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < ebae26dd15140b840cf65be5e1c0daee949ba70b (git) Affected: ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < 027d42b97e6eb827c3438ebc09bab7efaee9270d (git) Affected: ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5 (git) Affected: ed2b5a8e6b98d042b323afbe177a5dc618921b31 , < e07dea3de508cd6950c937cec42de7603190e1ca (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:51.068Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/rockchip/phy-rockchip-inno-usb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b97b2c9808c9a97e0ce30216fa12096d8b0eaa75",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
},
{
"lessThan": "ebae26dd15140b840cf65be5e1c0daee949ba70b",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
},
{
"lessThan": "027d42b97e6eb827c3438ebc09bab7efaee9270d",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
},
{
"lessThan": "efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
},
{
"lessThan": "e07dea3de508cd6950c937cec42de7603190e1ca",
"status": "affected",
"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/rockchip/phy-rockchip-inno-usb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()\n\nThe for_each_available_child_of_node() calls of_node_put() to\nrelease child_np in each success loop. After breaking from the\nloop with the child_np has been released, the code will jump to\nthe put_child label and will call the of_node_put() again if the\ndevm_request_threaded_irq() fails. These cause a double free bug.\n\nFix by returning directly to avoid the duplicate of_node_put()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:38.861Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b97b2c9808c9a97e0ce30216fa12096d8b0eaa75"
},
{
"url": "https://git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70b"
},
{
"url": "https://git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270d"
},
{
"url": "https://git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5"
},
{
"url": "https://git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1ca"
}
],
"title": "phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23030",
"datePublished": "2026-01-31T11:42:08.525Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-06-02T13:00:51.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23080 (GCVE-0-2026-23080)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback mcba_usb_read_bulk_callback(), the URBs are processed and
resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
51f3baad7de943780ce0c17bd7975df567dd6e14 , < 8b34c611a4feb81921bc4728c091e4e3ba0270c0
(git)
Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60 (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 59153b6388e05609144ad56a9b354e9100a91983 (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 179f6f0cf5ae489743273b7c1644324c0c477ea9 (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 94c9f6f7b953f6382fef4bdc48c046b861b8868f (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < d374d715e338dfc3804aaa006fa6e470ffebb264 (git) Affected: 51f3baad7de943780ce0c17bd7975df567dd6e14 , < 710a7529fb13c5a470258ff5508ed3c498d54729 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b34c611a4feb81921bc4728c091e4e3ba0270c0",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "59153b6388e05609144ad56a9b354e9100a91983",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "179f6f0cf5ae489743273b7c1644324c0c477ea9",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "94c9f6f7b953f6382fef4bdc48c046b861b8868f",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "d374d715e338dfc3804aaa006fa6e470ffebb264",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "710a7529fb13c5a470258ff5508ed3c498d54729",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn mcba_usb_probe() -\u003e mcba_usb_start(), the URBs for USB-in transfers are\nallocated, added to the priv-\u003erx_submitted anchor and submitted. In the\ncomplete callback mcba_usb_read_bulk_callback(), the URBs are processed and\nresubmitted. In mcba_usb_close() -\u003e mcba_urb_unlink() the URBs are freed by\ncalling usb_kill_anchored_urbs(\u0026priv-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nmcba_usb_read_bulk_callback()to the priv-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:36.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0"
},
{
"url": "https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60"
},
{
"url": "https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983"
},
{
"url": "https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9"
},
{
"url": "https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f"
},
{
"url": "https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264"
},
{
"url": "https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729"
}
],
"title": "can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23080",
"datePublished": "2026-02-04T16:08:04.982Z",
"dateReserved": "2026-01-13T15:37:45.959Z",
"dateUpdated": "2026-05-11T21:59:36.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23096 (GCVE-0-2026-23096)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
uacce: fix cdev handling in the cleanup path
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: fix cdev handling in the cleanup path
When cdev_device_add fails, it internally releases the cdev memory,
and if cdev_device_del is then executed, it will cause a hang error.
To fix it, we check the return value of cdev_device_add() and clear
uacce->cdev to avoid calling cdev_device_del in the uacce_remove.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
015d239ac0142ad0e26567fd890ef8d171f13709 , < c94c7188d325bc5137d447d67a2f18f7d4f2f4a3
(git)
Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 1bc3e51367c420e6db31f41efa874c7a8e12194a (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 819d647406200d0e83e56fd2df8f451b11290559 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < d9031575a2f8aabc53af3025dd79af313a2e046b (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 98d67a1bd6caddd0a8b8c82a0b925742cf500936 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < bd2393ed7712513e7e2dbcb6e21464a67ff9e702 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < a3bece3678f6c88db1f44c602b2a63e84b4040ac (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c94c7188d325bc5137d447d67a2f18f7d4f2f4a3",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "1bc3e51367c420e6db31f41efa874c7a8e12194a",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "819d647406200d0e83e56fd2df8f451b11290559",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "d9031575a2f8aabc53af3025dd79af313a2e046b",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "98d67a1bd6caddd0a8b8c82a0b925742cf500936",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "bd2393ed7712513e7e2dbcb6e21464a67ff9e702",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "a3bece3678f6c88db1f44c602b2a63e84b4040ac",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix cdev handling in the cleanup path\n\nWhen cdev_device_add fails, it internally releases the cdev memory,\nand if cdev_device_del is then executed, it will cause a hang error.\nTo fix it, we check the return value of cdev_device_add() and clear\nuacce-\u003ecdev to avoid calling cdev_device_del in the uacce_remove."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:55.485Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c94c7188d325bc5137d447d67a2f18f7d4f2f4a3"
},
{
"url": "https://git.kernel.org/stable/c/1bc3e51367c420e6db31f41efa874c7a8e12194a"
},
{
"url": "https://git.kernel.org/stable/c/819d647406200d0e83e56fd2df8f451b11290559"
},
{
"url": "https://git.kernel.org/stable/c/d9031575a2f8aabc53af3025dd79af313a2e046b"
},
{
"url": "https://git.kernel.org/stable/c/98d67a1bd6caddd0a8b8c82a0b925742cf500936"
},
{
"url": "https://git.kernel.org/stable/c/bd2393ed7712513e7e2dbcb6e21464a67ff9e702"
},
{
"url": "https://git.kernel.org/stable/c/a3bece3678f6c88db1f44c602b2a63e84b4040ac"
}
],
"title": "uacce: fix cdev handling in the cleanup path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23096",
"datePublished": "2026-02-04T16:08:18.785Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-05-11T21:59:55.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43503 (GCVE-0-2026-43503)
Vulnerability from cvelistv5 – Published: 2026-05-23 11:44 – Updated: 2026-07-03 12:05
VLAI?
EPSS
Title
net: skbuff: propagate shared-frag marker through frag-transfer helpers
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: propagate shared-frag marker through frag-transfer helpers
Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail
to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when
moving frags from source to destination. __pskb_copy_fclone() defers
the rest of the shinfo metadata to skb_copy_header() after copying
frag descriptors, but that helper only carries over gso_{size,segs,
type} and never touches skb_shinfo()->flags; skb_shift() moves frag
descriptors directly and leaves flags untouched. As a result, the
destination skb keeps a reference to the same externally-owned or
page-cache-backed pages while reporting skb_has_shared_frag() as
false.
The mismatch is harmful in any in-place writer that uses
skb_has_shared_frag() to decide whether shared pages must be detoured
through skb_cow_data(). ESP input is one such writer (esp4.c,
esp6.c), and a single nft 'dup to <local>' rule -- or any other
nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d
skb in esp_input() with the marker stripped, letting an unprivileged
user write into the page cache of a root-owned read-only file via
authencesn-ESN stray writes.
Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
were actually moved from the source. skb_copy() and skb_copy_expand()
share skb_copy_header() too but linearize all paged data into freshly
allocated head storage and emerge with nr_frags == 0, so
skb_has_shared_frag() returns false on its own; they need no change.
The same omission exists in skb_gro_receive() and skb_gro_receive_list().
The former moves the incoming skb's frag descriptors into the
accumulator's last sub-skb via two paths (a direct frag-move loop and
the head_frag + memcpy path); the latter chains the incoming skb whole
onto p's frag_list. Downstream skb_segment() reads only
skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's
shinfo as the nskb -- both p and lp must carry the marker.
The same omission also exists in tcp_clone_payload(), which builds an
MTU probe skb by moving frag descriptors from skbs on sk_write_queue
into a freshly allocated nskb. The helper falls into the same family
and warrants the same fix for consistency; no TCP TX-side in-place
writer is currently known to reach a user page through this gap, but
a future consumer depending on the marker would regress silently.
The same omission exists in skb_segment(): the per-iteration flag
merge takes only head_skb's flag, and the inner switch that rebinds
frag_skb to list_skb on head_skb-frags exhaustion does not fold the
new frag_skb's flag into nskb. Fold frag_skb's flag at both sites
so segments drawing frags from frag_list members carry the marker.
Severity ?
8.8 (High)
CWE
- CWE-664 - Improper Control of a Resource Through its Lifetime
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < fbeab9555564a1b98e8582cd106dfe46c4606991
(git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 179f1852bdedc300e373e807cc102cd81feff196 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 12401fcfb01f53ccc63ab0a3246570fe8f3105ee (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 989214c66884d70716d83dc1d0bf5e16287bf349 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < ff375cc75f9167168db38e0464a482d5fbc8d81d (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 9bc9d6d6967a2239aa57af2aa53554eddd640d20 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 48f6a5356a33dd78e7144ae1faef95ffc990aae0 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s networking (skbuff) component. When skb_try_coalesce() attaches paged fragments, it can lose the SKBFL_SHARED_FRAG marker. This can lead to the Encapsulating Security Payload (ESP) input decrypting data in place over page-cache backed fragments, potentially resulting in data corruption."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-664",
"description": "Improper Control of a Resource Through its Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:13.320Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43503"
},
{
"name": "RHBZ#2480902",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480902"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43503.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19540"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21695"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21690"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21656"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23245"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21702"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23240"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20299"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19705"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20593"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20054"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20129"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19666"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23470"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20130"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20051"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19521"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23471"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23469"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24814"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23468"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19664"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19711"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19875"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:19540: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:21695: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:21690: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:20087: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:21656: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:23245: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:21702: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:23240: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:20299: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19705: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:20593: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:20054: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20129: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19666: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:23470: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:20130: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20051: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19521: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:23471: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:23469: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:24814: Red Hat Enterprise Linux BaseOS E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:23468: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19664: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:19711: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19875: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-23T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-23T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: net: skbuff: propagate shared-frag marker through frag-transfer helpers",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c",
"net/core/skbuff.c",
"net/ipv4/tcp_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbeab9555564a1b98e8582cd106dfe46c4606991",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "179f1852bdedc300e373e807cc102cd81feff196",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "12401fcfb01f53ccc63ab0a3246570fe8f3105ee",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "989214c66884d70716d83dc1d0bf5e16287bf349",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "ff375cc75f9167168db38e0464a482d5fbc8d81d",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "9bc9d6d6967a2239aa57af2aa53554eddd640d20",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "48f6a5356a33dd78e7144ae1faef95ffc990aae0",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c",
"net/core/skbuff.c",
"net/ipv4/tcp_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.257",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.208",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.174",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: propagate shared-frag marker through frag-transfer helpers\n\nTwo frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail\nto propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()-\u003eflags when\nmoving frags from source to destination. __pskb_copy_fclone() defers\nthe rest of the shinfo metadata to skb_copy_header() after copying\nfrag descriptors, but that helper only carries over gso_{size,segs,\ntype} and never touches skb_shinfo()-\u003eflags; skb_shift() moves frag\ndescriptors directly and leaves flags untouched. As a result, the\ndestination skb keeps a reference to the same externally-owned or\npage-cache-backed pages while reporting skb_has_shared_frag() as\nfalse.\n\nThe mismatch is harmful in any in-place writer that uses\nskb_has_shared_frag() to decide whether shared pages must be detoured\nthrough skb_cow_data(). ESP input is one such writer (esp4.c,\nesp6.c), and a single nft \u0027dup to \u003clocal\u003e\u0027 rule -- or any other\nnf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()\u0027d\nskb in esp_input() with the marker stripped, letting an unprivileged\nuser write into the page cache of a root-owned read-only file via\nauthencesn-ESN stray writes.\n\nSet SKBFL_SHARED_FRAG on the destination whenever frag descriptors\nwere actually moved from the source. skb_copy() and skb_copy_expand()\nshare skb_copy_header() too but linearize all paged data into freshly\nallocated head storage and emerge with nr_frags == 0, so\nskb_has_shared_frag() returns false on its own; they need no change.\n\nThe same omission exists in skb_gro_receive() and skb_gro_receive_list().\nThe former moves the incoming skb\u0027s frag descriptors into the\naccumulator\u0027s last sub-skb via two paths (a direct frag-move loop and\nthe head_frag + memcpy path); the latter chains the incoming skb whole\nonto p\u0027s frag_list. Downstream skb_segment() reads only\nskb_shinfo(p)-\u003eflags, and skb_segment_list() reuses each sub-skb\u0027s\nshinfo as the nskb -- both p and lp must carry the marker.\n\nThe same omission also exists in tcp_clone_payload(), which builds an\nMTU probe skb by moving frag descriptors from skbs on sk_write_queue\ninto a freshly allocated nskb. The helper falls into the same family\nand warrants the same fix for consistency; no TCP TX-side in-place\nwriter is currently known to reach a user page through this gap, but\na future consumer depending on the marker would regress silently.\n\nThe same omission exists in skb_segment(): the per-iteration flag\nmerge takes only head_skb\u0027s flag, and the inner switch that rebinds\nfrag_skb to list_skb on head_skb-frags exhaustion does not fold the\nnew frag_skb\u0027s flag into nskb. Fold frag_skb\u0027s flag at both sites\nso segments drawing frags from frag_list members carry the marker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:45:49.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991"
},
{
"url": "https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196"
},
{
"url": "https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee"
},
{
"url": "https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349"
},
{
"url": "https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8"
},
{
"url": "https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d"
},
{
"url": "https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20"
},
{
"url": "https://git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0"
}
],
"title": "net: skbuff: propagate shared-frag marker through frag-transfer helpers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43503",
"datePublished": "2026-05-23T11:44:01.103Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-07-03T12:05:13.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45998 (GCVE-0-2026-45998)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:55 – Updated: 2026-07-03 12:05
VLAI?
EPSS
Title
rxrpc: Fix potential UAF after skb_unshare() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix potential UAF after skb_unshare() failure
If skb_unshare() fails to unshare a packet due to allocation failure in
rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
will be NULL'd out. This will likely cause the call to
trace_rxrpc_rx_done() to oops.
Fix this by moving the unsharing down to where rxrpc_input_call_event()
calls rxrpc_input_call_packet(). There are a number of places prior to
that where we ignore DATA packets for a variety of reasons (such as the
call already being complete) for which an unshare is then avoided.
And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.
Severity ?
CWE
- CWE-825 - Expired Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2d1faf7a0ca3c0b327cf064c80e4e775532c9319 , < e3bf143b1e98fb3d6d9e6825bcd683974d478e8c
(git)
Affected: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 , < bf20f46d94f1db38e6ffc0ca204a5fe0de01b495 (git) Affected: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 , < 996b0487b3cdda4c91811dbb1c9564626bc840bd (git) Affected: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 , < 8fde6296c4d4da2be7ab761305ab7f232b94eefd (git) Affected: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 , < 1f2740150f904bfa60e4bad74d65add3ccb5e7f8 (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s `rxrpc` subsystem. This vulnerability arises when the system attempts to unshare a packet buffer, and the operation fails due to an allocation issue. This failure can lead to a Use-After-Free (UAF) condition, where the system attempts to access memory that has been freed, potentially causing a system crash."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:04.687Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-45998"
},
{
"name": "RHBZ#2482024",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482024"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45998.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34911"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34911: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: rxrpc: Fix potential UAF after skb_unshare() failure",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/trace/events/rxrpc.h",
"net/rxrpc/ar-internal.h",
"net/rxrpc/call_event.c",
"net/rxrpc/io_thread.c",
"net/rxrpc/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3bf143b1e98fb3d6d9e6825bcd683974d478e8c",
"status": "affected",
"version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
"versionType": "git"
},
{
"lessThan": "bf20f46d94f1db38e6ffc0ca204a5fe0de01b495",
"status": "affected",
"version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
"versionType": "git"
},
{
"lessThan": "996b0487b3cdda4c91811dbb1c9564626bc840bd",
"status": "affected",
"version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
"versionType": "git"
},
{
"lessThan": "8fde6296c4d4da2be7ab761305ab7f232b94eefd",
"status": "affected",
"version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
"versionType": "git"
},
{
"lessThan": "1f2740150f904bfa60e4bad74d65add3ccb5e7f8",
"status": "affected",
"version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/trace/events/rxrpc.h",
"net/rxrpc/ar-internal.h",
"net/rxrpc/call_event.c",
"net/rxrpc/io_thread.c",
"net/rxrpc/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix potential UAF after skb_unshare() failure\n\nIf skb_unshare() fails to unshare a packet due to allocation failure in\nrxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())\nwill be NULL\u0027d out. This will likely cause the call to\ntrace_rxrpc_rx_done() to oops.\n\nFix this by moving the unsharing down to where rxrpc_input_call_event()\ncalls rxrpc_input_call_packet(). There are a number of places prior to\nthat where we ignore DATA packets for a variety of reasons (such as the\ncall already being complete) for which an unshare is then avoided.\n\nAnd with that, rxrpc_input_packet() doesn\u0027t need to take a pointer to the\npointer to the packet, so change that to just a pointer."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:47:06.713Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c"
},
{
"url": "https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495"
},
{
"url": "https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd"
},
{
"url": "https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd"
},
{
"url": "https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8"
}
],
"title": "rxrpc: Fix potential UAF after skb_unshare() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45998",
"datePublished": "2026-05-27T12:55:52.756Z",
"dateReserved": "2026-05-13T15:03:33.091Z",
"dateUpdated": "2026-07-03T12:05:04.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23084 (GCVE-0-2026-23084)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is
set to false, the driver may request the PMAC_ID from the firmware of the
network card, and this function will store that PMAC_ID at the provided
address pmac_id. This is the contract of this function.
However, there is a location within the driver where both
pmac_id_valid == false and pmac_id == NULL are being passed. This could
result in dereferencing a NULL pointer.
To resolve this issue, it is necessary to pass the address of a stub
variable to the function.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
95046b927a54f461766f83a212c6a93bc5fd2e67 , < 4cba480c9b9a3861a515262225cb53a1f5978344
(git)
Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 92c6dc181a18e6e0ddb872ed35cb48a9274829e4 (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 6c3e00888dbec887125a08b51a705b9b163fcdd1 (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < e206fb415db36bad52bb90c08d46ce71ffbe8a80 (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 47ffb4dcffe336f4a7bd0f3284be7aadc6484698 (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 31410a01a86bcb98c798d01061abf1f789c4f75a (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 8215794403d264739cc676668087512950b2ff31 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:28.786911Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:12.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cba480c9b9a3861a515262225cb53a1f5978344",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "92c6dc181a18e6e0ddb872ed35cb48a9274829e4",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "6c3e00888dbec887125a08b51a705b9b163fcdd1",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "e206fb415db36bad52bb90c08d46ce71ffbe8a80",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "47ffb4dcffe336f4a7bd0f3284be7aadc6484698",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "31410a01a86bcb98c798d01061abf1f789c4f75a",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "8215794403d264739cc676668087512950b2ff31",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list\n\nWhen the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is\nset to false, the driver may request the PMAC_ID from the firmware of the\nnetwork card, and this function will store that PMAC_ID at the provided\naddress pmac_id. This is the contract of this function.\n\nHowever, there is a location within the driver where both\npmac_id_valid == false and pmac_id == NULL are being passed. This could\nresult in dereferencing a NULL pointer.\n\nTo resolve this issue, it is necessary to pass the address of a stub\nvariable to the function."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:41.422Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cba480c9b9a3861a515262225cb53a1f5978344"
},
{
"url": "https://git.kernel.org/stable/c/92c6dc181a18e6e0ddb872ed35cb48a9274829e4"
},
{
"url": "https://git.kernel.org/stable/c/6c3e00888dbec887125a08b51a705b9b163fcdd1"
},
{
"url": "https://git.kernel.org/stable/c/e206fb415db36bad52bb90c08d46ce71ffbe8a80"
},
{
"url": "https://git.kernel.org/stable/c/47ffb4dcffe336f4a7bd0f3284be7aadc6484698"
},
{
"url": "https://git.kernel.org/stable/c/31410a01a86bcb98c798d01061abf1f789c4f75a"
},
{
"url": "https://git.kernel.org/stable/c/8215794403d264739cc676668087512950b2ff31"
}
],
"title": "be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23084",
"datePublished": "2026-02-04T16:08:08.456Z",
"dateReserved": "2026-01-13T15:37:45.960Z",
"dateUpdated": "2026-06-11T18:44:12.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23151 (GCVE-0-2026-23151)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
Bluetooth: MGMT: Fix memory leak in set_ssp_complete
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix memory leak in set_ssp_complete
Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
are not freed after being removed from the pending list.
Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
mgmt_pending_foreach() calls with individual command handling but missed
adding mgmt_pending_free() calls in both error and success paths of
set_ssp_complete(). Other completion functions like set_le_complete()
were fixed correctly in the same commit.
This causes a memory leak of the mgmt_pending_cmd structure and its
associated parameter data for each SSP command that completes.
Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
the memory leak. Also fix the same issue in set_advertising_complete().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0b60eb04b8524e1b4b3f07fea0d16fda9a677d9a , < d7e42dc47beb48851bc0008c1e1b79126de9d975
(git)
Affected: d71b98f253b079cbadc83266383f26fe7e9e103b , < 1850a558d116d7e3e2ef36d06a56f59b640cc214 (git) Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 3b6318505378828ee415d6ef678db6a74c077504 (git) Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 (git) Affected: 87a1f16f07c6c43771754075e08f45b41d237421 (git) Affected: 6.12.59 , < 6.12.69 (semver) Affected: 6.16.10 , < 6.17 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7e42dc47beb48851bc0008c1e1b79126de9d975",
"status": "affected",
"version": "0b60eb04b8524e1b4b3f07fea0d16fda9a677d9a",
"versionType": "git"
},
{
"lessThan": "1850a558d116d7e3e2ef36d06a56f59b640cc214",
"status": "affected",
"version": "d71b98f253b079cbadc83266383f26fe7e9e103b",
"versionType": "git"
},
{
"lessThan": "3b6318505378828ee415d6ef678db6a74c077504",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"lessThan": "1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"status": "affected",
"version": "87a1f16f07c6c43771754075e08f45b41d237421",
"versionType": "git"
},
{
"lessThan": "6.12.69",
"status": "affected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThan": "6.17",
"status": "affected",
"version": "6.16.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\n\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\n\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\n\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:00.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7e42dc47beb48851bc0008c1e1b79126de9d975"
},
{
"url": "https://git.kernel.org/stable/c/1850a558d116d7e3e2ef36d06a56f59b640cc214"
},
{
"url": "https://git.kernel.org/stable/c/3b6318505378828ee415d6ef678db6a74c077504"
},
{
"url": "https://git.kernel.org/stable/c/1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2"
}
],
"title": "Bluetooth: MGMT: Fix memory leak in set_ssp_complete",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23151",
"datePublished": "2026-02-14T16:01:19.663Z",
"dateReserved": "2026-01-13T15:37:45.976Z",
"dateUpdated": "2026-05-23T16:04:00.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71120 (GCVE-0-2025-71120)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5866efa8cbfbadf3905072798e96652faf02dbe8 , < a8f1e445ce3545c90d69c9e8ff8f7821825fe810
(git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < f9e53f69ac3bc4ef568b08d3542edac02e83fefd (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 7452d53f293379e2c38cfa8ad0694aa46fc4788b (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < a2c6f25ab98b423f99ccd94874d655b8bcb01a19 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 1c8bb965e9b0559ff0f5690615a527c30f651dd8 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < d4b69a6186b215d2dc1ebcab965ed88e8d41768d (git) Affected: 66ed7b413d31c6ff23901ac4443b1cc1af2f6113 (git) Affected: 7be8c165dc81564705e8e0b72d398ef708f67eaa (git) Affected: 4.19.99 , < 4.20 (semver) Affected: 5.4.15 , < 5.5 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:25.150500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:22.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8f1e445ce3545c90d69c9e8ff8f7821825fe810",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "f9e53f69ac3bc4ef568b08d3542edac02e83fefd",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "7452d53f293379e2c38cfa8ad0694aa46fc4788b",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "a2c6f25ab98b423f99ccd94874d655b8bcb01a19",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "1c8bb965e9b0559ff0f5690615a527c30f651dd8",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "d4b69a6186b215d2dc1ebcab965ed88e8d41768d",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"status": "affected",
"version": "66ed7b413d31c6ff23901ac4443b1cc1af2f6113",
"versionType": "git"
},
{
"status": "affected",
"version": "7be8c165dc81564705e8e0b72d398ef708f67eaa",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.99",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.15",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token-\u003epages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token-\u003epages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length \u003e 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:14.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810"
},
{
"url": "https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d"
},
{
"url": "https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd"
},
{
"url": "https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b"
},
{
"url": "https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19"
},
{
"url": "https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8"
},
{
"url": "https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d"
}
],
"title": "SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71120",
"datePublished": "2026-01-14T15:06:07.194Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-06-11T18:44:22.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38591 (GCVE-0-2025-38591)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
bpf: Reject narrower access to pointer ctx fields
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject narrower access to pointer ctx fields
The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:
r0 = *(u8 *)(r1 + 169);
exit;
With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. Note that for the
"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
is aligned, so the cnt may not be 0 because it matches the
offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
the target_size stays 0 and the verifier errors with a kernel warning:
verifier bug: error during ctx access conversion(1)
This patch fixes that to return a proper "invalid bpf_context access
off=X size=Y" error on the load instruction.
The same issue affects multiple other fields in context structures that
allow narrow access. Some other non-affected fields (for sk_msg,
sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
consistency.
Note this syzkaller crash was reported in the "Closes" link below, which
used to be about a different bug, fixed in
commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
in insn_def_regno()"). Because syzbot somehow confused the two bugs,
the new crash and repro didn't get reported to the mailing list.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f96da09473b52c09125cc9bf7d7d4576ae8229e0 , < 7847c4140e06f6e87229faae22cc38525334c156
(git)
Affected: f96da09473b52c09125cc9bf7d7d4576ae8229e0 , < feae34c992eb7191862fb1594c704fbbf650fef8 (git) Affected: f96da09473b52c09125cc9bf7d7d4576ae8229e0 , < 33660d44e789edb4f303210c813fc56d56377a90 (git) Affected: f96da09473b52c09125cc9bf7d7d4576ae8229e0 , < 058a0da4f6d916a79b693384111bb80a90d73763 (git) Affected: f96da09473b52c09125cc9bf7d7d4576ae8229e0 , < 202900ceeef67458c964c2af6e1427c8e533ea7c (git) Affected: f96da09473b52c09125cc9bf7d7d4576ae8229e0 , < e09299225d5ba3916c91ef70565f7d2187e4cca0 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:20.077651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:11.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cgroup.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7847c4140e06f6e87229faae22cc38525334c156",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "feae34c992eb7191862fb1594c704fbbf650fef8",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "33660d44e789edb4f303210c813fc56d56377a90",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "058a0da4f6d916a79b693384111bb80a90d73763",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "202900ceeef67458c964c2af6e1427c8e533ea7c",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "e09299225d5ba3916c91ef70565f7d2187e4cca0",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cgroup.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n r0 = *(u8 *)(r1 + 169);\n exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn\u0027t match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn-\u003eoff\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn\u0027t get reported to the mailing list."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:31:12.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156"
},
{
"url": "https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8"
},
{
"url": "https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90"
},
{
"url": "https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763"
},
{
"url": "https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c"
},
{
"url": "https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0"
}
],
"title": "bpf: Reject narrower access to pointer ctx fields",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38591",
"datePublished": "2025-08-19T17:03:12.508Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2026-06-11T18:44:11.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71111 (GCVE-0-2025-71111)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
The macro FAN_FROM_REG evaluates its arguments multiple times. When used
in lockless contexts involving shared driver data, this leads to
Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
causing divide-by-zero errors.
Convert the macro to a static function. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Additionally, in store_fan_div, move the calculation of the minimum
limit inside the update lock. This ensures that the read-modify-write
sequence operates on consistent data.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9873964d6eb24bd0205394f9b791de9eddbcb855 , < 3dceb68f6ad33156032ef4da21a93d84059cca6d
(git)
Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < bf5b03227f2e6d4360004886d268f9df8993ef8f (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < f2b579a0c37c0df19603d719894a942a295f634a (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < f94800fbc26ccf7c81eb791707b038a57aa39a18 (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < a9fb6e8835a22f5796c1182ed612daed3fd273af (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < c8cf0c2bdcccc6634b6915ff793b844e12436680 (git) Affected: 9873964d6eb24bd0205394f9b791de9eddbcb855 , < 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:13.069072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:20.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/w83791d.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3dceb68f6ad33156032ef4da21a93d84059cca6d",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "bf5b03227f2e6d4360004886d268f9df8993ef8f",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "f2b579a0c37c0df19603d719894a942a295f634a",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "f94800fbc26ccf7c81eb791707b038a57aa39a18",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "a9fb6e8835a22f5796c1182ed612daed3fd273af",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "c8cf0c2bdcccc6634b6915ff793b844e12436680",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "670d7ef945d3a84683594429aea6ab2cdfa5ceb4",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/w83791d.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (w83791d) Convert macros to functions to avoid TOCTOU\n\nThe macro FAN_FROM_REG evaluates its arguments multiple times. When used\nin lockless contexts involving shared driver data, this leads to\nTime-of-Check to Time-of-Use (TOCTOU) race conditions, potentially\ncausing divide-by-zero errors.\n\nConvert the macro to a static function. This guarantees that arguments\nare evaluated only once (pass-by-value), preventing the race\nconditions.\n\nAdditionally, in store_fan_div, move the calculation of the minimum\nlimit inside the update lock. This ensures that the read-modify-write\nsequence operates on consistent data.\n\nAdhere to the principle of minimal changes by only converting macros\nthat evaluate arguments multiple times and are used in lockless\ncontexts."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:03.314Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d"
},
{
"url": "https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f"
},
{
"url": "https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a"
},
{
"url": "https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18"
},
{
"url": "https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af"
},
{
"url": "https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680"
},
{
"url": "https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4"
}
],
"title": "hwmon: (w83791d) Convert macros to functions to avoid TOCTOU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71111",
"datePublished": "2026-01-14T15:05:58.649Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-06-11T18:44:20.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71064 (GCVE-0-2025-71064)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
net: hns3: using the num_tqps in the vf driver to apply for resources
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: using the num_tqps in the vf driver to apply for resources
Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
than hdev->num_tqps, which causes some hdev->htqp[i] to remain
uninitialized in hclgevf_knic_setup().
Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
and that all elements are properly initialized.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < c149decd8c18ae6acdd7a6041d74507835cf26e6
(git)
Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < bcefdb288eedac96fd2f583298927e9c6c481489 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < 6cd8a2930df850f4600fe8c57d0662b376520281 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < 1956d47a03eb625951e9e070db39fe2590e27510 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < 429f946a7af3fbf08761d218746cd4afa80a7954 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < 62f28d79a6186a602a9d926a2dbb5b12b6867df7 (git) Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196 , < c2a16269742e176fccdd0ef9c016a233491a49ad (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c149decd8c18ae6acdd7a6041d74507835cf26e6",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "bcefdb288eedac96fd2f583298927e9c6c481489",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "6cd8a2930df850f4600fe8c57d0662b376520281",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "1956d47a03eb625951e9e070db39fe2590e27510",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "429f946a7af3fbf08761d218746cd4afa80a7954",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "62f28d79a6186a602a9d926a2dbb5b12b6867df7",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "c2a16269742e176fccdd0ef9c016a233491a49ad",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: using the num_tqps in the vf driver to apply for resources\n\nCurrently, hdev-\u003ehtqp is allocated using hdev-\u003enum_tqps, and kinfo-\u003etqp\nis allocated using kinfo-\u003enum_tqps. However, kinfo-\u003enum_tqps is set to\nmin(new_tqps, hdev-\u003enum_tqps); Therefore, kinfo-\u003enum_tqps may be smaller\nthan hdev-\u003enum_tqps, which causes some hdev-\u003ehtqp[i] to remain\nuninitialized in hclgevf_knic_setup().\n\nThus, this patch allocates hdev-\u003ehtqp and kinfo-\u003etqp using hdev-\u003enum_tqps,\nensuring that the lengths of hdev-\u003ehtqp and kinfo-\u003etqp are consistent\nand that all elements are properly initialized."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:02.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6"
},
{
"url": "https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489"
},
{
"url": "https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281"
},
{
"url": "https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510"
},
{
"url": "https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954"
},
{
"url": "https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7"
},
{
"url": "https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad"
}
],
"title": "net: hns3: using the num_tqps in the vf driver to apply for resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71064",
"datePublished": "2026-01-13T15:31:20.503Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-05-11T21:54:02.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71083 (GCVE-0-2025-71083)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
drm/ttm: Avoid NULL pointer deref for evicted BOs
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Avoid NULL pointer deref for evicted BOs
It is possible for a BO to exist that is not currently associated with a
resource, e.g. because it has been evicted.
When devcoredump tries to read the contents of all BOs for dumping, we need
to expect this as well -- in this case, ENODATA is recorded instead of the
buffer contents.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
09ac4fcb3f255e9225967c75f5893325c116cdbe , < 47a85604a761005d255ae38115ee630cc6931756
(git)
Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 4b9944493c6d92d7b29cfd83aaf3deb842b8da79 (git) Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 3d004f7341d4898889801ebb2ef61ffca610dd6f (git) Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0 (git) Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < b94182b3d7228aec18d069cba56d5982e9bfe1b1 (git) Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 491adc6a0f9903c32b05f284df1148de39e8e644 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:29.583670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:01.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47a85604a761005d255ae38115ee630cc6931756",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "4b9944493c6d92d7b29cfd83aaf3deb842b8da79",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "3d004f7341d4898889801ebb2ef61ffca610dd6f",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "b94182b3d7228aec18d069cba56d5982e9bfe1b1",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "491adc6a0f9903c32b05f284df1148de39e8e644",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Avoid NULL pointer deref for evicted BOs\n\nIt is possible for a BO to exist that is not currently associated with a\nresource, e.g. because it has been evicted.\n\nWhen devcoredump tries to read the contents of all BOs for dumping, we need\nto expect this as well -- in this case, ENODATA is recorded instead of the\nbuffer contents."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:24.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756"
},
{
"url": "https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79"
},
{
"url": "https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f"
},
{
"url": "https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0"
},
{
"url": "https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1"
},
{
"url": "https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644"
}
],
"title": "drm/ttm: Avoid NULL pointer deref for evicted BOs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71083",
"datePublished": "2026-01-13T15:34:46.974Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-06-11T18:44:01.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23058 (GCVE-0-2026-23058)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In ems_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
ems_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in ems_usb_close().
Fix the memory leak by anchoring the URB in the
ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
702171adeed3607ee9603ec30ce081411e36ae42 , < e2c71030dc464d437110bcfb367c493fd402bddb
(git)
Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < f48eabd15194b216030b32445f44230df95f5fe0 (git) Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 61e6d3674c3d1da1475dc207b3e75c55d678d18e (git) Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8 (git) Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a (git) Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 68c62b3e53901846b5f68c5a8bade72a5d9c0b87 (git) Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 0ce73a0eb5a27070957b67fd74059b6da89cc516 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/ems_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2c71030dc464d437110bcfb367c493fd402bddb",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "f48eabd15194b216030b32445f44230df95f5fe0",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "61e6d3674c3d1da1475dc207b3e75c55d678d18e",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "68c62b3e53901846b5f68c5a8bade72a5d9c0b87",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "0ce73a0eb5a27070957b67fd74059b6da89cc516",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/ems_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn ems_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev-\u003erx_submitted anchor and submitted. In the complete callback\nems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nems_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(\u0026dev-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in ems_usb_close().\n\nFix the memory leak by anchoring the URB in the\nems_usb_read_bulk_callback() to the dev-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:11.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddb"
},
{
"url": "https://git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0"
},
{
"url": "https://git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18e"
},
{
"url": "https://git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8"
},
{
"url": "https://git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a"
},
{
"url": "https://git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87"
},
{
"url": "https://git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516"
}
],
"title": "can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23058",
"datePublished": "2026-02-04T16:07:41.337Z",
"dateReserved": "2026-01-13T15:37:45.952Z",
"dateUpdated": "2026-05-11T21:59:11.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23179 (GCVE-0-2026-23179)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
When the socket is closed while in TCP_LISTEN a callback is run to
flush all outstanding packets, which in turns calls
nvmet_tcp_listen_data_ready() with the sk_callback_lock held.
So we need to check if we are in TCP_LISTEN before attempting
to get the sk_callback_lock() to avoid a deadlock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
675b453e024154dd547921c6e6d5b58747ba7e0e , < 6e0c7503a5803d568d56a9f9bca662cd94a14908
(git)
Affected: 675b453e024154dd547921c6e6d5b58747ba7e0e , < 1c90f930e7b410dd2d75a2a19a85e19c64e98ad5 (git) Affected: 675b453e024154dd547921c6e6d5b58747ba7e0e , < 2fa8961d3a6a1c2395d8d560ffed2c782681bade (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e0c7503a5803d568d56a9f9bca662cd94a14908",
"status": "affected",
"version": "675b453e024154dd547921c6e6d5b58747ba7e0e",
"versionType": "git"
},
{
"lessThan": "1c90f930e7b410dd2d75a2a19a85e19c64e98ad5",
"status": "affected",
"version": "675b453e024154dd547921c6e6d5b58747ba7e0e",
"versionType": "git"
},
{
"lessThan": "2fa8961d3a6a1c2395d8d560ffed2c782681bade",
"status": "affected",
"version": "675b453e024154dd547921c6e6d5b58747ba7e0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()\n\nWhen the socket is closed while in TCP_LISTEN a callback is run to\nflush all outstanding packets, which in turns calls\nnvmet_tcp_listen_data_ready() with the sk_callback_lock held.\nSo we need to check if we are in TCP_LISTEN before attempting\nto get the sk_callback_lock() to avoid a deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:51.043Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e0c7503a5803d568d56a9f9bca662cd94a14908"
},
{
"url": "https://git.kernel.org/stable/c/1c90f930e7b410dd2d75a2a19a85e19c64e98ad5"
},
{
"url": "https://git.kernel.org/stable/c/2fa8961d3a6a1c2395d8d560ffed2c782681bade"
}
],
"title": "nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23179",
"datePublished": "2026-02-14T16:27:10.778Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-05-11T22:01:51.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68325 (GCVE-0-2025-68325)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:02 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
de04ddd2980b48caa8d7e24a7db2742917a8b280 , < a3f4e3de41a3f115db35276c6b186ccbc913934a
(git)
Affected: 0dacfc5372e314d1219f03e64dde3ab495a5a25e , < 38abf6e931b169ea88d7529b49096f53a5dcf8fe (git) Affected: 710866fc0a64eafcb8bacd91bcb1329eb7e5035f , < fcb91be52eb6e92e00b533ebd7c77fecada537e1 (git) Affected: aa12ee1c1bd260943fd6ab556d8635811c332eeb , < d01f0e072dadb02fe10f436b940dd957aff0d7d4 (git) Affected: ff57186b2cc39766672c4c0332323933e5faaa88 , < 0b6216f9b3d1c33c76f74511026e5de5385ee520 (git) Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 529c284cc2815c8350860e9a31722050fe7117cb (git) Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 3ed6c458530a547ed0c9ea0b02b19bab620be88b (git) Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 9fefc78f7f02d71810776fdeb119a05a946a27cc (git) Affected: 7689ab22de36f8db19095f6bdf11f28cfde92f5c (git) Affected: 62d591dde4defb1333d202410609c4ddeae060b3 (git) Affected: 5.10.241 , < 5.10.248 (semver) Affected: 5.15.190 , < 5.15.198 (semver) Affected: 6.1.149 , < 6.1.160 (semver) Affected: 6.6.103 , < 6.6.120 (semver) Affected: 6.12.44 , < 6.12.63 (semver) Affected: 5.4.297 , < 5.5 (semver) Affected: 6.16.4 , < 6.17 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3f4e3de41a3f115db35276c6b186ccbc913934a",
"status": "affected",
"version": "de04ddd2980b48caa8d7e24a7db2742917a8b280",
"versionType": "git"
},
{
"lessThan": "38abf6e931b169ea88d7529b49096f53a5dcf8fe",
"status": "affected",
"version": "0dacfc5372e314d1219f03e64dde3ab495a5a25e",
"versionType": "git"
},
{
"lessThan": "fcb91be52eb6e92e00b533ebd7c77fecada537e1",
"status": "affected",
"version": "710866fc0a64eafcb8bacd91bcb1329eb7e5035f",
"versionType": "git"
},
{
"lessThan": "d01f0e072dadb02fe10f436b940dd957aff0d7d4",
"status": "affected",
"version": "aa12ee1c1bd260943fd6ab556d8635811c332eeb",
"versionType": "git"
},
{
"lessThan": "0b6216f9b3d1c33c76f74511026e5de5385ee520",
"status": "affected",
"version": "ff57186b2cc39766672c4c0332323933e5faaa88",
"versionType": "git"
},
{
"lessThan": "529c284cc2815c8350860e9a31722050fe7117cb",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "3ed6c458530a547ed0c9ea0b02b19bab620be88b",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "9fefc78f7f02d71810776fdeb119a05a946a27cc",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"status": "affected",
"version": "7689ab22de36f8db19095f6bdf11f28cfde92f5c",
"versionType": "git"
},
{
"status": "affected",
"version": "62d591dde4defb1333d202410609c4ddeae060b3",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThan": "6.12.63",
"status": "affected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThan": "6.17",
"status": "affected",
"version": "6.16.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_cake: Fix incorrect qlen reduction in cake_drop\n\nIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen\nand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes\nthat the parent qdisc will enqueue the current packet. However, this\nassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent\nqdisc stops enqueuing current packet, leaving the tree qlen/backlog\naccounting inconsistent. This mismatch can lead to a NULL dereference\n(e.g., when the parent Qdisc is qfq_qdisc).\n\nThis patch computes the qlen/backlog delta in a more robust way by\nobserving the difference before and after the series of cake_drop()\ncalls, and then compensates the qdisc tree accounting if cake_enqueue()\nreturns NET_XMIT_CN.\n\nTo ensure correct compensation when ACK thinning is enabled, a new\nvariable is introduced to keep qlen unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:41.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a"
},
{
"url": "https://git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe"
},
{
"url": "https://git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1"
},
{
"url": "https://git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4"
},
{
"url": "https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520"
},
{
"url": "https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb"
},
{
"url": "https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b"
},
{
"url": "https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc"
}
],
"title": "net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68325",
"datePublished": "2025-12-18T15:02:50.214Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-05-23T16:02:41.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22991 (GCVE-0-2026-22991)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-06-16 20:35
VLAI?
EPSS
Title
libceph: make free_choose_arg_map() resilient to partial allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make free_choose_arg_map() resilient to partial allocation
free_choose_arg_map() may dereference a NULL pointer if its caller fails
after a partial allocation.
For example, in decode_choose_args(), if allocation of arg_map->args
fails, execution jumps to the fail label and free_choose_arg_map() is
called. Since arg_map->size is updated to a non-zero value before memory
allocation, free_choose_arg_map() will iterate over arg_map->args and
dereference a NULL pointer.
To prevent this potential NULL pointer dereference and make
free_choose_arg_map() more resilient, add checks for pointers before
iterating.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5cf9c4a9959b6273675310d14a834ef14fbca37c , < 9b3730dabcf3764bfe3ff07caf55e641a0b45234
(git)
Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < 851241d3f78a5505224dc21c03d8692f530256b4 (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < ec1850f663da64842614c86b20fe734be070c2ba (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < 8081faaf089db5280c3be820948469f7c58ef8dd (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < f21c3fdb96833aac2f533506899fe38c19cf49d5 (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < e3fe30e57649c551757a02e1cad073c47e1e075e (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:35:31.087945Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:35:39.173Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b3730dabcf3764bfe3ff07caf55e641a0b45234",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "851241d3f78a5505224dc21c03d8692f530256b4",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "ec1850f663da64842614c86b20fe734be070c2ba",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "8081faaf089db5280c3be820948469f7c58ef8dd",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "f21c3fdb96833aac2f533506899fe38c19cf49d5",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "e3fe30e57649c551757a02e1cad073c47e1e075e",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map-\u003eargs\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map-\u003esize is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map-\u003eargs and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:53.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234"
},
{
"url": "https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4"
},
{
"url": "https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba"
},
{
"url": "https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd"
},
{
"url": "https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf"
},
{
"url": "https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5"
},
{
"url": "https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e"
}
],
"title": "libceph: make free_choose_arg_map() resilient to partial allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22991",
"datePublished": "2026-01-23T15:24:12.191Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-06-16T20:35:39.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23126 (GCVE-0-2026-23126)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
netdevsim: fix a race issue related to the operation on bpf_bound_progs list
Summary
In the Linux kernel, the following vulnerability has been resolved:
netdevsim: fix a race issue related to the operation on bpf_bound_progs list
The netdevsim driver lacks a protection mechanism for operations on the
bpf_bound_progs list. When the nsim_bpf_create_prog() performs
list_add_tail, it is possible that nsim_bpf_destroy_prog() is
simultaneously performs list_del. Concurrent operations on the list may
lead to list corruption and trigger a kernel crash as follows:
[ 417.290971] kernel BUG at lib/list_debug.c:62!
[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1
[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 417.291007] Workqueue: events bpf_prog_free_deferred
[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0
[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8
[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246
[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000
[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180
[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003
[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20
[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000
[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000
[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0
[ 417.291088] PKRU: 55555554
[ 417.291091] Call Trace:
[ 417.291096] <TASK>
[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim]
[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80
[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0
[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0
[ 417.291178] process_one_work+0x18a/0x3a0
[ 417.291188] worker_thread+0x27b/0x3a0
[ 417.291197] ? __pfx_worker_thread+0x10/0x10
[ 417.291207] kthread+0xe5/0x120
[ 417.291214] ? __pfx_kthread+0x10/0x10
[ 417.291221] ret_from_fork+0x31/0x50
[ 417.291230] ? __pfx_kthread+0x10/0x10
[ 417.291236] ret_from_fork_asm+0x1a/0x30
[ 417.291246] </TASK>
Add a mutex lock, to prevent simultaneous addition and deletion operations
on the list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
31d3ad832948c75139b0e5b653912f7898a1d5d5 , < 3f560cfc7706029294132482fff5d1bc7884b70d
(git)
Affected: 31d3ad832948c75139b0e5b653912f7898a1d5d5 , < f1f9cfd2f46a73b7de2982d01be822eac3a0efaa (git) Affected: 31d3ad832948c75139b0e5b653912f7898a1d5d5 , < d77379ca82efcb2fe563359cc795027d680410db (git) Affected: 31d3ad832948c75139b0e5b653912f7898a1d5d5 , < 68462ecc40ea8f780fb3c74ebfddd05506bb731b (git) Affected: 31d3ad832948c75139b0e5b653912f7898a1d5d5 , < b97d5eedf4976cc94321243be83b39efe81a0e15 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:30.500855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:13.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/netdevsim/bpf.c",
"drivers/net/netdevsim/dev.c",
"drivers/net/netdevsim/netdevsim.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f560cfc7706029294132482fff5d1bc7884b70d",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
},
{
"lessThan": "f1f9cfd2f46a73b7de2982d01be822eac3a0efaa",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
},
{
"lessThan": "d77379ca82efcb2fe563359cc795027d680410db",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
},
{
"lessThan": "68462ecc40ea8f780fb3c74ebfddd05506bb731b",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
},
{
"lessThan": "b97d5eedf4976cc94321243be83b39efe81a0e15",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/netdevsim/bpf.c",
"drivers/net/netdevsim/dev.c",
"drivers/net/netdevsim/netdevsim.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: fix a race issue related to the operation on bpf_bound_progs list\n\nThe netdevsim driver lacks a protection mechanism for operations on the\nbpf_bound_progs list. When the nsim_bpf_create_prog() performs\nlist_add_tail, it is possible that nsim_bpf_destroy_prog() is\nsimultaneously performs list_del. Concurrent operations on the list may\nlead to list corruption and trigger a kernel crash as follows:\n\n[ 417.290971] kernel BUG at lib/list_debug.c:62!\n[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1\n[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 417.291007] Workqueue: events bpf_prog_free_deferred\n[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0\n[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff \u003c0f\u003e 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8\n[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246\n[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000\n[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180\n[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003\n[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20\n[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000\n[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000\n[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0\n[ 417.291088] PKRU: 55555554\n[ 417.291091] Call Trace:\n[ 417.291096] \u003cTASK\u003e\n[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim]\n[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80\n[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0\n[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0\n[ 417.291178] process_one_work+0x18a/0x3a0\n[ 417.291188] worker_thread+0x27b/0x3a0\n[ 417.291197] ? __pfx_worker_thread+0x10/0x10\n[ 417.291207] kthread+0xe5/0x120\n[ 417.291214] ? __pfx_kthread+0x10/0x10\n[ 417.291221] ret_from_fork+0x31/0x50\n[ 417.291230] ? __pfx_kthread+0x10/0x10\n[ 417.291236] ret_from_fork_asm+0x1a/0x30\n[ 417.291246] \u003c/TASK\u003e\n\nAdd a mutex lock, to prevent simultaneous addition and deletion operations\non the list."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:37.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f560cfc7706029294132482fff5d1bc7884b70d"
},
{
"url": "https://git.kernel.org/stable/c/f1f9cfd2f46a73b7de2982d01be822eac3a0efaa"
},
{
"url": "https://git.kernel.org/stable/c/d77379ca82efcb2fe563359cc795027d680410db"
},
{
"url": "https://git.kernel.org/stable/c/68462ecc40ea8f780fb3c74ebfddd05506bb731b"
},
{
"url": "https://git.kernel.org/stable/c/b97d5eedf4976cc94321243be83b39efe81a0e15"
}
],
"title": "netdevsim: fix a race issue related to the operation on bpf_bound_progs list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23126",
"datePublished": "2026-02-14T15:09:55.552Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-06-11T18:44:13.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68372 (GCVE-0-2025-68372)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-06-16 19:28
VLAI?
EPSS
Title
nbd: defer config put in recv_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config put in recv_work
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and
NBD_CMD_RECONFIGURE:
nbd_genl_connect // conf_ref=2 (connect and recv_work A)
nbd_open // conf_ref=3
recv_work A done // conf_ref=2
NBD_CLEAR_SOCK // conf_ref=1
nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
close nbd // conf_ref=1
recv_work B
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_CLEAR_SOCK:
nbd_genl_connect // conf_ref=2
nbd_open // conf_ref=3
NBD_CLEAR_SOCK // conf_ref=2
close nbd
nbd_release
config_put // conf_ref=1
recv_work
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the
waiter") moved nbd_config_put() to run before waking up the waiter in
recv_work, in order to ensure that nbd_start_device_ioctl() would not
be woken up while nbd->task_recv was still uncleared.
However, in nbd_start_device_ioctl(), after being woken up it explicitly
calls flush_workqueue() to make sure all current works are finished.
Therefore, there is no need to move the config put ahead of the wakeup.
Move nbd_config_put() to the end of recv_work, so that the reference is
held for the whole lifetime of the worker thread. This makes sure the
config cannot be freed while recv_work is still running, even if clear
+ reconfigure interleave.
In addition, we don't need to worry about recv_work dropping the last
nbd_put (which causes deadlock):
path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=1 (trigger recv_work)
open nbd // nbd_refs=2
NBD_CLEAR_SOCK
close nbd
nbd_release
nbd_disconnect_and_put
flush_workqueue // recv_work done
nbd_config_put
nbd_put // nbd_refs=1
nbd_put // nbd_refs=0
queue_work
path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=2 (trigger recv_work)
open nbd // nbd_refs=3
NBD_CLEAR_SOCK // conf_refs=2
close nbd
nbd_release
nbd_config_put // conf_refs=1
nbd_put // nbd_refs=2
recv_work done // conf_refs=0, nbd_refs=1
rmmod // nbd_refs=0
Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 198aa230a6f8c1f6af7ed26b29180749c3e79e4d
(git)
Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < d3ba312675911ff9e3fefefd551751e153a9f0a9 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 3692884bd6187d89d41eef81e5a9724519fd01c1 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 6b69593f72e1bfba6ca47ca8d9b619341fded7d6 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 443a1721806b6ff6303b5229e9811d68172d622f (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 742012f6bf29553fdc460bf646a58df3a7b43d01 (git) Affected: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 , < 9517b82d8d422d426a988b213fdd45c6b417b86d (git) Affected: 0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8 (git) Affected: 2ef6f4bd60411934e3fc2715442c2afe70f84bf3 (git) Affected: 742fd49cf811ca164489e339b862e3fb8e240a73 (git) Affected: 14df8724aeeef338172e2a2d6efadc989921ca0f (git) Affected: 4.14.204 , < 4.15 (semver) Affected: 4.19.155 , < 4.20 (semver) Affected: 5.4.75 , < 5.5 (semver) Affected: 5.9.5 , < 5.10 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:28:28.671225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:28:42.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "198aa230a6f8c1f6af7ed26b29180749c3e79e4d",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "d3ba312675911ff9e3fefefd551751e153a9f0a9",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "3692884bd6187d89d41eef81e5a9724519fd01c1",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "6b69593f72e1bfba6ca47ca8d9b619341fded7d6",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "443a1721806b6ff6303b5229e9811d68172d622f",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "742012f6bf29553fdc460bf646a58df3a7b43d01",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "9517b82d8d422d426a988b213fdd45c6b417b86d",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"status": "affected",
"version": "0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8",
"versionType": "git"
},
{
"status": "affected",
"version": "2ef6f4bd60411934e3fc2715442c2afe70f84bf3",
"versionType": "git"
},
{
"status": "affected",
"version": "742fd49cf811ca164489e339b862e3fb8e240a73",
"versionType": "git"
},
{
"status": "affected",
"version": "14df8724aeeef338172e2a2d6efadc989921ca0f",
"versionType": "git"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.204",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.155",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.75",
"versionType": "semver"
},
{
"lessThan": "5.10",
"status": "affected",
"version": "5.9.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config put in recv_work\n\nThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK and\nNBD_CMD_RECONFIGURE:\n nbd_genl_connect // conf_ref=2 (connect and recv_work A)\n nbd_open\t // conf_ref=3\n recv_work A done // conf_ref=2\n NBD_CLEAR_SOCK // conf_ref=1\n nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)\n close nbd\t // conf_ref=1\n recv_work B\n config_put // conf_ref=0\n atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nOr only running NBD_CLEAR_SOCK:\n nbd_genl_connect // conf_ref=2\n nbd_open \t // conf_ref=3\n NBD_CLEAR_SOCK // conf_ref=2\n close nbd\n nbd_release\n config_put // conf_ref=1\n recv_work\n config_put \t // conf_ref=0\n atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nCommit 87aac3a80af5 (\"nbd: call nbd_config_put() before notifying the\nwaiter\") moved nbd_config_put() to run before waking up the waiter in\nrecv_work, in order to ensure that nbd_start_device_ioctl() would not\nbe woken up while nbd-\u003etask_recv was still uncleared.\n\nHowever, in nbd_start_device_ioctl(), after being woken up it explicitly\ncalls flush_workqueue() to make sure all current works are finished.\nTherefore, there is no need to move the config put ahead of the wakeup.\n\nMove nbd_config_put() to the end of recv_work, so that the reference is\nheld for the whole lifetime of the worker thread. This makes sure the\nconfig cannot be freed while recv_work is still running, even if clear\n+ reconfigure interleave.\n\nIn addition, we don\u0027t need to worry about recv_work dropping the last\nnbd_put (which causes deadlock):\n\npath A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):\n connect // nbd_refs=1 (trigger recv_work)\n open nbd // nbd_refs=2\n NBD_CLEAR_SOCK\n close nbd\n nbd_release\n nbd_disconnect_and_put\n flush_workqueue // recv_work done\n nbd_config_put\n nbd_put // nbd_refs=1\n nbd_put // nbd_refs=0\n queue_work\n\npath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):\n connect // nbd_refs=2 (trigger recv_work)\n open nbd // nbd_refs=3\n NBD_CLEAR_SOCK // conf_refs=2\n close nbd\n nbd_release\n nbd_config_put // conf_refs=1\n nbd_put // nbd_refs=2\n recv_work done // conf_refs=0, nbd_refs=1\n rmmod // nbd_refs=0\n\nDepends-on: e2daec488c57 (\"nbd: Fix hungtask when nbd_config_put\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:46.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/198aa230a6f8c1f6af7ed26b29180749c3e79e4d"
},
{
"url": "https://git.kernel.org/stable/c/d3ba312675911ff9e3fefefd551751e153a9f0a9"
},
{
"url": "https://git.kernel.org/stable/c/3692884bd6187d89d41eef81e5a9724519fd01c1"
},
{
"url": "https://git.kernel.org/stable/c/1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509"
},
{
"url": "https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6"
},
{
"url": "https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f"
},
{
"url": "https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01"
},
{
"url": "https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d"
}
],
"title": "nbd: defer config put in recv_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68372",
"datePublished": "2025-12-24T10:33:02.679Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-06-16T19:28:42.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47327 (GCVE-0-2026-47327)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:27 – Updated: 2026-05-28 19:25
VLAI?
EPSS
Title
NULL pointer dereference in Ubuntu Linux AppArmor notification handling
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.
Severity ?
CWE
- CWE-476 - NULL pointer dereference
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47327",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:20:39.267467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:25:26.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL pointer dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:27:20.987Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=7f3c4902c39432ce7ea0d384cb70eba282247fac"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NULL pointer dereference in Ubuntu Linux AppArmor notification handling"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47327",
"datePublished": "2026-05-28T18:27:20.987Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-28T19:25:26.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23089 (GCVE-0-2026-23089)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees
mixer->id_elems but the controls already added to the card still
reference the freed memory. Later when snd_card_register() runs,
the OSS mixer layer calls their callbacks and hits a use-after-free read.
Call trace:
get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
...
snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025
Fix by calling snd_ctl_remove() for all mixer controls before freeing
id_elems. We save the next pointer first because snd_ctl_remove()
frees the current element.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 51b1aa6fe7dc87356ba58df06afb9677c9b841ea
(git)
Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 56fb6efd5d04caf6f14994d51ec85393b9a896c6 (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 7009daeefa945973a530b2f605fe445fc03747af (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 7bff0156d13f0ad9436e5178b979b063d59f572a (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < e6f103a22b08daf5df2f4aa158081840e5910963 (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < dc1a5dd80af1ee1f29d8375b12dd7625f6294dad (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:33.270292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:02.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51b1aa6fe7dc87356ba58df06afb9677c9b841ea",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "56fb6efd5d04caf6f14994d51ec85393b9a896c6",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "7009daeefa945973a530b2f605fe445fc03747af",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "7bff0156d13f0ad9436e5178b979b063d59f572a",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "e6f103a22b08daf5df2f4aa158081840e5910963",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "dc1a5dd80af1ee1f29d8375b12dd7625f6294dad",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "930e69757b74c3ae083b0c3c7419bfe7f0edc7b2",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.13"
},
{
"lessThan": "2.6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()\n\nWhen snd_usb_create_mixer() fails, snd_usb_mixer_free() frees\nmixer-\u003eid_elems but the controls already added to the card still\nreference the freed memory. Later when snd_card_register() runs,\nthe OSS mixer layer calls their callbacks and hits a use-after-free read.\n\nCall trace:\n get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411\n get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241\n mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381\n snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887\n ...\n snd_card_register+0x4ed/0x6d0 sound/core/init.c:923\n usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025\n\nFix by calling snd_ctl_remove() for all mixer controls before freeing\nid_elems. We save the next pointer first because snd_ctl_remove()\nfrees the current element."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:47.264Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea"
},
{
"url": "https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6"
},
{
"url": "https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af"
},
{
"url": "https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a"
},
{
"url": "https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963"
},
{
"url": "https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad"
},
{
"url": "https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2"
}
],
"title": "ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23089",
"datePublished": "2026-02-04T16:08:12.575Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-06-11T18:44:02.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71079 (GCVE-0-2025-71079)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
A deadlock can occur between nfc_unregister_device() and rfkill_fop_write()
due to lock ordering inversion between device_lock and rfkill_global_mutex.
The problematic lock order is:
Thread A (rfkill_fop_write):
rfkill_fop_write()
mutex_lock(&rfkill_global_mutex)
rfkill_set_block()
nfc_rfkill_set_block()
nfc_dev_down()
device_lock(&dev->dev) <- waits for device_lock
Thread B (nfc_unregister_device):
nfc_unregister_device()
device_lock(&dev->dev)
rfkill_unregister()
mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex
This creates a classic ABBA deadlock scenario.
Fix this by moving rfkill_unregister() and rfkill_destroy() outside the
device_lock critical section. Store the rfkill pointer in a local variable
before releasing the lock, then call rfkill_unregister() after releasing
device_lock.
This change is safe because rfkill_fop_write() holds rfkill_global_mutex
while calling the rfkill callbacks, and rfkill_unregister() also acquires
rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will
wait for any ongoing callback to complete before proceeding, and
device_del() is only called after rfkill_unregister() returns, preventing
any use-after-free.
The similar lock ordering in nfc_register_device() (device_lock ->
rfkill_global_mutex via rfkill_register) is safe because during
registration the device is not yet in rfkill_list, so no concurrent
rfkill operations can occur on this device.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
73a0d12114b4bc1a9def79a623264754b9df698e , < 2e0831e9fc46a06daa6d4d8d57a2738e343130c3
(git)
Affected: 8a9c61c3ef187d8891225f9b932390670a43a0d3 , < e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012 (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5 (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 6b93c8ab6f6cda8818983a4ae3fcf84b023037b4 (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 8fc4632fb508432895430cd02b38086bdd649083 (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < f3a8a7c1aa278f2378b2f3a10500c6674dffdfda (git) Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 (git) Affected: 5ef16d2d172ee56714cff37cd005b98aba08ef5a (git) Affected: ff169909eac9e00bf1aa0af739ba6ddfb1b1d135 (git) Affected: 47244ac0b65bd74cc70007d8e1bac68bd2baad19 (git) Affected: c45cea83e13699bdfd47842e04d09dd43af4c371 (git) Affected: 307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6 (git) Affected: 5.10.82 , < 5.10.248 (semver) Affected: 5.15.5 , < 5.15.198 (semver) Affected: 4.4.293 , < 4.5 (semver) Affected: 4.9.291 , < 4.10 (semver) Affected: 4.14.256 , < 4.15 (semver) Affected: 4.19.218 , < 4.20 (semver) Affected: 5.4.162 , < 5.5 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e0831e9fc46a06daa6d4d8d57a2738e343130c3",
"status": "affected",
"version": "73a0d12114b4bc1a9def79a623264754b9df698e",
"versionType": "git"
},
{
"lessThan": "e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012",
"status": "affected",
"version": "8a9c61c3ef187d8891225f9b932390670a43a0d3",
"versionType": "git"
},
{
"lessThan": "ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "6b93c8ab6f6cda8818983a4ae3fcf84b023037b4",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "8fc4632fb508432895430cd02b38086bdd649083",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "f3a8a7c1aa278f2378b2f3a10500c6674dffdfda",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"status": "affected",
"version": "5ef16d2d172ee56714cff37cd005b98aba08ef5a",
"versionType": "git"
},
{
"status": "affected",
"version": "ff169909eac9e00bf1aa0af739ba6ddfb1b1d135",
"versionType": "git"
},
{
"status": "affected",
"version": "47244ac0b65bd74cc70007d8e1bac68bd2baad19",
"versionType": "git"
},
{
"status": "affected",
"version": "c45cea83e13699bdfd47842e04d09dd43af4c371",
"versionType": "git"
},
{
"status": "affected",
"version": "307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.82",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.5",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.293",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.291",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.256",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.218",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.162",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.162",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write\n\nA deadlock can occur between nfc_unregister_device() and rfkill_fop_write()\ndue to lock ordering inversion between device_lock and rfkill_global_mutex.\n\nThe problematic lock order is:\n\nThread A (rfkill_fop_write):\n rfkill_fop_write()\n mutex_lock(\u0026rfkill_global_mutex)\n rfkill_set_block()\n nfc_rfkill_set_block()\n nfc_dev_down()\n device_lock(\u0026dev-\u003edev) \u003c- waits for device_lock\n\nThread B (nfc_unregister_device):\n nfc_unregister_device()\n device_lock(\u0026dev-\u003edev)\n rfkill_unregister()\n mutex_lock(\u0026rfkill_global_mutex) \u003c- waits for rfkill_global_mutex\n\nThis creates a classic ABBA deadlock scenario.\n\nFix this by moving rfkill_unregister() and rfkill_destroy() outside the\ndevice_lock critical section. Store the rfkill pointer in a local variable\nbefore releasing the lock, then call rfkill_unregister() after releasing\ndevice_lock.\n\nThis change is safe because rfkill_fop_write() holds rfkill_global_mutex\nwhile calling the rfkill callbacks, and rfkill_unregister() also acquires\nrfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will\nwait for any ongoing callback to complete before proceeding, and\ndevice_del() is only called after rfkill_unregister() returns, preventing\nany use-after-free.\n\nThe similar lock ordering in nfc_register_device() (device_lock -\u003e\nrfkill_global_mutex via rfkill_register) is safe because during\nregistration the device is not yet in rfkill_list, so no concurrent\nrfkill operations can occur on this device."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:06.740Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3"
},
{
"url": "https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012"
},
{
"url": "https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5"
},
{
"url": "https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4"
},
{
"url": "https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083"
},
{
"url": "https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda"
},
{
"url": "https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5"
}
],
"title": "net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71079",
"datePublished": "2026-01-13T15:34:44.136Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-05-23T16:03:06.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68364 (GCVE-0-2025-68364)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just
to avoid crashing the whole kernel due to a filesystem corruption.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8f603e567aa7a243e68ca48b4f105b990851360f , < cb34a55f552960c74e26b3699c84745b96e3131a
(git)
Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 08b93c1c12c66989316883d733475c64d14de5d2 (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 1ad2f81a099b8df5f72bce0a3e9f531263a846b8 (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < bcb94288d95cfc52f4d7cead260f4db54c8c741a (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < e5c2503696ec2e0dc7b2aee902dc859ccde39ddf (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 7abbe41d22a06aae00fd46d29f59dd40a01e988f (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < e5c52c320577cd405b251943ef77842dc6f303bf (git) Affected: 8f603e567aa7a243e68ca48b4f105b990851360f , < 8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb34a55f552960c74e26b3699c84745b96e3131a",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "08b93c1c12c66989316883d733475c64d14de5d2",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "1ad2f81a099b8df5f72bce0a3e9f531263a846b8",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "bcb94288d95cfc52f4d7cead260f4db54c8c741a",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "e5c2503696ec2e0dc7b2aee902dc859ccde39ddf",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "7abbe41d22a06aae00fd46d29f59dd40a01e988f",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "e5c52c320577cd405b251943ef77842dc6f303bf",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()\n\nIn \u0027__ocfs2_move_extent()\u0027, relax \u0027BUG()\u0027 to \u0027ocfs2_error()\u0027 just\nto avoid crashing the whole kernel due to a filesystem corruption."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:46.671Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb34a55f552960c74e26b3699c84745b96e3131a"
},
{
"url": "https://git.kernel.org/stable/c/08b93c1c12c66989316883d733475c64d14de5d2"
},
{
"url": "https://git.kernel.org/stable/c/1ad2f81a099b8df5f72bce0a3e9f531263a846b8"
},
{
"url": "https://git.kernel.org/stable/c/bcb94288d95cfc52f4d7cead260f4db54c8c741a"
},
{
"url": "https://git.kernel.org/stable/c/e5c2503696ec2e0dc7b2aee902dc859ccde39ddf"
},
{
"url": "https://git.kernel.org/stable/c/7abbe41d22a06aae00fd46d29f59dd40a01e988f"
},
{
"url": "https://git.kernel.org/stable/c/e5c52c320577cd405b251943ef77842dc6f303bf"
},
{
"url": "https://git.kernel.org/stable/c/8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d"
}
],
"title": "ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68364",
"datePublished": "2025-12-24T10:32:51.922Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-05-11T21:51:46.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68787 (GCVE-0-2025-68787)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
netrom: Fix memory leak in nr_sendmsg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix memory leak in nr_sendmsg()
syzbot reported a memory leak [1].
When function sock_alloc_send_skb() return NULL in nr_output(), the
original skb is not freed, which was allocated in nr_sendmsg(). Fix this
by freeing it before return.
[1]
BUG: memory leak
unreferenced object 0xffff888129f35500 (size 240):
comm "syz.0.17", pid 6119, jiffies 4294944652
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....
backtrace (crc 1456a3e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
sock_alloc_send_skb include/net/sock.h:1859 [inline]
nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
sock_write_iter+0x293/0x2a0 net/socket.c:1195
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0x143/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f77e538ac4e3adb1882d5bccb7bfdc111b5963d3
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 09efbf54eeaecebe882af603c9939a4b1bb9567e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 73839497bbde5cd4fd02bbd9c8bc2640780ae65d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 156a0f6341dce634a825db49ca20b48b1ae9bcc1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8d1ccba4b171cd504ecfa47349cb9864fc9d687c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 613d12dd794e078be8ff3cf6b62a6b9acf7f4619 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_out.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f77e538ac4e3adb1882d5bccb7bfdc111b5963d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "09efbf54eeaecebe882af603c9939a4b1bb9567e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73839497bbde5cd4fd02bbd9c8bc2640780ae65d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "156a0f6341dce634a825db49ca20b48b1ae9bcc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d1ccba4b171cd504ecfa47349cb9864fc9d687c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "613d12dd794e078be8ff3cf6b62a6b9acf7f4619",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_out.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix memory leak in nr_sendmsg()\n\nsyzbot reported a memory leak [1].\n\nWhen function sock_alloc_send_skb() return NULL in nr_output(), the\noriginal skb is not freed, which was allocated in nr_sendmsg(). Fix this\nby freeing it before return.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888129f35500 (size 240):\n comm \"syz.0.17\", pid 6119, jiffies 4294944652\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....\n backtrace (crc 1456a3e4):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4983 [inline]\n slab_alloc_node mm/slub.c:5288 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671\n sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965\n sock_alloc_send_skb include/net/sock.h:1859 [inline]\n nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n sock_write_iter+0x293/0x2a0 net/socket.c:1195\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0x143/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:21.061Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3"
},
{
"url": "https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e"
},
{
"url": "https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d"
},
{
"url": "https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1"
},
{
"url": "https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c"
},
{
"url": "https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977"
},
{
"url": "https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619"
}
],
"title": "netrom: Fix memory leak in nr_sendmsg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68787",
"datePublished": "2026-01-13T15:29:00.344Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-05-11T21:53:21.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23159 (GCVE-0-2026-23159)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
perf: sched: Fix perf crash with new is_user_task() helper
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: sched: Fix perf crash with new is_user_task() helper
In order to do a user space stacktrace the current task needs to be a user
task that has executed in user space. It use to be possible to test if a
task is a user task or not by simply checking the task_struct mm field. If
it was non NULL, it was a user task and if not it was a kernel task.
But things have changed over time, and some kernel tasks now have their
own mm field.
An idea was made to instead test PF_KTHREAD and two functions were used to
wrap this check in case it became more complex to test if a task was a
user task or not[1]. But this was rejected and the C code simply checked
the PF_KTHREAD directly.
It was later found that not all kernel threads set PF_KTHREAD. The io-uring
helpers instead set PF_USER_WORKER and this needed to be added as well.
But checking the flags is still not enough. There's a very small window
when a task exits that it frees its mm field and it is set back to NULL.
If perf were to trigger at this moment, the flags test would say its a
user space task but when perf would read the mm field it would crash with
at NULL pointer dereference.
Now there are flags that can be used to test if a task is exiting, but
they are set in areas that perf may still want to profile the user space
task (to see where it exited). The only real test is to check both the
flags and the mm field.
Instead of making this modification in every location, create a new
is_user_task() helper function that does all the tests needed to know if
it is safe to read the user space memory or not.
[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
34b5aba8511a12fb2e9bd3124835cb4087187dac , < d84a4836dc246b7dc244e46a08ff992956b68db0
(git)
Affected: 8d79f96e477c4b8e3fca2efb36b269d8960a2285 , < 5aac392fcd3d981d7997f1a0766829e1afdeac2e (git) Affected: 90942f9fac05702065ff82ed0bade0d08168d4ea , < a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c (git) Affected: 90942f9fac05702065ff82ed0bade0d08168d4ea , < 76ed27608f7dd235b727ebbb12163438c2fbb617 (git) Affected: 5050083e1a2f3e5e29cee0205c40e5864b52601d (git) Affected: 6.6.116 , < 6.6.123 (semver) Affected: 6.12.57 , < 6.12.69 (semver) Affected: 6.17.7 , < 6.18 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/sched.h",
"kernel/events/callchain.c",
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d84a4836dc246b7dc244e46a08ff992956b68db0",
"status": "affected",
"version": "34b5aba8511a12fb2e9bd3124835cb4087187dac",
"versionType": "git"
},
{
"lessThan": "5aac392fcd3d981d7997f1a0766829e1afdeac2e",
"status": "affected",
"version": "8d79f96e477c4b8e3fca2efb36b269d8960a2285",
"versionType": "git"
},
{
"lessThan": "a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c",
"status": "affected",
"version": "90942f9fac05702065ff82ed0bade0d08168d4ea",
"versionType": "git"
},
{
"lessThan": "76ed27608f7dd235b727ebbb12163438c2fbb617",
"status": "affected",
"version": "90942f9fac05702065ff82ed0bade0d08168d4ea",
"versionType": "git"
},
{
"status": "affected",
"version": "5050083e1a2f3e5e29cee0205c40e5864b52601d",
"versionType": "git"
},
{
"lessThan": "6.6.123",
"status": "affected",
"version": "6.6.116",
"versionType": "semver"
},
{
"lessThan": "6.12.69",
"status": "affected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThan": "6.18",
"status": "affected",
"version": "6.17.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/sched.h",
"kernel/events/callchain.c",
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.6.116",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: sched: Fix perf crash with new is_user_task() helper\n\nIn order to do a user space stacktrace the current task needs to be a user\ntask that has executed in user space. It use to be possible to test if a\ntask is a user task or not by simply checking the task_struct mm field. If\nit was non NULL, it was a user task and if not it was a kernel task.\n\nBut things have changed over time, and some kernel tasks now have their\nown mm field.\n\nAn idea was made to instead test PF_KTHREAD and two functions were used to\nwrap this check in case it became more complex to test if a task was a\nuser task or not[1]. But this was rejected and the C code simply checked\nthe PF_KTHREAD directly.\n\nIt was later found that not all kernel threads set PF_KTHREAD. The io-uring\nhelpers instead set PF_USER_WORKER and this needed to be added as well.\n\nBut checking the flags is still not enough. There\u0027s a very small window\nwhen a task exits that it frees its mm field and it is set back to NULL.\nIf perf were to trigger at this moment, the flags test would say its a\nuser space task but when perf would read the mm field it would crash with\nat NULL pointer dereference.\n\nNow there are flags that can be used to test if a task is exiting, but\nthey are set in areas that perf may still want to profile the user space\ntask (to see where it exited). The only real test is to check both the\nflags and the mm field.\n\nInstead of making this modification in every location, create a new\nis_user_task() helper function that does all the tests needed to know if\nit is safe to read the user space memory or not.\n\n[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:01.503Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d84a4836dc246b7dc244e46a08ff992956b68db0"
},
{
"url": "https://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e"
},
{
"url": "https://git.kernel.org/stable/c/a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c"
},
{
"url": "https://git.kernel.org/stable/c/76ed27608f7dd235b727ebbb12163438c2fbb617"
}
],
"title": "perf: sched: Fix perf crash with new is_user_task() helper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23159",
"datePublished": "2026-02-14T16:01:25.229Z",
"dateReserved": "2026-01-13T15:37:45.979Z",
"dateUpdated": "2026-05-23T16:04:01.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22992 (GCVE-0-2026-22992)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-06-16 20:37
VLAI?
EPSS
Title
libceph: return the handler error from mon_handle_auth_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: return the handler error from mon_handle_auth_done()
Currently any error from ceph_auth_handle_reply_done() is propagated
via finish_auth() but isn't returned from mon_handle_auth_done(). This
results in higher layers learning that (despite the monitor considering
us to be successfully authenticated) something went wrong in the
authentication phase and reacting accordingly, but msgr2 still trying
to proceed with establishing the session in the background. In the
case of secure mode this can trigger a WARN in setup_crypto() and later
lead to a NULL pointer dereference inside of prepare_auth_signature().
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < 77229551f2cf72f3e35636db68e6a825b912cf16
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 33908769248b38a5e77cf9292817bb28e641992d (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < e097cd858196b1914309e7e3d79b4fa79383754d (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < d2c4a5f6996683f287f3851ef5412797042de7f1 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 9e0101e57534ef0e7578dd09608a6106736b82e5 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < e84b48d31b5008932c0a0902982809fbaa1d3b70 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:37:25.414286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:37:35.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/mon_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77229551f2cf72f3e35636db68e6a825b912cf16",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "33908769248b38a5e77cf9292817bb28e641992d",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "e097cd858196b1914309e7e3d79b4fa79383754d",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "d2c4a5f6996683f287f3851ef5412797042de7f1",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "9e0101e57534ef0e7578dd09608a6106736b82e5",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "e84b48d31b5008932c0a0902982809fbaa1d3b70",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/mon_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: return the handler error from mon_handle_auth_done()\n\nCurrently any error from ceph_auth_handle_reply_done() is propagated\nvia finish_auth() but isn\u0027t returned from mon_handle_auth_done(). This\nresults in higher layers learning that (despite the monitor considering\nus to be successfully authenticated) something went wrong in the\nauthentication phase and reacting accordingly, but msgr2 still trying\nto proceed with establishing the session in the background. In the\ncase of secure mode this can trigger a WARN in setup_crypto() and later\nlead to a NULL pointer dereference inside of prepare_auth_signature()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:54.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16"
},
{
"url": "https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d"
},
{
"url": "https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d"
},
{
"url": "https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1"
},
{
"url": "https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5"
},
{
"url": "https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70"
}
],
"title": "libceph: return the handler error from mon_handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22992",
"datePublished": "2026-01-23T15:24:12.993Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-06-16T20:37:35.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71123 (GCVE-0-2025-71123)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
ext4: fix string copying in parse_apply_sb_mount_options()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix string copying in parse_apply_sb_mount_options()
strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term
string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce
memtostr() and memtostr_pad()") provides additional information in that
regard. So if this happens, the following warning is observed:
strnlen: detected buffer overflow: 65 byte read of buffer size 64
WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Modules linked in:
CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Call Trace:
<TASK>
__fortify_panic+0x1f/0x30 lib/string_helpers.c:1039
strnlen include/linux/fortify-string.h:235 [inline]
sized_strscpy include/linux/fortify-string.h:309 [inline]
parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]
__ext4_fill_super fs/ext4/super.c:5261 [inline]
ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706
get_tree_bdev_flags+0x387/0x620 fs/super.c:1636
vfs_get_tree+0x93/0x380 fs/super.c:1814
do_new_mount fs/namespace.c:3553 [inline]
path_mount+0x6ae/0x1f70 fs/namespace.c:3880
do_mount fs/namespace.c:3893 [inline]
__do_sys_mount fs/namespace.c:4103 [inline]
__se_sys_mount fs/namespace.c:4080 [inline]
__x64_sys_mount+0x280/0x300 fs/namespace.c:4080
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Since userspace is expected to provide s_mount_opts field to be at most 63
characters long with the ending byte being NUL-term, use a 64-byte buffer
which matches the size of s_mount_opts, so that strscpy_pad() does its job
properly. Return with error if the user still managed to provide a
non-NUL-term string here.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b2bac84fde28fb6a88817b8b761abda17a1d300b , < 52ac96c4a2dd7bc47666000440b0602d9742e820
(git)
Affected: e651294218d2684302ee5ed95ccf381646f3e5b4 , < 6e37143560e37869d51b7d9e0ac61fc48895f8a0 (git) Affected: 01829af7656b56d83682b3491265d583d502e502 , < 902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc (git) Affected: 2a0cf438320cdb783e0378570744c0ef0d83e934 , < db9ee13fab0267eccf6544ee35b16c9522db9aac (git) Affected: 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 , < 5bbacbbf1ca4419861dca3c6b82707c10e9c021c (git) Affected: 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 , < ee5a977b4e771cc181f39d504426dbd31ed701cc (git) Affected: 7bf46ff83a0ef11836e38ebd72cdc5107209342d (git) Affected: a6e94557cd05adc82fae0400f6e17745563e5412 (git) Affected: 5.10.246 , < 5.10.248 (semver) Affected: 6.1.158 , < 6.1.160 (semver) Affected: 6.6.114 , < 6.6.120 (semver) Affected: 6.12.54 , < 6.12.64 (semver) Affected: 5.4.301 , < 5.5 (semver) Affected: 6.17.4 , < 6.18 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52ac96c4a2dd7bc47666000440b0602d9742e820",
"status": "affected",
"version": "b2bac84fde28fb6a88817b8b761abda17a1d300b",
"versionType": "git"
},
{
"lessThan": "6e37143560e37869d51b7d9e0ac61fc48895f8a0",
"status": "affected",
"version": "e651294218d2684302ee5ed95ccf381646f3e5b4",
"versionType": "git"
},
{
"lessThan": "902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc",
"status": "affected",
"version": "01829af7656b56d83682b3491265d583d502e502",
"versionType": "git"
},
{
"lessThan": "db9ee13fab0267eccf6544ee35b16c9522db9aac",
"status": "affected",
"version": "2a0cf438320cdb783e0378570744c0ef0d83e934",
"versionType": "git"
},
{
"lessThan": "5bbacbbf1ca4419861dca3c6b82707c10e9c021c",
"status": "affected",
"version": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
"versionType": "git"
},
{
"lessThan": "ee5a977b4e771cc181f39d504426dbd31ed701cc",
"status": "affected",
"version": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
"versionType": "git"
},
{
"status": "affected",
"version": "7bf46ff83a0ef11836e38ebd72cdc5107209342d",
"versionType": "git"
},
{
"status": "affected",
"version": "a6e94557cd05adc82fae0400f6e17745563e5412",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThan": "6.18",
"status": "affected",
"version": "6.17.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix string copying in parse_apply_sb_mount_options()\n\nstrscpy_pad() can\u0027t be used to copy a non-NUL-term string into a NUL-term\nstring of possibly bigger size. Commit 0efc5990bca5 (\"string.h: Introduce\nmemtostr() and memtostr_pad()\") provides additional information in that\nregard. So if this happens, the following warning is observed:\n\nstrnlen: detected buffer overflow: 65 byte read of buffer size 64\nWARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032\nModules linked in:\nCPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032\nCall Trace:\n \u003cTASK\u003e\n __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039\n strnlen include/linux/fortify-string.h:235 [inline]\n sized_strscpy include/linux/fortify-string.h:309 [inline]\n parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]\n __ext4_fill_super fs/ext4/super.c:5261 [inline]\n ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706\n get_tree_bdev_flags+0x387/0x620 fs/super.c:1636\n vfs_get_tree+0x93/0x380 fs/super.c:1814\n do_new_mount fs/namespace.c:3553 [inline]\n path_mount+0x6ae/0x1f70 fs/namespace.c:3880\n do_mount fs/namespace.c:3893 [inline]\n __do_sys_mount fs/namespace.c:4103 [inline]\n __se_sys_mount fs/namespace.c:4080 [inline]\n __x64_sys_mount+0x280/0x300 fs/namespace.c:4080\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nSince userspace is expected to provide s_mount_opts field to be at most 63\ncharacters long with the ending byte being NUL-term, use a 64-byte buffer\nwhich matches the size of s_mount_opts, so that strscpy_pad() does its job\nproperly. Return with error if the user still managed to provide a\nnon-NUL-term string here.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:16.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820"
},
{
"url": "https://git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0"
},
{
"url": "https://git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc"
},
{
"url": "https://git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac"
},
{
"url": "https://git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c"
},
{
"url": "https://git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc"
}
],
"title": "ext4: fix string copying in parse_apply_sb_mount_options()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71123",
"datePublished": "2026-01-14T15:06:09.246Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-05-23T16:03:16.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68771 (GCVE-0-2025-68771)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:
1. `cl_next_free_rec` is equal to 0, indicating that there are no free
chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no
chains left for usage.
This is addressed using ocfs2_error(), which prints
the error log for debugging purposes, rather than panicking the kernel.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7
(git)
Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < d0fd1f732ea8063cecd07a3879b7d815c7ee71ed (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < b08a33d5f80efe6979a6e8f905c1a898910c21dd (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 96f1b074c98c20f55a3b23d2ab44d9fb0f619869 (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < e24aedae71652d4119049f1fbef6532ccbe3966d (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 7acc0390e0dd7474c4451d05465a677d55ad4268 (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 039bef30e320827bac8990c9f29d2a68cd8adb5f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "d0fd1f732ea8063cecd07a3879b7d815c7ee71ed",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "b08a33d5f80efe6979a6e8f905c1a898910c21dd",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "96f1b074c98c20f55a3b23d2ab44d9fb0f619869",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "e24aedae71652d4119049f1fbef6532ccbe3966d",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "7acc0390e0dd7474c4451d05465a677d55ad4268",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "039bef30e320827bac8990c9f29d2a68cd8adb5f",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix kernel BUG in ocfs2_find_victim_chain\n\nsyzbot reported a kernel BUG in ocfs2_find_victim_chain() because the\n`cl_next_free_rec` field of the allocation chain list (next free slot in\nthe chain list) is 0, triggring the BUG_ON(!cl-\u003ecl_next_free_rec)\ncondition in ocfs2_find_victim_chain() and panicking the kernel.\n\nTo fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),\njust before calling ocfs2_find_victim_chain(), the code block in it being\nexecuted when either of the following conditions is true:\n\n1. `cl_next_free_rec` is equal to 0, indicating that there are no free\nchains in the allocation chain list\n2. `cl_next_free_rec` is greater than `cl_count` (the total number of\nchains in the allocation chain list)\n\nEither of them being true is indicative of the fact that there are no\nchains left for usage.\n\nThis is addressed using ocfs2_error(), which prints\nthe error log for debugging purposes, rather than panicking the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:02.168Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7"
},
{
"url": "https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed"
},
{
"url": "https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd"
},
{
"url": "https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869"
},
{
"url": "https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d"
},
{
"url": "https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268"
},
{
"url": "https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f"
}
],
"title": "ocfs2: fix kernel BUG in ocfs2_find_victim_chain",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68771",
"datePublished": "2026-01-13T15:28:49.272Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-11T21:53:02.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23025 (GCVE-0-2026-23025)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
mm/page_alloc: prevent pcp corruption with SMP=n
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: prevent pcp corruption with SMP=n
The kernel test robot has reported:
BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28
lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0
CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470
Call Trace:
<IRQ>
__dump_stack (lib/dump_stack.c:95)
dump_stack_lvl (lib/dump_stack.c:123)
dump_stack (lib/dump_stack.c:130)
spin_dump (kernel/locking/spinlock_debug.c:71)
do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)
_raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)
__free_frozen_pages (mm/page_alloc.c:2973)
___free_pages (mm/page_alloc.c:5295)
__free_pages (mm/page_alloc.c:5334)
tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)
? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)
? rcu_core (kernel/rcu/tree.c:?)
rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)
rcu_core_si (kernel/rcu/tree.c:2879)
handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)
__irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)
irq_exit_rcu (kernel/softirq.c:741)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)
</IRQ>
<TASK>
RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
free_pcppages_bulk (mm/page_alloc.c:1494)
drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)
__drain_all_pages (mm/page_alloc.c:2731)
drain_all_pages (mm/page_alloc.c:2747)
kcompactd (mm/compaction.c:3115)
kthread (kernel/kthread.c:465)
? __cfi_kcompactd (mm/compaction.c:3166)
? __cfi_kthread (kernel/kthread.c:412)
ret_from_fork (arch/x86/kernel/process.c:164)
? __cfi_kthread (kernel/kthread.c:412)
ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
</TASK>
Matthew has analyzed the report and identified that in drain_page_zone()
we are in a section protected by spin_lock(&pcp->lock) and then get an
interrupt that attempts spin_trylock() on the same lock. The code is
designed to work this way without disabling IRQs and occasionally fail the
trylock with a fallback. However, the SMP=n spinlock implementation
assumes spin_trylock() will always succeed, and thus it's normally a
no-op. Here the enabled lock debugging catches the problem, but otherwise
it could cause a corruption of the pcp structure.
The problem has been introduced by commit 574907741599 ("mm/page_alloc:
leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme
recognizes the need for disabling IRQs to prevent nesting spin_trylock()
sections on SMP=n, but the need to prevent the nesting in spin_lock() has
not been recognized. Fix it by introducing local wrappers that change the
spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places
that do spin_lock(&pcp->lock).
[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d1da921452b3ee7e07383c12955ab1c6f3b08752 , < 68688fc4eab007834b4c2d740214423ba2a335a8
(git)
Affected: 5749077415994eb02d660b2559b9d8278521e73d , < 4a04ff9cd816e7346fcc8126f00ed80481f6569d (git) Affected: 5749077415994eb02d660b2559b9d8278521e73d , < df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6 (git) Affected: 5749077415994eb02d660b2559b9d8278521e73d , < 3098f8f7c7b0686c74827aec42a2c45e69801ff8 (git) Affected: 5749077415994eb02d660b2559b9d8278521e73d , < 038a102535eb49e10e93eafac54352fcc5d78847 (git) Affected: 6.1.57 , < 6.1.162 (semver) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:48.791Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68688fc4eab007834b4c2d740214423ba2a335a8",
"status": "affected",
"version": "d1da921452b3ee7e07383c12955ab1c6f3b08752",
"versionType": "git"
},
{
"lessThan": "4a04ff9cd816e7346fcc8126f00ed80481f6569d",
"status": "affected",
"version": "5749077415994eb02d660b2559b9d8278521e73d",
"versionType": "git"
},
{
"lessThan": "df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6",
"status": "affected",
"version": "5749077415994eb02d660b2559b9d8278521e73d",
"versionType": "git"
},
{
"lessThan": "3098f8f7c7b0686c74827aec42a2c45e69801ff8",
"status": "affected",
"version": "5749077415994eb02d660b2559b9d8278521e73d",
"versionType": "git"
},
{
"lessThan": "038a102535eb49e10e93eafac54352fcc5d78847",
"status": "affected",
"version": "5749077415994eb02d660b2559b9d8278521e73d",
"versionType": "git"
},
{
"lessThan": "6.1.162",
"status": "affected",
"version": "6.1.57",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: prevent pcp corruption with SMP=n\n\nThe kernel test robot has reported:\n\n BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28\n lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0\n CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470\n Call Trace:\n \u003cIRQ\u003e\n __dump_stack (lib/dump_stack.c:95)\n dump_stack_lvl (lib/dump_stack.c:123)\n dump_stack (lib/dump_stack.c:130)\n spin_dump (kernel/locking/spinlock_debug.c:71)\n do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)\n _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)\n __free_frozen_pages (mm/page_alloc.c:2973)\n ___free_pages (mm/page_alloc.c:5295)\n __free_pages (mm/page_alloc.c:5334)\n tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)\n ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)\n ? rcu_core (kernel/rcu/tree.c:?)\n rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)\n rcu_core_si (kernel/rcu/tree.c:2879)\n handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)\n __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)\n irq_exit_rcu (kernel/softirq.c:741)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)\n free_pcppages_bulk (mm/page_alloc.c:1494)\n drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)\n __drain_all_pages (mm/page_alloc.c:2731)\n drain_all_pages (mm/page_alloc.c:2747)\n kcompactd (mm/compaction.c:3115)\n kthread (kernel/kthread.c:465)\n ? __cfi_kcompactd (mm/compaction.c:3166)\n ? __cfi_kthread (kernel/kthread.c:412)\n ret_from_fork (arch/x86/kernel/process.c:164)\n ? __cfi_kthread (kernel/kthread.c:412)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:255)\n \u003c/TASK\u003e\n\nMatthew has analyzed the report and identified that in drain_page_zone()\nwe are in a section protected by spin_lock(\u0026pcp-\u003elock) and then get an\ninterrupt that attempts spin_trylock() on the same lock. The code is\ndesigned to work this way without disabling IRQs and occasionally fail the\ntrylock with a fallback. However, the SMP=n spinlock implementation\nassumes spin_trylock() will always succeed, and thus it\u0027s normally a\nno-op. Here the enabled lock debugging catches the problem, but otherwise\nit could cause a corruption of the pcp structure.\n\nThe problem has been introduced by commit 574907741599 (\"mm/page_alloc:\nleave IRQs enabled for per-cpu page allocations\"). The pcp locking scheme\nrecognizes the need for disabling IRQs to prevent nesting spin_trylock()\nsections on SMP=n, but the need to prevent the nesting in spin_lock() has\nnot been recognized. Fix it by introducing local wrappers that change the\nspin_lock() to spin_lock_iqsave() with SMP=n and use them in all places\nthat do spin_lock(\u0026pcp-\u003elock).\n\n[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:45.004Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68688fc4eab007834b4c2d740214423ba2a335a8"
},
{
"url": "https://git.kernel.org/stable/c/4a04ff9cd816e7346fcc8126f00ed80481f6569d"
},
{
"url": "https://git.kernel.org/stable/c/df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6"
},
{
"url": "https://git.kernel.org/stable/c/3098f8f7c7b0686c74827aec42a2c45e69801ff8"
},
{
"url": "https://git.kernel.org/stable/c/038a102535eb49e10e93eafac54352fcc5d78847"
}
],
"title": "mm/page_alloc: prevent pcp corruption with SMP=n",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23025",
"datePublished": "2026-01-31T11:42:04.426Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-06-02T13:00:48.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68788 (GCVE-0-2025-68788)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-16 16:22
VLAI?
EPSS
Title
fsnotify: do not generate ACCESS/MODIFY events on child for special files
Summary
In the Linux kernel, the following vulnerability has been resolved:
fsnotify: do not generate ACCESS/MODIFY events on child for special files
inotify/fanotify do not allow users with no read access to a file to
subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the
same user to subscribe for watching events on children when the user
has access to the parent directory (e.g. /dev).
Users with no read access to a file but with read access to its parent
directory can still stat the file and see if it was accessed/modified
via atime/mtime change.
The same is not true for special files (e.g. /dev/null). Users will not
generally observe atime/mtime changes when other users read/write to
special files, only when someone sets atime/mtime via utimensat().
Align fsnotify events with this stat behavior and do not generate
ACCESS/MODIFY events to parent watchers on read/write of special files.
The events are still generated to parent watchers on utimensat(). This
closes some side-channels that could be possibly used for information
exfiltration [1].
[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
72acc854427948efed7a83da27f7dc3239ac9afc , < df2711544b050aba703e6da418c53c7dc5d443ca
(git)
Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 859bdf438f01d9aa7f84b09c1202d548c7cad9e8 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < e0643d46759db8b84c0504a676043e5e341b6c81 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 82f7416bcbd951549e758d15fc1a96a5afc2e900 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6 (git) Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 635bc4def026a24e071436f4f356ea08c0eed6ff (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:22:25.274360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:22:36.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df2711544b050aba703e6da418c53c7dc5d443ca",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "859bdf438f01d9aa7f84b09c1202d548c7cad9e8",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "e0643d46759db8b84c0504a676043e5e341b6c81",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "82f7416bcbd951549e758d15fc1a96a5afc2e900",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "635bc4def026a24e071436f4f356ea08c0eed6ff",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: do not generate ACCESS/MODIFY events on child for special files\n\ninotify/fanotify do not allow users with no read access to a file to\nsubscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the\nsame user to subscribe for watching events on children when the user\nhas access to the parent directory (e.g. /dev).\n\nUsers with no read access to a file but with read access to its parent\ndirectory can still stat the file and see if it was accessed/modified\nvia atime/mtime change.\n\nThe same is not true for special files (e.g. /dev/null). Users will not\ngenerally observe atime/mtime changes when other users read/write to\nspecial files, only when someone sets atime/mtime via utimensat().\n\nAlign fsnotify events with this stat behavior and do not generate\nACCESS/MODIFY events to parent watchers on read/write of special files.\nThe events are still generated to parent watchers on utimensat(). This\ncloses some side-channels that could be possibly used for information\nexfiltration [1].\n\n[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:22.202Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca"
},
{
"url": "https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8"
},
{
"url": "https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91"
},
{
"url": "https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81"
},
{
"url": "https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900"
},
{
"url": "https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6"
},
{
"url": "https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff"
}
],
"title": "fsnotify: do not generate ACCESS/MODIFY events on child for special files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68788",
"datePublished": "2026-01-13T15:29:01.270Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-06-16T16:22:36.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23073 (GCVE-0-2026-23073)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
wifi: rsi: Fix memory corruption due to not set vif driver data size
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rsi: Fix memory corruption due to not set vif driver data size
The struct ieee80211_vif contains trailing space for vif driver data,
when struct ieee80211_vif is allocated, the total memory size that is
allocated is sizeof(struct ieee80211_vif) + size of vif driver data.
The size of vif driver data is set by each WiFi driver as needed.
The RSI911x driver does not set vif driver data size, no trailing space
for vif driver data is therefore allocated past struct ieee80211_vif .
The RSI911x driver does however use the vif driver data to store its
vif driver data structure "struct vif_priv". An access to vif->drv_priv
leads to access out of struct ieee80211_vif bounds and corruption of
some memory.
In case of the failure observed locally, rsi_mac80211_add_interface()
would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;
vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member
struct list_head new_flows . The flow = list_first_entry(head, struct
fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus
address, which when accessed causes a crash.
The trigger is very simple, boot the machine with init=/bin/sh , mount
devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1",
"ip link set wlan0 down" and the crash occurs.
Fix this by setting the correct size of vif driver data, which is the
size of "struct vif_priv", so that memory is allocated and the driver
can store its driver data in it, instead of corrupting memory around
it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dad0d04fa7ba41ce603a01e8e64967650303e9a2 , < 49ef094fdbc3526e5db2aebb404b84f79c5603dc
(git)
Affected: dad0d04fa7ba41ce603a01e8e64967650303e9a2 , < 0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0 (git) Affected: dad0d04fa7ba41ce603a01e8e64967650303e9a2 , < 7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4 (git) Affected: dad0d04fa7ba41ce603a01e8e64967650303e9a2 , < 7761d7801f40e61069b4df3db88b36d80d089f8a (git) Affected: dad0d04fa7ba41ce603a01e8e64967650303e9a2 , < 99129d80a5d4989ef8566f434f3589f60f28042b (git) Affected: dad0d04fa7ba41ce603a01e8e64967650303e9a2 , < 31efbcff90884ea5f65bf3d1de01267db51ee3d1 (git) Affected: dad0d04fa7ba41ce603a01e8e64967650303e9a2 , < 4f431d88ea8093afc7ba55edf4652978c5a68f33 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:45.448812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:15.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_mac80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49ef094fdbc3526e5db2aebb404b84f79c5603dc",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "7761d7801f40e61069b4df3db88b36d80d089f8a",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "99129d80a5d4989ef8566f434f3589f60f28042b",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "31efbcff90884ea5f65bf3d1de01267db51ee3d1",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "4f431d88ea8093afc7ba55edf4652978c5a68f33",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_mac80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Fix memory corruption due to not set vif driver data size\n\nThe struct ieee80211_vif contains trailing space for vif driver data,\nwhen struct ieee80211_vif is allocated, the total memory size that is\nallocated is sizeof(struct ieee80211_vif) + size of vif driver data.\nThe size of vif driver data is set by each WiFi driver as needed.\n\nThe RSI911x driver does not set vif driver data size, no trailing space\nfor vif driver data is therefore allocated past struct ieee80211_vif .\nThe RSI911x driver does however use the vif driver data to store its\nvif driver data structure \"struct vif_priv\". An access to vif-\u003edrv_priv\nleads to access out of struct ieee80211_vif bounds and corruption of\nsome memory.\n\nIn case of the failure observed locally, rsi_mac80211_add_interface()\nwould write struct vif_priv *vif_info = (struct vif_priv *)vif-\u003edrv_priv;\nvif_info-\u003evap_id = vap_idx. This write corrupts struct fq_tin member\nstruct list_head new_flows . The flow = list_first_entry(head, struct\nfq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus\naddress, which when accessed causes a crash.\n\nThe trigger is very simple, boot the machine with init=/bin/sh , mount\ndevtmpfs, sysfs, procfs, and then do \"ip link set wlan0 up\", \"sleep 1\",\n\"ip link set wlan0 down\" and the crash occurs.\n\nFix this by setting the correct size of vif driver data, which is the\nsize of \"struct vif_priv\", so that memory is allocated and the driver\ncan store its driver data in it, instead of corrupting memory around\nit."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:28.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49ef094fdbc3526e5db2aebb404b84f79c5603dc"
},
{
"url": "https://git.kernel.org/stable/c/0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0"
},
{
"url": "https://git.kernel.org/stable/c/7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4"
},
{
"url": "https://git.kernel.org/stable/c/7761d7801f40e61069b4df3db88b36d80d089f8a"
},
{
"url": "https://git.kernel.org/stable/c/99129d80a5d4989ef8566f434f3589f60f28042b"
},
{
"url": "https://git.kernel.org/stable/c/31efbcff90884ea5f65bf3d1de01267db51ee3d1"
},
{
"url": "https://git.kernel.org/stable/c/4f431d88ea8093afc7ba55edf4652978c5a68f33"
}
],
"title": "wifi: rsi: Fix memory corruption due to not set vif driver data size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23073",
"datePublished": "2026-02-04T16:07:53.527Z",
"dateReserved": "2026-01-13T15:37:45.958Z",
"dateUpdated": "2026-06-11T18:44:15.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71085 (GCVE-0-2025-71085)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 86f365897068d09418488165a68b23cb5baa37f2
(git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 6b7522424529556c9cbc15e15e7bd4eeae310910 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 2bb759062efa188ea5d07242a43e5aa5464bbae1 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < c53aa6a5086f03f19564096ee084a202a8c738c0 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < bf3709738d8a8cc6fa275773170c5c29511a0b24 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 73744ad5696dce0e0f43872aba8de6a83d6ad570 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 58fc7342b529803d3c221101102fe913df7adb83 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:02.469421Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:18.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86f365897068d09418488165a68b23cb5baa37f2",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "6b7522424529556c9cbc15e15e7bd4eeae310910",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "2bb759062efa188ea5d07242a43e5aa5464bbae1",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "c53aa6a5086f03f19564096ee084a202a8c738c0",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "bf3709738d8a8cc6fa275773170c5c29511a0b24",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "73744ad5696dce0e0f43872aba8de6a83d6ad570",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "58fc7342b529803d3c221101102fe913df7adb83",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead \u003c 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom \u003e INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) \u003c 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom \u003e skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom \u003e INT_MAX and delta \u003c= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n netlabelctl map del default\n netlabelctl calipso add pass doi:7\n netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n Then run the following PoC:\n\n int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n // setup msghdr\n int cmsg_size = 2;\n int cmsg_len = 0x60;\n struct msghdr msg;\n struct sockaddr_in6 dest_addr;\n struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n sizeof(struct cmsghdr) + cmsg_len);\n msg.msg_name = \u0026dest_addr;\n msg.msg_namelen = sizeof(dest_addr);\n msg.msg_iov = NULL;\n msg.msg_iovlen = 0;\n msg.msg_control = cmsg;\n msg.msg_controllen = cmsg_len;\n msg.msg_flags = 0;\n\n // setup sockaddr\n dest_addr.sin6_family = AF_INET6;\n dest_addr.sin6_port = htons(31337);\n dest_addr.sin6_flowinfo = htonl(31337);\n dest_addr.sin6_addr = in6addr_loopback;\n dest_addr.sin6_scope_id = 31337;\n\n // setup cmsghdr\n cmsg-\u003ecmsg_len = cmsg_len;\n cmsg-\u003ecmsg_level = IPPROTO_IPV6;\n cmsg-\u003ecmsg_type = IPV6_HOPOPTS;\n char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n sendmsg(fd, \u0026msg, 0);"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:27.272Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2"
},
{
"url": "https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910"
},
{
"url": "https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1"
},
{
"url": "https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0"
},
{
"url": "https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24"
},
{
"url": "https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570"
},
{
"url": "https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83"
}
],
"title": "ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71085",
"datePublished": "2026-01-13T15:34:48.324Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-06-11T18:44:18.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71154 (GCVE-0-2025-71154)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
In async_set_registers(), when usb_submit_urb() fails, the allocated
async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing
these allocations, but it is only called after the URB is successfully
submitted and completes (successfully or with error). If submission
fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error
path when usb_submit_urb() fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < a4e2442d3c48355a84463342f397134f149936d7
(git)
Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 2f966186b99550e3c665dbfb87b8314e30acea02 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < db2244c580540306d60ce783ed340190720cd429 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 4bd4ea3eb326608ffc296db12c105f92dc2f2190 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 6492ad6439ff1a479fc94dc6052df3628faed8b6 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 151403e903840c9cf06754097b6732c14f26c532 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 12cab1191d9890097171156d06bfa8d31f1e39c8 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:06.317102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:19.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4e2442d3c48355a84463342f397134f149936d7",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "2f966186b99550e3c665dbfb87b8314e30acea02",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "db2244c580540306d60ce783ed340190720cd429",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "4bd4ea3eb326608ffc296db12c105f92dc2f2190",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "6492ad6439ff1a479fc94dc6052df3628faed8b6",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "151403e903840c9cf06754097b6732c14f26c532",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "12cab1191d9890097171156d06bfa8d31f1e39c8",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix memory leak on usb_submit_urb() failure\n\nIn async_set_registers(), when usb_submit_urb() fails, the allocated\n async_req structure and URB are not freed, causing a memory leak.\n\n The completion callback async_set_reg_cb() is responsible for freeing\n these allocations, but it is only called after the URB is successfully\n submitted and completes (successfully or with error). If submission\n fails, the callback never runs and the memory is leaked.\n\n Fix this by freeing both the URB and the request structure in the error\n path when usb_submit_urb() fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:00.321Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7"
},
{
"url": "https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02"
},
{
"url": "https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429"
},
{
"url": "https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190"
},
{
"url": "https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6"
},
{
"url": "https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532"
},
{
"url": "https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8"
}
],
"title": "net: usb: rtl8150: fix memory leak on usb_submit_urb() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71154",
"datePublished": "2026-01-23T14:25:53.818Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-06-11T18:44:19.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23141 (GCVE-0-2026-23141)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-06-01 16:10
VLAI?
EPSS
Title
btrfs: send: check for inline extents in range_is_hole_in_parent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: send: check for inline extents in range_is_hole_in_parent()
Before accessing the disk_bytenr field of a file extent item we need
to check if we are dealing with an inline extent.
This is because for inline extents their data starts at the offset of
the disk_bytenr field. So accessing the disk_bytenr
means we are accessing inline data or in case the inline data is less
than 8 bytes we can actually cause an invalid
memory access if this inline extent item is the first item in the leaf
or access metadata from other items.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < 901e581bfc44d181f7d9c3f11880dac3e89deb2e
(git)
Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < d948055bd46a9c14d1d4217aed65c5c258c32903 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < db00636643e66898d79f2530ac9c56ebd5eca369 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < 39f83f10772310ba4a77f2b5256aaf36994ef7e8 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < 08b096c1372cd69627f4f559fb47c9fb67a52b39 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/send.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "901e581bfc44d181f7d9c3f11880dac3e89deb2e",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "d948055bd46a9c14d1d4217aed65c5c258c32903",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "db00636643e66898d79f2530ac9c56ebd5eca369",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "39f83f10772310ba4a77f2b5256aaf36994ef7e8",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "08b096c1372cd69627f4f559fb47c9fb67a52b39",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/send.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: check for inline extents in range_is_hole_in_parent()\n\nBefore accessing the disk_bytenr field of a file extent item we need\nto check if we are dealing with an inline extent.\nThis is because for inline extents their data starts at the offset of\nthe disk_bytenr field. So accessing the disk_bytenr\nmeans we are accessing inline data or in case the inline data is less\nthan 8 bytes we can actually cause an invalid\nmemory access if this inline extent item is the first item in the leaf\nor access metadata from other items."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:10:51.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/901e581bfc44d181f7d9c3f11880dac3e89deb2e"
},
{
"url": "https://git.kernel.org/stable/c/d948055bd46a9c14d1d4217aed65c5c258c32903"
},
{
"url": "https://git.kernel.org/stable/c/f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9"
},
{
"url": "https://git.kernel.org/stable/c/db00636643e66898d79f2530ac9c56ebd5eca369"
},
{
"url": "https://git.kernel.org/stable/c/39f83f10772310ba4a77f2b5256aaf36994ef7e8"
},
{
"url": "https://git.kernel.org/stable/c/08b096c1372cd69627f4f559fb47c9fb67a52b39"
}
],
"title": "btrfs: send: check for inline extents in range_is_hole_in_parent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23141",
"datePublished": "2026-02-14T15:36:07.417Z",
"dateReserved": "2026-01-13T15:37:45.973Z",
"dateUpdated": "2026-06-01T16:10:51.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68744 (GCVE-0-2025-68744)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
bpf: Free special fields when update [lru_,]percpu_hash maps
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Free special fields when update [lru_,]percpu_hash maps
As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing
calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the
memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the
map gets freed.
Fix this by calling 'bpf_obj_free_fields()' after
'copy_map_value[,_long]()' in 'pcpu_copy_value()'.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 994d6303ed0b84cbc795bb5becf7ed6de40d3f3c
(git)
Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 3bf1378747e251571e0de15e7e0a6bf2919044e7 (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 96a5cb7072cabbac5c66ac9318242c3bdceebb68 (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 4a03d69cece145e4fb527464be29c3806aa3221e (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 6af6e49a76c9af7d42eb923703e7648cb2bf401a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994d6303ed0b84cbc795bb5becf7ed6de40d3f3c",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "3bf1378747e251571e0de15e7e0a6bf2919044e7",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "96a5cb7072cabbac5c66ac9318242c3bdceebb68",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "4a03d69cece145e4fb527464be29c3806aa3221e",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "6af6e49a76c9af7d42eb923703e7648cb2bf401a",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free special fields when update [lru_,]percpu_hash maps\n\nAs [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing\ncalls to \u0027bpf_obj_free_fields()\u0027 in \u0027pcpu_copy_value()\u0027 could cause the\nmemory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the\nmap gets freed.\n\nFix this by calling \u0027bpf_obj_free_fields()\u0027 after\n\u0027copy_map_value[,_long]()\u0027 in \u0027pcpu_copy_value()\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:30.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994d6303ed0b84cbc795bb5becf7ed6de40d3f3c"
},
{
"url": "https://git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7"
},
{
"url": "https://git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68"
},
{
"url": "https://git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e"
},
{
"url": "https://git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a"
}
],
"title": "bpf: Free special fields when update [lru_,]percpu_hash maps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68744",
"datePublished": "2025-12-24T12:09:40.839Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-05-11T21:52:30.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40325 (GCVE-0-2025-40325)
Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
md/raid10: wait barrier before returning discard request with REQ_NOWAIT
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: wait barrier before returning discard request with REQ_NOWAIT
raid10_handle_discard should wait barrier before returning a discard bio
which has REQ_NOWAIT. And there is no need to print warning calltrace
if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks
dmesg and reports error if dmesg has warning/error calltrace.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c9aa889b035fca4598ae985a0f0c76ebbb547ad2 , < 31ff67982c5fa39c0093b9d9f429fef91c2494b7
(git)
Affected: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 , < 31d3156efe909b53ba174861a3da880c688f5edc (git) Affected: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 , < 3db4404435397a345431b45f57876a3df133f3b4 (git) Affected: 39db562b3fedb93978a7e42dd216b306740959f8 (git) Affected: 5.15.111 , < 5.16 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31ff67982c5fa39c0093b9d9f429fef91c2494b7",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "31d3156efe909b53ba174861a3da880c688f5edc",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "3db4404435397a345431b45f57876a3df133f3b4",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"status": "affected",
"version": "39db562b3fedb93978a7e42dd216b306740959f8",
"versionType": "git"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.111",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.111",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: wait barrier before returning discard request with REQ_NOWAIT\n\nraid10_handle_discard should wait barrier before returning a discard bio\nwhich has REQ_NOWAIT. And there is no need to print warning calltrace\nif a discard bio has REQ_NOWAIT flag. Quality engineer usually checks\ndmesg and reports error if dmesg has warning/error calltrace."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:09.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31ff67982c5fa39c0093b9d9f429fef91c2494b7"
},
{
"url": "https://git.kernel.org/stable/c/31d3156efe909b53ba174861a3da880c688f5edc"
},
{
"url": "https://git.kernel.org/stable/c/3db4404435397a345431b45f57876a3df133f3b4"
}
],
"title": "md/raid10: wait barrier before returning discard request with REQ_NOWAIT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40325",
"datePublished": "2025-04-18T07:01:41.619Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-05-23T16:02:09.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71131 (GCVE-0-2025-71131)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
As soon as crypto_aead_encrypt is called, the underlying request
may be freed by an asynchronous completion. Thus dereferencing
req->iv after it returns is invalid.
Instead of checking req->iv against info, create a new variable
unaligned_info and use it for that purpose instead.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 18202537856e0fae079fed2c9308780bcff2bb9d
(git)
Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < baf0e2d1e03ddb04781dfe7f22a654d3611f69b2 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 50f196d2bbaee4ab2494bb1b0d294deba292951a (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 0279978adec6f1296af66b642cce641c6580be46 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < ccbb96434d88e32358894c879457b33f7508e798 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 5476f7f8a311236604b78fcc5b2a63b3a61b0169 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 50fdb78b7c0bcc550910ef69c0984e751cac72fa (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:45.516602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:04.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/seqiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18202537856e0fae079fed2c9308780bcff2bb9d",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "baf0e2d1e03ddb04781dfe7f22a654d3611f69b2",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "50f196d2bbaee4ab2494bb1b0d294deba292951a",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "0279978adec6f1296af66b642cce641c6580be46",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "ccbb96434d88e32358894c879457b33f7508e798",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "5476f7f8a311236604b78fcc5b2a63b3a61b0169",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "50fdb78b7c0bcc550910ef69c0984e751cac72fa",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/seqiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: seqiv - Do not use req-\u003eiv after crypto_aead_encrypt\n\nAs soon as crypto_aead_encrypt is called, the underlying request\nmay be freed by an asynchronous completion. Thus dereferencing\nreq-\u003eiv after it returns is invalid.\n\nInstead of checking req-\u003eiv against info, create a new variable\nunaligned_info and use it for that purpose instead."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:34.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18202537856e0fae079fed2c9308780bcff2bb9d"
},
{
"url": "https://git.kernel.org/stable/c/baf0e2d1e03ddb04781dfe7f22a654d3611f69b2"
},
{
"url": "https://git.kernel.org/stable/c/50f196d2bbaee4ab2494bb1b0d294deba292951a"
},
{
"url": "https://git.kernel.org/stable/c/0279978adec6f1296af66b642cce641c6580be46"
},
{
"url": "https://git.kernel.org/stable/c/ccbb96434d88e32358894c879457b33f7508e798"
},
{
"url": "https://git.kernel.org/stable/c/5476f7f8a311236604b78fcc5b2a63b3a61b0169"
},
{
"url": "https://git.kernel.org/stable/c/50fdb78b7c0bcc550910ef69c0984e751cac72fa"
}
],
"title": "crypto: seqiv - Do not use req-\u003eiv after crypto_aead_encrypt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71131",
"datePublished": "2026-01-14T15:07:47.194Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-06-11T18:44:04.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47336 (GCVE-0-2026-47336)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:29 – Updated: 2026-05-28 19:23
VLAI?
EPSS
Title
Use of uninitialized value in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation rules
Summary
Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.
Severity ?
CWE
- CWE-457 - Use of uninitialized variable
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
|
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:21:17.067482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:23:22.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457 Use of uninitialized variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:29:01.992Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=f37c6a70fe7b435322c334554002809a4e7b7293"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Use of uninitialized value in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation rules"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47336",
"datePublished": "2026-05-28T18:29:01.992Z",
"dateReserved": "2026-05-19T10:37:36.434Z",
"dateUpdated": "2026-05-28T19:23:22.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68778 (GCVE-0-2025-68778)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
We can't log a conflicting inode if it's a directory and it was moved
from one parent directory to another parent directory in the current
transaction, as this can result an attempt to have a directory with
two hard links during log replay, one for the old parent directory and
another for the new parent directory.
The following scenario triggers that issue:
1) We have directories "dir1" and "dir2" created in a past transaction.
Directory "dir1" has inode A as its parent directory;
2) We move "dir1" to some other directory;
3) We create a file with the name "dir1" in directory inode A;
4) We fsync the new file. This results in logging the inode of the new file
and the inode for the directory "dir1" that was previously moved in the
current transaction. So the log tree has the INODE_REF item for the
new location of "dir1";
5) We move the new file to some other directory. This results in updating
the log tree to included the new INODE_REF for the new location of the
file and removes the INODE_REF for the old location. This happens
during the rename when we call btrfs_log_new_name();
6) We fsync the file, and that persists the log tree changes done in the
previous step (btrfs_log_new_name() only updates the log tree in
memory);
7) We have a power failure;
8) Next time the fs is mounted, log replay happens and when processing
the inode for directory "dir1" we find a new INODE_REF and add that
link, but we don't remove the old link of the inode since we have
not logged the old parent directory of the directory inode "dir1".
As a result after log replay finishes when we trigger writeback of the
subvolume tree's extent buffers, the tree check will detect that we have
a directory a hard link count of 2 and we get a mount failure.
The errors and stack traces reported in dmesg/syslog are like this:
[ 3845.729764] BTRFS info (device dm-0): start tree-log replay
[ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c
[ 3845.731236] memcg:ffff9264c02f4e00
[ 3845.731751] aops:btree_aops [btrfs] ino:1
[ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8
[ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00
[ 3845.735305] page dumped because: eb page dump
[ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir
[ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5
[ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701
[ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384
[ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0
[ 3845.737797] rdev 0 sequence 2 flags 0x0
[ 3845.737798] atime 1764259517.0
[ 3845.737800] ctime 1764259517.572889464
[ 3845.737801] mtime 1764259517.572889464
[ 3845.737802] otime 1764259517.0
[ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
[ 3845.737805] index 0 name_len 2
[ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34
[ 3845.737808] location key (257 1 0) type 2
[ 3845.737810] transid 9 data_len 0 name_len 4
[ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34
[ 3845.737813] location key (258 1 0) type 2
[ 3845.737814] transid 9 data_len 0 name_len 4
[ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
[ 3845.737816] location key (257 1 0) type 2
[
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
44f714dae50a2e795d3268a6831762aa6fa54f55 , < d64f3834dffef80f0a9185a037617a54ed7f4bd2
(git)
Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < 7359e1d39c78816ecbdb0cb4e93975794ce53973 (git) Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < d478f50727c3ee46d0359f0d2ae114f70191816e (git) Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < a35788ddf8df65837897ecbb0ddb2896b863159e (git) Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < 266273eaf4d99475f1ae57f687b3e42bc71ec6f0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d64f3834dffef80f0a9185a037617a54ed7f4bd2",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "7359e1d39c78816ecbdb0cb4e93975794ce53973",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "d478f50727c3ee46d0359f0d2ae114f70191816e",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "a35788ddf8df65837897ecbb0ddb2896b863159e",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "266273eaf4d99475f1ae57f687b3e42bc71ec6f0",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction\n\nWe can\u0027t log a conflicting inode if it\u0027s a directory and it was moved\nfrom one parent directory to another parent directory in the current\ntransaction, as this can result an attempt to have a directory with\ntwo hard links during log replay, one for the old parent directory and\nanother for the new parent directory.\n\nThe following scenario triggers that issue:\n\n1) We have directories \"dir1\" and \"dir2\" created in a past transaction.\n Directory \"dir1\" has inode A as its parent directory;\n\n2) We move \"dir1\" to some other directory;\n\n3) We create a file with the name \"dir1\" in directory inode A;\n\n4) We fsync the new file. This results in logging the inode of the new file\n and the inode for the directory \"dir1\" that was previously moved in the\n current transaction. So the log tree has the INODE_REF item for the\n new location of \"dir1\";\n\n5) We move the new file to some other directory. This results in updating\n the log tree to included the new INODE_REF for the new location of the\n file and removes the INODE_REF for the old location. This happens\n during the rename when we call btrfs_log_new_name();\n\n6) We fsync the file, and that persists the log tree changes done in the\n previous step (btrfs_log_new_name() only updates the log tree in\n memory);\n\n7) We have a power failure;\n\n8) Next time the fs is mounted, log replay happens and when processing\n the inode for directory \"dir1\" we find a new INODE_REF and add that\n link, but we don\u0027t remove the old link of the inode since we have\n not logged the old parent directory of the directory inode \"dir1\".\n\nAs a result after log replay finishes when we trigger writeback of the\nsubvolume tree\u0027s extent buffers, the tree check will detect that we have\na directory a hard link count of 2 and we get a mount failure.\nThe errors and stack traces reported in dmesg/syslog are like this:\n\n [ 3845.729764] BTRFS info (device dm-0): start tree-log replay\n [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c\n [ 3845.731236] memcg:ffff9264c02f4e00\n [ 3845.731751] aops:btree_aops [btrfs] ino:1\n [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\n [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8\n [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00\n [ 3845.735305] page dumped because: eb page dump\n [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir\n [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5\n [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701\n [ 3845.737792] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\n [ 3845.737794] \t\tinode generation 3 transid 9 size 16 nbytes 16384\n [ 3845.737795] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0\n [ 3845.737797] \t\trdev 0 sequence 2 flags 0x0\n [ 3845.737798] \t\tatime 1764259517.0\n [ 3845.737800] \t\tctime 1764259517.572889464\n [ 3845.737801] \t\tmtime 1764259517.572889464\n [ 3845.737802] \t\totime 1764259517.0\n [ 3845.737803] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\n [ 3845.737805] \t\tindex 0 name_len 2\n [ 3845.737807] \titem 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34\n [ 3845.737808] \t\tlocation key (257 1 0) type 2\n [ 3845.737810] \t\ttransid 9 data_len 0 name_len 4\n [ 3845.737811] \titem 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34\n [ 3845.737813] \t\tlocation key (258 1 0) type 2\n [ 3845.737814] \t\ttransid 9 data_len 0 name_len 4\n [ 3845.737815] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\n [ 3845.737816] \t\tlocation key (257 1 0) type 2\n [\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:10.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2"
},
{
"url": "https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973"
},
{
"url": "https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e"
},
{
"url": "https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e"
},
{
"url": "https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0"
}
],
"title": "btrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68778",
"datePublished": "2026-01-13T15:28:54.107Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-11T21:53:10.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23173 (GCVE-0-2026-23173)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
net/mlx5e: TC, delete flows only for existing peers
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: TC, delete flows only for existing peers
When deleting TC steering flows, iterate only over actual devcom
peers instead of assuming all possible ports exist. This avoids
touching non-existent peers and ensures cleanup is limited to
devices the driver is currently connected to.
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 133c8a067 P4D 0
Oops: Oops: 0002 [#1] SMP
CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]
Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49
RSP: 0018:ff11000143867528 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000
RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0
RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002
R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78
R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0
FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0
Call Trace:
<TASK>
mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]
mlx5e_flow_put+0x25/0x50 [mlx5_core]
mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]
tc_setup_cb_reoffload+0x20/0x80
fl_reoffload+0x26f/0x2f0 [cls_flower]
? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
tcf_block_playback_offloads+0x9e/0x1c0
tcf_block_unbind+0x7b/0xd0
tcf_block_setup+0x186/0x1d0
tcf_block_offload_cmd.isra.0+0xef/0x130
tcf_block_offload_unbind+0x43/0x70
__tcf_block_put+0x85/0x160
ingress_destroy+0x32/0x110 [sch_ingress]
__qdisc_destroy+0x44/0x100
qdisc_graft+0x22b/0x610
tc_get_qdisc+0x183/0x4d0
rtnetlink_rcv_msg+0x2d7/0x3d0
? rtnl_calcit.isra.0+0x100/0x100
netlink_rcv_skb+0x53/0x100
netlink_unicast+0x249/0x320
? __alloc_skb+0x102/0x1f0
netlink_sendmsg+0x1e3/0x420
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x1ef/0x230
? copy_msghdr_from_user+0x6c/0xa0
___sys_sendmsg+0x7f/0xc0
? ___sys_recvmsg+0x8a/0xc0
? __sys_sendto+0x119/0x180
__sys_sendmsg+0x61/0xb0
do_syscall_64+0x55/0x640
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f35238bb764
Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764
RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003
RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20
R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790
R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 , < 62e1d8920f6920543f4b095a65fb964448c9901d
(git)
Affected: 9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 , < 2652e2f1253c53f9a3ce84cc972568b32c892734 (git) Affected: 9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 , < fdf8437016f578f18b160c6e14f13ab96bfbc3ba (git) Affected: 9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 , < f67666938ae626cbda63fbf5176b3583c07e7124 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62e1d8920f6920543f4b095a65fb964448c9901d",
"status": "affected",
"version": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6",
"versionType": "git"
},
{
"lessThan": "2652e2f1253c53f9a3ce84cc972568b32c892734",
"status": "affected",
"version": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6",
"versionType": "git"
},
{
"lessThan": "fdf8437016f578f18b160c6e14f13ab96bfbc3ba",
"status": "affected",
"version": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6",
"versionType": "git"
},
{
"lessThan": "f67666938ae626cbda63fbf5176b3583c07e7124",
"status": "affected",
"version": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, delete flows only for existing peers\n\nWhen deleting TC steering flows, iterate only over actual devcom\npeers instead of assuming all possible ports exist. This avoids\ntouching non-existent peers and ensures cleanup is limited to\ndevices the driver is currently connected to.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 133c8a067 P4D 0\n Oops: Oops: 0002 [#1] SMP\n CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]\n Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff \u003c48\u003e 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49\n RSP: 0018:ff11000143867528 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000\n RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0\n RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002\n R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78\n R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0\n FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0\n Call Trace:\n \u003cTASK\u003e\n mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]\n mlx5e_flow_put+0x25/0x50 [mlx5_core]\n mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]\n tc_setup_cb_reoffload+0x20/0x80\n fl_reoffload+0x26f/0x2f0 [cls_flower]\n ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]\n ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]\n tcf_block_playback_offloads+0x9e/0x1c0\n tcf_block_unbind+0x7b/0xd0\n tcf_block_setup+0x186/0x1d0\n tcf_block_offload_cmd.isra.0+0xef/0x130\n tcf_block_offload_unbind+0x43/0x70\n __tcf_block_put+0x85/0x160\n ingress_destroy+0x32/0x110 [sch_ingress]\n __qdisc_destroy+0x44/0x100\n qdisc_graft+0x22b/0x610\n tc_get_qdisc+0x183/0x4d0\n rtnetlink_rcv_msg+0x2d7/0x3d0\n ? rtnl_calcit.isra.0+0x100/0x100\n netlink_rcv_skb+0x53/0x100\n netlink_unicast+0x249/0x320\n ? __alloc_skb+0x102/0x1f0\n netlink_sendmsg+0x1e3/0x420\n __sock_sendmsg+0x38/0x60\n ____sys_sendmsg+0x1ef/0x230\n ? copy_msghdr_from_user+0x6c/0xa0\n ___sys_sendmsg+0x7f/0xc0\n ? ___sys_recvmsg+0x8a/0xc0\n ? __sys_sendto+0x119/0x180\n __sys_sendmsg+0x61/0xb0\n do_syscall_64+0x55/0x640\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f35238bb764\n Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55\n RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764\n RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003\n RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20\n R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790\n R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:44.197Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62e1d8920f6920543f4b095a65fb964448c9901d"
},
{
"url": "https://git.kernel.org/stable/c/2652e2f1253c53f9a3ce84cc972568b32c892734"
},
{
"url": "https://git.kernel.org/stable/c/fdf8437016f578f18b160c6e14f13ab96bfbc3ba"
},
{
"url": "https://git.kernel.org/stable/c/f67666938ae626cbda63fbf5176b3583c07e7124"
}
],
"title": "net/mlx5e: TC, delete flows only for existing peers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23173",
"datePublished": "2026-02-14T16:01:34.842Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-05-11T22:01:44.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68728 (GCVE-0-2025-68728)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Fix a KMSAN un-init bug found by syzkaller.
ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be
uptodate. We do not bring the buffer uptodate before setting it as
uptodate. If the buffer were to not be uptodate, it could mean adding a
buffer with un-init data to the mi record. Attempting to load that record
will trigger KMSAN.
Avoid this by setting the buffer as uptodate, if it’s not already, by
overwriting it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4342306f0f0d5ff4315a204d315c1b51b914fca5 , < afb144bc8e920db43a23e996eb0a6f9bdea84341
(git)
Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < c70b3abfd530c7f574bc25a5f84707e6fdf0def8 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 8bf729b96303bb862d7c6dc05edcf51274ae04cf (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 7ce8f2028dfccb2161b905cf8ab85cdd9e93909c (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 46f2a881e5a7311d41551edb3915e4d4e8802341 (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 81ffe9a265df3e41534726b852ab08792e3d374d (git) Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 73e6b9dacf72a1e7a4265eacca46f8f33e0997d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fsntfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "afb144bc8e920db43a23e996eb0a6f9bdea84341",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "c70b3abfd530c7f574bc25a5f84707e6fdf0def8",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "8bf729b96303bb862d7c6dc05edcf51274ae04cf",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "7ce8f2028dfccb2161b905cf8ab85cdd9e93909c",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "46f2a881e5a7311d41551edb3915e4d4e8802341",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "81ffe9a265df3e41534726b852ab08792e3d374d",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "73e6b9dacf72a1e7a4265eacca46f8f33e0997d6",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fsntfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: fix uninit memory after failed mi_read in mi_format_new\n\nFix a KMSAN un-init bug found by syzkaller.\n\nntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be\nuptodate. We do not bring the buffer uptodate before setting it as\nuptodate. If the buffer were to not be uptodate, it could mean adding a\nbuffer with un-init data to the mi record. Attempting to load that record\nwill trigger KMSAN.\n\nAvoid this by setting the buffer as uptodate, if it\u2019s not already, by\noverwriting it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:11.623Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/afb144bc8e920db43a23e996eb0a6f9bdea84341"
},
{
"url": "https://git.kernel.org/stable/c/c70b3abfd530c7f574bc25a5f84707e6fdf0def8"
},
{
"url": "https://git.kernel.org/stable/c/8bf729b96303bb862d7c6dc05edcf51274ae04cf"
},
{
"url": "https://git.kernel.org/stable/c/7ce8f2028dfccb2161b905cf8ab85cdd9e93909c"
},
{
"url": "https://git.kernel.org/stable/c/46f2a881e5a7311d41551edb3915e4d4e8802341"
},
{
"url": "https://git.kernel.org/stable/c/81ffe9a265df3e41534726b852ab08792e3d374d"
},
{
"url": "https://git.kernel.org/stable/c/73e6b9dacf72a1e7a4265eacca46f8f33e0997d6"
}
],
"title": "ntfs3: fix uninit memory after failed mi_read in mi_format_new",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68728",
"datePublished": "2025-12-24T10:33:11.847Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-05-11T21:52:11.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23107 (GCVE-0-2026-23107)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
The code to restore a ZA context doesn't attempt to allocate the task's
sve_state before setting TIF_SME. Consequently, restoring a ZA context
can place a task into an invalid state where TIF_SME is set but the
task's sve_state is NULL.
In legitimate but uncommon cases where the ZA signal context was NOT
created by the kernel in the context of the same task (e.g. if the task
is saved/restored with something like CRIU), we have no guarantee that
sve_state had been allocated previously. In these cases, userspace can
enter streaming mode without trapping while sve_state is NULL, causing a
later NULL pointer dereference when the kernel attempts to store the
register state:
| # ./sigreturn-za
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
| Mem abort info:
| ESR = 0x0000000096000046
| EC = 0x25: DABT (current EL), IL = 32 bits
| SET = 0, FnV = 0
| EA = 0, S1PTW = 0
| FSC = 0x06: level 2 translation fault
| Data abort info:
| ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
| CM = 0, WnR = 1, TnD = 0, TagAccess = 0
| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00
| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000
| Internal error: Oops: 0000000096000046 [#1] SMP
| Modules linked in:
| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT
| Hardware name: linux,dummy-virt (DT)
| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
| pc : sve_save_state+0x4/0xf0
| lr : fpsimd_save_user_state+0xb0/0x1c0
| sp : ffff80008070bcc0
| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658
| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000
| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40
| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000
| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c
| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020
| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0
| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48
| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000
| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440
| Call trace:
| sve_save_state+0x4/0xf0 (P)
| fpsimd_thread_switch+0x48/0x198
| __switch_to+0x20/0x1c0
| __schedule+0x36c/0xce0
| schedule+0x34/0x11c
| exit_to_user_mode_loop+0x124/0x188
| el0_interrupt+0xc8/0xd8
| __el0_irq_handler_common+0x18/0x24
| el0t_64_irq_handler+0x10/0x1c
| el0t_64_irq+0x198/0x19c
| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)
| ---[ end trace 0000000000000000 ]---
Fix this by having restore_za_context() ensure that the task's sve_state
is allocated, matching what we do when taking an SME trap. Any live
SVE/SSVE state (which is restored earlier from a separate signal
context) must be preserved, and hence this is not zeroed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
39782210eb7e87634d96cacb6ece370bc59d74ba , < c5a5b150992ebab779c1ce54f54676786e47e94c
(git)
Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214 (git) Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 0af233d66eff90fb8f3e0fc09f2316bba0b72bb9 (git) Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 70f7f54566afc23f2c71bf1411af81f5d8009e0f (git) Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5a5b150992ebab779c1ce54f54676786e47e94c",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
},
{
"lessThan": "19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
},
{
"lessThan": "0af233d66eff90fb8f3e0fc09f2316bba0b72bb9",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
},
{
"lessThan": "70f7f54566afc23f2c71bf1411af81f5d8009e0f",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
},
{
"lessThan": "ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Allocate SSVE storage when restoring ZA\n\nThe code to restore a ZA context doesn\u0027t attempt to allocate the task\u0027s\nsve_state before setting TIF_SME. Consequently, restoring a ZA context\ncan place a task into an invalid state where TIF_SME is set but the\ntask\u0027s sve_state is NULL.\n\nIn legitimate but uncommon cases where the ZA signal context was NOT\ncreated by the kernel in the context of the same task (e.g. if the task\nis saved/restored with something like CRIU), we have no guarantee that\nsve_state had been allocated previously. In these cases, userspace can\nenter streaming mode without trapping while sve_state is NULL, causing a\nlater NULL pointer dereference when the kernel attempts to store the\nregister state:\n\n| # ./sigreturn-za\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n| Mem abort info:\n| ESR = 0x0000000096000046\n| EC = 0x25: DABT (current EL), IL = 32 bits\n| SET = 0, FnV = 0\n| EA = 0, S1PTW = 0\n| FSC = 0x06: level 2 translation fault\n| Data abort info:\n| ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n| CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00\n| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000\n| Internal error: Oops: 0000000096000046 [#1] SMP\n| Modules linked in:\n| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n| pc : sve_save_state+0x4/0xf0\n| lr : fpsimd_save_user_state+0xb0/0x1c0\n| sp : ffff80008070bcc0\n| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658\n| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000\n| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40\n| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000\n| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c\n| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020\n| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0\n| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48\n| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000\n| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440\n| Call trace:\n| sve_save_state+0x4/0xf0 (P)\n| fpsimd_thread_switch+0x48/0x198\n| __switch_to+0x20/0x1c0\n| __schedule+0x36c/0xce0\n| schedule+0x34/0x11c\n| exit_to_user_mode_loop+0x124/0x188\n| el0_interrupt+0xc8/0xd8\n| __el0_irq_handler_common+0x18/0x24\n| el0t_64_irq_handler+0x10/0x1c\n| el0t_64_irq+0x198/0x19c\n| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)\n| ---[ end trace 0000000000000000 ]---\n\nFix this by having restore_za_context() ensure that the task\u0027s sve_state\nis allocated, matching what we do when taking an SME trap. Any live\nSVE/SSVE state (which is restored earlier from a separate signal\ncontext) must be preserved, and hence this is not zeroed."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:15.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c"
},
{
"url": "https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214"
},
{
"url": "https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9"
},
{
"url": "https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f"
},
{
"url": "https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4"
}
],
"title": "arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23107",
"datePublished": "2026-02-04T16:08:27.755Z",
"dateReserved": "2026-01-13T15:37:45.967Z",
"dateUpdated": "2026-05-11T22:00:15.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23256 (GCVE-0-2026-23256)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-05-11 22:03
VLAI?
EPSS
Title
net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
In setup_nic_devices(), the initialization loop jumps to the label
setup_nic_dev_free on failure. The current cleanup loop while(i--)
skip the failing index i, causing a memory leak.
Fix this by changing the loop to iterate from the current index i
down to 0.
Compile tested only. Issue found using code review.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
846b46873eeb3baf40f7e6d8fe8f98aec95e7727 , < bd680e56e316be92c01568be98d85d7a6c9bd92c
(git)
Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727 , < 01fbca1e93ec3f39f76c31a8f9afa32ce00da48a (git) Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727 , < 71a56b89203ec7e5670d94a61a9b4ae617eca804 (git) Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727 , < 3bf519e39b51cb08a93c0599870b35a23db1031e (git) Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727 , < 52b19b3a22306fe452ec9e8ff96063f4bfb77b99 (git) Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727 , < 4640fa5ad5e1a0dbd1c2d22323b7d70a8107dcfd (git) Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727 , < 6cbba46934aefdfb5d171e0a95aec06c24f7ca30 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_vf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd680e56e316be92c01568be98d85d7a6c9bd92c",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "01fbca1e93ec3f39f76c31a8f9afa32ce00da48a",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "71a56b89203ec7e5670d94a61a9b4ae617eca804",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "3bf519e39b51cb08a93c0599870b35a23db1031e",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "52b19b3a22306fe452ec9e8ff96063f4bfb77b99",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "4640fa5ad5e1a0dbd1c2d22323b7d70a8107dcfd",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "6cbba46934aefdfb5d171e0a95aec06c24f7ca30",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_vf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup\n\nIn setup_nic_devices(), the initialization loop jumps to the label\nsetup_nic_dev_free on failure. The current cleanup loop while(i--)\nskip the failing index i, causing a memory leak.\n\nFix this by changing the loop to iterate from the current index i\ndown to 0.\n\nCompile tested only. Issue found using code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:20.564Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd680e56e316be92c01568be98d85d7a6c9bd92c"
},
{
"url": "https://git.kernel.org/stable/c/01fbca1e93ec3f39f76c31a8f9afa32ce00da48a"
},
{
"url": "https://git.kernel.org/stable/c/71a56b89203ec7e5670d94a61a9b4ae617eca804"
},
{
"url": "https://git.kernel.org/stable/c/3bf519e39b51cb08a93c0599870b35a23db1031e"
},
{
"url": "https://git.kernel.org/stable/c/52b19b3a22306fe452ec9e8ff96063f4bfb77b99"
},
{
"url": "https://git.kernel.org/stable/c/4640fa5ad5e1a0dbd1c2d22323b7d70a8107dcfd"
},
{
"url": "https://git.kernel.org/stable/c/6cbba46934aefdfb5d171e0a95aec06c24f7ca30"
}
],
"title": "net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23256",
"datePublished": "2026-03-18T17:41:02.964Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-05-11T22:03:20.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40082 (GCVE-0-2025-40082)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-23 16:01
VLAI?
EPSS
Title
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290
CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x5f0 mm/kasan/report.c:482
kasan_report+0xca/0x100 mm/kasan/report.c:595
hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738
vfs_listxattr+0xbe/0x140 fs/xattr.c:493
listxattr+0xee/0x190 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x143/0x360 fs/xattr.c:988
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0e9fae16d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000
</TASK>
Allocated by task 14290:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4333 [inline]
__kmalloc_noprof+0x219/0x540 mm/slub.c:4345
kmalloc_noprof include/linux/slab.h:909 [inline]
hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21
hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697
vfs_listxattr+0xbe/0x140 fs/xattr.c:493
listxattr+0xee/0x190 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x143/0x360 fs/xattr.c:988
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
When hfsplus_uni2asc is called from hfsplus_listxattr,
it actually passes in a struct hfsplus_attr_unistr*.
The size of the corresponding structure is different from that of hfsplus_unistr,
so the previous fix (94458781aee6) is insufficient.
The pointer on the unicode buffer is still going beyond the allocated memory.
This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and
hfsplus_uni2asc_str to process two unicode buffers,
struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.
When ustrlen value is bigger than the allocated memory size,
the ustrlen value is limited to an safe size.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ccf0ad56a779e6704c0b27f555dec847f50c7557 , < 343fe375a8dd6ee51a193a1c233b999f5ea4d479
(git)
Affected: 13604b1d7e7b125fb428cddbec6b8d92baad25d5 , < 782acde47e127c98a113726e2ff8024bd65c0454 (git) Affected: 291bb5d931c6f3cd7227b913302a17be21cf53b0 , < c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e (git) Affected: f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee , < 5b5228964619b180f366940505b77255b1a03929 (git) Affected: 94458781aee6045bd3d0ad4b80b02886b9e2219b , < 857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e (git) Affected: 94458781aee6045bd3d0ad4b80b02886b9e2219b , < bea3e1d4467bcf292c8e54f080353d556d355e26 (git) Affected: 73f7da507d787b489761a0fa280716f84fa32b2f (git) Affected: 76a4c6636a69d69409aa253b049b1be717a539c5 (git) Affected: 6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9 (git) Affected: 1ca69007e52a73bd8b84b988b61b319816ca8b01 (git) Affected: 5.15.190 , < 5.15.200 (semver) Affected: 6.1.149 , < 6.1.163 (semver) Affected: 6.6.103 , < 6.6.124 (semver) Affected: 6.12.43 , < 6.12.70 (semver) Affected: 5.4.297 , < 5.5 (semver) Affected: 5.10.241 , < 5.11 (semver) Affected: 6.15.11 , < 6.16 (semver) Affected: 6.16.2 , < 6.17 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/dir.c",
"fs/hfsplus/hfsplus_fs.h",
"fs/hfsplus/unicode.c",
"fs/hfsplus/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "343fe375a8dd6ee51a193a1c233b999f5ea4d479",
"status": "affected",
"version": "ccf0ad56a779e6704c0b27f555dec847f50c7557",
"versionType": "git"
},
{
"lessThan": "782acde47e127c98a113726e2ff8024bd65c0454",
"status": "affected",
"version": "13604b1d7e7b125fb428cddbec6b8d92baad25d5",
"versionType": "git"
},
{
"lessThan": "c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e",
"status": "affected",
"version": "291bb5d931c6f3cd7227b913302a17be21cf53b0",
"versionType": "git"
},
{
"lessThan": "5b5228964619b180f366940505b77255b1a03929",
"status": "affected",
"version": "f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee",
"versionType": "git"
},
{
"lessThan": "857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e",
"status": "affected",
"version": "94458781aee6045bd3d0ad4b80b02886b9e2219b",
"versionType": "git"
},
{
"lessThan": "bea3e1d4467bcf292c8e54f080353d556d355e26",
"status": "affected",
"version": "94458781aee6045bd3d0ad4b80b02886b9e2219b",
"versionType": "git"
},
{
"status": "affected",
"version": "73f7da507d787b489761a0fa280716f84fa32b2f",
"versionType": "git"
},
{
"status": "affected",
"version": "76a4c6636a69d69409aa253b049b1be717a539c5",
"versionType": "git"
},
{
"status": "affected",
"version": "6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9",
"versionType": "git"
},
{
"status": "affected",
"version": "1ca69007e52a73bd8b84b988b61b319816ca8b01",
"versionType": "git"
},
{
"lessThan": "5.15.200",
"status": "affected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThan": "6.1.163",
"status": "affected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThan": "6.12.70",
"status": "affected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThan": "6.17",
"status": "affected",
"version": "6.16.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/dir.c",
"fs/hfsplus/hfsplus_fs.h",
"fs/hfsplus/unicode.c",
"fs/hfsplus/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nBUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\nRead of size 2 at addr ffff8880289ef218 by task syz.6.248/14290\n\nCPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x5f0 mm/kasan/report.c:482\n kasan_report+0xca/0x100 mm/kasan/report.c:595\n hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\n hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe0e9fae16d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3\nRAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000\nRBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000\n \u003c/TASK\u003e\n\nAllocated by task 14290:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4333 [inline]\n __kmalloc_noprof+0x219/0x540 mm/slub.c:4345\n kmalloc_noprof include/linux/slab.h:909 [inline]\n hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21\n hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWhen hfsplus_uni2asc is called from hfsplus_listxattr,\nit actually passes in a struct hfsplus_attr_unistr*.\nThe size of the corresponding structure is different from that of hfsplus_unistr,\nso the previous fix (94458781aee6) is insufficient.\nThe pointer on the unicode buffer is still going beyond the allocated memory.\n\nThis patch introduces two warpper functions hfsplus_uni2asc_xattr_str and\nhfsplus_uni2asc_str to process two unicode buffers,\nstruct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.\nWhen ustrlen value is bigger than the allocated memory size,\nthe ustrlen value is limited to an safe size."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:01:23.267Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/343fe375a8dd6ee51a193a1c233b999f5ea4d479"
},
{
"url": "https://git.kernel.org/stable/c/782acde47e127c98a113726e2ff8024bd65c0454"
},
{
"url": "https://git.kernel.org/stable/c/c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e"
},
{
"url": "https://git.kernel.org/stable/c/5b5228964619b180f366940505b77255b1a03929"
},
{
"url": "https://git.kernel.org/stable/c/857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e"
},
{
"url": "https://git.kernel.org/stable/c/bea3e1d4467bcf292c8e54f080353d556d355e26"
}
],
"title": "hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40082",
"datePublished": "2025-10-28T11:48:45.975Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2026-05-23T16:01:23.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23110 (GCVE-0-2026-23110)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
scsi: core: Wake up the error handler when final completions race against each other
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Wake up the error handler when final completions race against each other
The fragile ordering between marking commands completed or failed so
that the error handler only wakes when the last running command
completes or times out has race conditions. These race conditions can
cause the SCSI layer to fail to wake the error handler, leaving I/O
through the SCSI host stuck as the error state cannot advance.
First, there is an memory ordering issue within scsi_dec_host_busy().
The write which clears SCMD_STATE_INFLIGHT may be reordered with reads
counting in scsi_host_busy(). While the local CPU will see its own
write, reordering can allow other CPUs in scsi_dec_host_busy() or
scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to
see a host busy equal to the host_failed count.
This race condition can be prevented with a memory barrier on the error
path to force the write to be visible before counting host busy
commands.
Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By
counting busy commands before incrementing host_failed, it can race with a
final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does
not see host_failed incremented but scsi_eh_inc_host_failed() counts busy
commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),
resulting in neither waking the error handler task.
This needs the call to scsi_host_busy() to be moved after host_failed is
incremented to close the race condition.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < cc872e35c0df80062abc71268d690a2f749e542e
(git)
Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < 6d9a367be356101963c249ebf10ea10b32886607 (git) Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < 9fdc6f28d5e81350ab1d2cac8389062bd09e61e1 (git) Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < 64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0 (git) Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < 219f009ebfd1ef3970888ee9eef4c8a06357f862 (git) Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < fe2f8ad6f0999db3b318359a01ee0108c703a8c3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:51.689524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:06.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/scsi_error.c",
"drivers/scsi/scsi_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc872e35c0df80062abc71268d690a2f749e542e",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "6d9a367be356101963c249ebf10ea10b32886607",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "9fdc6f28d5e81350ab1d2cac8389062bd09e61e1",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "219f009ebfd1ef3970888ee9eef4c8a06357f862",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "fe2f8ad6f0999db3b318359a01ee0108c703a8c3",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/scsi_error.c",
"drivers/scsi/scsi_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Wake up the error handler when final completions race against each other\n\nThe fragile ordering between marking commands completed or failed so\nthat the error handler only wakes when the last running command\ncompletes or times out has race conditions. These race conditions can\ncause the SCSI layer to fail to wake the error handler, leaving I/O\nthrough the SCSI host stuck as the error state cannot advance.\n\nFirst, there is an memory ordering issue within scsi_dec_host_busy().\nThe write which clears SCMD_STATE_INFLIGHT may be reordered with reads\ncounting in scsi_host_busy(). While the local CPU will see its own\nwrite, reordering can allow other CPUs in scsi_dec_host_busy() or\nscsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to\nsee a host busy equal to the host_failed count.\n\nThis race condition can be prevented with a memory barrier on the error\npath to force the write to be visible before counting host busy\ncommands.\n\nSecond, there is a general ordering issue with scsi_eh_inc_host_failed(). By\ncounting busy commands before incrementing host_failed, it can race with a\nfinal command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does\nnot see host_failed incremented but scsi_eh_inc_host_failed() counts busy\ncommands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),\nresulting in neither waking the error handler task.\n\nThis needs the call to scsi_host_busy() to be moved after host_failed is\nincremented to close the race condition."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:19.004Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc872e35c0df80062abc71268d690a2f749e542e"
},
{
"url": "https://git.kernel.org/stable/c/6d9a367be356101963c249ebf10ea10b32886607"
},
{
"url": "https://git.kernel.org/stable/c/9fdc6f28d5e81350ab1d2cac8389062bd09e61e1"
},
{
"url": "https://git.kernel.org/stable/c/64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0"
},
{
"url": "https://git.kernel.org/stable/c/219f009ebfd1ef3970888ee9eef4c8a06357f862"
},
{
"url": "https://git.kernel.org/stable/c/fe2f8ad6f0999db3b318359a01ee0108c703a8c3"
}
],
"title": "scsi: core: Wake up the error handler when final completions race against each other",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23110",
"datePublished": "2026-02-04T16:08:30.158Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-06-11T18:44:06.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22999 (GCVE-0-2026-22999)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-06-16 20:36
VLAI?
EPSS
Title
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Fixes qfq_change_class() error case.
cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
462dbc9101acd38e92eda93c0726857517a24bbd , < 2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e
(git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < cff6cd703f41d8071995956142729e4bba160363 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < f06f7635499bc806cbe2bbc8805c7cef8b1edddf (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 0a234660dc70ce45d771cbc76b20d925b73ec160 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 362e269bb03f7076ba9990e518aeddb898232e50 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < e9d8f11652fa08c647bf7bba7dd8163241a332cd (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:35:55.025194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:36:05.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "cff6cd703f41d8071995956142729e4bba160363",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "f06f7635499bc806cbe2bbc8805c7cef8b1edddf",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "0a234660dc70ce45d771cbc76b20d925b73ec160",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "362e269bb03f7076ba9990e518aeddb898232e50",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "e9d8f11652fa08c647bf7bba7dd8163241a332cd",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "3879cffd9d07aa0377c4b8835c4f64b4fb24ac78",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: do not free existing class in qfq_change_class()\n\nFixes qfq_change_class() error case.\n\ncl-\u003eqdisc and cl should only be freed if a new class and qdisc\nwere allocated, or we risk various UAF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:02.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e"
},
{
"url": "https://git.kernel.org/stable/c/cff6cd703f41d8071995956142729e4bba160363"
},
{
"url": "https://git.kernel.org/stable/c/f06f7635499bc806cbe2bbc8805c7cef8b1edddf"
},
{
"url": "https://git.kernel.org/stable/c/0a234660dc70ce45d771cbc76b20d925b73ec160"
},
{
"url": "https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50"
},
{
"url": "https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd"
},
{
"url": "https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78"
}
],
"title": "net/sched: sch_qfq: do not free existing class in qfq_change_class()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22999",
"datePublished": "2026-01-25T14:36:13.909Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-06-16T20:36:05.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22022 (GCVE-0-2025-22022)
Vulnerability from cvelistv5 – Published: 2025-04-16 10:23 – Updated: 2026-05-23 15:57
VLAI?
EPSS
Title
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Two clearly different specimens of NEC uPD720200 (one with start/stop
bug, one without) were seen to cause IOMMU faults after some Missed
Service Errors. Faulting address is immediately after a transfer ring
segment and patched dynamic debug messages revealed that the MSE was
received when waiting for a TD near the end of that segment:
[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0
[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]
[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]
It gets even funnier if the next page is a ring segment accessible to
the HC. Below, it reports MSE in segment at ff1e8000, plows through a
zero-filled page at ff1e9000 and starts reporting events for TRBs in
page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.
[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.
[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
At some point completion events change from Isoch Buffer Overrun to
Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.
[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2
It's possible that data from the isochronous device were written to
random buffers of pending TDs on other endpoints (either IN or OUT),
other devices or even other HCs in the same IOMMU domain.
Lastly, an error from a different USB device on another HC. Was it
caused by the above? I don't know, but it may have been. The disk
was working without any other issues and generated PCIe traffic to
starve the NEC of upstream BW and trigger those MSEs. The two HCs
shared one x1 slot by means of a commercial "PCIe splitter" board.
[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd
[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00
[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0
Fortunately, it appears that this ridiculous bug is avoided by setting
the chain bit of Link TRBs on isochronous rings. Other ancient HCs are
known which also expect the bit to be set and they ignore Link TRBs if
it's not. Reportedly, 0.95 spec guaranteed that the bit is set.
The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports
tens of MSEs per second and runs into the bug within seconds. Chaining
Link TRBs allows the same workload to run for many minutes, many times.
No ne
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7e393a834b41001174a8fb3ae3bc23a749467760 , < abf2df229b6a9172cc1827749c1a446d28e00a2e
(git)
Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 8b586de6f03c850ff48d42e539b4708d1f3f8f1a (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 1143f790a6316201dc8f067eba4c94ea97ecb6ca (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < dbf427663ce272070d3004b5fca63a4a537d781c (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < a4931d9fb99eb5462f3eaa231999d279c40afb21 (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 43a18225150ce874d23b37761c302a5dffee1595 (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 061a1683bae6ef56ab8fa392725ba7495515cd1d (git) Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < bb0ba4cb1065e87f9cc75db1fa454e56d0894d01 (git) Affected: 5c7a6982e976b381595c9d4ee8e8c94564a40aec (git) Affected: f12ea4a8ca7009fa2d54794c3fcb8e638453bcff (git) Affected: 3.0.9 , < 3.1 (semver) Affected: 3.1.1 , < 3.2 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abf2df229b6a9172cc1827749c1a446d28e00a2e",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "8b586de6f03c850ff48d42e539b4708d1f3f8f1a",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "1143f790a6316201dc8f067eba4c94ea97ecb6ca",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "dbf427663ce272070d3004b5fca63a4a537d781c",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "a4931d9fb99eb5462f3eaa231999d279c40afb21",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "43a18225150ce874d23b37761c302a5dffee1595",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "061a1683bae6ef56ab8fa392725ba7495515cd1d",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "bb0ba4cb1065e87f9cc75db1fa454e56d0894d01",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"status": "affected",
"version": "5c7a6982e976b381595c9d4ee8e8c94564a40aec",
"versionType": "git"
},
{
"status": "affected",
"version": "f12ea4a8ca7009fa2d54794c3fcb8e638453bcff",
"versionType": "git"
},
{
"lessThan": "3.1",
"status": "affected",
"version": "3.0.9",
"versionType": "semver"
},
{
"lessThan": "3.2",
"status": "affected",
"version": "3.1.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.22",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.10",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.1",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt\u0027s possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don\u0027t know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. The two HCs\nshared one x1 slot by means of a commercial \"PCIe splitter\" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit\u0027s not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:57:36.993Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abf2df229b6a9172cc1827749c1a446d28e00a2e"
},
{
"url": "https://git.kernel.org/stable/c/8b586de6f03c850ff48d42e539b4708d1f3f8f1a"
},
{
"url": "https://git.kernel.org/stable/c/1143f790a6316201dc8f067eba4c94ea97ecb6ca"
},
{
"url": "https://git.kernel.org/stable/c/dbf427663ce272070d3004b5fca63a4a537d781c"
},
{
"url": "https://git.kernel.org/stable/c/a4931d9fb99eb5462f3eaa231999d279c40afb21"
},
{
"url": "https://git.kernel.org/stable/c/43a18225150ce874d23b37761c302a5dffee1595"
},
{
"url": "https://git.kernel.org/stable/c/061a1683bae6ef56ab8fa392725ba7495515cd1d"
},
{
"url": "https://git.kernel.org/stable/c/bb0ba4cb1065e87f9cc75db1fa454e56d0894d01"
}
],
"title": "usb: xhci: Apply the link chain quirk on NEC isoc endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22022",
"datePublished": "2025-04-16T10:23:27.423Z",
"dateReserved": "2024-12-29T08:45:45.807Z",
"dateUpdated": "2026-05-23T15:57:36.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68815 (GCVE-0-2025-68815)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
net/sched: ets: Remove drr class from the active list if it changes to strict
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Remove drr class from the active list if it changes to strict
Whenever a user issues an ets qdisc change command, transforming a
drr class into a strict one, the ets code isn't checking whether that
class was in the active list and removing it. This means that, if a
user changes a strict class (which was in the active list) back to a drr
one, that class will be added twice to the active list [1].
Doing so with the following commands:
tc qdisc add dev lo root handle 1: ets bands 2 strict 1
tc qdisc add dev lo parent 1:2 handle 20: \
tbf rate 8bit burst 100b latency 1s
tc filter add dev lo parent 1: basic classid 1:2
ping -c1 -W0.01 -s 56 127.0.0.1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2
tc qdisc change dev lo root handle 1: ets bands 2 strict 1
ping -c1 -W0.01 -s 56 127.0.0.1
Will trigger the following splat with list debug turned on:
[ 59.279014][ T365] ------------[ cut here ]------------
[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.
[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220
[ 59.280860][ T365] Modules linked in:
[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)
[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220
[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44
...
[ 59.288812][ T365] Call Trace:
[ 59.289056][ T365] <TASK>
[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80
[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0
[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10
[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240
[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10
[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110
[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0
Fix this by always checking and removing an ets class from the active list
when changing it to strict.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f517335a61ff8037b18ba1b0a002c1f82926a934 , < 58fdce6bc005e964f1dbc3ca716f5fe0f68839a2
(git)
Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87 (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 8067db5c95aab9461d23117679338cd8869831fa (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 2f125ebe47d6369e562f3cbd9b6227cff51eaf34 (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < cca2ed931b734fe48139bc6f020e47367346630f (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 43d9a530c8c094d137159784e7c951c65f11ec6c (git) Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < b1e125ae425aba9b45252e933ca8df52a843ec70 (git) Affected: d05330672afe2e142ba97e63bd7c1faef76781bb (git) Affected: 5.10.62 , < 5.10.248 (semver) Affected: 5.13.14 , < 5.14 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58fdce6bc005e964f1dbc3ca716f5fe0f68839a2",
"status": "affected",
"version": "f517335a61ff8037b18ba1b0a002c1f82926a934",
"versionType": "git"
},
{
"lessThan": "02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "8067db5c95aab9461d23117679338cd8869831fa",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "2f125ebe47d6369e562f3cbd9b6227cff51eaf34",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "cca2ed931b734fe48139bc6f020e47367346630f",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "43d9a530c8c094d137159784e7c951c65f11ec6c",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "b1e125ae425aba9b45252e933ca8df52a843ec70",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"status": "affected",
"version": "d05330672afe2e142ba97e63bd7c1faef76781bb",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.62",
"versionType": "semver"
},
{
"lessThan": "5.14",
"status": "affected",
"version": "5.13.14",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Remove drr class from the active list if it changes to strict\n\nWhenever a user issues an ets qdisc change command, transforming a\ndrr class into a strict one, the ets code isn\u0027t checking whether that\nclass was in the active list and removing it. This means that, if a\nuser changes a strict class (which was in the active list) back to a drr\none, that class will be added twice to the active list [1].\n\nDoing so with the following commands:\n\ntc qdisc add dev lo root handle 1: ets bands 2 strict 1\ntc qdisc add dev lo parent 1:2 handle 20: \\\n tbf rate 8bit burst 100b latency 1s\ntc filter add dev lo parent 1: basic classid 1:2\nping -c1 -W0.01 -s 56 127.0.0.1\ntc qdisc change dev lo root handle 1: ets bands 2 strict 2\ntc qdisc change dev lo root handle 1: ets bands 2 strict 1\nping -c1 -W0.01 -s 56 127.0.0.1\n\nWill trigger the following splat with list debug turned on:\n\n[ 59.279014][ T365] ------------[ cut here ]------------\n[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.\n[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220\n[ 59.280860][ T365] Modules linked in:\n[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)\n[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220\n[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 \u003c0f\u003e 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44\n...\n[ 59.288812][ T365] Call Trace:\n[ 59.289056][ T365] \u003cTASK\u003e\n[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80\n[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0\n[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10\n[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240\n[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10\n[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110\n[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0\n\nFix this by always checking and removing an ets class from the active list\nwhen changing it to strict.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:56.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2"
},
{
"url": "https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87"
},
{
"url": "https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa"
},
{
"url": "https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34"
},
{
"url": "https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f"
},
{
"url": "https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c"
},
{
"url": "https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70"
}
],
"title": "net/sched: ets: Remove drr class from the active list if it changes to strict",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68815",
"datePublished": "2026-01-13T15:29:19.789Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-05-23T16:02:56.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68374 (GCVE-0-2025-68374)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
md: fix rcu protection in md_wakeup_thread
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: fix rcu protection in md_wakeup_thread
We attempted to use RCU to protect the pointer 'thread', but directly
passed the value when calling md_wakeup_thread(). This means that the
RCU pointer has been acquired before rcu_read_lock(), which renders
rcu_read_lock() ineffective and could lead to a use-after-free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4469315439827290923fce4f3f672599cabeb366 , < 21989cb5034c835b212385a2afadf279d8069da0
(git)
Affected: 4469315439827290923fce4f3f672599cabeb366 , < a4bd1caf591faeae44cb10b6517e7dacb5139bda (git) Affected: 4469315439827290923fce4f3f672599cabeb366 , < f98b191f78124405294481dea85f8a22a3eb0a59 (git) Affected: 4469315439827290923fce4f3f672599cabeb366 , < 0dc76205549b4c25705e54345f211b9f66e018a0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21989cb5034c835b212385a2afadf279d8069da0",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "a4bd1caf591faeae44cb10b6517e7dacb5139bda",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "f98b191f78124405294481dea85f8a22a3eb0a59",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "0dc76205549b4c25705e54345f211b9f66e018a0",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix rcu protection in md_wakeup_thread\n\nWe attempted to use RCU to protect the pointer \u0027thread\u0027, but directly\npassed the value when calling md_wakeup_thread(). This means that the\nRCU pointer has been acquired before rcu_read_lock(), which renders\nrcu_read_lock() ineffective and could lead to a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:58.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21989cb5034c835b212385a2afadf279d8069da0"
},
{
"url": "https://git.kernel.org/stable/c/a4bd1caf591faeae44cb10b6517e7dacb5139bda"
},
{
"url": "https://git.kernel.org/stable/c/f98b191f78124405294481dea85f8a22a3eb0a59"
},
{
"url": "https://git.kernel.org/stable/c/0dc76205549b4c25705e54345f211b9f66e018a0"
}
],
"title": "md: fix rcu protection in md_wakeup_thread",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68374",
"datePublished": "2025-12-24T10:33:04.046Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-05-11T21:51:58.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23001 (GCVE-0-2026-23001)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-06-16 20:17
VLAI?
EPSS
Title
macvlan: fix possible UAF in macvlan_forward_source()
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix possible UAF in macvlan_forward_source()
Add RCU protection on (struct macvlan_source_entry)->vlan.
Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.
This allows macvlan_forward_source() to skip over
entries queued for freeing.
Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).
https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 8133e85b8a3ec9f10d861e0002ec6037256e987e
(git)
Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 484919832e2db6ce1e8add92c469e5d459a516b5 (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 232afc74a6dde0fe1830988e5827921f5ec9bb3f (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 15f6faf36e162532bec5cc05eb3fc622108bf2ed (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 8518712a2ca952d6da2238c6f0a16b4ae5ea3f13 (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 6dbead9c7677186f22b7981dd085a0feec1f038e (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 7470a7a63dc162f07c26dbf960e41ee1e248d80e (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:17:12.456069Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:17:28.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8133e85b8a3ec9f10d861e0002ec6037256e987e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "484919832e2db6ce1e8add92c469e5d459a516b5",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "232afc74a6dde0fe1830988e5827921f5ec9bb3f",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "15f6faf36e162532bec5cc05eb3fc622108bf2ed",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "8518712a2ca952d6da2238c6f0a16b4ae5ea3f13",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "6dbead9c7677186f22b7981dd085a0feec1f038e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "7470a7a63dc162f07c26dbf960e41ee1e248d80e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix possible UAF in macvlan_forward_source()\n\nAdd RCU protection on (struct macvlan_source_entry)-\u003evlan.\n\nWhenever macvlan_hash_del_source() is called, we must clear\nentry-\u003evlan pointer before RCU grace period starts.\n\nThis allows macvlan_forward_source() to skip over\nentries queued for freeing.\n\nNote that macvlan_dev are already RCU protected, as they\nare embedded in a standard netdev (netdev_priv(ndev)).\n\nhttps: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:05.192Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8133e85b8a3ec9f10d861e0002ec6037256e987e"
},
{
"url": "https://git.kernel.org/stable/c/484919832e2db6ce1e8add92c469e5d459a516b5"
},
{
"url": "https://git.kernel.org/stable/c/232afc74a6dde0fe1830988e5827921f5ec9bb3f"
},
{
"url": "https://git.kernel.org/stable/c/15f6faf36e162532bec5cc05eb3fc622108bf2ed"
},
{
"url": "https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13"
},
{
"url": "https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e"
},
{
"url": "https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e"
}
],
"title": "macvlan: fix possible UAF in macvlan_forward_source()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23001",
"datePublished": "2026-01-25T14:36:15.790Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-06-16T20:17:28.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71107 (GCVE-0-2025-71107)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
f2fs: ensure node page reads complete before f2fs_put_super() finishes
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: ensure node page reads complete before f2fs_put_super() finishes
Xfstests generic/335, generic/336 sometimes crash with the following message:
F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1
------------[ cut here ]------------
kernel BUG at fs/f2fs/super.c:1939!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:f2fs_put_super+0x3b3/0x3c0
Call Trace:
<TASK>
generic_shutdown_super+0x7e/0x190
kill_block_super+0x1a/0x40
kill_f2fs_super+0x9d/0x190
deactivate_locked_super+0x30/0xb0
cleanup_mnt+0xba/0x150
task_work_run+0x5c/0xa0
exit_to_user_mode_loop+0xb7/0xc0
do_syscall_64+0x1ae/0x1c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
---[ end trace 0000000000000000 ]---
It appears that sometimes it is possible that f2fs_put_super() is called before
all node page reads are completed.
Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
20872584b8c0b006c007da9588a272c9e28d2e18 , < c3031cf2b61f1508662fc95ef9ad505cb0882a5f
(git)
Affected: 20872584b8c0b006c007da9588a272c9e28d2e18 , < 3b15d5f12935e9e25f9a571e680716bc9ee61025 (git) Affected: 20872584b8c0b006c007da9588a272c9e28d2e18 , < 0b36fae23621a09e772c8adf918b9011158f8511 (git) Affected: 20872584b8c0b006c007da9588a272c9e28d2e18 , < 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 (git) Affected: 0e2577074b459bba7f4016f4d725ede37d48bb22 (git) Affected: 6.4.16 , < 6.5 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3031cf2b61f1508662fc95ef9ad505cb0882a5f",
"status": "affected",
"version": "20872584b8c0b006c007da9588a272c9e28d2e18",
"versionType": "git"
},
{
"lessThan": "3b15d5f12935e9e25f9a571e680716bc9ee61025",
"status": "affected",
"version": "20872584b8c0b006c007da9588a272c9e28d2e18",
"versionType": "git"
},
{
"lessThan": "0b36fae23621a09e772c8adf918b9011158f8511",
"status": "affected",
"version": "20872584b8c0b006c007da9588a272c9e28d2e18",
"versionType": "git"
},
{
"lessThan": "297baa4aa263ff8f5b3d246ee16a660d76aa82c4",
"status": "affected",
"version": "20872584b8c0b006c007da9588a272c9e28d2e18",
"versionType": "git"
},
{
"status": "affected",
"version": "0e2577074b459bba7f4016f4d725ede37d48bb22",
"versionType": "git"
},
{
"lessThan": "6.5",
"status": "affected",
"version": "6.4.16",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: ensure node page reads complete before f2fs_put_super() finishes\n\nXfstests generic/335, generic/336 sometimes crash with the following message:\n\nF2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/super.c:1939!\nOops: invalid opcode: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:f2fs_put_super+0x3b3/0x3c0\nCall Trace:\n \u003cTASK\u003e\n generic_shutdown_super+0x7e/0x190\n kill_block_super+0x1a/0x40\n kill_f2fs_super+0x9d/0x190\n deactivate_locked_super+0x30/0xb0\n cleanup_mnt+0xba/0x150\n task_work_run+0x5c/0xa0\n exit_to_user_mode_loop+0xb7/0xc0\n do_syscall_64+0x1ae/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n---[ end trace 0000000000000000 ]---\n\nIt appears that sometimes it is possible that f2fs_put_super() is called before\nall node page reads are completed.\nAdding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:12.935Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f"
},
{
"url": "https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025"
},
{
"url": "https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511"
},
{
"url": "https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4"
}
],
"title": "f2fs: ensure node page reads complete before f2fs_put_super() finishes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71107",
"datePublished": "2026-01-14T15:05:55.878Z",
"dateReserved": "2026-01-13T15:30:19.652Z",
"dateUpdated": "2026-05-23T16:03:12.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23209 (GCVE-0-2026-23209)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-06-16 20:31
VLAI?
EPSS
Title
macvlan: fix error recovery in macvlan_common_newlink()
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix error recovery in macvlan_common_newlink()
valis provided a nice repro to crash the kernel:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
ping -c1 -I p1 1.2.3.4
He also gave a very detailed analysis:
<quote valis>
The issue is triggered when a new macvlan link is created with
MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
port and register_netdevice() called from macvlan_common_newlink()
fails (e.g. because of the invalid link name).
In this case macvlan_hash_add_source is called from
macvlan_change_sources() / macvlan_common_newlink():
This adds a reference to vlan to the port's vlan_source_hash using
macvlan_source_entry.
vlan is a pointer to the priv data of the link that is being created.
When register_netdevice() fails, the error is returned from
macvlan_newlink() to rtnl_newlink_create():
if (ops->newlink)
err = ops->newlink(dev, ¶ms, extack);
else
err = register_netdevice(dev);
if (err < 0) {
free_netdev(dev);
goto out;
}
and free_netdev() is called, causing a kvfree() on the struct
net_device that is still referenced in the source entry attached to
the lower device's macvlan port.
Now all packets sent on the macvlan port with a matching source mac
address will trigger a use-after-free in macvlan_forward_source().
</quote valis>
With all that, my fix is to make sure we call macvlan_flush_sources()
regardless of @create value whenever "goto destroy_macvlan_port;"
path is taken.
Many thanks to valis for following up on this issue.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
aa5fd0fb77486b8a6764ead8627baa14790e4280 , < da5c6b8ae47e414be47e5e04def15b25d5c962dc
(git)
Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < c43d0e787cbba569ec9d11579ed370b50fab6c9c (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 11ba9f0dc865136174cb98834280fb21bbc950c7 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 986967a162142710076782d5b93daab93a892980 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < f8db6475a83649689c087a8f52486fcc53e627e9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:31:00.910619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:31:11.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "11ba9f0dc865136174cb98834280fb21bbc950c7",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "986967a162142710076782d5b93daab93a892980",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "f8db6475a83649689c087a8f52486fcc53e627e9",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix error recovery in macvlan_common_newlink()\n\nvalis provided a nice repro to crash the kernel:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\n\nip link add mv0 link p2 type macvlan mode source\nip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20\n\nping -c1 -I p1 1.2.3.4\n\nHe also gave a very detailed analysis:\n\n\u003cquote valis\u003e\n\nThe issue is triggered when a new macvlan link is created with\nMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or\nMACVLAN_MACADDR_SET) parameter, lower device already has a macvlan\nport and register_netdevice() called from macvlan_common_newlink()\nfails (e.g. because of the invalid link name).\n\nIn this case macvlan_hash_add_source is called from\nmacvlan_change_sources() / macvlan_common_newlink():\n\nThis adds a reference to vlan to the port\u0027s vlan_source_hash using\nmacvlan_source_entry.\n\nvlan is a pointer to the priv data of the link that is being created.\n\nWhen register_netdevice() fails, the error is returned from\nmacvlan_newlink() to rtnl_newlink_create():\n\n if (ops-\u003enewlink)\n err = ops-\u003enewlink(dev, \u0026params, extack);\n else\n err = register_netdevice(dev);\n if (err \u003c 0) {\n free_netdev(dev);\n goto out;\n }\n\nand free_netdev() is called, causing a kvfree() on the struct\nnet_device that is still referenced in the source entry attached to\nthe lower device\u0027s macvlan port.\n\nNow all packets sent on the macvlan port with a matching source mac\naddress will trigger a use-after-free in macvlan_forward_source().\n\n\u003c/quote valis\u003e\n\nWith all that, my fix is to make sure we call macvlan_flush_sources()\nregardless of @create value whenever \"goto destroy_macvlan_port;\"\npath is taken.\n\nMany thanks to valis for following up on this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:25.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da5c6b8ae47e414be47e5e04def15b25d5c962dc"
},
{
"url": "https://git.kernel.org/stable/c/5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a"
},
{
"url": "https://git.kernel.org/stable/c/c43d0e787cbba569ec9d11579ed370b50fab6c9c"
},
{
"url": "https://git.kernel.org/stable/c/11ba9f0dc865136174cb98834280fb21bbc950c7"
},
{
"url": "https://git.kernel.org/stable/c/986967a162142710076782d5b93daab93a892980"
},
{
"url": "https://git.kernel.org/stable/c/cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66"
},
{
"url": "https://git.kernel.org/stable/c/f8db6475a83649689c087a8f52486fcc53e627e9"
}
],
"title": "macvlan: fix error recovery in macvlan_common_newlink()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23209",
"datePublished": "2026-02-14T16:27:31.175Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-06-16T20:31:11.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68354 (GCVE-0-2025-68354)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
regulator_supply_alias_list was accessed without any locking in
regulator_supply_alias(), regulator_register_supply_alias(), and
regulator_unregister_supply_alias(). Concurrent registration,
unregistration and lookups can race, leading to:
1 use-after-free if an alias entry is removed while being read,
2 duplicate entries when two threads register the same alias,
3 inconsistent alias mappings observed by consumers.
Protect all traversals, insertions and deletions on
regulator_supply_alias_list with the existing regulator_list_mutex.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a06ccd9c3785fa5550917ae036944f4e080b5749 , < e1587064137028e7edcca14fb766b68d27bec94b
(git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 9d041a7ba13f21adfac052eb3fda1df62f2166c1 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 09811a83b214cc15521e0d818e43ae9043e9a28d (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a9864d42ebcdd394ebb864643b961b36e7b515be (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 431a1d44ad4866362cc28fc1cc4ca93d84989239 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1587064137028e7edcca14fb766b68d27bec94b",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "9d041a7ba13f21adfac052eb3fda1df62f2166c1",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "09811a83b214cc15521e0d818e43ae9043e9a28d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a9864d42ebcdd394ebb864643b961b36e7b515be",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "431a1d44ad4866362cc28fc1cc4ca93d84989239",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Protect regulator_supply_alias_list with regulator_list_mutex\n\nregulator_supply_alias_list was accessed without any locking in\nregulator_supply_alias(), regulator_register_supply_alias(), and\nregulator_unregister_supply_alias(). Concurrent registration,\nunregistration and lookups can race, leading to:\n\n1 use-after-free if an alias entry is removed while being read,\n2 duplicate entries when two threads register the same alias,\n3 inconsistent alias mappings observed by consumers.\n\nProtect all traversals, insertions and deletions on\nregulator_supply_alias_list with the existing regulator_list_mutex."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:34.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1587064137028e7edcca14fb766b68d27bec94b"
},
{
"url": "https://git.kernel.org/stable/c/9d041a7ba13f21adfac052eb3fda1df62f2166c1"
},
{
"url": "https://git.kernel.org/stable/c/a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61"
},
{
"url": "https://git.kernel.org/stable/c/09811a83b214cc15521e0d818e43ae9043e9a28d"
},
{
"url": "https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be"
},
{
"url": "https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239"
},
{
"url": "https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf"
},
{
"url": "https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d"
}
],
"title": "regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68354",
"datePublished": "2025-12-24T10:32:44.840Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-05-11T21:51:34.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23047 (GCVE-0-2026-23047)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:00 – Updated: 2026-05-11 21:58
VLAI?
EPSS
Title
libceph: make calc_target() set t->paused, not just clear it
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make calc_target() set t->paused, not just clear it
Currently calc_target() clears t->paused if the request shouldn't be
paused anymore, but doesn't ever set t->paused even though it's able to
determine when the request should be paused. Setting t->paused is left
to __submit_request() which is fine for regular requests but doesn't
work for linger requests -- since __submit_request() doesn't operate
on linger requests, there is nowhere for lreq->t.paused to be set.
One consequence of this is that watches don't get reestablished on
paused -> unpaused transitions in cases where requests have been paused
long enough for the (paused) unwatch request to time out and for the
subsequent (re)watch request to enter the paused state. On top of the
watch not getting reestablished, rbd_reregister_watch() gets stuck with
rbd_dev->watch_mutex held:
rbd_register_watch
__rbd_register_watch
ceph_osdc_watch
linger_reg_commit_wait
It's waiting for lreq->reg_commit_wait to be completed, but for that to
happen the respective request needs to end up on need_resend_linger list
and be kicked when requests are unpaused. There is no chance for that
if the request in question is never marked paused in the first place.
The fact that rbd_dev->watch_mutex remains taken out forever then
prevents the image from getting unmapped -- "rbd unmap" would inevitably
hang in D state on an attempt to grab the mutex.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
922dab6134178cae317ae00de86376cba59f3147 , < 2b3329b3c29d9e188e40d902d5230c2d5989b940
(git)
Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 5d0dc83cb9a69c1d0bea58f1c430199b05f6b021 (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 4d3399c52e0e61720ae898f5a0b5b75d4460ae24 (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 4ebc711b738d139cabe2fc9e7e7749847676a342 (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 6f468f6ff233c6a81e0e761d9124e982903fe9a5 (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < 5647d42c47b535573b63e073e91164d6a5bb058c (git) Affected: 922dab6134178cae317ae00de86376cba59f3147 , < c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b3329b3c29d9e188e40d902d5230c2d5989b940",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "5d0dc83cb9a69c1d0bea58f1c430199b05f6b021",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "4d3399c52e0e61720ae898f5a0b5b75d4460ae24",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "4ebc711b738d139cabe2fc9e7e7749847676a342",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "6f468f6ff233c6a81e0e761d9124e982903fe9a5",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "5647d42c47b535573b63e073e91164d6a5bb058c",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make calc_target() set t-\u003epaused, not just clear it\n\nCurrently calc_target() clears t-\u003epaused if the request shouldn\u0027t be\npaused anymore, but doesn\u0027t ever set t-\u003epaused even though it\u0027s able to\ndetermine when the request should be paused. Setting t-\u003epaused is left\nto __submit_request() which is fine for regular requests but doesn\u0027t\nwork for linger requests -- since __submit_request() doesn\u0027t operate\non linger requests, there is nowhere for lreq-\u003et.paused to be set.\nOne consequence of this is that watches don\u0027t get reestablished on\npaused -\u003e unpaused transitions in cases where requests have been paused\nlong enough for the (paused) unwatch request to time out and for the\nsubsequent (re)watch request to enter the paused state. On top of the\nwatch not getting reestablished, rbd_reregister_watch() gets stuck with\nrbd_dev-\u003ewatch_mutex held:\n\n rbd_register_watch\n __rbd_register_watch\n ceph_osdc_watch\n linger_reg_commit_wait\n\nIt\u0027s waiting for lreq-\u003ereg_commit_wait to be completed, but for that to\nhappen the respective request needs to end up on need_resend_linger list\nand be kicked when requests are unpaused. There is no chance for that\nif the request in question is never marked paused in the first place.\n\nThe fact that rbd_dev-\u003ewatch_mutex remains taken out forever then\nprevents the image from getting unmapped -- \"rbd unmap\" would inevitably\nhang in D state on an attempt to grab the mutex."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:58.513Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940"
},
{
"url": "https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021"
},
{
"url": "https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24"
},
{
"url": "https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342"
},
{
"url": "https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5"
},
{
"url": "https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c"
},
{
"url": "https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176"
}
],
"title": "libceph: make calc_target() set t-\u003epaused, not just clear it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23047",
"datePublished": "2026-02-04T16:00:29.475Z",
"dateReserved": "2026-01-13T15:37:45.944Z",
"dateUpdated": "2026-05-11T21:58:58.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23011 (GCVE-0-2026-23011)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ipv4: ip_gre: make ipgre_header() robust
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: ip_gre: make ipgre_header() robust
Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
Over the years, syzbot found many ways to crash the kernel
in ipgre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ipgre device.
[1]
skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
kernel BUG at net/core/skbuff.c:213 !
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
Call Trace:
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c54419321455631079c7d6e60bc732dd0c5914c5 , < eeb9a521de40c6fadccc12fa5205e5a1b364d5a8
(git)
Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < 8d5b6b2d79c1c22a5b0db1187a6439dff375a022 (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < 2ecf0aa7cc262472a9599cc51ba02ada0897a17a (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < 06fe0801396a36cab865b34f666de1d65bc5ce8e (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < aa57bfea4674e6da8104fa3a37760a6f5f255dad (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < 554201ed0a8f4d32e719f42caeaeb2735a9ed6ca (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < e67c577d89894811ce4dcd1a9ed29d8b63476667 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23011",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:53.431859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:06.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eeb9a521de40c6fadccc12fa5205e5a1b364d5a8",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "8d5b6b2d79c1c22a5b0db1187a6439dff375a022",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "2ecf0aa7cc262472a9599cc51ba02ada0897a17a",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "06fe0801396a36cab865b34f666de1d65bc5ce8e",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "aa57bfea4674e6da8104fa3a37760a6f5f255dad",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "554201ed0a8f4d32e719f42caeaeb2735a9ed6ca",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "e67c577d89894811ce4dcd1a9ed29d8b63476667",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_gre: make ipgre_header() robust\n\nAnalog to commit db5b4e39c4e6 (\"ip6_gre: make ip6gre_header() robust\")\n\nOver the years, syzbot found many ways to crash the kernel\nin ipgre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ipgre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0\n kernel BUG at net/core/skbuff.c:213 !\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: mld mld_ifc_work\n RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213\nCall Trace:\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:16.754Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eeb9a521de40c6fadccc12fa5205e5a1b364d5a8"
},
{
"url": "https://git.kernel.org/stable/c/8d5b6b2d79c1c22a5b0db1187a6439dff375a022"
},
{
"url": "https://git.kernel.org/stable/c/2ecf0aa7cc262472a9599cc51ba02ada0897a17a"
},
{
"url": "https://git.kernel.org/stable/c/06fe0801396a36cab865b34f666de1d65bc5ce8e"
},
{
"url": "https://git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad"
},
{
"url": "https://git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca"
},
{
"url": "https://git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667"
}
],
"title": "ipv4: ip_gre: make ipgre_header() robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23011",
"datePublished": "2026-01-25T14:36:24.455Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-06-11T18:44:06.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23128 (GCVE-0-2026-23128)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
arm64: Set __nocfi on swsusp_arch_resume()
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: Set __nocfi on swsusp_arch_resume()
A DABT is reported[1] on an android based system when resume from hiberate.
This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()
and does not have a CFI hash, but swsusp_arch_resume() will attempt to
verify the CFI hash when calling a copy of swsusp_arch_suspend_exit().
Given that there's an existing requirement that the entrypoint to
swsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text
section, we cannot fix this by marking swsusp_arch_suspend_exit() with
SYM_FUNC_*(). The simplest fix for now is to disable the CFI check in
swsusp_arch_resume().
Mark swsusp_arch_resume() as __nocfi to disable the CFI check.
[1]
[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc
[ 22.991934][ T1] Mem abort info:
[ 22.991934][ T1] ESR = 0x0000000096000007
[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits
[ 22.991934][ T1] SET = 0, FnV = 0
[ 22.991934][ T1] EA = 0, S1PTW = 0
[ 22.991934][ T1] FSC = 0x07: level 3 translation fault
[ 22.991934][ T1] Data abort info:
[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper
[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
[ 22.991934][ T1] Dumping ftrace buffer:
[ 22.991934][ T1] (ftrace buffer empty)
[ 22.991934][ T1] Modules linked in:
[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419
[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT)
[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344
[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344
[ 22.991934][ T1] sp : ffffffc08006b960
[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000
[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820
[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000
[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058
[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004
[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000
[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000
[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b
[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530
[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000
[ 22.991934][ T1] Call trace:
[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344
[ 22.991934][ T1] hibernation_restore+0x158/0x18c
[ 22.991934][ T1] load_image_and_restore+0xb0/0xec
[ 22.991934][ T1] software_resume+0xf4/0x19c
[ 22.991934][ T1] software_resume_initcall+0x34/0x78
[ 22.991934][ T1] do_one_initcall+0xe8/0x370
[ 22.991934][ T1] do_initcall_level+0xc8/0x19c
[ 22.991934][ T1] do_initcalls+0x70/0xc0
[ 22.991934][ T1] do_basic_setup+0x1c/0x28
[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148
[ 22.991934][ T1] kernel_init+0x20/0x1a8
[ 22.991934][ T1] ret_from_fork+0x10/0x20
[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)
[catalin.marinas@arm.com: commit log updated by Mark Rutland]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
89245600941e4e0f87d77f60ee269b5e61ef4e49 , < 122b7cb80f7d468fcc2d18cf7eb320f09f310a96
(git)
Affected: 89245600941e4e0f87d77f60ee269b5e61ef4e49 , < 8557bdd9af8dd04911fba56ff92b17842b0b5c7f (git) Affected: 89245600941e4e0f87d77f60ee269b5e61ef4e49 , < 9773a886f26766a8db92d4b342b620a82c2de7dd (git) Affected: 89245600941e4e0f87d77f60ee269b5e61ef4e49 , < 6e32070d29d1a35d8f4b3c03babf6c0e5efd1d08 (git) Affected: 89245600941e4e0f87d77f60ee269b5e61ef4e49 , < e2f8216ca2d8e61a23cb6ec355616339667e0ba6 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:10.523806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:20.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/hibernate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "122b7cb80f7d468fcc2d18cf7eb320f09f310a96",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "8557bdd9af8dd04911fba56ff92b17842b0b5c7f",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "9773a886f26766a8db92d4b342b620a82c2de7dd",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "6e32070d29d1a35d8f4b3c03babf6c0e5efd1d08",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "e2f8216ca2d8e61a23cb6ec355616339667e0ba6",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/hibernate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Set __nocfi on swsusp_arch_resume()\n\nA DABT is reported[1] on an android based system when resume from hiberate.\nThis happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()\nand does not have a CFI hash, but swsusp_arch_resume() will attempt to\nverify the CFI hash when calling a copy of swsusp_arch_suspend_exit().\n\nGiven that there\u0027s an existing requirement that the entrypoint to\nswsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text\nsection, we cannot fix this by marking swsusp_arch_suspend_exit() with\nSYM_FUNC_*(). The simplest fix for now is to disable the CFI check in\nswsusp_arch_resume().\n\nMark swsusp_arch_resume() as __nocfi to disable the CFI check.\n\n[1]\n[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc\n[ 22.991934][ T1] Mem abort info:\n[ 22.991934][ T1] ESR = 0x0000000096000007\n[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 22.991934][ T1] SET = 0, FnV = 0\n[ 22.991934][ T1] EA = 0, S1PTW = 0\n[ 22.991934][ T1] FSC = 0x07: level 3 translation fault\n[ 22.991934][ T1] Data abort info:\n[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper\n[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP\n[ 22.991934][ T1] Dumping ftrace buffer:\n[ 22.991934][ T1] (ftrace buffer empty)\n[ 22.991934][ T1] Modules linked in:\n[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419\n[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT)\n[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344\n[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344\n[ 22.991934][ T1] sp : ffffffc08006b960\n[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000\n[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820\n[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000\n[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058\n[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004\n[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000\n[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000\n[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b\n[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530\n[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000\n[ 22.991934][ T1] Call trace:\n[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344\n[ 22.991934][ T1] hibernation_restore+0x158/0x18c\n[ 22.991934][ T1] load_image_and_restore+0xb0/0xec\n[ 22.991934][ T1] software_resume+0xf4/0x19c\n[ 22.991934][ T1] software_resume_initcall+0x34/0x78\n[ 22.991934][ T1] do_one_initcall+0xe8/0x370\n[ 22.991934][ T1] do_initcall_level+0xc8/0x19c\n[ 22.991934][ T1] do_initcalls+0x70/0xc0\n[ 22.991934][ T1] do_basic_setup+0x1c/0x28\n[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148\n[ 22.991934][ T1] kernel_init+0x20/0x1a8\n[ 22.991934][ T1] ret_from_fork+0x10/0x20\n[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)\n\n[catalin.marinas@arm.com: commit log updated by Mark Rutland]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:40.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/122b7cb80f7d468fcc2d18cf7eb320f09f310a96"
},
{
"url": "https://git.kernel.org/stable/c/8557bdd9af8dd04911fba56ff92b17842b0b5c7f"
},
{
"url": "https://git.kernel.org/stable/c/9773a886f26766a8db92d4b342b620a82c2de7dd"
},
{
"url": "https://git.kernel.org/stable/c/6e32070d29d1a35d8f4b3c03babf6c0e5efd1d08"
},
{
"url": "https://git.kernel.org/stable/c/e2f8216ca2d8e61a23cb6ec355616339667e0ba6"
}
],
"title": "arm64: Set __nocfi on swsusp_arch_resume()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23128",
"datePublished": "2026-02-14T15:09:56.916Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-06-11T18:44:20.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23094 (GCVE-0-2026-23094)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
uacce: fix isolate sysfs check condition
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: fix isolate sysfs check condition
uacce supports the device isolation feature. If the driver
implements the isolate_err_threshold_read and
isolate_err_threshold_write callback functions, uacce will create
sysfs files now. Users can read and configure the isolation policy
through sysfs. Currently, sysfs files are created as long as either
isolate_err_threshold_read or isolate_err_threshold_write callback
functions are present.
However, accessing a non-existent callback function may cause the
system to crash. Therefore, intercept the creation of sysfs if
neither read nor write exists; create sysfs if either is supported,
but intercept unsupported operations at the call site.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e3e289fbc0b520cf469469e8cdba84a50424eb65 , < 9ab05cdcac354b1b1139918f49c6418b9005d042
(git)
Affected: e3e289fbc0b520cf469469e8cdba84a50424eb65 , < fdbbb47d15ae17bf39fafec7e2028c1f8efba15e (git) Affected: e3e289fbc0b520cf469469e8cdba84a50424eb65 , < 82821a681d5dcce31475a65190fc39ea8f372cc0 (git) Affected: e3e289fbc0b520cf469469e8cdba84a50424eb65 , < 98eec349259b1fd876f350b1c600403bcef8f85d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ab05cdcac354b1b1139918f49c6418b9005d042",
"status": "affected",
"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65",
"versionType": "git"
},
{
"lessThan": "fdbbb47d15ae17bf39fafec7e2028c1f8efba15e",
"status": "affected",
"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65",
"versionType": "git"
},
{
"lessThan": "82821a681d5dcce31475a65190fc39ea8f372cc0",
"status": "affected",
"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65",
"versionType": "git"
},
{
"lessThan": "98eec349259b1fd876f350b1c600403bcef8f85d",
"status": "affected",
"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix isolate sysfs check condition\n\nuacce supports the device isolation feature. If the driver\nimplements the isolate_err_threshold_read and\nisolate_err_threshold_write callback functions, uacce will create\nsysfs files now. Users can read and configure the isolation policy\nthrough sysfs. Currently, sysfs files are created as long as either\nisolate_err_threshold_read or isolate_err_threshold_write callback\nfunctions are present.\n\nHowever, accessing a non-existent callback function may cause the\nsystem to crash. Therefore, intercept the creation of sysfs if\nneither read nor write exists; create sysfs if either is supported,\nbut intercept unsupported operations at the call site."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:53.127Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ab05cdcac354b1b1139918f49c6418b9005d042"
},
{
"url": "https://git.kernel.org/stable/c/fdbbb47d15ae17bf39fafec7e2028c1f8efba15e"
},
{
"url": "https://git.kernel.org/stable/c/82821a681d5dcce31475a65190fc39ea8f372cc0"
},
{
"url": "https://git.kernel.org/stable/c/98eec349259b1fd876f350b1c600403bcef8f85d"
}
],
"title": "uacce: fix isolate sysfs check condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23094",
"datePublished": "2026-02-04T16:08:17.061Z",
"dateReserved": "2026-01-13T15:37:45.963Z",
"dateUpdated": "2026-05-11T21:59:53.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71199 (GCVE-0-2025-71199)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
at91_adc_interrupt can call at91_adc_touch_data_handler function
to start the work by schedule_work(&st->touch_st.workq).
If we remove the module which will call at91_adc_remove to
make cleanup, it will free indio_dev through iio_device_unregister but
quite a bit later. While the work mentioned above will be used. The
sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| at91_adc_workq_handler
at91_adc_remove |
iio_device_unregister(indio_dev) |
//free indio_dev a bit later |
| iio_push_to_buffers(indio_dev)
| //use indio_dev
Fix it by ensuring that the work is canceled before proceeding with
the cleanup in at91_adc_remove.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
23ec2774f1cc168b1f32a2e0ed2709cb473bb94e , < 4c83dd62595ee7b7c9298a4d19a256b6647e7240
(git)
Affected: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e , < fdc8c835c637a3473878d1e7438c77ab8928af63 (git) Affected: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e , < 919d176b05776c7ede79c36744c823a07d631617 (git) Affected: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e , < 9795fe80976f8c31cafda7d44edfc0f532d1f7c4 (git) Affected: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e , < d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe (git) Affected: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e , < d890234a91570542c228a20f132ce74f9fedd904 (git) Affected: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e , < dbdb442218cd9d613adeab31a88ac973f22c4873 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/at91-sama5d2_adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c83dd62595ee7b7c9298a4d19a256b6647e7240",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "fdc8c835c637a3473878d1e7438c77ab8928af63",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "919d176b05776c7ede79c36744c823a07d631617",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "9795fe80976f8c31cafda7d44edfc0f532d1f7c4",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "d890234a91570542c228a20f132ce74f9fedd904",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "dbdb442218cd9d613adeab31a88ac973f22c4873",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/at91-sama5d2_adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver\n\nat91_adc_interrupt can call at91_adc_touch_data_handler function\nto start the work by schedule_work(\u0026st-\u003etouch_st.workq).\n\nIf we remove the module which will call at91_adc_remove to\nmake cleanup, it will free indio_dev through iio_device_unregister but\nquite a bit later. While the work mentioned above will be used. The\nsequence of operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | at91_adc_workq_handler\nat91_adc_remove |\niio_device_unregister(indio_dev) |\n//free indio_dev a bit later |\n | iio_push_to_buffers(indio_dev)\n | //use indio_dev\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in at91_adc_remove."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:34.681Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c83dd62595ee7b7c9298a4d19a256b6647e7240"
},
{
"url": "https://git.kernel.org/stable/c/fdc8c835c637a3473878d1e7438c77ab8928af63"
},
{
"url": "https://git.kernel.org/stable/c/919d176b05776c7ede79c36744c823a07d631617"
},
{
"url": "https://git.kernel.org/stable/c/9795fe80976f8c31cafda7d44edfc0f532d1f7c4"
},
{
"url": "https://git.kernel.org/stable/c/d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe"
},
{
"url": "https://git.kernel.org/stable/c/d890234a91570542c228a20f132ce74f9fedd904"
},
{
"url": "https://git.kernel.org/stable/c/dbdb442218cd9d613adeab31a88ac973f22c4873"
}
],
"title": "iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71199",
"datePublished": "2026-02-04T16:07:34.062Z",
"dateReserved": "2026-01-31T11:36:51.192Z",
"dateUpdated": "2026-05-11T21:56:34.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68378 (GCVE-0-2025-68378)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()
when copying stack trace data. The issue occurs when the perf trace
contains more stack entries than the stack map bucket can hold,
leading to an out-of-bounds write in the bucket's data array.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < d1f424a77b6bd27b361737ed73df49a0158f1590
(git)
Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 2a008f6de163279deffd488c1deab081bce5667c (git) Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 4669a8db976c8cbd5427fe9945f12c5fa5168ff3 (git) Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 23f852daa4bab4d579110e034e4d513f7d490846 (git) Affected: 90805175a206f784b6a77f16f07b07f6803e286b (git) Affected: 398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e (git) Affected: e750f78c4ed7cefbcefb9769b3b9e08033db39da (git) Affected: 6c4f243b58f5362e983386488b2d563764c567af (git) Affected: 5.10.110 , < 5.11 (semver) Affected: 5.15.33 , < 5.16 (semver) Affected: 5.16.19 , < 5.17 (semver) Affected: 5.17.2 , < 5.18 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1f424a77b6bd27b361737ed73df49a0158f1590",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "2a008f6de163279deffd488c1deab081bce5667c",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "4669a8db976c8cbd5427fe9945f12c5fa5168ff3",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "23f852daa4bab4d579110e034e4d513f7d490846",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"status": "affected",
"version": "90805175a206f784b6a77f16f07b07f6803e286b",
"versionType": "git"
},
{
"status": "affected",
"version": "398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e",
"versionType": "git"
},
{
"status": "affected",
"version": "e750f78c4ed7cefbcefb9769b3b9e08033db39da",
"versionType": "git"
},
{
"status": "affected",
"version": "6c4f243b58f5362e983386488b2d563764c567af",
"versionType": "git"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThan": "5.17",
"status": "affected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check in __bpf_get_stackid()\n\nSyzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()\nwhen copying stack trace data. The issue occurs when the perf trace\n contains more stack entries than the stack map bucket can hold,\n leading to an out-of-bounds write in the bucket\u0027s data array."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:48.893Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590"
},
{
"url": "https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c"
},
{
"url": "https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3"
},
{
"url": "https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846"
}
],
"title": "bpf: Fix stackmap overflow check in __bpf_get_stackid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68378",
"datePublished": "2025-12-24T10:33:06.859Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-05-23T16:02:48.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71097 (GCVE-0-2025-71097)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ipv4: Fix reference count leak when using error routes with nexthop objects
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix reference count leak when using error routes with nexthop objects
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:
# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:
# ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 5de7ad7e18356e39e8fbf7edd185a5faaf4f385a
(git)
Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 33ff5c207c873215e54e6176624ed57423cb7dea (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 30386e090c49e803c0616a7147e43409c32a2b0e (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 5979338c83012110ccd45cae6517591770bfe536 (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < ee4183501ea556dca31f5ffd8690aa9fd25b609f (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < e3fc381320d04e4a74311e576a86cac49a16fc43 (git) Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < ac782f4e3bfcde145b8a7f8af31d9422d94d172a (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:27.713433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:01.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_trie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5de7ad7e18356e39e8fbf7edd185a5faaf4f385a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "33ff5c207c873215e54e6176624ed57423cb7dea",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "30386e090c49e803c0616a7147e43409c32a2b0e",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "5979338c83012110ccd45cae6517591770bfe536",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "ee4183501ea556dca31f5ffd8690aa9fd25b609f",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "e3fc381320d04e4a74311e576a86cac49a16fc43",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "ac782f4e3bfcde145b8a7f8af31d9422d94d172a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_trie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix reference count leak when using error routes with nexthop objects\n\nWhen a nexthop object is deleted, it is marked as dead and then\nfib_table_flush() is called to flush all the routes that are using the\ndead nexthop.\n\nThe current logic in fib_table_flush() is to only flush error routes\n(e.g., blackhole) when it is called as part of network namespace\ndismantle (i.e., with flush_all=true). Therefore, error routes are not\nflushed when their nexthop object is deleted:\n\n # ip link add name dummy1 up type dummy\n # ip nexthop add id 1 dev dummy1\n # ip route add 198.51.100.1/32 nhid 1\n # ip route add blackhole 198.51.100.2/32 nhid 1\n # ip nexthop del id 1\n # ip route show\n blackhole 198.51.100.2 nhid 1 dev dummy1\n\nAs such, they keep holding a reference on the nexthop object which in\nturn holds a reference on the nexthop device, resulting in a reference\ncount leak:\n\n # ip link del dev dummy1\n [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2\n\nFix by flushing error routes when their nexthop is marked as dead.\n\nIPv6 does not suffer from this problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:41.289Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a"
},
{
"url": "https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea"
},
{
"url": "https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e"
},
{
"url": "https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536"
},
{
"url": "https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f"
},
{
"url": "https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43"
},
{
"url": "https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a"
}
],
"title": "ipv4: Fix reference count leak when using error routes with nexthop objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71097",
"datePublished": "2026-01-13T15:34:56.814Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-06-11T18:44:01.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23131 (GCVE-0-2026-23131)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names
The hp-bioscfg driver attempts to register kobjects with empty names when
the HP BIOS returns attributes with empty name strings. This causes
multiple kernel warnings:
kobject: (00000000135fb5e6): attempted to be registered with empty name!
WARNING: CPU: 14 PID: 3336 at lib/kobject.c:219 kobject_add_internal+0x2eb/0x310
Add validation in hp_init_bios_buffer_attribute() to check if the
attribute name is empty after parsing it from the WMI buffer. If empty,
log a debug message and skip registration of that attribute, allowing the
module to continue processing other valid attributes.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a34fc329b1895fc8a6eb12099adc47009421ba6a , < 29917c80aa96a25cbcf5876fd774a1cfd72b01a9
(git)
Affected: a34fc329b1895fc8a6eb12099adc47009421ba6a , < 6476be59b7162b891b7bddbd0c2924d87379ef6c (git) Affected: a34fc329b1895fc8a6eb12099adc47009421ba6a , < 800b2767905d6b409b8bbe357121970f0b489a89 (git) Affected: a34fc329b1895fc8a6eb12099adc47009421ba6a , < fdee1b09721605f532352628d0a24623e7062efb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/bioscfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29917c80aa96a25cbcf5876fd774a1cfd72b01a9",
"status": "affected",
"version": "a34fc329b1895fc8a6eb12099adc47009421ba6a",
"versionType": "git"
},
{
"lessThan": "6476be59b7162b891b7bddbd0c2924d87379ef6c",
"status": "affected",
"version": "a34fc329b1895fc8a6eb12099adc47009421ba6a",
"versionType": "git"
},
{
"lessThan": "800b2767905d6b409b8bbe357121970f0b489a89",
"status": "affected",
"version": "a34fc329b1895fc8a6eb12099adc47009421ba6a",
"versionType": "git"
},
{
"lessThan": "fdee1b09721605f532352628d0a24623e7062efb",
"status": "affected",
"version": "a34fc329b1895fc8a6eb12099adc47009421ba6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/bioscfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names\n\nThe hp-bioscfg driver attempts to register kobjects with empty names when\nthe HP BIOS returns attributes with empty name strings. This causes\nmultiple kernel warnings:\n\n kobject: (00000000135fb5e6): attempted to be registered with empty name!\n WARNING: CPU: 14 PID: 3336 at lib/kobject.c:219 kobject_add_internal+0x2eb/0x310\n\nAdd validation in hp_init_bios_buffer_attribute() to check if the\nattribute name is empty after parsing it from the WMI buffer. If empty,\nlog a debug message and skip registration of that attribute, allowing the\nmodule to continue processing other valid attributes."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:43.817Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29917c80aa96a25cbcf5876fd774a1cfd72b01a9"
},
{
"url": "https://git.kernel.org/stable/c/6476be59b7162b891b7bddbd0c2924d87379ef6c"
},
{
"url": "https://git.kernel.org/stable/c/800b2767905d6b409b8bbe357121970f0b489a89"
},
{
"url": "https://git.kernel.org/stable/c/fdee1b09721605f532352628d0a24623e7062efb"
}
],
"title": "platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23131",
"datePublished": "2026-02-14T15:09:58.916Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-05-11T22:00:43.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23019 (GCVE-0-2026-23019)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-05-11 21:58
VLAI?
EPSS
Title
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
devlink_alloc() may return NULL on allocation failure, but
prestera_devlink_alloc() unconditionally calls devlink_priv() on
the returned pointer.
This leads to a NULL pointer dereference if devlink allocation fails.
Add a check for a NULL devlink pointer and return NULL early to avoid
the crash.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 8a4333b2818f0d853b43e139936c20659366e4a0
(git)
Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 325aea74be7e192b5c947c782da23b0d19a5fda2 (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 94e070cd50790317fba7787ae6006934b7edcb6f (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 3950054c9512add0cc79ab7e72b6d2f9f675e25b (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < 326a4b7e61d01db3507f71c8bb5e85362f607064 (git) Affected: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 , < a428e0da1248c353557970848994f35fd3f005e2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a4333b2818f0d853b43e139936c20659366e4a0",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "325aea74be7e192b5c947c782da23b0d19a5fda2",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "94e070cd50790317fba7787ae6006934b7edcb6f",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "3950054c9512add0cc79ab7e72b6d2f9f675e25b",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "326a4b7e61d01db3507f71c8bb5e85362f607064",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "a428e0da1248c353557970848994f35fd3f005e2",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix NULL dereference on devlink_alloc() failure\n\ndevlink_alloc() may return NULL on allocation failure, but\nprestera_devlink_alloc() unconditionally calls devlink_priv() on\nthe returned pointer.\n\nThis leads to a NULL pointer dereference if devlink allocation fails.\nAdd a check for a NULL devlink pointer and return NULL early to avoid\nthe crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:25.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a4333b2818f0d853b43e139936c20659366e4a0"
},
{
"url": "https://git.kernel.org/stable/c/325aea74be7e192b5c947c782da23b0d19a5fda2"
},
{
"url": "https://git.kernel.org/stable/c/94e070cd50790317fba7787ae6006934b7edcb6f"
},
{
"url": "https://git.kernel.org/stable/c/3950054c9512add0cc79ab7e72b6d2f9f675e25b"
},
{
"url": "https://git.kernel.org/stable/c/326a4b7e61d01db3507f71c8bb5e85362f607064"
},
{
"url": "https://git.kernel.org/stable/c/a428e0da1248c353557970848994f35fd3f005e2"
}
],
"title": "net: marvell: prestera: fix NULL dereference on devlink_alloc() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23019",
"datePublished": "2026-01-31T11:39:03.179Z",
"dateReserved": "2026-01-13T15:37:45.940Z",
"dateUpdated": "2026-05-11T21:58:25.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71112 (GCVE-0-2025-71112)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-05-11 21:55
VLAI?
EPSS
Title
net: hns3: add VLAN id validation before using
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: add VLAN id validation before using
Currently, the VLAN id may be used without validation when
receive a VLAN configuration mailbox from VF. The length of
vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause
out-of-bounds memory access once the VLAN id is bigger than
or equal to VLAN_N_VID.
Therefore, VLAN id needs to be checked to ensure it is within
the range of VLAN_N_VID.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8
(git)
Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 42c91dfa772c57de141e5a55a187ac760c0fd7e1 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 00e56a7706e10b3d00a258d81fcb85a7e96372d6 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < b7b4f3bf118f51b67691a55b464f04452e5dc6fc (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 95cca255a7a5ad782639ff0298c2a486707d1046 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 91a51d01be5c9f82c12c2921ca5cceaa31b67128 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 6ef935e65902bfed53980ad2754b06a284ea8ac1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "42c91dfa772c57de141e5a55a187ac760c0fd7e1",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "00e56a7706e10b3d00a258d81fcb85a7e96372d6",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "b7b4f3bf118f51b67691a55b464f04452e5dc6fc",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "95cca255a7a5ad782639ff0298c2a486707d1046",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "91a51d01be5c9f82c12c2921ca5cceaa31b67128",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "6ef935e65902bfed53980ad2754b06a284ea8ac1",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add VLAN id validation before using\n\nCurrently, the VLAN id may be used without validation when\nreceive a VLAN configuration mailbox from VF. The length of\nvlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause\nout-of-bounds memory access once the VLAN id is bigger than\nor equal to VLAN_N_VID.\n\nTherefore, VLAN id needs to be checked to ensure it is within\nthe range of VLAN_N_VID."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:05.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8"
},
{
"url": "https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1"
},
{
"url": "https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6"
},
{
"url": "https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc"
},
{
"url": "https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046"
},
{
"url": "https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128"
},
{
"url": "https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1"
}
],
"title": "net: hns3: add VLAN id validation before using",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71112",
"datePublished": "2026-01-14T15:05:59.308Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-05-11T21:55:05.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22980 (GCVE-0-2026-22980)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-06-16 20:37
VLAI?
EPSS
Title
nfsd: provide locking for v4_end_grace
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: provide locking for v4_end_grace
Writing to v4_end_grace can race with server shutdown and result in
memory being accessed after it was freed - reclaim_str_hashtbl in
particularly.
We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
held while client_tracking_op->init() is called and that can wait for
an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
deadlock.
nfsd4_end_grace() is also called by the landromat work queue and this
doesn't require locking as server shutdown will stop the work and wait
for it before freeing anything that nfsd4_end_grace() might access.
However, we must be sure that writing to v4_end_grace doesn't restart
the work item after shutdown has already waited for it. For this we
add a new flag protected with nn->client_lock. It is set only while it
is safe to make client tracking calls, and v4_end_grace only schedules
work while the flag is set with the spinlock held.
So this patch adds a nfsd_net field "client_tracking_active" which is
set as described. Another field "grace_end_forced", is set when
v4_end_grace is written. After this is set, and providing
client_tracking_active is set, the laundromat is scheduled.
This "grace_end_forced" field bypasses other checks for whether the
grace period has finished.
This resolves a race which can result in use-after-free.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < ca97360860eb02e3ae4ba42c19b439a0fcecbf06
(git)
Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < e8bfa2401d4c51eca6e48e9b33c798828ca9df61 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 34eb22836e0cdba093baac66599d68c4cd245a9d (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 06600719d0f7a723811c45e4d51f5b742f345309 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < ba4811c8b433bfa681729ca42cc62b6034f223b0 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 53f07d095e7e680c5e4569a55a019f2c0348cdc6 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 2857bd59feb63fcf40fe4baf55401baea6b4feb4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22980",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:36:55.336499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:37:05.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/netns.h",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca97360860eb02e3ae4ba42c19b439a0fcecbf06",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "e8bfa2401d4c51eca6e48e9b33c798828ca9df61",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "34eb22836e0cdba093baac66599d68c4cd245a9d",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "06600719d0f7a723811c45e4d51f5b742f345309",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "ba4811c8b433bfa681729ca42cc62b6034f223b0",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "53f07d095e7e680c5e4569a55a019f2c0348cdc6",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "2857bd59feb63fcf40fe4baf55401baea6b4feb4",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/netns.h",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: provide locking for v4_end_grace\n\nWriting to v4_end_grace can race with server shutdown and result in\nmemory being accessed after it was freed - reclaim_str_hashtbl in\nparticularly.\n\nWe cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is\nheld while client_tracking_op-\u003einit() is called and that can wait for\nan upcall to nfsdcltrack which can write to v4_end_grace, resulting in a\ndeadlock.\n\nnfsd4_end_grace() is also called by the landromat work queue and this\ndoesn\u0027t require locking as server shutdown will stop the work and wait\nfor it before freeing anything that nfsd4_end_grace() might access.\n\nHowever, we must be sure that writing to v4_end_grace doesn\u0027t restart\nthe work item after shutdown has already waited for it. For this we\nadd a new flag protected with nn-\u003eclient_lock. It is set only while it\nis safe to make client tracking calls, and v4_end_grace only schedules\nwork while the flag is set with the spinlock held.\n\nSo this patch adds a nfsd_net field \"client_tracking_active\" which is\nset as described. Another field \"grace_end_forced\", is set when\nv4_end_grace is written. After this is set, and providing\nclient_tracking_active is set, the laundromat is scheduled.\nThis \"grace_end_forced\" field bypasses other checks for whether the\ngrace period has finished.\n\nThis resolves a race which can result in use-after-free."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:40.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06"
},
{
"url": "https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61"
},
{
"url": "https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d"
},
{
"url": "https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309"
},
{
"url": "https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0"
},
{
"url": "https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6"
},
{
"url": "https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4"
}
],
"title": "nfsd: provide locking for v4_end_grace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22980",
"datePublished": "2026-01-23T15:24:02.924Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-06-16T20:37:05.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71197 (GCVE-0-2025-71197)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
w1: therm: Fix off-by-one buffer overflow in alarms_store
Summary
In the Linux kernel, the following vulnerability has been resolved:
w1: therm: Fix off-by-one buffer overflow in alarms_store
The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
bytes and a NUL terminator is appended. However, the 'size' argument
does not account for this extra byte. The original code then allocated
'size' bytes and used strcpy() to copy 'buf', which always writes one
byte past the allocated buffer since strcpy() copies until the NUL
terminator at index 'size'.
Fix this by parsing the 'buf' parameter directly using simple_strtoll()
without allocating any intermediate memory or string copying. This
removes the overflow while simplifying the code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e2c94d6f572079511945e64537eb1218643f2e68 , < 49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95
(git)
Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 060b08d72a38b158a7f850d4b83c17c2969e0f6b (git) Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf (git) Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 6a5820ecfa5a76c3d3e154802c8c15f391ef442e (git) Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0 (git) Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < e6b2609af21b5cccc9559339591b8a2cbf884169 (git) Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 761fcf46a1bd797bd32d23f3ea0141ffd437668a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/w1/slaves/w1_therm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "060b08d72a38b158a7f850d4b83c17c2969e0f6b",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "6a5820ecfa5a76c3d3e154802c8c15f391ef442e",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "e6b2609af21b5cccc9559339591b8a2cbf884169",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "761fcf46a1bd797bd32d23f3ea0141ffd437668a",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/w1/slaves/w1_therm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: therm: Fix off-by-one buffer overflow in alarms_store\n\nThe sysfs buffer passed to alarms_store() is allocated with \u0027size + 1\u0027\nbytes and a NUL terminator is appended. However, the \u0027size\u0027 argument\ndoes not account for this extra byte. The original code then allocated\n\u0027size\u0027 bytes and used strcpy() to copy \u0027buf\u0027, which always writes one\nbyte past the allocated buffer since strcpy() copies until the NUL\nterminator at index \u0027size\u0027.\n\nFix this by parsing the \u0027buf\u0027 parameter directly using simple_strtoll()\nwithout allocating any intermediate memory or string copying. This\nremoves the overflow while simplifying the code."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:32.299Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95"
},
{
"url": "https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b"
},
{
"url": "https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf"
},
{
"url": "https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e"
},
{
"url": "https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0"
},
{
"url": "https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169"
},
{
"url": "https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a"
}
],
"title": "w1: therm: Fix off-by-one buffer overflow in alarms_store",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71197",
"datePublished": "2026-02-04T16:07:32.198Z",
"dateReserved": "2026-01-31T11:36:51.192Z",
"dateUpdated": "2026-05-11T21:56:32.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23098 (GCVE-0-2026-23098)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
netrom: fix double-free in nr_route_frame()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: fix double-free in nr_route_frame()
In nr_route_frame(), old_skb is immediately freed without checking if
nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
the caller function will free old_skb again, causing a double-free bug.
Therefore, to prevent this, we need to modify it to check whether
nr_neigh->ax25 is NULL before freeing old_skb.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 25aab6bfc31017a7e52035b99aef5c2b6bde8ffb
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6e0110ea90313b7c0558a0b77038274a6821caf8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7c48fdf2d1349bb54815b56fb012b9d577707708 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bd8955337e3764f912f49b360e176d8aaecf7016 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9f5fa78d9980fe75a69835521627ab7943cb3d67 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ba1096c315283ee3292765f6aea4cca15816c4f7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25aab6bfc31017a7e52035b99aef5c2b6bde8ffb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e0110ea90313b7c0558a0b77038274a6821caf8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c48fdf2d1349bb54815b56fb012b9d577707708",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd8955337e3764f912f49b360e176d8aaecf7016",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f5fa78d9980fe75a69835521627ab7943cb3d67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba1096c315283ee3292765f6aea4cca15816c4f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix double-free in nr_route_frame()\n\nIn nr_route_frame(), old_skb is immediately freed without checking if\nnr_neigh-\u003eax25 pointer is NULL. Therefore, if nr_neigh-\u003eax25 is NULL,\nthe caller function will free old_skb again, causing a double-free bug.\n\nTherefore, to prevent this, we need to modify it to check whether\nnr_neigh-\u003eax25 is NULL before freeing old_skb."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:57.863Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25aab6bfc31017a7e52035b99aef5c2b6bde8ffb"
},
{
"url": "https://git.kernel.org/stable/c/6e0110ea90313b7c0558a0b77038274a6821caf8"
},
{
"url": "https://git.kernel.org/stable/c/7c48fdf2d1349bb54815b56fb012b9d577707708"
},
{
"url": "https://git.kernel.org/stable/c/bd8955337e3764f912f49b360e176d8aaecf7016"
},
{
"url": "https://git.kernel.org/stable/c/94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c"
},
{
"url": "https://git.kernel.org/stable/c/9f5fa78d9980fe75a69835521627ab7943cb3d67"
},
{
"url": "https://git.kernel.org/stable/c/ba1096c315283ee3292765f6aea4cca15816c4f7"
}
],
"title": "netrom: fix double-free in nr_route_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23098",
"datePublished": "2026-02-04T16:08:20.692Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-05-11T21:59:57.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71067 (GCVE-0-2025-71067)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
ntfs: set dummy blocksize to read boot_block when mounting
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs: set dummy blocksize to read boot_block when mounting
When mounting, sb->s_blocksize is used to read the boot_block without
being defined or validated. Set a dummy blocksize before attempting to
read the boot_block.
The issue can be triggered with the following syz reproducer:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0)
r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)
ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)
mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00',
&(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0)
syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)
Here, the ioctl sets the bdev block size to 16384. During mount,
get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),
but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves
sb->s_blocksize at zero.
Later, ntfs_init_from_boot() attempts to read the boot_block while
sb->s_blocksize is still zero, which triggers the bug.
[almaz.alexandrovich@paragon-software.com: changed comment style, added
return value handling]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < 0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5
(git)
Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < 44a38eb4f7876513db5a1bccde74de9bc4389d43 (git) Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < 4fff9a625da958a33191c8553a03283786f9f417 (git) Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a (git) Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < d1693a7d5a38acf6424235a6070bcf5b186a360d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "44a38eb4f7876513db5a1bccde74de9bc4389d43",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "4fff9a625da958a33191c8553a03283786f9f417",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "d1693a7d5a38acf6424235a6070bcf5b186a360d",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: set dummy blocksize to read boot_block when mounting\n\nWhen mounting, sb-\u003es_blocksize is used to read the boot_block without\nbeing defined or validated. Set a dummy blocksize before attempting to\nread the boot_block.\n\nThe issue can be triggered with the following syz reproducer:\n\n mkdirat(0xffffffffffffff9c, \u0026(0x7f0000000080)=\u0027./file1\\x00\u0027, 0x0)\n r4 = openat$nullb(0xffffffffffffff9c, \u0026(0x7f0000000040), 0x121403, 0x0)\n ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, \u0026(0x7f0000000980)=0x4000)\n mount(\u0026(0x7f0000000140)=@nullb, \u0026(0x7f0000000040)=\u0027./cgroup\\x00\u0027,\n \u0026(0x7f0000000000)=\u0027ntfs3\\x00\u0027, 0x2208004, 0x0)\n syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)\n\nHere, the ioctl sets the bdev block size to 16384. During mount,\nget_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),\nbut since block_size(bdev) \u003e PAGE_SIZE, sb_set_blocksize() leaves\nsb-\u003es_blocksize at zero.\n\nLater, ntfs_init_from_boot() attempts to read the boot_block while\nsb-\u003es_blocksize is still zero, which triggers the bug.\n\n[almaz.alexandrovich@paragon-software.com: changed comment style, added\nreturn value handling]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:05.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5"
},
{
"url": "https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43"
},
{
"url": "https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417"
},
{
"url": "https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a"
},
{
"url": "https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d"
}
],
"title": "ntfs: set dummy blocksize to read boot_block when mounting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71067",
"datePublished": "2026-01-13T15:31:22.585Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-05-11T21:54:05.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23213 (GCVE-0-2026-23213)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:21 – Updated: 2026-05-11 22:02
VLAI?
EPSS
Title
drm/amd/pm: Disable MMIO access during SMU Mode 1 reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: Disable MMIO access during SMU Mode 1 reset
During Mode 1 reset, the ASIC undergoes a reset cycle and becomes
temporarily inaccessible via PCIe. Any attempt to access MMIO registers
during this window (e.g., from interrupt handlers or other driver threads)
can result in uncompleted PCIe transactions, leading to NMI panics or
system hangs.
To prevent this, set the `no_hw_access` flag to true immediately after
triggering the reset. This signals other driver components to skip
register accesses while the device is offline.
A memory barrier `smp_mb()` is added to ensure the flag update is
globally visible to all cores before the driver enters the sleep/wait
state.
(cherry picked from commit 7edb503fe4b6d67f47d8bb0dfafb8e699bb0f8a4)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ea8139d8d59bd6f014b317e7423345169a56fe49 , < c1853ebbec980d5c05d431bfd6ded73b1363fd00
(git)
Affected: ea8139d8d59bd6f014b317e7423345169a56fe49 , < cd7ff7fd3e4b77f0b5a292e0926532eaa07c5162 (git) Affected: ea8139d8d59bd6f014b317e7423345169a56fe49 , < 0de604d0357d0d22cbf03af1077d174b641707b6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c",
"drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c",
"drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1853ebbec980d5c05d431bfd6ded73b1363fd00",
"status": "affected",
"version": "ea8139d8d59bd6f014b317e7423345169a56fe49",
"versionType": "git"
},
{
"lessThan": "cd7ff7fd3e4b77f0b5a292e0926532eaa07c5162",
"status": "affected",
"version": "ea8139d8d59bd6f014b317e7423345169a56fe49",
"versionType": "git"
},
{
"lessThan": "0de604d0357d0d22cbf03af1077d174b641707b6",
"status": "affected",
"version": "ea8139d8d59bd6f014b317e7423345169a56fe49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c",
"drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c",
"drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Disable MMIO access during SMU Mode 1 reset\n\nDuring Mode 1 reset, the ASIC undergoes a reset cycle and becomes\ntemporarily inaccessible via PCIe. Any attempt to access MMIO registers\nduring this window (e.g., from interrupt handlers or other driver threads)\ncan result in uncompleted PCIe transactions, leading to NMI panics or\nsystem hangs.\n\nTo prevent this, set the `no_hw_access` flag to true immediately after\ntriggering the reset. This signals other driver components to skip\nregister accesses while the device is offline.\n\nA memory barrier `smp_mb()` is added to ensure the flag update is\nglobally visible to all cores before the driver enters the sleep/wait\nstate.\n\n(cherry picked from commit 7edb503fe4b6d67f47d8bb0dfafb8e699bb0f8a4)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:30.627Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1853ebbec980d5c05d431bfd6ded73b1363fd00"
},
{
"url": "https://git.kernel.org/stable/c/cd7ff7fd3e4b77f0b5a292e0926532eaa07c5162"
},
{
"url": "https://git.kernel.org/stable/c/0de604d0357d0d22cbf03af1077d174b641707b6"
}
],
"title": "drm/amd/pm: Disable MMIO access during SMU Mode 1 reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23213",
"datePublished": "2026-02-18T14:21:50.637Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-05-11T22:02:30.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71180 (GCVE-0-2025-71180)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:38 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
Summary
In the Linux kernel, the following vulnerability has been resolved:
counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as
CONFIG_PROVE_RAW_LOCK_NESTING warns:
=============================
[ BUG: Invalid wait context ]
6.18.0-rc1+git... #1
-----------------------------
some-user-space-process/1251 is trying to lock:
(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]
other info that might help us debug this:
context-{2:2}
no locks held by some-user-space-process/....
stack backtrace:
CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT
Call trace:
show_stack (C)
dump_stack_lvl
dump_stack
__lock_acquire
lock_acquire
_raw_spin_lock_irqsave
counter_push_event [counter]
interrupt_cnt_isr [interrupt_cnt]
__handle_irq_event_percpu
handle_irq_event
handle_simple_irq
handle_irq_desc
generic_handle_domain_irq
gpio_irq_handler
handle_irq_desc
generic_handle_domain_irq
gic_handle_irq
call_on_irq_stack
do_interrupt_handler
el0_interrupt
__el0_irq_handler_common
el0t_64_irq_handler
el0t_64_irq
... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an
alternative to switching to raw_spinlock_t, because the latter would limit
all potential nested locks to raw_spinlock_t only.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a55ebd47f21f6f0472766fb52c973849e31d1466 , < ef668c9a2261ec9287faba6e6ef05a98b391aa2b
(git)
Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 51d2e5d6491447258cb39ff1deb93df15d3c23cb (git) Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c (git) Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 49a66829dd3653695e60d7cae13521d131362fcd (git) Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 425886b1f8304621b3f16632b274357067d5f13f (git) Affected: a55ebd47f21f6f0472766fb52c973849e31d1466 , < 23f9485510c338476b9735d516c1d4aacb810d46 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/counter/interrupt-cnt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef668c9a2261ec9287faba6e6ef05a98b391aa2b",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "51d2e5d6491447258cb39ff1deb93df15d3c23cb",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "49a66829dd3653695e60d7cae13521d131362fcd",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "425886b1f8304621b3f16632b274357067d5f13f",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "23f9485510c338476b9735d516c1d4aacb810d46",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/counter/interrupt-cnt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: interrupt-cnt: Drop IRQF_NO_THREAD flag\n\nAn IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as\nCONFIG_PROVE_RAW_LOCK_NESTING warns:\n=============================\n[ BUG: Invalid wait context ]\n6.18.0-rc1+git... #1\n-----------------------------\nsome-user-space-process/1251 is trying to lock:\n(\u0026counter-\u003eevents_list_lock){....}-{3:3}, at: counter_push_event [counter]\nother info that might help us debug this:\ncontext-{2:2}\nno locks held by some-user-space-process/....\nstack backtrace:\nCPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT\nCall trace:\n show_stack (C)\n dump_stack_lvl\n dump_stack\n __lock_acquire\n lock_acquire\n _raw_spin_lock_irqsave\n counter_push_event [counter]\n interrupt_cnt_isr [interrupt_cnt]\n __handle_irq_event_percpu\n handle_irq_event\n handle_simple_irq\n handle_irq_desc\n generic_handle_domain_irq\n gpio_irq_handler\n handle_irq_desc\n generic_handle_domain_irq\n gic_handle_irq\n call_on_irq_stack\n do_interrupt_handler\n el0_interrupt\n __el0_irq_handler_common\n el0t_64_irq_handler\n el0t_64_irq\n\n... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an\nalternative to switching to raw_spinlock_t, because the latter would limit\nall potential nested locks to raw_spinlock_t only."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:12.391Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef668c9a2261ec9287faba6e6ef05a98b391aa2b"
},
{
"url": "https://git.kernel.org/stable/c/51d2e5d6491447258cb39ff1deb93df15d3c23cb"
},
{
"url": "https://git.kernel.org/stable/c/1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c"
},
{
"url": "https://git.kernel.org/stable/c/49a66829dd3653695e60d7cae13521d131362fcd"
},
{
"url": "https://git.kernel.org/stable/c/425886b1f8304621b3f16632b274357067d5f13f"
},
{
"url": "https://git.kernel.org/stable/c/23f9485510c338476b9735d516c1d4aacb810d46"
}
],
"title": "counter: interrupt-cnt: Drop IRQF_NO_THREAD flag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71180",
"datePublished": "2026-01-31T11:38:52.481Z",
"dateReserved": "2026-01-31T11:36:51.183Z",
"dateUpdated": "2026-05-11T21:56:12.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23064 (GCVE-0-2026-23064)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
net/sched: act_ife: avoid possible NULL deref
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ife: avoid possible NULL deref
tcf_ife_encode() must make sure ife_encode() does not return NULL.
syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166
CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
<TASK>
ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101
tcf_ife_encode net/sched/act_ife.c:841 [inline]
tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877
tc_act include/net/tc_wrapper.h:130 [inline]
tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152
tcf_exts_exec include/net/pkt_cls.h:349 [inline]
mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42
tc_classify include/net/tc_wrapper.h:197 [inline]
__tcf_classify net/sched/cls_api.c:1764 [inline]
tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860
multiq_classify net/sched/sch_multiq.c:39 [inline]
multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66
dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147
__dev_xmit_skb net/core/dev.c:4262 [inline]
__dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
295a6e06d21e1f469c9f38b00125a13b60ad4e7c , < 4ef2c77851676b7ed106f0c47755bee9eeec9a40
(git)
Affected: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c , < dd9442aedbeae87c44cc64c0ee41abd296dc008b (git) Affected: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c , < 1440d749fe49c8665da6f744323b1671d25a56a0 (git) Affected: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c , < 03710cebfc0bcfe247a9e04381e79ea33896e278 (git) Affected: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c , < 374915dfc932adf57712df3be010667fd1190e3c (git) Affected: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c , < 6c75fed55080014545f262b7055081cec4768b20 (git) Affected: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c , < 27880b0b0d35ad1c98863d09788254e36f874968 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ef2c77851676b7ed106f0c47755bee9eeec9a40",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "dd9442aedbeae87c44cc64c0ee41abd296dc008b",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "1440d749fe49c8665da6f744323b1671d25a56a0",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "03710cebfc0bcfe247a9e04381e79ea33896e278",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "374915dfc932adf57712df3be010667fd1190e3c",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "6c75fed55080014545f262b7055081cec4768b20",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "27880b0b0d35ad1c98863d09788254e36f874968",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: avoid possible NULL deref\n\ntcf_ife_encode() must make sure ife_encode() does not return NULL.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166\nCPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)\nCall Trace:\n \u003cTASK\u003e\n ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101\n tcf_ife_encode net/sched/act_ife.c:841 [inline]\n tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877\n tc_act include/net/tc_wrapper.h:130 [inline]\n tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152\n tcf_exts_exec include/net/pkt_cls.h:349 [inline]\n mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42\n tc_classify include/net/tc_wrapper.h:197 [inline]\n __tcf_classify net/sched/cls_api.c:1764 [inline]\n tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860\n multiq_classify net/sched/sch_multiq.c:39 [inline]\n multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66\n dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147\n __dev_xmit_skb net/core/dev.c:4262 [inline]\n __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:18.219Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ef2c77851676b7ed106f0c47755bee9eeec9a40"
},
{
"url": "https://git.kernel.org/stable/c/dd9442aedbeae87c44cc64c0ee41abd296dc008b"
},
{
"url": "https://git.kernel.org/stable/c/1440d749fe49c8665da6f744323b1671d25a56a0"
},
{
"url": "https://git.kernel.org/stable/c/03710cebfc0bcfe247a9e04381e79ea33896e278"
},
{
"url": "https://git.kernel.org/stable/c/374915dfc932adf57712df3be010667fd1190e3c"
},
{
"url": "https://git.kernel.org/stable/c/6c75fed55080014545f262b7055081cec4768b20"
},
{
"url": "https://git.kernel.org/stable/c/27880b0b0d35ad1c98863d09788254e36f874968"
}
],
"title": "net/sched: act_ife: avoid possible NULL deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23064",
"datePublished": "2026-02-04T16:07:46.329Z",
"dateReserved": "2026-01-13T15:37:45.953Z",
"dateUpdated": "2026-05-11T21:59:18.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68808 (GCVE-0-2025-68808)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
media: vidtv: initialize local pointers upon transfer of memory ownership
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: initialize local pointers upon transfer of memory ownership
vidtv_channel_si_init() creates a temporary list (program, service, event)
and ownership of the memory itself is transferred to the PAT/SDT/EIT
tables through vidtv_psi_pat_program_assign(),
vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership
transfer was completed is not initialized to NULL. This causes the
vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
in the flow that jumps to free_eit, the memory that was freed by
vidtv_psi_*_table_destroy() can be accessed again by
vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
is freed once again.
Therefore, to prevent use-after-free and double-free vulnerability,
local pointers must be initialized to NULL when transferring memory
ownership.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3be8037960bccd13052cfdeba8805ad785041d70 , < c342e294dac4988c8ada759b2f057246e48c5108
(git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 12ab6ebb37789b84073e83e4d9b14a5e0d133323 (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < a69c7fd603bf5ad93177394fbd9711922ee81032 (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 30f4d4e5224a9e44e9ceb3956489462319d804ce (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 98aabfe2d79f74613abc2b0b1cef08f97eaf5322 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c342e294dac4988c8ada759b2f057246e48c5108",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "12ab6ebb37789b84073e83e4d9b14a5e0d133323",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "a69c7fd603bf5ad93177394fbd9711922ee81032",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "30f4d4e5224a9e44e9ceb3956489462319d804ce",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "98aabfe2d79f74613abc2b0b1cef08f97eaf5322",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: initialize local pointers upon transfer of memory ownership\n\nvidtv_channel_si_init() creates a temporary list (program, service, event)\nand ownership of the memory itself is transferred to the PAT/SDT/EIT\ntables through vidtv_psi_pat_program_assign(),\nvidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().\n\nThe problem here is that the local pointer where the memory ownership\ntransfer was completed is not initialized to NULL. This causes the\nvidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and\nin the flow that jumps to free_eit, the memory that was freed by\nvidtv_psi_*_table_destroy() can be accessed again by\nvidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it\nis freed once again.\n\nTherefore, to prevent use-after-free and double-free vulnerability,\nlocal pointers must be initialized to NULL when transferring memory\nownership."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:44.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108"
},
{
"url": "https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323"
},
{
"url": "https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e"
},
{
"url": "https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8"
},
{
"url": "https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032"
},
{
"url": "https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce"
},
{
"url": "https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322"
}
],
"title": "media: vidtv: initialize local pointers upon transfer of memory ownership",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68808",
"datePublished": "2026-01-13T15:29:15.164Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-05-11T21:53:44.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68365 (GCVE-0-2025-68365)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
fs/ntfs3: Initialize allocated memory before use
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Initialize allocated memory before use
KMSAN reports: Multiple uninitialized values detected:
- KMSAN: uninit-value in ntfs_read_hdr (3)
- KMSAN: uninit-value in bcmp (3)
Memory is allocated by __getname(), which is a wrapper for
kmem_cache_alloc(). This memory is used before being properly
cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to
properly allocate and clear memory before use.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
82cae269cfa953032fbb8980a7d554d60fb00b17 , < bdf38063fd15f2fc7361dc0b5d3c259741eab835
(git)
Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < a58e29849aef8d26554a982989a2190b49aaf8ed (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 7d52c592cf53f5bb7163967edc01d2d7d80de44a (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < f7728057220cabd720e27e46097edad48e5bd728 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 192e8ce302f14ac66259231dd10cede19858d742 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < a8a3ca23bbd9d849308a7921a049330dc6c91398 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdf38063fd15f2fc7361dc0b5d3c259741eab835",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "a58e29849aef8d26554a982989a2190b49aaf8ed",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "7d52c592cf53f5bb7163967edc01d2d7d80de44a",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "f7728057220cabd720e27e46097edad48e5bd728",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "192e8ce302f14ac66259231dd10cede19858d742",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "a8a3ca23bbd9d849308a7921a049330dc6c91398",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Initialize allocated memory before use\n\nKMSAN reports: Multiple uninitialized values detected:\n\n- KMSAN: uninit-value in ntfs_read_hdr (3)\n- KMSAN: uninit-value in bcmp (3)\n\nMemory is allocated by __getname(), which is a wrapper for\nkmem_cache_alloc(). This memory is used before being properly\ncleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to\nproperly allocate and clear memory before use."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:47.821Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdf38063fd15f2fc7361dc0b5d3c259741eab835"
},
{
"url": "https://git.kernel.org/stable/c/a58e29849aef8d26554a982989a2190b49aaf8ed"
},
{
"url": "https://git.kernel.org/stable/c/7d52c592cf53f5bb7163967edc01d2d7d80de44a"
},
{
"url": "https://git.kernel.org/stable/c/f7728057220cabd720e27e46097edad48e5bd728"
},
{
"url": "https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742"
},
{
"url": "https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398"
}
],
"title": "fs/ntfs3: Initialize allocated memory before use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68365",
"datePublished": "2025-12-24T10:32:52.728Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-05-11T21:51:47.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68725 (GCVE-0-2025-68725)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-06-11 17:53
VLAI?
EPSS
Title
bpf: Do not let BPF test infra emit invalid GSO types to stack
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Do not let BPF test infra emit invalid GSO types to stack
Yinhao et al. reported that their fuzzer tool was able to trigger a
skb_warn_bad_offload() from netif_skb_features() -> gso_features_check().
When a BPF program - triggered via BPF test infra - pushes the packet
to the loopback device via bpf_clone_redirect() then mentioned offload
warning can be seen. GSO-related features are then rightfully disabled.
We get into this situation due to convert___skb_to_skb() setting
gso_segs and gso_size but not gso_type. Technically, it makes sense
that this warning triggers since the GSO properties are malformed due
to the gso_type. Potentially, the gso_type could be marked non-trustworthy
through setting it at least to SKB_GSO_DODGY without any other specific
assumptions, but that also feels wrong given we should not go further
into the GSO engine in the first place.
The checks were added in 121d57af308d ("gso: validate gso_type in GSO
handlers") because there were malicious (syzbot) senders that combine
a protocol with a non-matching gso_type. If we would want to drop such
packets, gso_features_check() currently only returns feature flags via
netif_skb_features(), so one location for potentially dropping such skbs
could be validate_xmit_unreadable_skb(), but then otoh it would be
an additional check in the fast-path for a very corner case. Given
bpf_clone_redirect() is the only place where BPF test infra could emit
such packets, lets reject them right there.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
850a88cc4096fe1df407452ba2e4d28cf5b3eee9 , < bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f
(git)
Affected: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 , < e0ffb64a2d72c6705b4a4c9efef600409f7e98a0 (git) Affected: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 , < 768376ece7036ecb8604961793a1b72afe6345dd (git) Affected: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 , < 8670b53b8ee91f028f7240531064020b7413c461 (git) Affected: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 , < 0f3a60869ca22024dfb9c6fce412b0c70cb4ea36 (git) Affected: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 , < fbea4c63b5385588cb44ab21f91e55e33c719a54 (git) Affected: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 , < 04a899573fb87273a656f178b5f920c505f68875 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:17.204014Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T17:53:37.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "e0ffb64a2d72c6705b4a4c9efef600409f7e98a0",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "768376ece7036ecb8604961793a1b72afe6345dd",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "8670b53b8ee91f028f7240531064020b7413c461",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "0f3a60869ca22024dfb9c6fce412b0c70cb4ea36",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "fbea4c63b5385588cb44ab21f91e55e33c719a54",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "04a899573fb87273a656f178b5f920c505f68875",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do not let BPF test infra emit invalid GSO types to stack\n\nYinhao et al. reported that their fuzzer tool was able to trigger a\nskb_warn_bad_offload() from netif_skb_features() -\u003e gso_features_check().\nWhen a BPF program - triggered via BPF test infra - pushes the packet\nto the loopback device via bpf_clone_redirect() then mentioned offload\nwarning can be seen. GSO-related features are then rightfully disabled.\n\nWe get into this situation due to convert___skb_to_skb() setting\ngso_segs and gso_size but not gso_type. Technically, it makes sense\nthat this warning triggers since the GSO properties are malformed due\nto the gso_type. Potentially, the gso_type could be marked non-trustworthy\nthrough setting it at least to SKB_GSO_DODGY without any other specific\nassumptions, but that also feels wrong given we should not go further\ninto the GSO engine in the first place.\n\nThe checks were added in 121d57af308d (\"gso: validate gso_type in GSO\nhandlers\") because there were malicious (syzbot) senders that combine\na protocol with a non-matching gso_type. If we would want to drop such\npackets, gso_features_check() currently only returns feature flags via\nnetif_skb_features(), so one location for potentially dropping such skbs\ncould be validate_xmit_unreadable_skb(), but then otoh it would be\nan additional check in the fast-path for a very corner case. Given\nbpf_clone_redirect() is the only place where BPF test infra could emit\nsuch packets, lets reject them right there."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:08.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f"
},
{
"url": "https://git.kernel.org/stable/c/e0ffb64a2d72c6705b4a4c9efef600409f7e98a0"
},
{
"url": "https://git.kernel.org/stable/c/768376ece7036ecb8604961793a1b72afe6345dd"
},
{
"url": "https://git.kernel.org/stable/c/8670b53b8ee91f028f7240531064020b7413c461"
},
{
"url": "https://git.kernel.org/stable/c/0f3a60869ca22024dfb9c6fce412b0c70cb4ea36"
},
{
"url": "https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54"
},
{
"url": "https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875"
}
],
"title": "bpf: Do not let BPF test infra emit invalid GSO types to stack",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68725",
"datePublished": "2025-12-24T10:33:09.610Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-06-11T17:53:37.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23264 (GCVE-0-2026-23264)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
This reverts commit 7294863a6f01248d72b61d38478978d638641bee.
This commit was erroneously applied again after commit 0ab5d711ec74
("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device")
removed it, leading to very hard to debug crashes, when used with a system with two
AMD GPUs of which only one supports ASPM.
(cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0ab5d711ec74d9e60673900974806b7688857947 , < f02c9052aaa031ef3c2285d86a155d4263180ddd
(git)
Affected: 0ab5d711ec74d9e60673900974806b7688857947 , < d2bddc2da2b3ba5d738877c476bf97932dba32e8 (git) Affected: 0ab5d711ec74d9e60673900974806b7688857947 , < 5b794951541e84d2968980a68dd1ac38420f75f3 (git) Affected: 0ab5d711ec74d9e60673900974806b7688857947 , < 5f645222eb30c91135119e12eccfd1b8ea88140e (git) Affected: 0ab5d711ec74d9e60673900974806b7688857947 , < 243b467dea1735fed904c2e54d248a46fa417a2d (git) Affected: 0a9a60dcedaacde4b903337b7445cb431b4dd119 (git) Affected: 5.15.54 , < 5.16 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f02c9052aaa031ef3c2285d86a155d4263180ddd",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"lessThan": "d2bddc2da2b3ba5d738877c476bf97932dba32e8",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"lessThan": "5b794951541e84d2968980a68dd1ac38420f75f3",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"lessThan": "5f645222eb30c91135119e12eccfd1b8ea88140e",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"lessThan": "243b467dea1735fed904c2e54d248a46fa417a2d",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"status": "affected",
"version": "0a9a60dcedaacde4b903337b7445cb431b4dd119",
"versionType": "git"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.54",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd: Check if ASPM is enabled from PCIe subsystem\"\n\nThis reverts commit 7294863a6f01248d72b61d38478978d638641bee.\n\nThis commit was erroneously applied again after commit 0ab5d711ec74\n(\"drm/amd: Refactor `amdgpu_aspm` to be evaluated per device\")\nremoved it, leading to very hard to debug crashes, when used with a system with two\nAMD GPUs of which only one supports ASPM.\n\n(cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:24.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f02c9052aaa031ef3c2285d86a155d4263180ddd"
},
{
"url": "https://git.kernel.org/stable/c/d2bddc2da2b3ba5d738877c476bf97932dba32e8"
},
{
"url": "https://git.kernel.org/stable/c/5b794951541e84d2968980a68dd1ac38420f75f3"
},
{
"url": "https://git.kernel.org/stable/c/5f645222eb30c91135119e12eccfd1b8ea88140e"
},
{
"url": "https://git.kernel.org/stable/c/243b467dea1735fed904c2e54d248a46fa417a2d"
}
],
"title": "Revert \"drm/amd: Check if ASPM is enabled from PCIe subsystem\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23264",
"datePublished": "2026-03-18T17:41:10.208Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-05-23T16:04:24.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68335 (GCVE-0-2025-68335)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.
Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.
[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00aba6e7b5653a6607238ecdab7172318059d984 , < b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16
(git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 935ad4b3c325c24fff2c702da403283025ffc722 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 88d99ca5adbd01ff088f5fb2ddeba5755e085e52 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 5caa40e7c6a43e08e3574f990865127705c22861 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < d948c53dec36dafe182631457597c49c1f1df5ea (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 877adccfacb32687b90714a27cfb09f444fdfa16 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < a51f025b5038abd3d22eed2ede4cd46793d89565 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "935ad4b3c325c24fff2c702da403283025ffc722",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "88d99ca5adbd01ff088f5fb2ddeba5755e085e52",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "5caa40e7c6a43e08e3574f990865127705c22861",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "d948c53dec36dafe182631457597c49c1f1df5ea",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "877adccfacb32687b90714a27cfb09f444fdfa16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "a51f025b5038abd3d22eed2ede4cd46793d89565",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()\n\nSyzbot identified an issue [1] in pcl818_ai_cancel(), which stems from\nthe fact that in case of early device detach via pcl818_detach(),\nsubdevice dev-\u003eread_subdev may not have initialized its pointer to\n\u0026struct comedi_async as intended. Thus, any such dereferencing of\n\u0026s-\u003easync-\u003ecmd will lead to general protection fault and kernel crash.\n\nMitigate this problem by removing a call to pcl818_ai_cancel() from\npcl818_detach() altogether. This way, if the subdevice setups its\nsupport for async commands, everything async-related will be\nhandled via subdevice\u0027s own -\u003ecancel() function in\ncomedi_device_detach_locked() even before pcl818_detach(). If no\nsupport for asynchronous commands is provided, there is no need\nto cancel anything either.\n\n[1] Syzbot crash:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nRIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762\n...\nCall Trace:\n \u003cTASK\u003e\n pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115\n comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207\n do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]\n comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:12.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16"
},
{
"url": "https://git.kernel.org/stable/c/935ad4b3c325c24fff2c702da403283025ffc722"
},
{
"url": "https://git.kernel.org/stable/c/88d99ca5adbd01ff088f5fb2ddeba5755e085e52"
},
{
"url": "https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861"
},
{
"url": "https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea"
},
{
"url": "https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16"
},
{
"url": "https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565"
}
],
"title": "comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68335",
"datePublished": "2025-12-22T16:14:12.614Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-05-11T21:51:12.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71113 (GCVE-0-2025-71113)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Several crypto user API contexts and requests allocated with
sock_kmalloc() were left uninitialized, relying on callers to
set fields explicitly. This resulted in the use of uninitialized
data in certain error paths or when new fields are added in the
future.
The ACVP patches also contain two user-space interface files:
algif_kpp.c and algif_akcipher.c. These too rely on proper
initialization of their context structures.
A particular issue has been observed with the newly added
'inflight' variable introduced in af_alg_ctx by commit:
67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Because the context is not memset to zero after allocation,
the inflight variable has contained garbage values. As a result,
af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when
the garbage value was interpreted as true:
https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209
The check directly tests ctx->inflight without explicitly
comparing against true/false. Since inflight is only ever set to
true or false later, an uninitialized value has triggered
-EBUSY failures. Zero-initializing memory allocated with
sock_kmalloc() ensures inflight and other fields start in a known
state, removing random issues caused by uninitialized data.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe869cdb89c95d060c77eea20204d6c91f233b53 , < e125c8e346e4eb7b3e854c862fcb4392bc13ddba
(git)
Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 543bf004e4eafbb302b1e6c78570d425d2ca13a0 (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < f81244fd6b14fecfa93b66b6bb1d59f96554e550 (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 84238876e3b3b262cf62d5f4d1338e983fb27010 (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 5a4b65523608974a81edbe386f8a667a3e10c726 (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 51a5ab36084f3251ef87eda3e6a6236f6488925e (git) Affected: fe869cdb89c95d060c77eea20204d6c91f233b53 , < 6f6e309328d53a10c0fe1f77dec2db73373179b6 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:47.263259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:05.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_hash.c",
"crypto/algif_rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e125c8e346e4eb7b3e854c862fcb4392bc13ddba",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "543bf004e4eafbb302b1e6c78570d425d2ca13a0",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "f81244fd6b14fecfa93b66b6bb1d59f96554e550",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "84238876e3b3b262cf62d5f4d1338e983fb27010",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "5a4b65523608974a81edbe386f8a667a3e10c726",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "51a5ab36084f3251ef87eda3e6a6236f6488925e",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "6f6e309328d53a10c0fe1f77dec2db73373179b6",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_hash.c",
"crypto/algif_rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - zero initialize memory allocated via sock_kmalloc\n\nSeveral crypto user API contexts and requests allocated with\nsock_kmalloc() were left uninitialized, relying on callers to\nset fields explicitly. This resulted in the use of uninitialized\ndata in certain error paths or when new fields are added in the\nfuture.\n\nThe ACVP patches also contain two user-space interface files:\nalgif_kpp.c and algif_akcipher.c. These too rely on proper\ninitialization of their context structures.\n\nA particular issue has been observed with the newly added\n\u0027inflight\u0027 variable introduced in af_alg_ctx by commit:\n\n 67b164a871af (\"crypto: af_alg - Disallow multiple in-flight AIO requests\")\n\nBecause the context is not memset to zero after allocation,\nthe inflight variable has contained garbage values. As a result,\naf_alg_alloc_areq() has incorrectly returned -EBUSY randomly when\nthe garbage value was interpreted as true:\n\n https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209\n\nThe check directly tests ctx-\u003einflight without explicitly\ncomparing against true/false. Since inflight is only ever set to\ntrue or false later, an uninitialized value has triggered\n-EBUSY failures. Zero-initializing memory allocated with\nsock_kmalloc() ensures inflight and other fields start in a known\nstate, removing random issues caused by uninitialized data."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:06.916Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba"
},
{
"url": "https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0"
},
{
"url": "https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550"
},
{
"url": "https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010"
},
{
"url": "https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726"
},
{
"url": "https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e"
},
{
"url": "https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6"
}
],
"title": "crypto: af_alg - zero initialize memory allocated via sock_kmalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71113",
"datePublished": "2026-01-14T15:05:59.992Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-06-11T18:44:05.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23204 (GCVE-0-2026-23204)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-06-16 20:32
VLAI?
EPSS
Title
net/sched: cls_u32: use skb_header_pointer_careful()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 29681ed51e737be14d18ecd1c304c57002e4b72c
(git)
Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cfa745830e45ecb75c061aa34330ee0cac941cc7 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 13336a6239b9d7c6e61483017bb8bdfe3ceb10a5 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < e41a23e61259f5526af875c3b86b3d42a9bae0e5 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 8a672f177ebe19c93d795fbe967846084fbc7943 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cabd1a976375780dabab888784e356f574bbaed8 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:32:50.609345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:32:59.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29681ed51e737be14d18ecd1c304c57002e4b72c",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "cfa745830e45ecb75c061aa34330ee0cac941cc7",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "13336a6239b9d7c6e61483017bb8bdfe3ceb10a5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "e41a23e61259f5526af875c3b86b3d42a9bae0e5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "8a672f177ebe19c93d795fbe967846084fbc7943",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "cabd1a976375780dabab888784e356f574bbaed8",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:10:54.983Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29681ed51e737be14d18ecd1c304c57002e4b72c"
},
{
"url": "https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7"
},
{
"url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"
},
{
"url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"
},
{
"url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"
},
{
"url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"
}
],
"title": "net/sched: cls_u32: use skb_header_pointer_careful()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23204",
"datePublished": "2026-02-14T16:27:27.708Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-06-16T20:32:59.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68753 (GCVE-0-2025-68753)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.
Fix by adding a bounds check before put_user().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
634ec0b2906efd46f6f57977e172aa3470aca432 , < ea2c921d9de6e32ca50cb817b9d57bb881be70de
(git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6d4f17782ce4facf3197e79707df411ee3d7b30a (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < df692cf2b601a54b34edfdb9e683d67483aa8ce1 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 298e753880b6ea99ac30df34959a7a03b0878eed (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea2c921d9de6e32ca50cb817b9d57bb881be70de",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6d4f17782ce4facf3197e79707df411ee3d7b30a",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "df692cf2b601a54b34edfdb9e683d67483aa8ce1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "298e753880b6ea99ac30df34959a7a03b0878eed",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: add bounds check in put_user loop for DSP events\n\nIn the DSP event handling code, a put_user() loop copies event data.\nWhen the user buffer size is not aligned to 4 bytes, it could overwrite\nbeyond the buffer boundary.\n\nFix by adding a bounds check before put_user()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:41.055Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea2c921d9de6e32ca50cb817b9d57bb881be70de"
},
{
"url": "https://git.kernel.org/stable/c/6d4f17782ce4facf3197e79707df411ee3d7b30a"
},
{
"url": "https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f"
},
{
"url": "https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1"
},
{
"url": "https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187"
},
{
"url": "https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed"
}
],
"title": "ALSA: firewire-motu: add bounds check in put_user loop for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68753",
"datePublished": "2026-01-05T09:32:27.029Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-05-11T21:52:41.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58097 (GCVE-0-2024-58097)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2026-05-11 21:03
VLAI?
EPSS
Title
wifi: ath11k: fix RCU stall while reaping monitor destination ring
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix RCU stall while reaping monitor destination ring
While processing the monitor destination ring, MSDUs are reaped from the
link descriptor based on the corresponding buf_id.
However, sometimes the driver cannot obtain a valid buffer corresponding
to the buf_id received from the hardware. This causes an infinite loop
in the destination processing, resulting in a kernel crash.
kernel log:
ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309
ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed
ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309
ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed
Fix this by skipping the problematic buf_id and reaping the next entry,
replacing the break with the next MSDU processing.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Severity ?
5.5 (Medium)
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d5c65159f2895379e11ca13f62feabe93278985d , < 8db5de0cf02fccf4c759aa58edbe65659daf607c
(git)
Affected: d5c65159f2895379e11ca13f62feabe93278985d , < 9f1a002f0171d27f3554e529f3c70df438f05dfe (git) Affected: d5c65159f2895379e11ca13f62feabe93278985d , < b4991fc41745645f8050506f5a8578bd11e6b378 (git) Affected: d5c65159f2895379e11ca13f62feabe93278985d , < 16c6c35c03ea73054a1f6d3302a4ce4a331b427d (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:05:53.896243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:05:56.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8db5de0cf02fccf4c759aa58edbe65659daf607c",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "9f1a002f0171d27f3554e529f3c70df438f05dfe",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "b4991fc41745645f8050506f5a8578bd11e6b378",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "16c6c35c03ea73054a1f6d3302a4ce4a331b427d",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix RCU stall while reaping monitor destination ring\n\nWhile processing the monitor destination ring, MSDUs are reaped from the\nlink descriptor based on the corresponding buf_id.\n\nHowever, sometimes the driver cannot obtain a valid buffer corresponding\nto the buf_id received from the hardware. This causes an infinite loop\nin the destination processing, resulting in a kernel crash.\n\nkernel log:\nath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309\nath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed\nath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309\nath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed\n\nFix this by skipping the problematic buf_id and reaping the next entry,\nreplacing the break with the next MSDU processing.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:03:14.584Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8db5de0cf02fccf4c759aa58edbe65659daf607c"
},
{
"url": "https://git.kernel.org/stable/c/9f1a002f0171d27f3554e529f3c70df438f05dfe"
},
{
"url": "https://git.kernel.org/stable/c/b4991fc41745645f8050506f5a8578bd11e6b378"
},
{
"url": "https://git.kernel.org/stable/c/16c6c35c03ea73054a1f6d3302a4ce4a331b427d"
}
],
"title": "wifi: ath11k: fix RCU stall while reaping monitor destination ring",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58097",
"datePublished": "2025-04-16T14:11:45.330Z",
"dateReserved": "2025-03-06T15:52:09.189Z",
"dateUpdated": "2026-05-11T21:03:14.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68820 (GCVE-0-2025-68820)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-16 16:55
VLAI?
EPSS
Title
ext4: xattr: fix null pointer deref in ext4_raw_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: xattr: fix null pointer deref in ext4_raw_inode()
If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),
iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()
lacks error checking, this will lead to a null pointer dereference
in ext4_raw_inode(), called right after ext4_get_inode_loc().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 , < b72a3476f0c97d02f63a6e9fff127348d55436f6
(git)
Affected: f737418b6de31c962c7192777ee4018906975383 , < 3d8d22e75f7edfa0b30ff27330fd6a1285d594c3 (git) Affected: cf9291a3449b04688b81e32621e88de8f4314b54 , < 190ad0f22ba49f1101182b80e3af50ca2ddfe72f (git) Affected: 362a90cecd36e8a5c415966d0b75b04a0270e4dd , < b5d942922182e82724b7152cb998f540132885ec (git) Affected: eb59cc31b6ea076021d14b04e7faab1636b87d0e , < 5b154e901fda2e98570b8f426a481f5740097dc2 (git) Affected: c8e008b60492cf6fd31ef127aea6d02fd3d314cd , < ce5f54c065a4a7cbb92787f4f140917112350142 (git) Affected: c8e008b60492cf6fd31ef127aea6d02fd3d314cd , < b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 (git) Affected: 6aff941cb0f7d0c897c3698ad2e30672709135e3 (git) Affected: 3bc6317033f365ce578eb6039445fb66162722fd (git) Affected: 836e625b03a666cf93ff5be328c8cb30336db872 (git) Affected: 5.10.237 , < 5.10.248 (semver) Affected: 5.15.181 , < 5.15.198 (semver) Affected: 6.1.135 , < 6.1.160 (semver) Affected: 6.6.88 , < 6.6.120 (semver) Affected: 6.12.24 , < 6.12.64 (semver) Affected: 5.4.293 , < 5.5 (semver) Affected: 6.13.12 , < 6.14 (semver) Affected: 6.14.3 , < 6.15 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68820",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:55:32.991979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:55:53.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b72a3476f0c97d02f63a6e9fff127348d55436f6",
"status": "affected",
"version": "76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3",
"versionType": "git"
},
{
"lessThan": "3d8d22e75f7edfa0b30ff27330fd6a1285d594c3",
"status": "affected",
"version": "f737418b6de31c962c7192777ee4018906975383",
"versionType": "git"
},
{
"lessThan": "190ad0f22ba49f1101182b80e3af50ca2ddfe72f",
"status": "affected",
"version": "cf9291a3449b04688b81e32621e88de8f4314b54",
"versionType": "git"
},
{
"lessThan": "b5d942922182e82724b7152cb998f540132885ec",
"status": "affected",
"version": "362a90cecd36e8a5c415966d0b75b04a0270e4dd",
"versionType": "git"
},
{
"lessThan": "5b154e901fda2e98570b8f426a481f5740097dc2",
"status": "affected",
"version": "eb59cc31b6ea076021d14b04e7faab1636b87d0e",
"versionType": "git"
},
{
"lessThan": "ce5f54c065a4a7cbb92787f4f140917112350142",
"status": "affected",
"version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
"versionType": "git"
},
{
"lessThan": "b97cb7d6a051aa6ebd57906df0e26e9e36c26d14",
"status": "affected",
"version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
"versionType": "git"
},
{
"status": "affected",
"version": "6aff941cb0f7d0c897c3698ad2e30672709135e3",
"versionType": "git"
},
{
"status": "affected",
"version": "3bc6317033f365ce578eb6039445fb66162722fd",
"versionType": "git"
},
{
"status": "affected",
"version": "836e625b03a666cf93ff5be328c8cb30336db872",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThan": "6.15",
"status": "affected",
"version": "6.14.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: xattr: fix null pointer deref in ext4_raw_inode()\n\nIf ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),\niloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()\nlacks error checking, this will lead to a null pointer dereference\nin ext4_raw_inode(), called right after ext4_get_inode_loc().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:59.512Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6"
},
{
"url": "https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3"
},
{
"url": "https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f"
},
{
"url": "https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec"
},
{
"url": "https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2"
},
{
"url": "https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142"
},
{
"url": "https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14"
}
],
"title": "ext4: xattr: fix null pointer deref in ext4_raw_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68820",
"datePublished": "2026-01-13T15:29:23.351Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-06-16T16:55:53.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68732 (GCVE-0-2025-68732)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
gpu: host1x: Fix race in syncpt alloc/free
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpu: host1x: Fix race in syncpt alloc/free
Fix race condition between host1x_syncpt_alloc()
and host1x_syncpt_put() by using kref_put_mutex()
instead of kref_put() + manual mutex locking.
This ensures no thread can acquire the
syncpt_mutex after the refcount drops to zero
but before syncpt_release acquires it.
This prevents races where syncpoints could
be allocated while still being cleaned up
from a previous release.
Remove explicit mutex locking in syncpt_release
as kref_put_mutex() handles this atomically.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f5ba33fb9690566c382624637125827b5512e766 , < ca9388fba50dac2eb71c13702b7022a801bef90e
(git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4aeaece518fa4436af93d1d8b786200d9656ff4b (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 6245cce711e2cdb2cc75c0bb8632952e36f8c972 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4e6e07ce0197aecfb6c4a62862acc93b3efedeb7 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < d138f73ffb0c57ded473c577719e6e551b7b1f27 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 79197c6007f2afbfd7bcf5b9b80ccabf8483d774 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < c7d393267c497502fa737607f435f05dfe6e3d9b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca9388fba50dac2eb71c13702b7022a801bef90e",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4aeaece518fa4436af93d1d8b786200d9656ff4b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "6245cce711e2cdb2cc75c0bb8632952e36f8c972",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4e6e07ce0197aecfb6c4a62862acc93b3efedeb7",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "d138f73ffb0c57ded473c577719e6e551b7b1f27",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "79197c6007f2afbfd7bcf5b9b80ccabf8483d774",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "c7d393267c497502fa737607f435f05dfe6e3d9b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix race in syncpt alloc/free\n\nFix race condition between host1x_syncpt_alloc()\nand host1x_syncpt_put() by using kref_put_mutex()\ninstead of kref_put() + manual mutex locking.\n\nThis ensures no thread can acquire the\nsyncpt_mutex after the refcount drops to zero\nbut before syncpt_release acquires it.\nThis prevents races where syncpoints could\nbe allocated while still being cleaned up\nfrom a previous release.\n\nRemove explicit mutex locking in syncpt_release\nas kref_put_mutex() handles this atomically."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:16.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca9388fba50dac2eb71c13702b7022a801bef90e"
},
{
"url": "https://git.kernel.org/stable/c/4aeaece518fa4436af93d1d8b786200d9656ff4b"
},
{
"url": "https://git.kernel.org/stable/c/6245cce711e2cdb2cc75c0bb8632952e36f8c972"
},
{
"url": "https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7"
},
{
"url": "https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27"
},
{
"url": "https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774"
},
{
"url": "https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b"
}
],
"title": "gpu: host1x: Fix race in syncpt alloc/free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68732",
"datePublished": "2025-12-24T10:33:14.664Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-05-11T21:52:16.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23021 (GCVE-0-2026-23021)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
net: usb: pegasus: fix memory leak in update_eth_regs_async()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: fix memory leak in update_eth_regs_async()
When asynchronously writing to the device registers and if usb_submit_urb()
fail, the code fail to release allocated to this point resources.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
323b34963d113efb566635f43858f40cce01d5f9 , < 5397ea6d21c35a17707e201a60761bdee00bcc4e
(git)
Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < a40af9a2904a1ab8ce61866ebe2a894ef30754ba (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < ac5d92d2826dec51e5d4c6854865bc5817277452 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < 93f18eaa190374e0f2d253e3b1a65cee19a7abe6 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < 471dfb97599eec74e0476046b3ef8e7037f27b34 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < ce6eef731aba23a988decea1df3b08cf978f7b01 (git) Affected: 323b34963d113efb566635f43858f40cce01d5f9 , < afa27621a28af317523e0836dad430bec551eb54 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:03.342469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:08.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5397ea6d21c35a17707e201a60761bdee00bcc4e",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "a40af9a2904a1ab8ce61866ebe2a894ef30754ba",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "ac5d92d2826dec51e5d4c6854865bc5817277452",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "93f18eaa190374e0f2d253e3b1a65cee19a7abe6",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "471dfb97599eec74e0476046b3ef8e7037f27b34",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "ce6eef731aba23a988decea1df3b08cf978f7b01",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "afa27621a28af317523e0836dad430bec551eb54",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: fix memory leak in update_eth_regs_async()\n\nWhen asynchronously writing to the device registers and if usb_submit_urb()\nfail, the code fail to release allocated to this point resources."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:28.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5397ea6d21c35a17707e201a60761bdee00bcc4e"
},
{
"url": "https://git.kernel.org/stable/c/a40af9a2904a1ab8ce61866ebe2a894ef30754ba"
},
{
"url": "https://git.kernel.org/stable/c/ac5d92d2826dec51e5d4c6854865bc5817277452"
},
{
"url": "https://git.kernel.org/stable/c/93f18eaa190374e0f2d253e3b1a65cee19a7abe6"
},
{
"url": "https://git.kernel.org/stable/c/471dfb97599eec74e0476046b3ef8e7037f27b34"
},
{
"url": "https://git.kernel.org/stable/c/ce6eef731aba23a988decea1df3b08cf978f7b01"
},
{
"url": "https://git.kernel.org/stable/c/afa27621a28af317523e0836dad430bec551eb54"
}
],
"title": "net: usb: pegasus: fix memory leak in update_eth_regs_async()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23021",
"datePublished": "2026-01-31T11:39:05.152Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-06-11T18:44:08.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68798 (GCVE-0-2025-68798)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
perf/x86/amd: Check event before enable to avoid GPF
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/amd: Check event before enable to avoid GPF
On AMD machines cpuc->events[idx] can become NULL in a subtle race
condition with NMI->throttle->x86_pmu_stop().
Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.
This appears to be an AMD only issue.
Syzkaller reported a GPF in amd_pmu_enable_all.
INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143
msecs
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]
CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk
RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195
arch/x86/events/core.c:1430)
RSP: 0018:ffff888118009d60 EFLAGS: 00010012
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601
FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0
Call Trace:
<IRQ>
amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))
x86_pmu_enable (arch/x86/events/core.c:1360)
event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186
kernel/events/core.c:2346)
__perf_remove_from_context (kernel/events/core.c:2435)
event_function (kernel/events/core.c:259)
remote_function (kernel/events/core.c:92 (discriminator 1)
kernel/events/core.c:72 (discriminator 1))
__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64
kernel/smp.c:135 kernel/smp.c:540)
__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207
./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)
sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)
arch/x86/kernel/smp.c:266 (discriminator 47))
</IRQ>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ada543459cab7f653dcacdaba4011a8bb19c627c , < 49324a0c40f7e9bae1bd0362d23fc42232e14621
(git)
Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < 6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f (git) Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < e1028fb38b328084bc683a4efb001c95d3108573 (git) Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < 43c2e5c2acaae50e99d1c20a5a46e367c442fb3b (git) Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < 866cf36bfee4fba6a492d2dcc5133f857e3446b0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49324a0c40f7e9bae1bd0362d23fc42232e14621",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "e1028fb38b328084bc683a4efb001c95d3108573",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "43c2e5c2acaae50e99d1c20a5a46e367c442fb3b",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "866cf36bfee4fba6a492d2dcc5133f857e3446b0",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: Check event before enable to avoid GPF\n\nOn AMD machines cpuc-\u003eevents[idx] can become NULL in a subtle race\ncondition with NMI-\u003ethrottle-\u003ex86_pmu_stop().\n\nCheck event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.\nThis appears to be an AMD only issue.\n\nSyzkaller reported a GPF in amd_pmu_enable_all.\n\nINFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143\n msecs\nOops: general protection fault, probably for non-canonical address\n 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]\nCPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk\nRIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195\n arch/x86/events/core.c:1430)\nRSP: 0018:ffff888118009d60 EFLAGS: 00010012\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002\nR13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601\nFS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0\nCall Trace:\n \u003cIRQ\u003e\namd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))\nx86_pmu_enable (arch/x86/events/core.c:1360)\nevent_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186\n kernel/events/core.c:2346)\n__perf_remove_from_context (kernel/events/core.c:2435)\nevent_function (kernel/events/core.c:259)\nremote_function (kernel/events/core.c:92 (discriminator 1)\n kernel/events/core.c:72 (discriminator 1))\n__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27\n ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64\n kernel/smp.c:135 kernel/smp.c:540)\n__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27\n ./include/linux/jump_label.h:207\n ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)\nsysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)\n arch/x86/kernel/smp.c:266 (discriminator 47))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:32.717Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49324a0c40f7e9bae1bd0362d23fc42232e14621"
},
{
"url": "https://git.kernel.org/stable/c/6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f"
},
{
"url": "https://git.kernel.org/stable/c/e1028fb38b328084bc683a4efb001c95d3108573"
},
{
"url": "https://git.kernel.org/stable/c/43c2e5c2acaae50e99d1c20a5a46e367c442fb3b"
},
{
"url": "https://git.kernel.org/stable/c/866cf36bfee4fba6a492d2dcc5133f857e3446b0"
}
],
"title": "perf/x86/amd: Check event before enable to avoid GPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68798",
"datePublished": "2026-01-13T15:29:08.329Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-05-11T21:53:32.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71091 (GCVE-0-2025-71091)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
team: fix check for port enabled in team_queue_override_port_prio_changed()
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: fix check for port enabled in team_queue_override_port_prio_changed()
There has been a syzkaller bug reported recently with the following
trace:
list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:59!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_rcu include/linux/rculist.h:178 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
team_option_set drivers/net/team/team_core.c:376 [inline]
team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmsg+0x16d/0x220 net/socket.c:2716
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The problem is in this flow:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
-> team_port_disable()
-> team_queue_override_port_del()
-> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
-> team_queue_override_port_prio_changed()
-> checks: port disabled && queue_id != 0
-> calls del - hits the BUG as it is removed already
To fix this, change the check in team_queue_override_port_prio_changed()
so it returns early if port is not enabled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 25029e813c4aae5fcf7118e8dd5c56e382b9a1a3
(git)
Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < f820e438b8ec2a8354e70e75145f05fe45500d97 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 53a727a8bfd78c739e130a781192d0f6f8e03d39 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 6bfb62b6010a16112dcae52f490e5e0e6abe12a3 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 107d245f84cb4f55f597d31eda34b42a2b7d6952 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < b71187648ef2349254673d0523fdf96d1fe3d758 (git) Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 932ac51d9953eaf77a1252f79b656d4ca86163c6 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:55.382453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:06.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25029e813c4aae5fcf7118e8dd5c56e382b9a1a3",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "f820e438b8ec2a8354e70e75145f05fe45500d97",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "53a727a8bfd78c739e130a781192d0f6f8e03d39",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "6bfb62b6010a16112dcae52f490e5e0e6abe12a3",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "107d245f84cb4f55f597d31eda34b42a2b7d6952",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "b71187648ef2349254673d0523fdf96d1fe3d758",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "932ac51d9953eaf77a1252f79b656d4ca86163c6",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix check for port enabled in team_queue_override_port_prio_changed()\n\nThere has been a syzkaller bug reported recently with the following\ntrace:\n\nlist_del corruption, ffff888058bea080-\u003eprev is LIST_POISON2 (dead000000000122)\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:59!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59\nCode: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 \u003c0f\u003e 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d49f370 EFLAGS: 00010286\nRAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000\nRDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005\nRBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230\nR13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480\nFS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n __list_del_entry_valid include/linux/list.h:132 [inline]\n __list_del_entry include/linux/list.h:223 [inline]\n list_del_rcu include/linux/rculist.h:178 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]\n team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]\n team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534\n team_option_set drivers/net/team/team_core.c:376 [inline]\n team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653\n genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684\n __sys_sendmsg+0x16d/0x220 net/socket.c:2716\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe problem is in this flow:\n1) Port is enabled, queue_id != 0, in qom_list\n2) Port gets disabled\n -\u003e team_port_disable()\n -\u003e team_queue_override_port_del()\n -\u003e del (removed from list)\n3) Port is disabled, queue_id != 0, not in any list\n4) Priority changes\n -\u003e team_queue_override_port_prio_changed()\n -\u003e checks: port disabled \u0026\u0026 queue_id != 0\n -\u003e calls del - hits the BUG as it is removed already\n\nTo fix this, change the check in team_queue_override_port_prio_changed()\nso it returns early if port is not enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:34.264Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3"
},
{
"url": "https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97"
},
{
"url": "https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39"
},
{
"url": "https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3"
},
{
"url": "https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952"
},
{
"url": "https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758"
},
{
"url": "https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6"
}
],
"title": "team: fix check for port enabled in team_queue_override_port_prio_changed()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71091",
"datePublished": "2026-01-13T15:34:52.431Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-06-11T18:44:06.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68258 (GCVE-0-2025-68258)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-05-11 21:49
VLAI?
EPSS
Title
comedi: multiq3: sanitize config options in multiq3_attach()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: multiq3: sanitize config options in multiq3_attach()
Syzbot identified an issue [1] in multiq3_attach() that induces a
task timeout due to open() or COMEDI_DEVCONFIG ioctl operations,
specifically, in the case of multiq3 driver.
This problem arose when syzkaller managed to craft weird configuration
options used to specify the number of channels in encoder subdevice.
If a particularly great number is passed to s->n_chan in
multiq3_attach() via it->options[2], then multiple calls to
multiq3_encoder_reset() at the end of driver-specific attach() method
will be running for minutes, thus blocking tasks and affected devices
as well.
While this issue is most likely not too dangerous for real-life
devices, it still makes sense to sanitize configuration inputs. Enable
a sensible limit on the number of encoder chips (4 chips max, each
with 2 channels) to stop this behaviour from manifesting.
[1] Syzbot crash:
INFO: task syz.2.19:6067 blocked for more than 143 seconds.
...
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5254 [inline]
__schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
__schedule_loop kernel/sched/core.c:6944 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6959
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760
comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x953/0x13f0 fs/open.c:965
vfs_open+0x3b/0x340 fs/open.c:1097
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
77e01cdbad5175f56027fd6fae00bd0fc175651a , < f9ff87aac7b37d462246c46d28912d382a8e2ea6
(git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 4cde9a7e025cc09b88097c70606f6b30c22880f4 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < ad7ed3c9c7b8408e8612697bc43a5441fe386c71 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 049f14557450351750f929ebfff36d849511e132 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 8952bc1973cd54158c35e06bfb8c29ace7375a48 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 543f4c380c2e1f35e60528df7cb54705cda7fee3 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < f24c6e3a39fa355dabfb684c9ca82db579534e72 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/multiq3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9ff87aac7b37d462246c46d28912d382a8e2ea6",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "4cde9a7e025cc09b88097c70606f6b30c22880f4",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "ad7ed3c9c7b8408e8612697bc43a5441fe386c71",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "049f14557450351750f929ebfff36d849511e132",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "8952bc1973cd54158c35e06bfb8c29ace7375a48",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "543f4c380c2e1f35e60528df7cb54705cda7fee3",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "f24c6e3a39fa355dabfb684c9ca82db579534e72",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/multiq3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: multiq3: sanitize config options in multiq3_attach()\n\nSyzbot identified an issue [1] in multiq3_attach() that induces a\ntask timeout due to open() or COMEDI_DEVCONFIG ioctl operations,\nspecifically, in the case of multiq3 driver.\n\nThis problem arose when syzkaller managed to craft weird configuration\noptions used to specify the number of channels in encoder subdevice.\nIf a particularly great number is passed to s-\u003en_chan in\nmultiq3_attach() via it-\u003eoptions[2], then multiple calls to\nmultiq3_encoder_reset() at the end of driver-specific attach() method\nwill be running for minutes, thus blocking tasks and affected devices\nas well.\n\nWhile this issue is most likely not too dangerous for real-life\ndevices, it still makes sense to sanitize configuration inputs. Enable\na sensible limit on the number of encoder chips (4 chips max, each\nwith 2 channels) to stop this behaviour from manifesting.\n\n[1] Syzbot crash:\nINFO: task syz.2.19:6067 blocked for more than 143 seconds.\n...\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5254 [inline]\n __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862\n __schedule_loop kernel/sched/core.c:6944 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:6959\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016\n __mutex_lock_common kernel/locking/mutex.c:676 [inline]\n __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760\n comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868\n chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414\n do_dentry_open+0x953/0x13f0 fs/open.c:965\n vfs_open+0x3b/0x340 fs/open.c:1097\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:53.691Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9ff87aac7b37d462246c46d28912d382a8e2ea6"
},
{
"url": "https://git.kernel.org/stable/c/4cde9a7e025cc09b88097c70606f6b30c22880f4"
},
{
"url": "https://git.kernel.org/stable/c/ad7ed3c9c7b8408e8612697bc43a5441fe386c71"
},
{
"url": "https://git.kernel.org/stable/c/049f14557450351750f929ebfff36d849511e132"
},
{
"url": "https://git.kernel.org/stable/c/8952bc1973cd54158c35e06bfb8c29ace7375a48"
},
{
"url": "https://git.kernel.org/stable/c/8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3"
},
{
"url": "https://git.kernel.org/stable/c/543f4c380c2e1f35e60528df7cb54705cda7fee3"
},
{
"url": "https://git.kernel.org/stable/c/f24c6e3a39fa355dabfb684c9ca82db579534e72"
}
],
"title": "comedi: multiq3: sanitize config options in multiq3_attach()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68258",
"datePublished": "2025-12-16T14:45:00.920Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-05-11T21:49:53.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68380 (GCVE-0-2025-68380)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
wifi: ath11k: fix peer HE MCS assignment
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to
firmware as receive MCS while peer's receive MCS sent as transmit MCS,
which goes against firmwire's definition.
While connecting to a misbehaved AP that advertises 0xffff (meaning not
supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff
is assigned to he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities
[...]
Supported HE-MCS and NSS Set
[...]
Rx and Tx MCS Maps 160 MHz
[...]
Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it
needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping
done, change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
61fe43e7216df6e9a912d831aafc7142fa20f280 , < 92791290e4f6a1de25d35af792ab8918a70737f6
(git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4304bd7a334e981f189b9973056a58f84cc2b482 (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 097c870b91817779e5a312c6539099a884b1fe2b (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 381096a417b7019896e93e86f4c585c592bf98e2 (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 6b1a0da75932353f66e710976ca85a7131f647ff (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4a013ca2d490c73c40588d62712ffaa432046a04 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92791290e4f6a1de25d35af792ab8918a70737f6",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4304bd7a334e981f189b9973056a58f84cc2b482",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "097c870b91817779e5a312c6539099a884b1fe2b",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "381096a417b7019896e93e86f4c585c592bf98e2",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "6b1a0da75932353f66e710976ca85a7131f647ff",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4a013ca2d490c73c40588d62712ffaa432046a04",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix peer HE MCS assignment\n\nIn ath11k_wmi_send_peer_assoc_cmd(), peer\u0027s transmit MCS is sent to\nfirmware as receive MCS while peer\u0027s receive MCS sent as transmit MCS,\nwhich goes against firmwire\u0027s definition.\n\nWhile connecting to a misbehaved AP that advertises 0xffff (meaning not\nsupported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff\nis assigned to he_mcs-\u003erx_mcs_set field.\n\n\tExt Tag: HE Capabilities\n\t [...]\n\t Supported HE-MCS and NSS Set\n\t\t[...]\n\t Rx and Tx MCS Maps 160 MHz\n\t\t [...]\n\t Tx HE-MCS Map 160 MHz: 0xffff\n\nSwap the assignment to fix this issue.\n\nAs the HE rate control mask is meant to limit our own transmit MCS, it\nneeds to go via he_mcs-\u003erx_mcs_set field. With the aforementioned swapping\ndone, change is needed as well to apply it to the peer\u0027s receive MCS.\n\nTested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:05.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92791290e4f6a1de25d35af792ab8918a70737f6"
},
{
"url": "https://git.kernel.org/stable/c/4304bd7a334e981f189b9973056a58f84cc2b482"
},
{
"url": "https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b"
},
{
"url": "https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2"
},
{
"url": "https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff"
},
{
"url": "https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04"
}
],
"title": "wifi: ath11k: fix peer HE MCS assignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68380",
"datePublished": "2025-12-24T10:33:08.266Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-05-11T21:52:05.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68259 (GCVE-0-2025-68259)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-05-11 21:49
VLAI?
EPSS
Title
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn
instruction, discard the exception and retry the instruction if the code
stream is changed (e.g. by a different vCPU) between when the CPU
executes the instruction and when KVM decodes the instruction to get the
next RIP.
As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject
INT3/INTO instead of retrying the instruction"), failure to verify that
the correct INTn instruction was decoded can effectively clobber guest
state due to decoding the wrong instruction and thus specifying the
wrong next RIP.
The bug most often manifests as "Oops: int3" panics on static branch
checks in Linux guests. Enabling or disabling a static branch in Linux
uses the kernel's "text poke" code patching mechanism. To modify code
while other CPUs may be executing that code, Linux (temporarily)
replaces the first byte of the original instruction with an int3 (opcode
0xcc), then patches in the new code stream except for the first byte,
and finally replaces the int3 with the first byte of the new code
stream. If a CPU hits the int3, i.e. executes the code while it's being
modified, then the guest kernel must look up the RIP to determine how to
handle the #BP, e.g. by emulating the new instruction. If the RIP is
incorrect, then this lookup fails and the guest kernel panics.
The bug reproduces almost instantly by hacking the guest kernel to
repeatedly check a static branch[1] while running a drgn script[2] on
the host to constantly swap out the memory containing the guest's TSS.
[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a
[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 2e84a018c2895c05abe213eb10db128aa45f6ec6
(git)
Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 152289a51107ef45bbfe9b4aeeaa584a503042b5 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 87cc1622c88a4888959d64fa1fc9ba1e264aa3d4 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 54bcccc2c7805a00af1d7d2faffd6f424c0133aa (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 53903ac9ca1abffa27327e85075ec496fa55ccf3 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 4da3768e1820cf15cced390242d8789aed34f54d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e84a018c2895c05abe213eb10db128aa45f6ec6",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "152289a51107ef45bbfe9b4aeeaa584a503042b5",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "87cc1622c88a4888959d64fa1fc9ba1e264aa3d4",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "54bcccc2c7805a00af1d7d2faffd6f424c0133aa",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "53903ac9ca1abffa27327e85075ec496fa55ccf3",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "4da3768e1820cf15cced390242d8789aed34f54d",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced\n\nWhen re-injecting a soft interrupt from an INT3, INT0, or (select) INTn\ninstruction, discard the exception and retry the instruction if the code\nstream is changed (e.g. by a different vCPU) between when the CPU\nexecutes the instruction and when KVM decodes the instruction to get the\nnext RIP.\n\nAs effectively predicted by commit 6ef88d6e36c2 (\"KVM: SVM: Re-inject\nINT3/INTO instead of retrying the instruction\"), failure to verify that\nthe correct INTn instruction was decoded can effectively clobber guest\nstate due to decoding the wrong instruction and thus specifying the\nwrong next RIP.\n\nThe bug most often manifests as \"Oops: int3\" panics on static branch\nchecks in Linux guests. Enabling or disabling a static branch in Linux\nuses the kernel\u0027s \"text poke\" code patching mechanism. To modify code\nwhile other CPUs may be executing that code, Linux (temporarily)\nreplaces the first byte of the original instruction with an int3 (opcode\n0xcc), then patches in the new code stream except for the first byte,\nand finally replaces the int3 with the first byte of the new code\nstream. If a CPU hits the int3, i.e. executes the code while it\u0027s being\nmodified, then the guest kernel must look up the RIP to determine how to\nhandle the #BP, e.g. by emulating the new instruction. If the RIP is\nincorrect, then this lookup fails and the guest kernel panics.\n\nThe bug reproduces almost instantly by hacking the guest kernel to\nrepeatedly check a static branch[1] while running a drgn script[2] on\nthe host to constantly swap out the memory containing the guest\u0027s TSS.\n\n[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a\n[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:54.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e84a018c2895c05abe213eb10db128aa45f6ec6"
},
{
"url": "https://git.kernel.org/stable/c/152289a51107ef45bbfe9b4aeeaa584a503042b5"
},
{
"url": "https://git.kernel.org/stable/c/87cc1622c88a4888959d64fa1fc9ba1e264aa3d4"
},
{
"url": "https://git.kernel.org/stable/c/54bcccc2c7805a00af1d7d2faffd6f424c0133aa"
},
{
"url": "https://git.kernel.org/stable/c/53903ac9ca1abffa27327e85075ec496fa55ccf3"
},
{
"url": "https://git.kernel.org/stable/c/4da3768e1820cf15cced390242d8789aed34f54d"
}
],
"title": "KVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68259",
"datePublished": "2025-12-16T14:45:01.753Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-05-11T21:49:54.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68772 (GCVE-0-2025-68772)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
f2fs: fix to avoid updating compression context during writeback
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid updating compression context during writeback
Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857
Call Trace:
<TASK>
f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]
__f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]
f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317
do_writepages+0x38e/0x640 mm/page-writeback.c:2634
filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
__filemap_fdatawrite_range mm/filemap.c:419 [inline]
file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794
f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294
generic_write_sync include/linux/fs.h:3043 [inline]
f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x7e9/0xe00 fs/read_write.c:686
ksys_write+0x19d/0x2d0 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The bug was triggered w/ below race condition:
fsync setattr ioctl
- f2fs_do_sync_file
- file_write_and_wait_range
- f2fs_write_cache_pages
: inode is non-compressed
: cc.cluster_size =
F2FS_I(inode)->i_cluster_size = 0
- tag_pages_for_writeback
- f2fs_setattr
- truncate_setsize
- f2fs_truncate
- f2fs_fileattr_set
- f2fs_setflags_common
- set_compress_context
: F2FS_I(inode)->i_cluster_size = 4
: set_inode_flag(inode, FI_COMPRESSED_FILE)
- f2fs_compressed_file
: return true
- f2fs_all_cluster_page_ready
: "pgidx % cc->cluster_size" trigger dividing 0 issue
Let's change as below to fix this issue:
- introduce a new atomic type variable .writeback in structure f2fs_inode_info
to track the number of threads which calling f2fs_write_cache_pages().
- use .i_sem lock to protect .writeback update.
- check .writeback before update compression context in f2fs_setflags_common()
to avoid race w/ ->writepages.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < ad26bfbc085c939b5dca77ff8c14798c06d151c4
(git)
Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0 (git) Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < 0bf1a02494c7eb5bd43445de4c83c8592e02c4bf (git) Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < 0df713a9c082a474c8b0bcf670edc8e98461d5a0 (git) Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad26bfbc085c939b5dca77ff8c14798c06d151c4",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "0bf1a02494c7eb5bd43445de4c83c8592e02c4bf",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "0df713a9c082a474c8b0bcf670edc8e98461d5a0",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating compression context during writeback\n\nBai, Shuangpeng \u003csjb7183@psu.edu\u003e reported a bug as below:\n\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857\nCall Trace:\n \u003cTASK\u003e\n f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]\n f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317\n do_writepages+0x38e/0x640 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc mm/filemap.c:386 [inline]\n __filemap_fdatawrite_range mm/filemap.c:419 [inline]\n file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794\n f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294\n generic_write_sync include/linux/fs.h:3043 [inline]\n f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x7e9/0xe00 fs/read_write.c:686\n ksys_write+0x19d/0x2d0 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe bug was triggered w/ below race condition:\n\nfsync\t\t\t\tsetattr\t\t\tioctl\n- f2fs_do_sync_file\n - file_write_and_wait_range\n - f2fs_write_cache_pages\n : inode is non-compressed\n : cc.cluster_size =\n F2FS_I(inode)-\u003ei_cluster_size = 0\n - tag_pages_for_writeback\n\t\t\t\t- f2fs_setattr\n\t\t\t\t - truncate_setsize\n\t\t\t\t - f2fs_truncate\n\t\t\t\t\t\t\t- f2fs_fileattr_set\n\t\t\t\t\t\t\t - f2fs_setflags_common\n\t\t\t\t\t\t\t - set_compress_context\n\t\t\t\t\t\t\t : F2FS_I(inode)-\u003ei_cluster_size = 4\n\t\t\t\t\t\t\t : set_inode_flag(inode, FI_COMPRESSED_FILE)\n - f2fs_compressed_file\n : return true\n - f2fs_all_cluster_page_ready\n : \"pgidx % cc-\u003ecluster_size\" trigger dividing 0 issue\n\nLet\u0027s change as below to fix this issue:\n- introduce a new atomic type variable .writeback in structure f2fs_inode_info\nto track the number of threads which calling f2fs_write_cache_pages().\n- use .i_sem lock to protect .writeback update.\n- check .writeback before update compression context in f2fs_setflags_common()\nto avoid race w/ -\u003ewritepages."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:03.304Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4"
},
{
"url": "https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0"
},
{
"url": "https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf"
},
{
"url": "https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0"
},
{
"url": "https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76"
}
],
"title": "f2fs: fix to avoid updating compression context during writeback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68772",
"datePublished": "2026-01-13T15:28:49.924Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-11T21:53:03.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23254 (GCVE-0-2026-23254)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
net: gro: fix outer network offset
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gro: fix outer network offset
The udp GRO complete stage assumes that all the packets inserted the RX
have the `encapsulation` flag zeroed. Such assumption is not true, as a
few H/W NICs can set such flag when H/W offloading the checksum for
an UDP encapsulated traffic, the tun driver can inject GSO packets with
UDP encapsulation and the problematic layout can also be created via
a veth based setup.
Due to the above, in the problematic scenarios, udp4_gro_complete() uses
the wrong network offset (inner instead of outer) to compute the outer
UDP header pseudo checksum, leading to csum validation errors later on
in packet processing.
Address the issue always clearing the encapsulation flag at GRO completion
time. Such flag will be set again as needed for encapsulated packets by
udp_gro_complete().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
af276a5ac8e938c8b058e3e124073cc1e322d98b , < 9d40a85138568696387ef04cd004c64612a70874
(git)
Affected: 5ef31ea5d053a8f493a772ebad3f3ce82c35d845 , < b83557bc6f560433fe5d727e241069f8db5ba709 (git) Affected: 5ef31ea5d053a8f493a772ebad3f3ce82c35d845 , < 2e5edb69e5d0e23ef248c56fc977039268c77a7b (git) Affected: 5ef31ea5d053a8f493a772ebad3f3ce82c35d845 , < 5c2c3c38be396257a6a2e55bd601a12bb9781507 (git) Affected: dbd9466d323a72e22efe09151253d195d36d3bf6 (git) Affected: 6.6.31 , < 6.6.124 (semver) Affected: 6.8.10 , < 6.9 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d40a85138568696387ef04cd004c64612a70874",
"status": "affected",
"version": "af276a5ac8e938c8b058e3e124073cc1e322d98b",
"versionType": "git"
},
{
"lessThan": "b83557bc6f560433fe5d727e241069f8db5ba709",
"status": "affected",
"version": "5ef31ea5d053a8f493a772ebad3f3ce82c35d845",
"versionType": "git"
},
{
"lessThan": "2e5edb69e5d0e23ef248c56fc977039268c77a7b",
"status": "affected",
"version": "5ef31ea5d053a8f493a772ebad3f3ce82c35d845",
"versionType": "git"
},
{
"lessThan": "5c2c3c38be396257a6a2e55bd601a12bb9781507",
"status": "affected",
"version": "5ef31ea5d053a8f493a772ebad3f3ce82c35d845",
"versionType": "git"
},
{
"status": "affected",
"version": "dbd9466d323a72e22efe09151253d195d36d3bf6",
"versionType": "git"
},
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThan": "6.9",
"status": "affected",
"version": "6.8.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: fix outer network offset\n\nThe udp GRO complete stage assumes that all the packets inserted the RX\nhave the `encapsulation` flag zeroed. Such assumption is not true, as a\nfew H/W NICs can set such flag when H/W offloading the checksum for\nan UDP encapsulated traffic, the tun driver can inject GSO packets with\nUDP encapsulation and the problematic layout can also be created via\na veth based setup.\n\nDue to the above, in the problematic scenarios, udp4_gro_complete() uses\nthe wrong network offset (inner instead of outer) to compute the outer\nUDP header pseudo checksum, leading to csum validation errors later on\nin packet processing.\n\nAddress the issue always clearing the encapsulation flag at GRO completion\ntime. Such flag will be set again as needed for encapsulated packets by\nudp_gro_complete()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:21.918Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d40a85138568696387ef04cd004c64612a70874"
},
{
"url": "https://git.kernel.org/stable/c/b83557bc6f560433fe5d727e241069f8db5ba709"
},
{
"url": "https://git.kernel.org/stable/c/2e5edb69e5d0e23ef248c56fc977039268c77a7b"
},
{
"url": "https://git.kernel.org/stable/c/5c2c3c38be396257a6a2e55bd601a12bb9781507"
}
],
"title": "net: gro: fix outer network offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23254",
"datePublished": "2026-03-18T17:41:00.591Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-05-23T16:04:21.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23139 (GCVE-0-2026-23139)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
netfilter: nf_conncount: update last_gc only when GC has been performed
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conncount: update last_gc only when GC has been performed
Currently last_gc is being updated everytime a new connection is
tracked, that means that it is updated even if a GC wasn't performed.
With a sufficiently high packet rate, it is possible to always bypass
the GC, causing the list to grow infinitely.
Update the last_gc value only when a GC has been actually performed.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f106694733c66a48740c25bc4e212e9b2ea364ce , < 2c7c71113ed6d3e2f3aca4c088f22283016ff34f
(git)
Affected: be69850b461e7b491d87a22e33ab76fdd04b725e , < c4cde57c8affdcca5bcff53a1047e15d268bdca1 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 9f45588993d7f115280fc726119ca86fba32a811 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 3cd717359e56f82f06cbf8279b47a7d79880c6f3 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 26a82dce2beee39c43c109d9647e16f49cb02a35 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 8bdafdf4900040a81422056cabe5e00a37bd101a (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 7811ba452402d58628e68faedf38745b3d485e3c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c7c71113ed6d3e2f3aca4c088f22283016ff34f",
"status": "affected",
"version": "f106694733c66a48740c25bc4e212e9b2ea364ce",
"versionType": "git"
},
{
"lessThan": "c4cde57c8affdcca5bcff53a1047e15d268bdca1",
"status": "affected",
"version": "be69850b461e7b491d87a22e33ab76fdd04b725e",
"versionType": "git"
},
{
"lessThan": "9f45588993d7f115280fc726119ca86fba32a811",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "3cd717359e56f82f06cbf8279b47a7d79880c6f3",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "26a82dce2beee39c43c109d9647e16f49cb02a35",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "8bdafdf4900040a81422056cabe5e00a37bd101a",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "7811ba452402d58628e68faedf38745b3d485e3c",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: update last_gc only when GC has been performed\n\nCurrently last_gc is being updated everytime a new connection is\ntracked, that means that it is updated even if a GC wasn\u0027t performed.\nWith a sufficiently high packet rate, it is possible to always bypass\nthe GC, causing the list to grow infinitely.\n\nUpdate the last_gc value only when a GC has been actually performed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:53.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c7c71113ed6d3e2f3aca4c088f22283016ff34f"
},
{
"url": "https://git.kernel.org/stable/c/c4cde57c8affdcca5bcff53a1047e15d268bdca1"
},
{
"url": "https://git.kernel.org/stable/c/9f45588993d7f115280fc726119ca86fba32a811"
},
{
"url": "https://git.kernel.org/stable/c/3cd717359e56f82f06cbf8279b47a7d79880c6f3"
},
{
"url": "https://git.kernel.org/stable/c/26a82dce2beee39c43c109d9647e16f49cb02a35"
},
{
"url": "https://git.kernel.org/stable/c/8bdafdf4900040a81422056cabe5e00a37bd101a"
},
{
"url": "https://git.kernel.org/stable/c/7811ba452402d58628e68faedf38745b3d485e3c"
}
],
"title": "netfilter: nf_conncount: update last_gc only when GC has been performed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23139",
"datePublished": "2026-02-14T15:22:24.059Z",
"dateReserved": "2026-01-13T15:37:45.972Z",
"dateUpdated": "2026-05-11T22:00:53.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68740 (GCVE-0-2025-68740)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-06-16 19:20
VLAI?
EPSS
Title
ima: Handle error code returned by ima_filter_rule_match()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Handle error code returned by ima_filter_rule_match()
In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to
the rule being NULL, the function incorrectly skips the 'if (!rc)' check
and sets 'result = true'. The LSM rule is considered a match, causing
extra files to be measured by IMA.
This issue can be reproduced in the following scenario:
After unloading the SELinux policy module via 'semodule -d', if an IMA
measurement is triggered before ima_lsm_rules is updated,
in ima_match_rules(), the first call to ima_filter_rule_match() returns
-ESTALE. This causes the code to enter the 'if (rc == -ESTALE &&
!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In
ima_lsm_copy_rule(), since the SELinux module has been removed, the rule
becomes NULL, and the second call to ima_filter_rule_match() returns
-ENOENT. This bypasses the 'if (!rc)' check and results in a false match.
Call trace:
selinux_audit_rule_match+0x310/0x3b8
security_audit_rule_match+0x60/0xa0
ima_match_rules+0x2e4/0x4a0
ima_match_policy+0x9c/0x1e8
ima_get_action+0x48/0x60
process_measurement+0xf8/0xa98
ima_bprm_check+0x98/0xd8
security_bprm_check+0x5c/0x78
search_binary_handler+0x6c/0x318
exec_binprm+0x58/0x1b8
bprm_execve+0xb8/0x130
do_execveat_common.isra.0+0x1a8/0x258
__arm64_sys_execve+0x48/0x68
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x44/0x200
el0t_64_sync_handler+0x100/0x130
el0t_64_sync+0x3c8/0x3d0
Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error
codes like -ENOENT do not bypass the check and accidentally result in a
successful match.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4af4662fa4a9dc62289c580337ae2506339c4729 , < d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51
(git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < cca3e7df3c0f99542033657ba850b9a6d27f8784 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < c2238d487a640ae3511e1b6f4640ab27ce10d7f6 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < de4431faf308d0c533cb386f5fa9af009bc86158 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 32952c4f4d1b2deb30dce72ba109da808a9018e1 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:20:20.279928Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:20:31.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "cca3e7df3c0f99542033657ba850b9a6d27f8784",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "c2238d487a640ae3511e1b6f4640ab27ce10d7f6",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "de4431faf308d0c533cb386f5fa9af009bc86158",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "32952c4f4d1b2deb30dce72ba109da808a9018e1",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "738c9738e690f5cea24a3ad6fd2d9a323cf614f6",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Handle error code returned by ima_filter_rule_match()\n\nIn ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to\nthe rule being NULL, the function incorrectly skips the \u0027if (!rc)\u0027 check\nand sets \u0027result = true\u0027. The LSM rule is considered a match, causing\nextra files to be measured by IMA.\n\nThis issue can be reproduced in the following scenario:\nAfter unloading the SELinux policy module via \u0027semodule -d\u0027, if an IMA\nmeasurement is triggered before ima_lsm_rules is updated,\nin ima_match_rules(), the first call to ima_filter_rule_match() returns\n-ESTALE. This causes the code to enter the \u0027if (rc == -ESTALE \u0026\u0026\n!rule_reinitialized)\u0027 block, perform ima_lsm_copy_rule() and retry. In\nima_lsm_copy_rule(), since the SELinux module has been removed, the rule\nbecomes NULL, and the second call to ima_filter_rule_match() returns\n-ENOENT. This bypasses the \u0027if (!rc)\u0027 check and results in a false match.\n\nCall trace:\n selinux_audit_rule_match+0x310/0x3b8\n security_audit_rule_match+0x60/0xa0\n ima_match_rules+0x2e4/0x4a0\n ima_match_policy+0x9c/0x1e8\n ima_get_action+0x48/0x60\n process_measurement+0xf8/0xa98\n ima_bprm_check+0x98/0xd8\n security_bprm_check+0x5c/0x78\n search_binary_handler+0x6c/0x318\n exec_binprm+0x58/0x1b8\n bprm_execve+0xb8/0x130\n do_execveat_common.isra.0+0x1a8/0x258\n __arm64_sys_execve+0x48/0x68\n invoke_syscall+0x50/0x128\n el0_svc_common.constprop.0+0xc8/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x44/0x200\n el0t_64_sync_handler+0x100/0x130\n el0t_64_sync+0x3c8/0x3d0\n\nFix this by changing \u0027if (!rc)\u0027 to \u0027if (rc \u003c= 0)\u0027 to ensure that error\ncodes like -ENOENT do not bypass the check and accidentally result in a\nsuccessful match."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:25.762Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51"
},
{
"url": "https://git.kernel.org/stable/c/f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85"
},
{
"url": "https://git.kernel.org/stable/c/88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749"
},
{
"url": "https://git.kernel.org/stable/c/cca3e7df3c0f99542033657ba850b9a6d27f8784"
},
{
"url": "https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6"
},
{
"url": "https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158"
},
{
"url": "https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1"
},
{
"url": "https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6"
}
],
"title": "ima: Handle error code returned by ima_filter_rule_match()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68740",
"datePublished": "2025-12-24T12:09:37.971Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-06-16T19:20:31.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23167 (GCVE-0-2026-23167)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
nfc: nci: Fix race between rfkill and nci_unregister_device().
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: Fix race between rfkill and nci_unregister_device().
syzbot reported the splat below [0] without a repro.
It indicates that struct nci_dev.cmd_wq had been destroyed before
nci_close_device() was called via rfkill.
nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
(I think) was called from virtual_ncidev_close() when syzbot close()d
an fd of virtual_ncidev.
The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
first and then calls nfc_unregister_device(), which removes the
device from rfkill by rfkill_unregister().
So, the device is still visible via rfkill even after nci_dev.cmd_wq
is destroyed.
Let's unregister the device from rfkill first in nci_unregister_device().
Note that we cannot call nfc_unregister_device() before
nci_close_device() because
1) nfc_unregister_device() calls device_del() which frees
all memory allocated by devm_kzalloc() and linked to
ndev->conn_info_list
2) nci_rx_work() could try to queue nci_conn_info to
ndev->conn_info_list which could be leaked
Thus, nfc_unregister_device() is split into two functions so we
can remove rfkill interfaces only before nci_close_device().
[0]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
Modules linked in:
CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
Call Trace:
<TASK>
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
__flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
nfc_dev_down+0x152/0x290 net/nfc/core.c:161
nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
vfs_write+0x29a/0xb90 fs/read_write.c:684
ksys_write+0x150/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa59b39acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
RBP: 00007fa59b408bf7 R08:
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6a2968aaf50c7a22fced77a5e24aa636281efca8 , < cd4412d5905ee580e96c48360dc98fcd9e6f3208
(git)
Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < eaa5da5130deda26420273d4610cf6e4f794ed75 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 546eba0b10989de9ccc7fd619e874a30561e2b88 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < c3369fc5e6120a72169e71acd72e987907a682af (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < d2492688bb9fed6ab6e313682c387ae71a66ebae (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/nfc/nfc.h",
"net/nfc/core.c",
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd4412d5905ee580e96c48360dc98fcd9e6f3208",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "eaa5da5130deda26420273d4610cf6e4f794ed75",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "546eba0b10989de9ccc7fd619e874a30561e2b88",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "c3369fc5e6120a72169e71acd72e987907a682af",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "d2492688bb9fed6ab6e313682c387ae71a66ebae",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/nfc/nfc.h",
"net/nfc/core.c",
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix race between rfkill and nci_unregister_device().\n\nsyzbot reported the splat below [0] without a repro.\n\nIt indicates that struct nci_dev.cmd_wq had been destroyed before\nnci_close_device() was called via rfkill.\n\nnci_dev.cmd_wq is only destroyed in nci_unregister_device(), which\n(I think) was called from virtual_ncidev_close() when syzbot close()d\nan fd of virtual_ncidev.\n\nThe problem is that nci_unregister_device() destroys nci_dev.cmd_wq\nfirst and then calls nfc_unregister_device(), which removes the\ndevice from rfkill by rfkill_unregister().\n\nSo, the device is still visible via rfkill even after nci_dev.cmd_wq\nis destroyed.\n\nLet\u0027s unregister the device from rfkill first in nci_unregister_device().\n\nNote that we cannot call nfc_unregister_device() before\nnci_close_device() because\n\n 1) nfc_unregister_device() calls device_del() which frees\n all memory allocated by devm_kzalloc() and linked to\n ndev-\u003econn_info_list\n\n 2) nci_rx_work() could try to queue nci_conn_info to\n ndev-\u003econn_info_list which could be leaked\n\nThus, nfc_unregister_device() is split into two functions so we\ncan remove rfkill interfaces only before nci_close_device().\n\n[0]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349\nModules linked in:\nCPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026\nRIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]\nRIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]\nRIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187\nCode: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d \u003c67\u003e 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f\nRSP: 0018:ffffc9000c767680 EFLAGS: 00010046\nRAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000\nRDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0\nRBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4\nR10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2\nR13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30\nFS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868\n touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940\n __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982\n nci_close_device+0x302/0x630 net/nfc/nci/core.c:567\n nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639\n nfc_dev_down+0x152/0x290 net/nfc/core.c:161\n nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179\n rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346\n rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301\n vfs_write+0x29a/0xb90 fs/read_write.c:684\n ksys_write+0x150/0x270 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa59b39acb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9\nRDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007\nRBP: 00007fa59b408bf7 R08: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:37.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd4412d5905ee580e96c48360dc98fcd9e6f3208"
},
{
"url": "https://git.kernel.org/stable/c/eaa5da5130deda26420273d4610cf6e4f794ed75"
},
{
"url": "https://git.kernel.org/stable/c/8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac"
},
{
"url": "https://git.kernel.org/stable/c/546eba0b10989de9ccc7fd619e874a30561e2b88"
},
{
"url": "https://git.kernel.org/stable/c/126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5"
},
{
"url": "https://git.kernel.org/stable/c/c3369fc5e6120a72169e71acd72e987907a682af"
},
{
"url": "https://git.kernel.org/stable/c/d2492688bb9fed6ab6e313682c387ae71a66ebae"
}
],
"title": "nfc: nci: Fix race between rfkill and nci_unregister_device().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23167",
"datePublished": "2026-02-14T16:01:30.755Z",
"dateReserved": "2026-01-13T15:37:45.981Z",
"dateUpdated": "2026-05-11T22:01:37.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23020 (GCVE-0-2026-23020)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
pdev can be null and free_ring: can be called in 1297 with a null
pdev.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
55c82617c3e82210b7471e9334e8fc5df6a9961f , < 053ac9e37eee435e999277c0f1ef890dad6064bf
(git)
Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 606872c8e8bf96066730f6a2317502c5633c37f1 (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 28b2a805609699be7b90020ae7dccfb234be1ceb (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < 2f05f7737e16d9a40038cc1c38a96a3f7964898b (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7 (git) Affected: 55c82617c3e82210b7471e9334e8fc5df6a9961f , < a4e305ed60f7c41bbf9aabc16dd75267194e0de3 (git) Affected: d30fdc02c49ad9965bba25015ae66c22dae967d1 (git) Affected: 4.16.12 , < 4.17 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/3com/3c59x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "053ac9e37eee435e999277c0f1ef890dad6064bf",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "606872c8e8bf96066730f6a2317502c5633c37f1",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "28b2a805609699be7b90020ae7dccfb234be1ceb",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "2f05f7737e16d9a40038cc1c38a96a3f7964898b",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "a4e305ed60f7c41bbf9aabc16dd75267194e0de3",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"status": "affected",
"version": "d30fdc02c49ad9965bba25015ae66c22dae967d1",
"versionType": "git"
},
{
"lessThan": "4.17",
"status": "affected",
"version": "4.16.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/3com/3c59x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: 3com: 3c59x: fix possible null dereference in vortex_probe1()\n\npdev can be null and free_ring: can be called in 1297 with a null\npdev."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:43.973Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/053ac9e37eee435e999277c0f1ef890dad6064bf"
},
{
"url": "https://git.kernel.org/stable/c/6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d"
},
{
"url": "https://git.kernel.org/stable/c/606872c8e8bf96066730f6a2317502c5633c37f1"
},
{
"url": "https://git.kernel.org/stable/c/28b2a805609699be7b90020ae7dccfb234be1ceb"
},
{
"url": "https://git.kernel.org/stable/c/2f05f7737e16d9a40038cc1c38a96a3f7964898b"
},
{
"url": "https://git.kernel.org/stable/c/d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7"
},
{
"url": "https://git.kernel.org/stable/c/a4e305ed60f7c41bbf9aabc16dd75267194e0de3"
}
],
"title": "net: 3com: 3c59x: fix possible null dereference in vortex_probe1()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23020",
"datePublished": "2026-01-31T11:39:04.023Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-05-23T16:03:43.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23063 (GCVE-0-2026-23063)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
uacce: ensure safe queue release with state management
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: ensure safe queue release with state management
Directly calling `put_queue` carries risks since it cannot
guarantee that resources of `uacce_queue` have been fully released
beforehand. So adding a `stop_queue` operation for the
UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to
the final resource release ensures safety.
Queue states are defined as follows:
- UACCE_Q_ZOMBIE: Initial state
- UACCE_Q_INIT: After opening `uacce`
- UACCE_Q_STARTED: After `start` is issued via `ioctl`
When executing `poweroff -f` in virt while accelerator are still
working, `uacce_fops_release` and `uacce_remove` may execute
concurrently. This can cause `uacce_put_queue` within
`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add
state checks to prevent accessing freed pointers.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
015d239ac0142ad0e26567fd890ef8d171f13709 , < b457abeb5d962db88aaf60e249402fd3073dbfab
(git)
Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 8b57bf1d3b1db692f34bce694a03e41be79f6016 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 336fb41a186e7c0415ae94fec9e23d1f04b87483 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 43f233eb6e7b9d88536881a9bc43726d0e34800d (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 47634d70073890c9c37e39ab4ff93d4b585b028a (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 92e4f11e29b98ef424ff72d6371acac03e5d973c (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 26c08dabe5475d99a13f353d8dd70e518de45663 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b457abeb5d962db88aaf60e249402fd3073dbfab",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "8b57bf1d3b1db692f34bce694a03e41be79f6016",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "336fb41a186e7c0415ae94fec9e23d1f04b87483",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "43f233eb6e7b9d88536881a9bc43726d0e34800d",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "47634d70073890c9c37e39ab4ff93d4b585b028a",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "92e4f11e29b98ef424ff72d6371acac03e5d973c",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "26c08dabe5475d99a13f353d8dd70e518de45663",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: ensure safe queue release with state management\n\nDirectly calling `put_queue` carries risks since it cannot\nguarantee that resources of `uacce_queue` have been fully released\nbeforehand. So adding a `stop_queue` operation for the\nUACCE_CMD_PUT_Q command and leaving the `put_queue` operation to\nthe final resource release ensures safety.\n\nQueue states are defined as follows:\n- UACCE_Q_ZOMBIE: Initial state\n- UACCE_Q_INIT: After opening `uacce`\n- UACCE_Q_STARTED: After `start` is issued via `ioctl`\n\nWhen executing `poweroff -f` in virt while accelerator are still\nworking, `uacce_fops_release` and `uacce_remove` may execute\nconcurrently. This can cause `uacce_put_queue` within\n`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add\nstate checks to prevent accessing freed pointers."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:17.047Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab"
},
{
"url": "https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016"
},
{
"url": "https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483"
},
{
"url": "https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d"
},
{
"url": "https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a"
},
{
"url": "https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c"
},
{
"url": "https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663"
}
],
"title": "uacce: ensure safe queue release with state management",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23063",
"datePublished": "2026-02-04T16:07:45.426Z",
"dateReserved": "2026-01-13T15:37:45.953Z",
"dateUpdated": "2026-05-11T21:59:17.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23163 (GCVE-0-2026-23163)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove
On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and
ih2 interrupt ring buffers are not initialized. This is by design, as
these secondary IH rings are only available on discrete GPUs. See
vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when
AMD_IS_APU is set.
However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to
get the timestamp of the last interrupt entry. When retry faults are
enabled on APUs (noretry=0), this function is called from the SVM page
fault recovery path, resulting in a NULL pointer dereference when
amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].
The crash manifests as:
BUG: kernel NULL pointer dereference, address: 0000000000000004
RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
Call Trace:
amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
amdgpu_ih_process+0x84/0x100 [amdgpu]
This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HW
IP 9.3.0 from noretry=1") which changed the default for Renoir APU from
noretry=1 to noretry=0, enabling retry fault handling and thus
exercising the buggy code path.
Fix this by adding a check for ih1.ring_size before attempting to use
it. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu:
Rework retry fault removal"). This is needed if the hardware doesn't
support secondary HW IH rings.
v2: additional updates (Alex)
(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dd299441654fd8209056c7985ddf2373ebaba6ed , < c74e2dbb5316898fb2113a8ea3a93b27698dbf68
(git)
Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < 7611d7faccc1218be477671f892a89b25c0cb352 (git) Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < ac251d17d8af58ddc3daba65eaf0a99e63dc4284 (git) Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < 8b1ecc9377bc641533cd9e76dfa3aee3cd04a007 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c74e2dbb5316898fb2113a8ea3a93b27698dbf68",
"status": "affected",
"version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
"versionType": "git"
},
{
"lessThan": "7611d7faccc1218be477671f892a89b25c0cb352",
"status": "affected",
"version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
"versionType": "git"
},
{
"lessThan": "ac251d17d8af58ddc3daba65eaf0a99e63dc4284",
"status": "affected",
"version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
"versionType": "git"
},
{
"lessThan": "8b1ecc9377bc641533cd9e76dfa3aee3cd04a007",
"status": "affected",
"version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove\n\nOn APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and\nih2 interrupt ring buffers are not initialized. This is by design, as\nthese secondary IH rings are only available on discrete GPUs. See\nvega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when\nAMD_IS_APU is set.\n\nHowever, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to\nget the timestamp of the last interrupt entry. When retry faults are\nenabled on APUs (noretry=0), this function is called from the SVM page\nfault recovery path, resulting in a NULL pointer dereference when\namdgpu_ih_decode_iv_ts_helper() attempts to access ih-\u003ering[].\n\nThe crash manifests as:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000004\n RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]\n Call Trace:\n amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]\n svm_range_restore_pages+0xae5/0x11c0 [amdgpu]\n amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]\n gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]\n amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]\n amdgpu_ih_process+0x84/0x100 [amdgpu]\n\nThis issue was exposed by commit 1446226d32a4 (\"drm/amdgpu: Remove GC HW\nIP 9.3.0 from noretry=1\") which changed the default for Renoir APU from\nnoretry=1 to noretry=0, enabling retry fault handling and thus\nexercising the buggy code path.\n\nFix this by adding a check for ih1.ring_size before attempting to use\nit. Also restore the soft_ih support from commit dd299441654f (\"drm/amdgpu:\nRework retry fault removal\"). This is needed if the hardware doesn\u0027t\nsupport secondary HW IH rings.\n\nv2: additional updates (Alex)\n\n(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:25.841Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c74e2dbb5316898fb2113a8ea3a93b27698dbf68"
},
{
"url": "https://git.kernel.org/stable/c/7611d7faccc1218be477671f892a89b25c0cb352"
},
{
"url": "https://git.kernel.org/stable/c/ac251d17d8af58ddc3daba65eaf0a99e63dc4284"
},
{
"url": "https://git.kernel.org/stable/c/8b1ecc9377bc641533cd9e76dfa3aee3cd04a007"
}
],
"title": "drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23163",
"datePublished": "2026-02-14T16:01:27.912Z",
"dateReserved": "2026-01-13T15:37:45.980Z",
"dateUpdated": "2026-05-11T22:01:25.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22979 (GCVE-0-2026-22979)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
net: fix memory leak in skb_segment_list for GRO packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix memory leak in skb_segment_list for GRO packets
When skb_segment_list() is called during packet forwarding, it handles
packets that were aggregated by the GRO engine.
Historically, the segmentation logic in skb_segment_list assumes that
individual segments are split from a parent SKB and may need to carry
their own socket memory accounting. Accordingly, the code transfers
truesize from the parent to the newly created segments.
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
truesize subtraction in skb_segment_list() was valid because fragments
still carry a reference to the original socket.
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
this behavior by ensuring that fraglist entries are explicitly
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
stack. This change meant that the entire socket memory charge remained
with the head SKB, but the corresponding accounting logic in
skb_segment_list() was never updated.
As a result, the current code unconditionally adds each fragment's
truesize to delta_truesize and subtracts it from the parent SKB. Since
the fragments are no longer charged to the socket, this subtraction
results in an effective under-count of memory when the head is freed.
This causes sk_wmem_alloc to remain non-zero, preventing socket
destruction and leading to a persistent memory leak.
The leak can be observed via KMEMLEAK when tearing down the networking
environment:
unreferenced object 0xffff8881e6eb9100 (size 2048):
comm "ping", pid 6720, jiffies 4295492526
backtrace:
kmem_cache_alloc_noprof+0x5c6/0x800
sk_prot_alloc+0x5b/0x220
sk_alloc+0x35/0xa00
inet6_create.part.0+0x303/0x10d0
__sock_create+0x248/0x640
__sys_socket+0x11b/0x1d0
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
packets constructed by GRO, the truesize adjustment is removed.
The call to skb_release_head_state() must be preserved. As documented in
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
leak"), it is still required to correctly drop references to SKB
extensions that may be overwritten during __copy_skb_header().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2eeab8c47c3c0276e0746bc382f405c9a236a5ad , < 0b27828ebd1ed3107d7929c3737adbe862e99e74
(git)
Affected: fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6 , < 88bea149db2057112af3aaf63534b24fab5858ab (git) Affected: ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 , < 3264881431e308b9c72cb8a0159d57a56d67dd79 (git) Affected: ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 , < c114a32a2e70b82d447f409f7ffcfa3058f9d5bd (git) Affected: ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 , < 238e03d0466239410b72294b79494e43d4fabe77 (git) Affected: d225b0ac96dc40d7e8ae2bc227eb2c56e130975f (git) Affected: 5b3b67f731296027cceb3efad881ae281213f86f (git) Affected: 6.1.85 , < 6.1.161 (semver) Affected: 6.6.26 , < 6.6.121 (semver) Affected: 5.15.154 , < 5.16 (semver) Affected: 6.8.5 , < 6.9 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b27828ebd1ed3107d7929c3737adbe862e99e74",
"status": "affected",
"version": "2eeab8c47c3c0276e0746bc382f405c9a236a5ad",
"versionType": "git"
},
{
"lessThan": "88bea149db2057112af3aaf63534b24fab5858ab",
"status": "affected",
"version": "fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6",
"versionType": "git"
},
{
"lessThan": "3264881431e308b9c72cb8a0159d57a56d67dd79",
"status": "affected",
"version": "ed4cccef64c1d0d5b91e69f7a8a6697c3a865486",
"versionType": "git"
},
{
"lessThan": "c114a32a2e70b82d447f409f7ffcfa3058f9d5bd",
"status": "affected",
"version": "ed4cccef64c1d0d5b91e69f7a8a6697c3a865486",
"versionType": "git"
},
{
"lessThan": "238e03d0466239410b72294b79494e43d4fabe77",
"status": "affected",
"version": "ed4cccef64c1d0d5b91e69f7a8a6697c3a865486",
"versionType": "git"
},
{
"status": "affected",
"version": "d225b0ac96dc40d7e8ae2bc227eb2c56e130975f",
"versionType": "git"
},
{
"status": "affected",
"version": "5b3b67f731296027cceb3efad881ae281213f86f",
"versionType": "git"
},
{
"lessThan": "6.1.161",
"status": "affected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThan": "6.6.121",
"status": "affected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThan": "6.9",
"status": "affected",
"version": "6.8.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "6.1.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in skb_segment_list for GRO packets\n\nWhen skb_segment_list() is called during packet forwarding, it handles\npackets that were aggregated by the GRO engine.\n\nHistorically, the segmentation logic in skb_segment_list assumes that\nindividual segments are split from a parent SKB and may need to carry\ntheir own socket memory accounting. Accordingly, the code transfers\ntruesize from the parent to the newly created segments.\n\nPrior to commit ed4cccef64c1 (\"gro: fix ownership transfer\"), this\ntruesize subtraction in skb_segment_list() was valid because fragments\nstill carry a reference to the original socket.\n\nHowever, commit ed4cccef64c1 (\"gro: fix ownership transfer\") changed\nthis behavior by ensuring that fraglist entries are explicitly\norphaned (skb-\u003esk = NULL) to prevent illegal orphaning later in the\nstack. This change meant that the entire socket memory charge remained\nwith the head SKB, but the corresponding accounting logic in\nskb_segment_list() was never updated.\n\nAs a result, the current code unconditionally adds each fragment\u0027s\ntruesize to delta_truesize and subtracts it from the parent SKB. Since\nthe fragments are no longer charged to the socket, this subtraction\nresults in an effective under-count of memory when the head is freed.\nThis causes sk_wmem_alloc to remain non-zero, preventing socket\ndestruction and leading to a persistent memory leak.\n\nThe leak can be observed via KMEMLEAK when tearing down the networking\nenvironment:\n\nunreferenced object 0xffff8881e6eb9100 (size 2048):\n comm \"ping\", pid 6720, jiffies 4295492526\n backtrace:\n kmem_cache_alloc_noprof+0x5c6/0x800\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x35/0xa00\n inet6_create.part.0+0x303/0x10d0\n __sock_create+0x248/0x640\n __sys_socket+0x11b/0x1d0\n\nSince skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST\npackets constructed by GRO, the truesize adjustment is removed.\n\nThe call to skb_release_head_state() must be preserved. As documented in\ncommit cf673ed0e057 (\"net: fix fraglist segmentation reference count\nleak\"), it is still required to correctly drop references to SKB\nextensions that may be overwritten during __copy_skb_header()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:37.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74"
},
{
"url": "https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab"
},
{
"url": "https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79"
},
{
"url": "https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd"
},
{
"url": "https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77"
}
],
"title": "net: fix memory leak in skb_segment_list for GRO packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22979",
"datePublished": "2026-01-23T15:24:01.340Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-05-23T16:03:37.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37926 (GCVE-0-2025-37926)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:21 – Updated: 2026-05-11 21:17
VLAI?
EPSS
Title
ksmbd: fix use-after-free in ksmbd_session_rpc_open
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in ksmbd_session_rpc_open
A UAF issue can occur due to a race condition between
ksmbd_session_rpc_open() and __session_rpc_close().
Add rpc_lock to the session to protect it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < a4348710a7267705b75692dc1a000920481d1d92
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 1067361a1cc6ad9cdf7acfc47f90012b72ad1502 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 8fb3b6c85b7e3127161623586b62abcc366caa20 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 6323fec65fe54b365961fed260dd579191e46121 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < a1f46c99d9ea411f9bf30025b912d881d36fc709 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c",
"fs/smb/server/mgmt/user_session.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4348710a7267705b75692dc1a000920481d1d92",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "1067361a1cc6ad9cdf7acfc47f90012b72ad1502",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "8fb3b6c85b7e3127161623586b62abcc366caa20",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "6323fec65fe54b365961fed260dd579191e46121",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "a1f46c99d9ea411f9bf30025b912d881d36fc709",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c",
"fs/smb/server/mgmt/user_session.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_session_rpc_open\n\nA UAF issue can occur due to a race condition between\nksmbd_session_rpc_open() and __session_rpc_close().\nAdd rpc_lock to the session to protect it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:17:46.848Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4348710a7267705b75692dc1a000920481d1d92"
},
{
"url": "https://git.kernel.org/stable/c/1067361a1cc6ad9cdf7acfc47f90012b72ad1502"
},
{
"url": "https://git.kernel.org/stable/c/8fb3b6c85b7e3127161623586b62abcc366caa20"
},
{
"url": "https://git.kernel.org/stable/c/6323fec65fe54b365961fed260dd579191e46121"
},
{
"url": "https://git.kernel.org/stable/c/a1f46c99d9ea411f9bf30025b912d881d36fc709"
}
],
"title": "ksmbd: fix use-after-free in ksmbd_session_rpc_open",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37926",
"datePublished": "2025-05-20T15:21:53.359Z",
"dateReserved": "2025-04-16T04:51:23.969Z",
"dateUpdated": "2026-05-11T21:17:46.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71185 (GCVE-0-2025-71185)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:41 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
Make sure to drop the reference taken when looking up the crossbar
platform device during am335x route allocation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < 1befa553f1ecc045dc9ff56107ff50162f63f3c0
(git)
Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < c933aa74d9f8d35e6cda322c38c4a907d37a9a2b (git) Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < 43725bd47d984937c429919ae291896d982d1f17 (git) Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < 6fdf168f57e331e148a1177a9b590a845c21b315 (git) Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < f810132e825588fbad3cba940458c58bb7ec4d84 (git) Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < 30352277d8e09c972436f883a5efd1f1b763ac14 (git) Affected: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 , < 4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:34.249Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/dma-crossbar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1befa553f1ecc045dc9ff56107ff50162f63f3c0",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "c933aa74d9f8d35e6cda322c38c4a907d37a9a2b",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "43725bd47d984937c429919ae291896d982d1f17",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "6fdf168f57e331e148a1177a9b590a845c21b315",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "f810132e825588fbad3cba940458c58bb7ec4d84",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "30352277d8e09c972436f883a5efd1f1b763ac14",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/dma-crossbar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: dma-crossbar: fix device leak on am335x route allocation\n\nMake sure to drop the reference taken when looking up the crossbar\nplatform device during am335x route allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:18.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1befa553f1ecc045dc9ff56107ff50162f63f3c0"
},
{
"url": "https://git.kernel.org/stable/c/c933aa74d9f8d35e6cda322c38c4a907d37a9a2b"
},
{
"url": "https://git.kernel.org/stable/c/43725bd47d984937c429919ae291896d982d1f17"
},
{
"url": "https://git.kernel.org/stable/c/6fdf168f57e331e148a1177a9b590a845c21b315"
},
{
"url": "https://git.kernel.org/stable/c/f810132e825588fbad3cba940458c58bb7ec4d84"
},
{
"url": "https://git.kernel.org/stable/c/30352277d8e09c972436f883a5efd1f1b763ac14"
},
{
"url": "https://git.kernel.org/stable/c/4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9"
}
],
"title": "dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71185",
"datePublished": "2026-01-31T11:41:57.082Z",
"dateReserved": "2026-01-31T11:36:51.187Z",
"dateUpdated": "2026-06-02T13:00:34.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68819 (GCVE-0-2025-68819)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
check the size of the rlen value. Therefore, if it is set to a value
larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
Therefore, we need to add proper range checking to prevent this vuln.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < c2c293ea7b61f12cdaad1e99a5b4efc58c88960a
(git)
Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < c2305b4c5fc15e20ac06c35738e0578eb4323750 (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < 61f214a878e96e2a8750bf96a98f78c658dba60c (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < 4a54d8fcb093761e4c56eb211cf4e39bf8401fa1 (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < fe3e129ab49806aaaa3f22067ebc75c2dfbe4658 (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < ac92151ff2494130d9fc686055d6bbb9743a673e (git) Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < b91e6aafe8d356086cc621bc03e35ba2299e4788 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dtv5100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2c293ea7b61f12cdaad1e99a5b4efc58c88960a",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "c2305b4c5fc15e20ac06c35738e0578eb4323750",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "61f214a878e96e2a8750bf96a98f78c658dba60c",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "4a54d8fcb093761e4c56eb211cf4e39bf8401fa1",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "fe3e129ab49806aaaa3f22067ebc75c2dfbe4658",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "ac92151ff2494130d9fc686055d6bbb9743a673e",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "b91e6aafe8d356086cc621bc03e35ba2299e4788",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dtv5100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()\n\nrlen value is a user-controlled value, but dtv5100_i2c_msg() does not\ncheck the size of the rlen value. Therefore, if it is set to a value\nlarger than sizeof(st-\u003edata), an out-of-bounds vuln occurs for st-\u003edata.\n\nTherefore, we need to add proper range checking to prevent this vuln."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:56.038Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a"
},
{
"url": "https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750"
},
{
"url": "https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c"
},
{
"url": "https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1"
},
{
"url": "https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658"
},
{
"url": "https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e"
},
{
"url": "https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788"
}
],
"title": "media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68819",
"datePublished": "2026-01-13T15:29:22.695Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-05-11T21:53:56.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23097 (GCVE-0-2026-23097)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
migrate: correct lock ordering for hugetlb file folios
Summary
In the Linux kernel, the following vulnerability has been resolved:
migrate: correct lock ordering for hugetlb file folios
Syzbot has found a deadlock (analyzed by Lance Yang):
1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.
migrate_pages()
-> migrate_hugetlbs()
-> unmap_and_move_huge_page() <- Takes folio_lock!
-> remove_migration_ptes()
-> __rmap_walk_file()
-> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!
hugetlbfs_fallocate()
-> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!
-> hugetlbfs_zero_partial_page()
-> filemap_lock_hugetlb_folio()
-> filemap_lock_folio()
-> __filemap_get_folio <- Waits for folio_lock!
The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c. So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.
This is (mostly) how it used to be after commit c0d0381ade79. That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
336bf30eb76580b579dc711ded5d599d905c0217 , < e7396d23f9d5739f56cf9ab430c3a169f5508394
(git)
Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < ad97b9a55246eb940a26ac977f80892a395cabf9 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 5edb9854f8df5428b40990a1c7d60507da5bd330 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 526394af4e8ade89cacd1a9ce2b97712712fcc34 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < b75070823b89009f5123fd0e05a8e0c3d39937c1 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 1b68efce6dd483d22f50d0d3800c4cfda14b1305 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < b7880cb166ab62c2409046b2347261abf701530e (git) Affected: ef792d6ce0db6a56e56743b1de1716a982c3b851 (git) Affected: 5.9.9 , < 5.10 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:33.152666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:13.608Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7396d23f9d5739f56cf9ab430c3a169f5508394",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "ad97b9a55246eb940a26ac977f80892a395cabf9",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "5edb9854f8df5428b40990a1c7d60507da5bd330",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "526394af4e8ade89cacd1a9ce2b97712712fcc34",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b75070823b89009f5123fd0e05a8e0c3d39937c1",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "1b68efce6dd483d22f50d0d3800c4cfda14b1305",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b7880cb166ab62c2409046b2347261abf701530e",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"status": "affected",
"version": "ef792d6ce0db6a56e56743b1de1716a982c3b851",
"versionType": "git"
},
{
"lessThan": "5.10",
"status": "affected",
"version": "5.9.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -\u003e migrate_hugetlbs()\n -\u003e unmap_and_move_huge_page() \u003c- Takes folio_lock!\n -\u003e remove_migration_ptes()\n -\u003e __rmap_walk_file()\n -\u003e i_mmap_lock_read() \u003c- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -\u003e hugetlbfs_punch_hole() \u003c- Takes i_mmap_rwsem(write lock)!\n -\u003e hugetlbfs_zero_partial_page()\n -\u003e filemap_lock_hugetlb_folio()\n -\u003e filemap_lock_folio()\n -\u003e __filemap_get_folio \u003c- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file \u0026 anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:50.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394"
},
{
"url": "https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9"
},
{
"url": "https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330"
},
{
"url": "https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34"
},
{
"url": "https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1"
},
{
"url": "https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305"
},
{
"url": "https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e"
}
],
"title": "migrate: correct lock ordering for hugetlb file folios",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23097",
"datePublished": "2026-02-04T16:08:19.815Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-06-11T18:44:13.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47334 (GCVE-0-2026-47334)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:28 – Updated: 2026-05-28 19:23
VLAI?
EPSS
Title
Deadlock or kernel panic in Ubuntu Linux AppArmor notification handling
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.
Severity ?
5.5 (Medium)
CWE
- CWE-833 - Deadlock
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:21:02.287047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:23:51.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-833",
"description": "CWE-833 Deadlock",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:28:39.628Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=f0e73aec23d13a9877fba096b1c2fd19f66e5313"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Deadlock or kernel panic in Ubuntu Linux AppArmor notification handling"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47334",
"datePublished": "2026-05-28T18:28:39.628Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-28T19:23:51.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23394 (GCVE-0-2026-23394)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-06-01 16:11
VLAI?
EPSS
Title
af_unix: Give up GC if MSG_PEEK intervened.
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Give up GC if MSG_PEEK intervened.
Igor Ushakov reported that GC purged the receive queue of
an alive socket due to a race with MSG_PEEK with a nice repro.
This is the exact same issue previously fixed by commit
cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").
After GC was replaced with the current algorithm, the cited
commit removed the locking dance in unix_peek_fds() and
reintroduced the same issue.
The problem is that MSG_PEEK bumps a file refcount without
interacting with GC.
Consider an SCC containing sk-A and sk-B, where sk-A is
close()d but can be recv()ed via sk-B.
The bad thing happens if sk-A is recv()ed with MSG_PEEK from
sk-B and sk-B is close()d while GC is checking unix_vertex_dead()
for sk-A and sk-B.
GC thread User thread
--------- -----------
unix_vertex_dead(sk-A)
-> true <------.
\
`------ recv(sk-B, MSG_PEEK)
invalidate !! -> sk-A's file refcount : 1 -> 2
close(sk-B)
-> sk-B's file refcount : 2 -> 1
unix_vertex_dead(sk-B)
-> true
Initially, sk-A's file refcount is 1 by the inflight fd in sk-B
recvq. GC thinks sk-A is dead because the file refcount is the
same as the number of its inflight fds.
However, sk-A's file refcount is bumped silently by MSG_PEEK,
which invalidates the previous evaluation.
At this moment, sk-B's file refcount is 2; one by the open fd,
and one by the inflight fd in sk-A. The subsequent close()
releases one refcount by the former.
Finally, GC incorrectly concludes that both sk-A and sk-B are dead.
One option is to restore the locking dance in unix_peek_fds(),
but we can resolve this more elegantly thanks to the new algorithm.
The point is that the issue does not occur without the subsequent
close() and we actually do not need to synchronise MSG_PEEK with
the dead SCC detection.
When the issue occurs, close() and GC touch the same file refcount.
If GC sees the refcount being decremented by close(), it can just
give up garbage-collecting the SCC.
Therefore, we only need to signal the race during MSG_PEEK with
a proper memory barrier to make it visible to the GC.
Let's use seqcount_t to notify GC when MSG_PEEK occurs and let
it defer the SCC to the next run.
This way no locking is needed on the MSG_PEEK side, and we can
avoid imposing a penalty on every MSG_PEEK unnecessarily.
Note that we can retry within unix_scc_dead() if MSG_PEEK is
detected, but we do not do so to avoid hung task splat from
abusive MSG_PEEK calls.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7b1ffbd3b22e755d481d49647dcb7c5cfbde5844 , < 3106f326f67c03dd9da4ca64663d11e40138cf40
(git)
Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < e3dd56fb5683ba80bf8d7a2f9aa21cfa53f05202 (git) Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < 72cf49ad50c16270b52bc512d9c2df5743922968 (git) Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < 37dd7ab332396eb8dd80b2dc7ea4b61abf767436 (git) Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < e5b31d988a41549037b8d8721a3c3cae893d8670 (git) Affected: 61a75360dca93c945ef6bd757f8b8a96f39b77cb (git) Affected: 6.6.93 , < 6.6.142 (semver) Affected: 6.1.141 , < 6.2 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c",
"net/unix/af_unix.h",
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3106f326f67c03dd9da4ca64663d11e40138cf40",
"status": "affected",
"version": "7b1ffbd3b22e755d481d49647dcb7c5cfbde5844",
"versionType": "git"
},
{
"lessThan": "e3dd56fb5683ba80bf8d7a2f9aa21cfa53f05202",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"lessThan": "72cf49ad50c16270b52bc512d9c2df5743922968",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"lessThan": "37dd7ab332396eb8dd80b2dc7ea4b61abf767436",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"lessThan": "e5b31d988a41549037b8d8721a3c3cae893d8670",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"status": "affected",
"version": "61a75360dca93c945ef6bd757f8b8a96f39b77cb",
"versionType": "git"
},
{
"lessThan": "6.6.142",
"status": "affected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.141",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c",
"net/unix/af_unix.h",
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.6.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.141",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Give up GC if MSG_PEEK intervened.\n\nIgor Ushakov reported that GC purged the receive queue of\nan alive socket due to a race with MSG_PEEK with a nice repro.\n\nThis is the exact same issue previously fixed by commit\ncbcf01128d0a (\"af_unix: fix garbage collect vs MSG_PEEK\").\n\nAfter GC was replaced with the current algorithm, the cited\ncommit removed the locking dance in unix_peek_fds() and\nreintroduced the same issue.\n\nThe problem is that MSG_PEEK bumps a file refcount without\ninteracting with GC.\n\nConsider an SCC containing sk-A and sk-B, where sk-A is\nclose()d but can be recv()ed via sk-B.\n\nThe bad thing happens if sk-A is recv()ed with MSG_PEEK from\nsk-B and sk-B is close()d while GC is checking unix_vertex_dead()\nfor sk-A and sk-B.\n\n GC thread User thread\n --------- -----------\n unix_vertex_dead(sk-A)\n -\u003e true \u003c------.\n \\\n `------ recv(sk-B, MSG_PEEK)\n invalidate !! -\u003e sk-A\u0027s file refcount : 1 -\u003e 2\n\n close(sk-B)\n -\u003e sk-B\u0027s file refcount : 2 -\u003e 1\n unix_vertex_dead(sk-B)\n -\u003e true\n\nInitially, sk-A\u0027s file refcount is 1 by the inflight fd in sk-B\nrecvq. GC thinks sk-A is dead because the file refcount is the\nsame as the number of its inflight fds.\n\nHowever, sk-A\u0027s file refcount is bumped silently by MSG_PEEK,\nwhich invalidates the previous evaluation.\n\nAt this moment, sk-B\u0027s file refcount is 2; one by the open fd,\nand one by the inflight fd in sk-A. The subsequent close()\nreleases one refcount by the former.\n\nFinally, GC incorrectly concludes that both sk-A and sk-B are dead.\n\nOne option is to restore the locking dance in unix_peek_fds(),\nbut we can resolve this more elegantly thanks to the new algorithm.\n\nThe point is that the issue does not occur without the subsequent\nclose() and we actually do not need to synchronise MSG_PEEK with\nthe dead SCC detection.\n\nWhen the issue occurs, close() and GC touch the same file refcount.\nIf GC sees the refcount being decremented by close(), it can just\ngive up garbage-collecting the SCC.\n\nTherefore, we only need to signal the race during MSG_PEEK with\na proper memory barrier to make it visible to the GC.\n\nLet\u0027s use seqcount_t to notify GC when MSG_PEEK occurs and let\nit defer the SCC to the next run.\n\nThis way no locking is needed on the MSG_PEEK side, and we can\navoid imposing a penalty on every MSG_PEEK unnecessarily.\n\nNote that we can retry within unix_scc_dead() if MSG_PEEK is\ndetected, but we do not do so to avoid hung task splat from\nabusive MSG_PEEK calls."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:07.633Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3106f326f67c03dd9da4ca64663d11e40138cf40"
},
{
"url": "https://git.kernel.org/stable/c/e3dd56fb5683ba80bf8d7a2f9aa21cfa53f05202"
},
{
"url": "https://git.kernel.org/stable/c/72cf49ad50c16270b52bc512d9c2df5743922968"
},
{
"url": "https://git.kernel.org/stable/c/37dd7ab332396eb8dd80b2dc7ea4b61abf767436"
},
{
"url": "https://git.kernel.org/stable/c/e5b31d988a41549037b8d8721a3c3cae893d8670"
}
],
"title": "af_unix: Give up GC if MSG_PEEK intervened.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23394",
"datePublished": "2026-03-25T10:33:18.180Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-06-01T16:11:07.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23062 (GCVE-0-2026-23062)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro
The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs
attributes:
1. Off-by-one error: The loop condition used '<=' instead of '<',
causing access beyond array bounds. Since array indices are 0-based
and go from 0 to instances_count-1, the loop should use '<'.
2. Missing NULL check: The code dereferenced attr_name_kobj->name
without checking if attr_name_kobj was NULL, causing a null pointer
dereference in min_length_show() and other attribute show functions.
The panic occurred when fwupd tried to read BIOS configuration attributes:
Oops: general protection fault [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg]
Add a NULL check for attr_name_kobj before dereferencing and corrects
the loop boundary to match the pattern used elsewhere in the driver.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5f94f181ca25d8c5b77beb2da0cb466ddb6ece29 , < eb5ff1025c92117d5d1cc728bcfa294abe484da1
(git)
Affected: 5f94f181ca25d8c5b77beb2da0cb466ddb6ece29 , < eba49c1dee9c5e514ca18e52c545bba524e8a045 (git) Affected: 5f94f181ca25d8c5b77beb2da0cb466ddb6ece29 , < 193922a23d7294085a47d7719fdb7d66ad0a236f (git) Affected: 5f94f181ca25d8c5b77beb2da0cb466ddb6ece29 , < 25150715e0b049b99df664daf05dab12f41c3e13 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/bioscfg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb5ff1025c92117d5d1cc728bcfa294abe484da1",
"status": "affected",
"version": "5f94f181ca25d8c5b77beb2da0cb466ddb6ece29",
"versionType": "git"
},
{
"lessThan": "eba49c1dee9c5e514ca18e52c545bba524e8a045",
"status": "affected",
"version": "5f94f181ca25d8c5b77beb2da0cb466ddb6ece29",
"versionType": "git"
},
{
"lessThan": "193922a23d7294085a47d7719fdb7d66ad0a236f",
"status": "affected",
"version": "5f94f181ca25d8c5b77beb2da0cb466ddb6ece29",
"versionType": "git"
},
{
"lessThan": "25150715e0b049b99df664daf05dab12f41c3e13",
"status": "affected",
"version": "5f94f181ca25d8c5b77beb2da0cb466ddb6ece29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/bioscfg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro\n\nThe GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs\nattributes:\n\n1. Off-by-one error: The loop condition used \u0027\u003c=\u0027 instead of \u0027\u003c\u0027,\n causing access beyond array bounds. Since array indices are 0-based\n and go from 0 to instances_count-1, the loop should use \u0027\u003c\u0027.\n\n2. Missing NULL check: The code dereferenced attr_name_kobj-\u003ename\n without checking if attr_name_kobj was NULL, causing a null pointer\n dereference in min_length_show() and other attribute show functions.\n\nThe panic occurred when fwupd tried to read BIOS configuration attributes:\n\n Oops: general protection fault [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg]\n\nAdd a NULL check for attr_name_kobj before dereferencing and corrects\nthe loop boundary to match the pattern used elsewhere in the driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:15.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb5ff1025c92117d5d1cc728bcfa294abe484da1"
},
{
"url": "https://git.kernel.org/stable/c/eba49c1dee9c5e514ca18e52c545bba524e8a045"
},
{
"url": "https://git.kernel.org/stable/c/193922a23d7294085a47d7719fdb7d66ad0a236f"
},
{
"url": "https://git.kernel.org/stable/c/25150715e0b049b99df664daf05dab12f41c3e13"
}
],
"title": "platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23062",
"datePublished": "2026-02-04T16:07:44.420Z",
"dateReserved": "2026-01-13T15:37:45.953Z",
"dateUpdated": "2026-05-11T21:59:15.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68786 (GCVE-0-2025-68786)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
When size equals the current i_size (including 0), the code used to call
check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`
and can underflow for size==0. Skip the equal case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f44158485826c076335d6860d35872271a83791d , < 52fcbb92e0d3acfd1448b2a43b6595d540da5295
(git)
Affected: f44158485826c076335d6860d35872271a83791d , < da29cd197246c85c0473259f1cad897d9d28faea (git) Affected: f44158485826c076335d6860d35872271a83791d , < a6f4cfa3783804336491e0edcb250c25f9b59d33 (git) Affected: f44158485826c076335d6860d35872271a83791d , < 571204e4758a528fbd67330bd4b0dfbdafb33dd8 (git) Affected: f44158485826c076335d6860d35872271a83791d , < 5d510ac31626ed157d2182149559430350cf2104 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52fcbb92e0d3acfd1448b2a43b6595d540da5295",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "da29cd197246c85c0473259f1cad897d9d28faea",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "a6f4cfa3783804336491e0edcb250c25f9b59d33",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "571204e4758a528fbd67330bd4b0dfbdafb33dd8",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "5d510ac31626ed157d2182149559430350cf2104",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: skip lock-range check on equal size to avoid size==0 underflow\n\nWhen size equals the current i_size (including 0), the code used to call\ncheck_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`\nand can underflow for size==0. Skip the equal case."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:19.839Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295"
},
{
"url": "https://git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea"
},
{
"url": "https://git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33"
},
{
"url": "https://git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8"
},
{
"url": "https://git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104"
}
],
"title": "ksmbd: skip lock-range check on equal size to avoid size==0 underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68786",
"datePublished": "2026-01-13T15:28:59.578Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-05-11T21:53:19.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71220 (GCVE-0-2025-71220)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2283680a80571ca82d710bc6ecd8f8beac67d63 , < a2c68e256fb7a4ac34154c6e865a1389acca839f
(git)
Affected: 9f297df20d93411c0b4ddad7f88ba04a7cd36e77 , < 2b7b4df87fe6f2db6ee45f475de6b37b8b8e5d29 (git) Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 04dd114b682a4ccaeba2c2bad049c8b50ce740d8 (git) Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < ac18761b530b5dd40f59af8a25902282e5512854 (git) Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < fdda836fcee6fdbcccc24e3679097efb583f581f (git) Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 7c28f8eef5ac5312794d8a52918076dcd787e53b (git) Affected: 5.15.145 , < 5.15.200 (semver) Affected: 6.1.71 , < 6.1.163 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2c68e256fb7a4ac34154c6e865a1389acca839f",
"status": "affected",
"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63",
"versionType": "git"
},
{
"lessThan": "2b7b4df87fe6f2db6ee45f475de6b37b8b8e5d29",
"status": "affected",
"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77",
"versionType": "git"
},
{
"lessThan": "04dd114b682a4ccaeba2c2bad049c8b50ce740d8",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "ac18761b530b5dd40f59af8a25902282e5512854",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "fdda836fcee6fdbcccc24e3679097efb583f581f",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "7c28f8eef5ac5312794d8a52918076dcd787e53b",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "5.15.200",
"status": "affected",
"version": "5.15.145",
"versionType": "semver"
},
{
"lessThan": "6.1.163",
"status": "affected",
"version": "6.1.71",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()\n\nWhen ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:31.433Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2c68e256fb7a4ac34154c6e865a1389acca839f"
},
{
"url": "https://git.kernel.org/stable/c/2b7b4df87fe6f2db6ee45f475de6b37b8b8e5d29"
},
{
"url": "https://git.kernel.org/stable/c/04dd114b682a4ccaeba2c2bad049c8b50ce740d8"
},
{
"url": "https://git.kernel.org/stable/c/ac18761b530b5dd40f59af8a25902282e5512854"
},
{
"url": "https://git.kernel.org/stable/c/fdda836fcee6fdbcccc24e3679097efb583f581f"
},
{
"url": "https://git.kernel.org/stable/c/7c28f8eef5ac5312794d8a52918076dcd787e53b"
}
],
"title": "smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71220",
"datePublished": "2026-02-14T16:27:03.946Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-05-23T16:03:31.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68349 (GCVE-0-2025-68349)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-06-16 19:27
VLAI?
EPSS
Title
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Fixes a crash when layout is null during this call stack:
write_inode
-> nfs4_write_inode
-> pnfs_layoutcommit_inode
pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
to reference a null layout.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 084bebe82ad86f718a3af84f34761863e63164ed
(git)
Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < b6e4e3a08c03200cc4b8067ec8ab3172a989d6fc (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 104080582ae0aa6dce6c6d75ff89062efe84673b (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < f718f9ea6094843b8c059b073af49ad61e9f49bb (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 59947dff0fb7c19c09ce6dccbcd253fd542b6c25 (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < ca2e7fdad7c683b64821c94a58b9b68733214dad (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < 38694f9aae00459ab443a7dc8b3949a6b33b560a (git) Affected: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a , < e0f8058f2cb56de0b7572f51cd563ca5debce746 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:27:27.700810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:27:54.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/pnfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "084bebe82ad86f718a3af84f34761863e63164ed",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "b6e4e3a08c03200cc4b8067ec8ab3172a989d6fc",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "104080582ae0aa6dce6c6d75ff89062efe84673b",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "f718f9ea6094843b8c059b073af49ad61e9f49bb",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "59947dff0fb7c19c09ce6dccbcd253fd542b6c25",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "ca2e7fdad7c683b64821c94a58b9b68733214dad",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "38694f9aae00459ab443a7dc8b3949a6b33b560a",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "e0f8058f2cb56de0b7572f51cd563ca5debce746",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/pnfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid\n\nFixes a crash when layout is null during this call stack:\n\nwrite_inode\n -\u003e nfs4_write_inode\n -\u003e pnfs_layoutcommit_inode\n\npnfs_set_layoutcommit relies on the lseg refcount to keep the layout\naround. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt\nto reference a null layout."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:28.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/084bebe82ad86f718a3af84f34761863e63164ed"
},
{
"url": "https://git.kernel.org/stable/c/b6e4e3a08c03200cc4b8067ec8ab3172a989d6fc"
},
{
"url": "https://git.kernel.org/stable/c/104080582ae0aa6dce6c6d75ff89062efe84673b"
},
{
"url": "https://git.kernel.org/stable/c/f718f9ea6094843b8c059b073af49ad61e9f49bb"
},
{
"url": "https://git.kernel.org/stable/c/59947dff0fb7c19c09ce6dccbcd253fd542b6c25"
},
{
"url": "https://git.kernel.org/stable/c/ca2e7fdad7c683b64821c94a58b9b68733214dad"
},
{
"url": "https://git.kernel.org/stable/c/38694f9aae00459ab443a7dc8b3949a6b33b560a"
},
{
"url": "https://git.kernel.org/stable/c/e0f8058f2cb56de0b7572f51cd563ca5debce746"
}
],
"title": "NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68349",
"datePublished": "2025-12-24T10:32:41.253Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-06-16T19:27:54.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71135 (GCVE-0-2025-71135)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()
The variable mddev->private is first assigned to conf and then checked:
conf = mddev->private;
if (!conf) ...
If conf is NULL, then mddev->private is also NULL. In this case,
null-pointer dereferences can occur when calling raid5_quiesce():
raid5_quiesce(mddev, true);
raid5_quiesce(mddev, false);
since mddev->private is assigned to conf again in raid5_quiesce(), and conf
is dereferenced in several places, for example:
conf->quiesce = 0;
wake_up(&conf->wait_for_quiescent);
To fix this issue, the function should unlock mddev and return before
invoking raid5_quiesce() when conf is NULL, following the existing pattern
in raid5_change_consistency_policy().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
be19e6e4339d1579d5f2fae8ce4facf9521dbbfc , < 20597b7229aea8b5bc45cd92097640257c7fc33b
(git)
Affected: fa1944bbe6220eb929e2c02e5e8706b908565711 , < e5abb6af905de6b2fead8a0b3f32ab0b81468a01 (git) Affected: fa1944bbe6220eb929e2c02e5e8706b908565711 , < 7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 (git) Affected: 6.12.4 , < 6.12.64 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20597b7229aea8b5bc45cd92097640257c7fc33b",
"status": "affected",
"version": "be19e6e4339d1579d5f2fae8ce4facf9521dbbfc",
"versionType": "git"
},
{
"lessThan": "e5abb6af905de6b2fead8a0b3f32ab0b81468a01",
"status": "affected",
"version": "fa1944bbe6220eb929e2c02e5e8706b908565711",
"versionType": "git"
},
{
"lessThan": "7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9",
"status": "affected",
"version": "fa1944bbe6220eb929e2c02e5e8706b908565711",
"versionType": "git"
},
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()\n\nThe variable mddev-\u003eprivate is first assigned to conf and then checked:\n\n conf = mddev-\u003eprivate;\n if (!conf) ...\n\nIf conf is NULL, then mddev-\u003eprivate is also NULL. In this case,\nnull-pointer dereferences can occur when calling raid5_quiesce():\n\n raid5_quiesce(mddev, true);\n raid5_quiesce(mddev, false);\n\nsince mddev-\u003eprivate is assigned to conf again in raid5_quiesce(), and conf\nis dereferenced in several places, for example:\n\n conf-\u003equiesce = 0;\n wake_up(\u0026conf-\u003ewait_for_quiescent);\n\nTo fix this issue, the function should unlock mddev and return before\ninvoking raid5_quiesce() when conf is NULL, following the existing pattern\nin raid5_change_consistency_policy()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:18.862Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20597b7229aea8b5bc45cd92097640257c7fc33b"
},
{
"url": "https://git.kernel.org/stable/c/e5abb6af905de6b2fead8a0b3f32ab0b81468a01"
},
{
"url": "https://git.kernel.org/stable/c/7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9"
}
],
"title": "md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71135",
"datePublished": "2026-01-14T15:07:49.891Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-05-23T16:03:18.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71095 (GCVE-0-2025-71095)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
net: stmmac: fix the crash issue for zero copy XDP_TX action
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix the crash issue for zero copy XDP_TX action
There is a crash issue when running zero copy XDP_TX action, the crash
log is shown below.
[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP
[ 216.301694] Call trace:
[ 216.304130] dcache_clean_poc+0x20/0x38 (P)
[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0
[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400
[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368
[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00
[ 216.326576] __napi_poll+0x40/0x218
[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
For XDP_TX action, the xdp_buff is converted to xdp_frame by
xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
depends on the memory type of the xdp_buff. For page pool based xdp_buff
it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
XSK pool based xdp_buff it produces xdp_frame with memory type
MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
memory type and always uses the page pool type, this leads to invalid
mappings and causes the crash. Therefore, check the xdp_buff memory type
in stmmac_xdp_xmit_back() to fix this issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bba2556efad66e7eaa56fece13f7708caa1187f8 , < 3f7823219407f2f18044c2b72366a48810c5c821
(git)
Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < 4d0ceb7677e1c4616afb96abb4518f70b65abb0d (git) Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < 45ee0462b88396a0bd1df1991f801c89994ea72b (git) Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < 5e5988736a95b1de7f91b10ac2575454b70e4897 (git) Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < a48e232210009be50591fdea8ba7c07b0f566a13 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f7823219407f2f18044c2b72366a48810c5c821",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "4d0ceb7677e1c4616afb96abb4518f70b65abb0d",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "45ee0462b88396a0bd1df1991f801c89994ea72b",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "5e5988736a95b1de7f91b10ac2575454b70e4897",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "a48e232210009be50591fdea8ba7c07b0f566a13",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix the crash issue for zero copy XDP_TX action\n\nThere is a crash issue when running zero copy XDP_TX action, the crash\nlog is shown below.\n\n[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000\n[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP\n[ 216.301694] Call trace:\n[ 216.304130] dcache_clean_poc+0x20/0x38 (P)\n[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0\n[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400\n[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368\n[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00\n[ 216.326576] __napi_poll+0x40/0x218\n[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n\nFor XDP_TX action, the xdp_buff is converted to xdp_frame by\nxdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame\ndepends on the memory type of the xdp_buff. For page pool based xdp_buff\nit produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy\nXSK pool based xdp_buff it produces xdp_frame with memory type\nMEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the\nmemory type and always uses the page pool type, this leads to invalid\nmappings and causes the crash. Therefore, check the xdp_buff memory type\nin stmmac_xdp_xmit_back() to fix this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:39.056Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821"
},
{
"url": "https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d"
},
{
"url": "https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b"
},
{
"url": "https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897"
},
{
"url": "https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13"
}
],
"title": "net: stmmac: fix the crash issue for zero copy XDP_TX action",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71095",
"datePublished": "2026-01-13T15:34:55.392Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-05-11T21:54:39.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71132 (GCVE-0-2025-71132)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
smc91x: fix broken irq-context in PREEMPT_RT
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc91x: fix broken irq-context in PREEMPT_RT
When smc91x.c is built with PREEMPT_RT, the following splat occurs
in FVP_RevC:
[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
[ 13.062266] C
** replaying previous printk message **
[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
[ 13.062353] Hardware name: , BIOS
[ 13.062382] Workqueue: mld mld_ifc_work
[ 13.062469] Call trace:
[ 13.062494] show_stack+0x24/0x40 (C)
[ 13.062602] __dump_stack+0x28/0x48
[ 13.062710] dump_stack_lvl+0x7c/0xb0
[ 13.062818] dump_stack+0x18/0x34
[ 13.062926] process_scheduled_works+0x294/0x450
[ 13.063043] worker_thread+0x260/0x3d8
[ 13.063124] kthread+0x1c4/0x228
[ 13.063235] ret_from_fork+0x10/0x20
This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
342a93247e0837101f27bbcca26f402902df98dc , < 1c4cb705e733250d13243f6a69b8b5a92e39b9f6
(git)
Affected: 342a93247e0837101f27bbcca26f402902df98dc , < 9d222141b00156509d67d80c771fbefa92c43ace (git) Affected: 342a93247e0837101f27bbcca26f402902df98dc , < ef277ae121b3249c99994652210a326b52d527b0 (git) Affected: 342a93247e0837101f27bbcca26f402902df98dc , < 36561b86cb2501647662cfaf91286dd6973804a6 (git) Affected: 342a93247e0837101f27bbcca26f402902df98dc , < b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3 (git) Affected: 342a93247e0837101f27bbcca26f402902df98dc , < 6402078bd9d1ed46e79465e1faaa42e3458f8a33 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71132",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:13.928914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:20.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/smsc/smc91x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c4cb705e733250d13243f6a69b8b5a92e39b9f6",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "9d222141b00156509d67d80c771fbefa92c43ace",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "ef277ae121b3249c99994652210a326b52d527b0",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "36561b86cb2501647662cfaf91286dd6973804a6",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "6402078bd9d1ed46e79465e1faaa42e3458f8a33",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/smsc/smc91x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc91x: fix broken irq-context in PREEMPT_RT\n\nWhen smc91x.c is built with PREEMPT_RT, the following splat occurs\nin FVP_RevC:\n\n[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000\n[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]\n[ 13.062137] preempt=0x00000000 lock=0-\u003e0 RCU=0-\u003e1 workfn=mld_ifc_work\n[ 13.062266] C\n** replaying previous printk message **\n[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}\n[ 13.062353] Hardware name: , BIOS\n[ 13.062382] Workqueue: mld mld_ifc_work\n[ 13.062469] Call trace:\n[ 13.062494] show_stack+0x24/0x40 (C)\n[ 13.062602] __dump_stack+0x28/0x48\n[ 13.062710] dump_stack_lvl+0x7c/0xb0\n[ 13.062818] dump_stack+0x18/0x34\n[ 13.062926] process_scheduled_works+0x294/0x450\n[ 13.063043] worker_thread+0x260/0x3d8\n[ 13.063124] kthread+0x1c4/0x228\n[ 13.063235] ret_from_fork+0x10/0x20\n\nThis happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,\nbut smc_special_unlock() does not restore IRQs on PREEMPT_RT.\nThe reason is that smc_special_unlock() calls spin_unlock_irqrestore(),\nand rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke\nrcu_read_unlock() through __local_bh_enable_ip() when current-\u003esoftirq_disable_cnt becomes zero.\n\nTo address this issue, replace smc_special_trylock() with spin_trylock_irqsave()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:35.622Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c4cb705e733250d13243f6a69b8b5a92e39b9f6"
},
{
"url": "https://git.kernel.org/stable/c/9d222141b00156509d67d80c771fbefa92c43ace"
},
{
"url": "https://git.kernel.org/stable/c/ef277ae121b3249c99994652210a326b52d527b0"
},
{
"url": "https://git.kernel.org/stable/c/36561b86cb2501647662cfaf91286dd6973804a6"
},
{
"url": "https://git.kernel.org/stable/c/b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3"
},
{
"url": "https://git.kernel.org/stable/c/6402078bd9d1ed46e79465e1faaa42e3458f8a33"
}
],
"title": "smc91x: fix broken irq-context in PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71132",
"datePublished": "2026-01-14T15:07:47.860Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-06-11T18:44:20.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23212 (GCVE-0-2026-23212)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:16 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
bonding: annotate data-races around slave->last_rx
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: annotate data-races around slave->last_rx
slave->last_rx and slave->target_last_arp_rx[...] can be read and written
locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
syzbot reported:
BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
__netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
__netif_receive_skb_one_core net/core/dev.c:6150 [inline]
__netif_receive_skb+0x59/0x270 net/core/dev.c:6265
netif_receive_skb_internal net/core/dev.c:6351 [inline]
netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
...
write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:
bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
__netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
__netif_receive_skb_one_core net/core/dev.c:6150 [inline]
__netif_receive_skb+0x59/0x270 net/core/dev.c:6265
netif_receive_skb_internal net/core/dev.c:6351 [inline]
netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
br_netif_receive_skb net/bridge/br_input.c:30 [inline]
NF_HOOK include/linux/netfilter.h:318 [inline]
...
value changed: 0x0000000100005365 -> 0x0000000100005366
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f5b2b966f032f22d3a289045a5afd4afa09f09c6 , < a7516cb0165926d308187e231ccd330e5e3ebff7
(git)
Affected: f5b2b966f032f22d3a289045a5afd4afa09f09c6 , < 8c0be3277e7aefb2f900fc37ca3fe7df362e26f5 (git) Affected: f5b2b966f032f22d3a289045a5afd4afa09f09c6 , < b956289b83887e0a306067b6003c3fcd81bfdf84 (git) Affected: f5b2b966f032f22d3a289045a5afd4afa09f09c6 , < bd98324e327e41de04b13e372cc16f73150df254 (git) Affected: f5b2b966f032f22d3a289045a5afd4afa09f09c6 , < f6c3665b6dc53c3ab7d31b585446a953a74340ef (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:09.675357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:20.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c",
"drivers/net/bonding/bond_options.c",
"include/net/bonding.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7516cb0165926d308187e231ccd330e5e3ebff7",
"status": "affected",
"version": "f5b2b966f032f22d3a289045a5afd4afa09f09c6",
"versionType": "git"
},
{
"lessThan": "8c0be3277e7aefb2f900fc37ca3fe7df362e26f5",
"status": "affected",
"version": "f5b2b966f032f22d3a289045a5afd4afa09f09c6",
"versionType": "git"
},
{
"lessThan": "b956289b83887e0a306067b6003c3fcd81bfdf84",
"status": "affected",
"version": "f5b2b966f032f22d3a289045a5afd4afa09f09c6",
"versionType": "git"
},
{
"lessThan": "bd98324e327e41de04b13e372cc16f73150df254",
"status": "affected",
"version": "f5b2b966f032f22d3a289045a5afd4afa09f09c6",
"versionType": "git"
},
{
"lessThan": "f6c3665b6dc53c3ab7d31b585446a953a74340ef",
"status": "affected",
"version": "f5b2b966f032f22d3a289045a5afd4afa09f09c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c",
"drivers/net/bonding/bond_options.c",
"include/net/bonding.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: annotate data-races around slave-\u003elast_rx\n\nslave-\u003elast_rx and slave-\u003etarget_last_arp_rx[...] can be read and written\nlocklessly. Add READ_ONCE() and WRITE_ONCE() annotations.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate\n\nwrite to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:\n bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335\n bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533\n __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039\n __netif_receive_skb_one_core net/core/dev.c:6150 [inline]\n __netif_receive_skb+0x59/0x270 net/core/dev.c:6265\n netif_receive_skb_internal net/core/dev.c:6351 [inline]\n netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410\n...\n\nwrite to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:\n bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335\n bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533\n __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039\n __netif_receive_skb_one_core net/core/dev.c:6150 [inline]\n __netif_receive_skb+0x59/0x270 net/core/dev.c:6265\n netif_receive_skb_internal net/core/dev.c:6351 [inline]\n netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410\n br_netif_receive_skb net/bridge/br_input.c:30 [inline]\n NF_HOOK include/linux/netfilter.h:318 [inline]\n...\n\nvalue changed: 0x0000000100005365 -\u003e 0x0000000100005366"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:29.466Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7516cb0165926d308187e231ccd330e5e3ebff7"
},
{
"url": "https://git.kernel.org/stable/c/8c0be3277e7aefb2f900fc37ca3fe7df362e26f5"
},
{
"url": "https://git.kernel.org/stable/c/b956289b83887e0a306067b6003c3fcd81bfdf84"
},
{
"url": "https://git.kernel.org/stable/c/bd98324e327e41de04b13e372cc16f73150df254"
},
{
"url": "https://git.kernel.org/stable/c/f6c3665b6dc53c3ab7d31b585446a953a74340ef"
}
],
"title": "bonding: annotate data-races around slave-\u003elast_rx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23212",
"datePublished": "2026-02-18T14:16:28.104Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-06-11T18:44:20.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23125 (GCVE-0-2026-23125)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
initialization fails:
==================================================================
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
Call Trace:
sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
The issue is triggered when sctp_auth_asoc_init_active_key() fails in
sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
command sequence is currently:
- SCTP_CMD_PEER_INIT
- SCTP_CMD_TIMER_STOP (T1_INIT)
- SCTP_CMD_TIMER_START (T1_COOKIE)
- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
- SCTP_CMD_ASSOC_SHKEY
- SCTP_CMD_GEN_COOKIE_ECHO
If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
to be queued by sctp_datamsg_from_user().
Since command interpretation stops on failure, no COOKIE_ECHO should been
sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
in sctp_outq_flush_data(), leading to the observed issue.
Similar to the other places where it calls sctp_auth_asoc_init_active_key()
right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
T1_COOKIE. This ensures that if shared key generation fails, authenticated
DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
giving the client another chance to process INIT_ACK and retry key setup.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 5a309bedf02ee08b0653215f06c94d61ec7a214a
(git)
Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 784428ab1889eb185a1459e9d6bc52df33d572ef (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < e94294798548e8cfbd80869e1d2f97efce92582c (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < e7e81abbcc5620c9532080538f9709a6ea382855 (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8 (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65 (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < a80c9d945aef55b23b54838334345f20251dad83 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:08.777994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:09.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a309bedf02ee08b0653215f06c94d61ec7a214a",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "784428ab1889eb185a1459e9d6bc52df33d572ef",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "e94294798548e8cfbd80869e1d2f97efce92582c",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "e7e81abbcc5620c9532080538f9709a6ea382855",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "a80c9d945aef55b23b54838334345f20251dad83",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT\n\nA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key\ninitialization fails:\n\n ==================================================================\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2\n RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]\n RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401\n Call Trace:\n\n sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189\n sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111\n sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217\n sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169\n sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052\n sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88\n sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243\n sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127\n\nThe issue is triggered when sctp_auth_asoc_init_active_key() fails in\nsctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the\ncommand sequence is currently:\n\n- SCTP_CMD_PEER_INIT\n- SCTP_CMD_TIMER_STOP (T1_INIT)\n- SCTP_CMD_TIMER_START (T1_COOKIE)\n- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)\n- SCTP_CMD_ASSOC_SHKEY\n- SCTP_CMD_GEN_COOKIE_ECHO\n\nIf SCTP_CMD_ASSOC_SHKEY fails, asoc-\u003eshkey remains NULL, while\nasoc-\u003epeer.auth_capable and asoc-\u003epeer.peer_chunks have already been set by\nSCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL\nto be queued by sctp_datamsg_from_user().\n\nSince command interpretation stops on failure, no COOKIE_ECHO should been\nsent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already\nbeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. As\na result, the DATA chunk can be transmitted together with the COOKIE_ECHO\nin sctp_outq_flush_data(), leading to the observed issue.\n\nSimilar to the other places where it calls sctp_auth_asoc_init_active_key()\nright after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY\nimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting\nT1_COOKIE. This ensures that if shared key generation fails, authenticated\nDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,\ngiving the client another chance to process INIT_ACK and retry key setup."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:36.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a"
},
{
"url": "https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef"
},
{
"url": "https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c"
},
{
"url": "https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855"
},
{
"url": "https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8"
},
{
"url": "https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65"
},
{
"url": "https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83"
}
],
"title": "sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23125",
"datePublished": "2026-02-14T15:09:54.756Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-06-11T18:44:09.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71127 (GCVE-0-2025-71127)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
wifi: mac80211: Discard Beacon frames to non-broadcast address
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Discard Beacon frames to non-broadcast address
Beacon frames are required to be sent to the broadcast address, see IEEE
Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame
shall be set to the broadcast address"). A unicast Beacon frame might be
used as a targeted attack to get one of the associated STAs to do
something (e.g., using CSA to move it to another channel). As such, it
is better have strict filtering for this on the received side and
discard all Beacon frames that are sent to an unexpected address.
This is even more important for cases where beacon protection is used.
The current implementation in mac80211 is correctly discarding unicast
Beacon frames if the Protected Frame bit in the Frame Control field is
set to 0. However, if that bit is set to 1, the logic used for checking
for configured BIGTK(s) does not actually work. If the driver does not
have logic for dropping unicast Beacon frames with Protected Frame bit
1, these frames would be accepted in mac80211 processing as valid Beacon
frames even though they are not protected. This would allow beacon
protection to be bypassed. While the logic for checking beacon
protection could be extended to cover this corner case, a more generic
check for discard all Beacon frames based on A1=unicast address covers
this without needing additional changes.
Address all these issues by dropping received Beacon frames if they are
sent to a non-broadcast address.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
af2d14b01c32d7cba65f73503586e5b621afb139 , < be0974be5c42584e027883ac2af7dab5e950098c
(git)
Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 0a59a3895f804469276d188effa511c72e752f35 (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 88aab153d1528bc559292a12fb5105ee97528e1f (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 6e5bff40bb38741e40c33043ba0816fba5f93661 (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 7b240a8935d554ad36a52c2c37c32039f9afaef2 (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < a21704df4024708be698fb3fd5830d5b113b70e0 (git) Affected: af2d14b01c32d7cba65f73503586e5b621afb139 , < 193d18f60588e95d62e0f82b6a53893e5f2f19f8 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:39.095624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:14.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be0974be5c42584e027883ac2af7dab5e950098c",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "0a59a3895f804469276d188effa511c72e752f35",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "88aab153d1528bc559292a12fb5105ee97528e1f",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "6e5bff40bb38741e40c33043ba0816fba5f93661",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "7b240a8935d554ad36a52c2c37c32039f9afaef2",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "a21704df4024708be698fb3fd5830d5b113b70e0",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "193d18f60588e95d62e0f82b6a53893e5f2f19f8",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Discard Beacon frames to non-broadcast address\n\nBeacon frames are required to be sent to the broadcast address, see IEEE\nStd 802.11-2020, 11.1.3.1 (\"The Address 1 field of the Beacon .. frame\nshall be set to the broadcast address\"). A unicast Beacon frame might be\nused as a targeted attack to get one of the associated STAs to do\nsomething (e.g., using CSA to move it to another channel). As such, it\nis better have strict filtering for this on the received side and\ndiscard all Beacon frames that are sent to an unexpected address.\n\nThis is even more important for cases where beacon protection is used.\nThe current implementation in mac80211 is correctly discarding unicast\nBeacon frames if the Protected Frame bit in the Frame Control field is\nset to 0. However, if that bit is set to 1, the logic used for checking\nfor configured BIGTK(s) does not actually work. If the driver does not\nhave logic for dropping unicast Beacon frames with Protected Frame bit\n1, these frames would be accepted in mac80211 processing as valid Beacon\nframes even though they are not protected. This would allow beacon\nprotection to be bypassed. While the logic for checking beacon\nprotection could be extended to cover this corner case, a more generic\ncheck for discard all Beacon frames based on A1=unicast address covers\nthis without needing additional changes.\n\nAddress all these issues by dropping received Beacon frames if they are\nsent to a non-broadcast address."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:29.932Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c"
},
{
"url": "https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35"
},
{
"url": "https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f"
},
{
"url": "https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661"
},
{
"url": "https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2"
},
{
"url": "https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0"
},
{
"url": "https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8"
}
],
"title": "wifi: mac80211: Discard Beacon frames to non-broadcast address",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71127",
"datePublished": "2026-01-14T15:07:44.218Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-06-11T18:44:14.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47326 (GCVE-0-2026-47326)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:26 – Updated: 2026-05-28 19:25
VLAI?
EPSS
Title
Memory leak in Ubuntu Linux AppArmor large notification response allocation
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing release of memory after effective lifetime
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:20:50.758806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:25:40.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing release of memory after effective lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:26:58.224Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=8d858ecb7e2e216ca2987302a04c266f2355fefe"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Memory leak in Ubuntu Linux AppArmor large notification response allocation"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47326",
"datePublished": "2026-05-28T18:26:58.224Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-28T19:25:40.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23166 (GCVE-0-2026-23166)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes
during resume from suspend when rings[q_idx]->q_vector is NULL.
Tested adaptor:
60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)
Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]
SR-IOV state: both disabled and enabled can reproduce this issue.
kernel version: v6.18
Reproduce steps:
Boot up and execute suspend like systemctl suspend or rtcwake.
Log:
<1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040
<1>[ 231.444052] #PF: supervisor read access in kernel mode
<1>[ 231.444484] #PF: error_code(0x0000) - not-present page
<6>[ 231.444913] PGD 0 P4D 0
<4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI
<4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170
<4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89
<4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202
<4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010
<4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000
<4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000
<4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
<4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000
<4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000
<4>[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0
<4>[ 231.451629] PKRU: 55555554
<4>[ 231.452076] Call Trace:
<4>[ 231.452549] <TASK>
<4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]
<4>[ 231.453482] ice_resume+0xfd/0x220 [ice]
<4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.454425] pci_pm_resume+0x8c/0x140
<4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.455347] dpm_run_callback+0x5f/0x160
<4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170
<4>[ 231.456244] device_resume+0x177/0x270
<4>[ 231.456708] dpm_resume+0x209/0x2f0
<4>[ 231.457151] dpm_resume_end+0x15/0x30
<4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0
<4>[ 231.458054] enter_state+0x10e/0x570
Add defensive checks for both the ring pointer and its q_vector
before dereferencing, allowing the system to resume successfully even when
q_vectors are unmapped.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2a5dc090b92cfa5270e20056074241c6db5c9cdd , < d75c7b7c3c2b8e3569043099e6bdcefc983856c5
(git)
Affected: 2a5dc090b92cfa5270e20056074241c6db5c9cdd , < 36126ddbe924727add05a594dedf230d3b575e4d (git) Affected: 2a5dc090b92cfa5270e20056074241c6db5c9cdd , < 9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85 (git) Affected: 2285c2faef19ee08a6bd6754f4c3ec07dceb2889 (git) Affected: 6.10.10 , < 6.11 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d75c7b7c3c2b8e3569043099e6bdcefc983856c5",
"status": "affected",
"version": "2a5dc090b92cfa5270e20056074241c6db5c9cdd",
"versionType": "git"
},
{
"lessThan": "36126ddbe924727add05a594dedf230d3b575e4d",
"status": "affected",
"version": "2a5dc090b92cfa5270e20056074241c6db5c9cdd",
"versionType": "git"
},
{
"lessThan": "9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85",
"status": "affected",
"version": "2a5dc090b92cfa5270e20056074241c6db5c9cdd",
"versionType": "git"
},
{
"status": "affected",
"version": "2285c2faef19ee08a6bd6754f4c3ec07dceb2889",
"versionType": "git"
},
{
"lessThan": "6.11",
"status": "affected",
"version": "6.10.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix NULL pointer dereference in ice_vsi_set_napi_queues\n\nAdd NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes\nduring resume from suspend when rings[q_idx]-\u003eq_vector is NULL.\n\nTested adaptor:\n60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)\n Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]\n\nSR-IOV state: both disabled and enabled can reproduce this issue.\n\nkernel version: v6.18\n\nReproduce steps:\nBoot up and execute suspend like systemctl suspend or rtcwake.\n\nLog:\n\u003c1\u003e[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040\n\u003c1\u003e[ 231.444052] #PF: supervisor read access in kernel mode\n\u003c1\u003e[ 231.444484] #PF: error_code(0x0000) - not-present page\n\u003c6\u003e[ 231.444913] PGD 0 P4D 0\n\u003c4\u003e[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI\n\u003c4\u003e[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170\n\u003c4\u003e[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b \u003c48\u003e 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89\n\u003c4\u003e[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202\n\u003c4\u003e[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010\n\u003c4\u003e[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000\n\u003c4\u003e[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000\n\u003c4\u003e[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n\u003c4\u003e[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000\n\u003c4\u003e[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000\n\u003c4\u003e[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\u003c4\u003e[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0\n\u003c4\u003e[ 231.451629] PKRU: 55555554\n\u003c4\u003e[ 231.452076] Call Trace:\n\u003c4\u003e[ 231.452549] \u003cTASK\u003e\n\u003c4\u003e[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]\n\u003c4\u003e[ 231.453482] ice_resume+0xfd/0x220 [ice]\n\u003c4\u003e[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10\n\u003c4\u003e[ 231.454425] pci_pm_resume+0x8c/0x140\n\u003c4\u003e[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10\n\u003c4\u003e[ 231.455347] dpm_run_callback+0x5f/0x160\n\u003c4\u003e[ 231.455796] ? dpm_wait_for_superior+0x107/0x170\n\u003c4\u003e[ 231.456244] device_resume+0x177/0x270\n\u003c4\u003e[ 231.456708] dpm_resume+0x209/0x2f0\n\u003c4\u003e[ 231.457151] dpm_resume_end+0x15/0x30\n\u003c4\u003e[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0\n\u003c4\u003e[ 231.458054] enter_state+0x10e/0x570\n\nAdd defensive checks for both the ring pointer and its q_vector\nbefore dereferencing, allowing the system to resume successfully even when\nq_vectors are unmapped."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:02.615Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d75c7b7c3c2b8e3569043099e6bdcefc983856c5"
},
{
"url": "https://git.kernel.org/stable/c/36126ddbe924727add05a594dedf230d3b575e4d"
},
{
"url": "https://git.kernel.org/stable/c/9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85"
}
],
"title": "ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23166",
"datePublished": "2026-02-14T16:01:30.059Z",
"dateReserved": "2026-01-13T15:37:45.981Z",
"dateUpdated": "2026-05-23T16:04:02.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23261 (GCVE-0-2026-23261)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
nvme-fc: release admin tagset if init fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: release admin tagset if init fails
nvme_fabrics creates an NVMe/FC controller in following path:
nvmf_dev_write()
-> nvmf_create_ctrl()
-> nvme_fc_create_ctrl()
-> nvme_fc_init_ctrl()
nvme_fc_init_ctrl() allocates the admin blk-mq resources right after
nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing
the controller state, scheduling connect work, etc.), we jump to the
fail_ctrl path, which tears down the controller references but never
frees the admin queue/tag set. The leaked blk-mq allocations match the
kmemleak report seen during blktests nvme/fc.
Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call
nvme_remove_admin_tag_set() when it is set so that all admin queue
allocations are reclaimed whenever controller setup aborts.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5fe335a80548e2eda5d51fab801108b323600e95 , < 7c54d3f5ebbc5982daaa004260242dc07ac943ea
(git)
Affected: 17c3a66d7ea2d303f783796d62f99e2e23b68c90 , < fa301aef50e3f3b5be6ee53457608beae5aa7a01 (git) Affected: ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 , < e810b290922c535feb34bc90ab549446fe94d2a3 (git) Affected: ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 , < d1877cc7270302081a315a81a0ee8331f19f95c8 (git) Affected: 0d1840b2dd8fe073c020c39bf8e8e89488070801 (git) Affected: 6.6.118 , < 6.6.124 (semver) Affected: 6.12.60 , < 6.12.70 (semver) Affected: 6.17.10 , < 6.18 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c54d3f5ebbc5982daaa004260242dc07ac943ea",
"status": "affected",
"version": "5fe335a80548e2eda5d51fab801108b323600e95",
"versionType": "git"
},
{
"lessThan": "fa301aef50e3f3b5be6ee53457608beae5aa7a01",
"status": "affected",
"version": "17c3a66d7ea2d303f783796d62f99e2e23b68c90",
"versionType": "git"
},
{
"lessThan": "e810b290922c535feb34bc90ab549446fe94d2a3",
"status": "affected",
"version": "ea3442efabd0aa3930c5bab73c3901ef38ef6ac3",
"versionType": "git"
},
{
"lessThan": "d1877cc7270302081a315a81a0ee8331f19f95c8",
"status": "affected",
"version": "ea3442efabd0aa3930c5bab73c3901ef38ef6ac3",
"versionType": "git"
},
{
"status": "affected",
"version": "0d1840b2dd8fe073c020c39bf8e8e89488070801",
"versionType": "git"
},
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThan": "6.12.70",
"status": "affected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThan": "6.18",
"status": "affected",
"version": "6.17.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: release admin tagset if init fails\n\nnvme_fabrics creates an NVMe/FC controller in following path:\n\n nvmf_dev_write()\n -\u003e nvmf_create_ctrl()\n -\u003e nvme_fc_create_ctrl()\n -\u003e nvme_fc_init_ctrl()\n\nnvme_fc_init_ctrl() allocates the admin blk-mq resources right after\nnvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing\nthe controller state, scheduling connect work, etc.), we jump to the\nfail_ctrl path, which tears down the controller references but never\nfrees the admin queue/tag set. The leaked blk-mq allocations match the\nkmemleak report seen during blktests nvme/fc.\n\nCheck ctrl-\u003ectrl.admin_tagset in the fail_ctrl path and call\nnvme_remove_admin_tag_set() when it is set so that all admin queue\nallocations are reclaimed whenever controller setup aborts."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:22.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c54d3f5ebbc5982daaa004260242dc07ac943ea"
},
{
"url": "https://git.kernel.org/stable/c/fa301aef50e3f3b5be6ee53457608beae5aa7a01"
},
{
"url": "https://git.kernel.org/stable/c/e810b290922c535feb34bc90ab549446fe94d2a3"
},
{
"url": "https://git.kernel.org/stable/c/d1877cc7270302081a315a81a0ee8331f19f95c8"
}
],
"title": "nvme-fc: release admin tagset if init fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23261",
"datePublished": "2026-03-18T17:41:07.478Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-05-23T16:04:22.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71122 (GCVE-0-2025-71122)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-05-11 21:55
VLAI?
EPSS
Title
iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
syzkaller found it could overflow math in the test infrastructure and
cause a WARN_ON by corrupting the reserved interval tree. This only
effects test kernels with CONFIG_IOMMUFD_TEST.
Validate the user input length in the test ioctl.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f4b20bb34c83dceade5470288f48f94ce3598ada , < 4cc829d61f10c20523fd4085c1546e741a792a97
(git)
Affected: f4b20bb34c83dceade5470288f48f94ce3598ada , < e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925 (git) Affected: f4b20bb34c83dceade5470288f48f94ce3598ada , < b166b8e0a381429fefd9180e67fbc834b3cee82f (git) Affected: f4b20bb34c83dceade5470288f48f94ce3598ada , < e6a973af11135439de32ece3b9cbe3bfc043bea8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/selftest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cc829d61f10c20523fd4085c1546e741a792a97",
"status": "affected",
"version": "f4b20bb34c83dceade5470288f48f94ce3598ada",
"versionType": "git"
},
{
"lessThan": "e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925",
"status": "affected",
"version": "f4b20bb34c83dceade5470288f48f94ce3598ada",
"versionType": "git"
},
{
"lessThan": "b166b8e0a381429fefd9180e67fbc834b3cee82f",
"status": "affected",
"version": "f4b20bb34c83dceade5470288f48f94ce3598ada",
"versionType": "git"
},
{
"lessThan": "e6a973af11135439de32ece3b9cbe3bfc043bea8",
"status": "affected",
"version": "f4b20bb34c83dceade5470288f48f94ce3598ada",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/selftest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED\n\nsyzkaller found it could overflow math in the test infrastructure and\ncause a WARN_ON by corrupting the reserved interval tree. This only\neffects test kernels with CONFIG_IOMMUFD_TEST.\n\nValidate the user input length in the test ioctl."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:23.921Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cc829d61f10c20523fd4085c1546e741a792a97"
},
{
"url": "https://git.kernel.org/stable/c/e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925"
},
{
"url": "https://git.kernel.org/stable/c/b166b8e0a381429fefd9180e67fbc834b3cee82f"
},
{
"url": "https://git.kernel.org/stable/c/e6a973af11135439de32ece3b9cbe3bfc043bea8"
}
],
"title": "iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71122",
"datePublished": "2026-01-14T15:06:08.556Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-05-11T21:55:23.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23026 (GCVE-0-2026-23026)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Fix a memory leak in gpi_peripheral_config() where the original memory
pointed to by gchan->config could be lost if krealloc() fails.
The issue occurs when:
1. gchan->config points to previously allocated memory
2. krealloc() fails and returns NULL
3. The function directly assigns NULL to gchan->config, losing the
reference to the original memory
4. The original memory becomes unreachable and cannot be freed
Fix this by using a temporary variable to hold the krealloc() result
and only updating gchan->config when the allocation succeeds.
Found via static analysis and code review.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 4532f18e4ab36def1f55cd936d0fc002b2ce34c2
(git)
Affected: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 694ab1f6f16cb69f7c5ef2452b22ba7b00a3c7c7 (git) Affected: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 6bf4ef078fd11910988889a6c0b3698d2e0c89af (git) Affected: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 01b1d781394fc9b83015e3a3cd46b17bda842bd8 (git) Affected: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85 (git) Affected: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 , < 3f747004bbd641131d9396d87b5d2d3d1e182728 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:49.921Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/gpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4532f18e4ab36def1f55cd936d0fc002b2ce34c2",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "694ab1f6f16cb69f7c5ef2452b22ba7b00a3c7c7",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "6bf4ef078fd11910988889a6c0b3698d2e0c89af",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "01b1d781394fc9b83015e3a3cd46b17bda842bd8",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "3f747004bbd641131d9396d87b5d2d3d1e182728",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/gpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()\n\nFix a memory leak in gpi_peripheral_config() where the original memory\npointed to by gchan-\u003econfig could be lost if krealloc() fails.\n\nThe issue occurs when:\n1. gchan-\u003econfig points to previously allocated memory\n2. krealloc() fails and returns NULL\n3. The function directly assigns NULL to gchan-\u003econfig, losing the\n reference to the original memory\n4. The original memory becomes unreachable and cannot be freed\n\nFix this by using a temporary variable to hold the krealloc() result\nand only updating gchan-\u003econfig when the allocation succeeds.\n\nFound via static analysis and code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:34.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4532f18e4ab36def1f55cd936d0fc002b2ce34c2"
},
{
"url": "https://git.kernel.org/stable/c/694ab1f6f16cb69f7c5ef2452b22ba7b00a3c7c7"
},
{
"url": "https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af"
},
{
"url": "https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8"
},
{
"url": "https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85"
},
{
"url": "https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728"
}
],
"title": "dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23026",
"datePublished": "2026-01-31T11:42:05.185Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-06-02T13:00:49.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68769 (GCVE-0-2025-68769)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
f2fs: fix return value of f2fs_recover_fsync_data()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix return value of f2fs_recover_fsync_data()
With below scripts, it will trigger panic in f2fs:
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync
echo 111 >> /mnt/f2fs/foo
f2fs_io fsync /mnt/f2fs/foo
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
mount -o ro,norecovery /dev/vdd /mnt/f2fs
or
mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
F2FS-fs (vdd): Stopped filesystem due to reason: 0
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
Filesystem f2fs get_tree() didn't set fc->root, returned 1
------------[ cut here ]------------
kernel BUG at fs/super.c:1761!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vfs_get_tree.cold+0x18/0x1a
Call Trace:
<TASK>
fc_mount+0x13/0xa0
path_mount+0x34e/0xc50
__x64_sys_mount+0x121/0x150
do_syscall_64+0x84/0x800
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa6cc126cfe
The root cause is we missed to handle error number returned from
f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
ro,disable_roll_forward mount option, result in returning a positive
error number to vfs_get_tree(), fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725
(git)
Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 0de4977a1eeafe9d77701e3c031a1bcdba389243 (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 9bc246018aaa3b46a7710428d0a2196c229f9d49 (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < a4c67d96f92eefcfa5596a08f069e77b743c5865 (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 473550e715654ad7612aa490d583cb7c25fe2ff3 (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 4560db9678a2c5952b6205fbca468c6805c2ba2a (git) Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 01fba45deaddcce0d0b01c411435d1acf6feab7b (git) Affected: 1499d39b74f5957e932639a86487ccea5a0a9740 (git) Affected: 4.4.172 , < 4.5 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "0de4977a1eeafe9d77701e3c031a1bcdba389243",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "9bc246018aaa3b46a7710428d0a2196c229f9d49",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "a4c67d96f92eefcfa5596a08f069e77b743c5865",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "473550e715654ad7612aa490d583cb7c25fe2ff3",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "4560db9678a2c5952b6205fbca468c6805c2ba2a",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "01fba45deaddcce0d0b01c411435d1acf6feab7b",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"status": "affected",
"version": "1499d39b74f5957e932639a86487ccea5a0a9740",
"versionType": "git"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.172",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.172",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_recover_fsync_data()\n\nWith below scripts, it will trigger panic in f2fs:\n\nmkfs.f2fs -f /dev/vdd\nmount /dev/vdd /mnt/f2fs\ntouch /mnt/f2fs/foo\nsync\necho 111 \u003e\u003e /mnt/f2fs/foo\nf2fs_io fsync /mnt/f2fs/foo\nf2fs_io shutdown 2 /mnt/f2fs\numount /mnt/f2fs\nmount -o ro,norecovery /dev/vdd /mnt/f2fs\nor\nmount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs\n\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0\nF2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f\nF2FS-fs (vdd): Stopped filesystem due to reason: 0\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1\nFilesystem f2fs get_tree() didn\u0027t set fc-\u003eroot, returned 1\n------------[ cut here ]------------\nkernel BUG at fs/super.c:1761!\nOops: invalid opcode: 0000 [#1] SMP PTI\nCPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:vfs_get_tree.cold+0x18/0x1a\nCall Trace:\n \u003cTASK\u003e\n fc_mount+0x13/0xa0\n path_mount+0x34e/0xc50\n __x64_sys_mount+0x121/0x150\n do_syscall_64+0x84/0x800\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fa6cc126cfe\n\nThe root cause is we missed to handle error number returned from\nf2fs_recover_fsync_data() when mounting image w/ ro,norecovery or\nro,disable_roll_forward mount option, result in returning a positive\nerror number to vfs_get_tree(), fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:51.005Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725"
},
{
"url": "https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243"
},
{
"url": "https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49"
},
{
"url": "https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865"
},
{
"url": "https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3"
},
{
"url": "https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a"
},
{
"url": "https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b"
}
],
"title": "f2fs: fix return value of f2fs_recover_fsync_data()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68769",
"datePublished": "2026-01-13T15:28:47.798Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-05-23T16:02:51.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71190 (GCVE-0-2025-71190)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
dmaengine: bcm-sba-raid: fix device leak on probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: bcm-sba-raid: fix device leak on probe
Make sure to drop the reference taken when looking up the mailbox device
during probe on probe failures and on driver unbind.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < 4316e4c4fd2c09f68a262365f21847cafa8fe9dd
(git)
Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < 4730f12a192d7314119b3d8331611ab151b87bdf (git) Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < bc98e68adfef3b25c06ff08f0808bb59f787420c (git) Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < c80ca7bdff158401440741bdcf9175bd8608580b (git) Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < db6f1d6d31711e73e6a214c73e6a8fb4cda0483d (git) Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < 2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b (git) Affected: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b , < 7c3a46ebf15a9796b763a54272407fdbf945bed8 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:39.021Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:33.967836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:24.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/bcm-sba-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4316e4c4fd2c09f68a262365f21847cafa8fe9dd",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "4730f12a192d7314119b3d8331611ab151b87bdf",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "bc98e68adfef3b25c06ff08f0808bb59f787420c",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "c80ca7bdff158401440741bdcf9175bd8608580b",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "db6f1d6d31711e73e6a214c73e6a8fb4cda0483d",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "7c3a46ebf15a9796b763a54272407fdbf945bed8",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/bcm-sba-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: bcm-sba-raid: fix device leak on probe\n\nMake sure to drop the reference taken when looking up the mailbox device\nduring probe on probe failures and on driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:24.302Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4316e4c4fd2c09f68a262365f21847cafa8fe9dd"
},
{
"url": "https://git.kernel.org/stable/c/4730f12a192d7314119b3d8331611ab151b87bdf"
},
{
"url": "https://git.kernel.org/stable/c/bc98e68adfef3b25c06ff08f0808bb59f787420c"
},
{
"url": "https://git.kernel.org/stable/c/c80ca7bdff158401440741bdcf9175bd8608580b"
},
{
"url": "https://git.kernel.org/stable/c/db6f1d6d31711e73e6a214c73e6a8fb4cda0483d"
},
{
"url": "https://git.kernel.org/stable/c/2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b"
},
{
"url": "https://git.kernel.org/stable/c/7c3a46ebf15a9796b763a54272407fdbf945bed8"
}
],
"title": "dmaengine: bcm-sba-raid: fix device leak on probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71190",
"datePublished": "2026-01-31T11:42:01.092Z",
"dateReserved": "2026-01-31T11:36:51.189Z",
"dateUpdated": "2026-06-11T18:44:24.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71086 (GCVE-0-2025-71086)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
net: rose: fix invalid array index in rose_kill_by_device()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: fix invalid array index in rose_kill_by_device()
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.
The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().
Fix the index to use i.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
12e5a4719c99d7f4104e7e962393dfb8baa1c591 , < 819fb41ae54960f66025802400c9d3935eef4042
(git)
Affected: c0e527c532a07556ca44642f5873b002c44da22c , < ed2639414d43ba037f798eaf619e878309310451 (git) Affected: 3e0d1585799d8a991eba9678f297fd78d9f1846e , < 1418c12cd3bba79dc56b57b61c99efe40f579981 (git) Affected: ffced26692f83212aa09d0ece0213b23cc2f611d , < 9f6185a32496834d6980b168cffcccc2d6b17280 (git) Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be , < b409ba9e1e63ccf3ab4cc061e33c1f804183543e (git) Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be , < 92d900aac3a5721fb54f3328f1e089b44a861c38 (git) Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be , < 6595beb40fb0ec47223d3f6058ee40354694c8e4 (git) Affected: bd7de4734535140fda33240c2335a07fdab6f88e (git) Affected: b10265532df7bc3666bc53261b7f03f0fd14b1c9 (git) Affected: 5.10.206 , < 5.10.248 (semver) Affected: 5.15.146 , < 5.15.198 (semver) Affected: 6.1.70 , < 6.1.160 (semver) Affected: 6.6.9 , < 6.6.120 (semver) Affected: 4.19.304 , < 4.20 (semver) Affected: 5.4.266 , < 5.5 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "819fb41ae54960f66025802400c9d3935eef4042",
"status": "affected",
"version": "12e5a4719c99d7f4104e7e962393dfb8baa1c591",
"versionType": "git"
},
{
"lessThan": "ed2639414d43ba037f798eaf619e878309310451",
"status": "affected",
"version": "c0e527c532a07556ca44642f5873b002c44da22c",
"versionType": "git"
},
{
"lessThan": "1418c12cd3bba79dc56b57b61c99efe40f579981",
"status": "affected",
"version": "3e0d1585799d8a991eba9678f297fd78d9f1846e",
"versionType": "git"
},
{
"lessThan": "9f6185a32496834d6980b168cffcccc2d6b17280",
"status": "affected",
"version": "ffced26692f83212aa09d0ece0213b23cc2f611d",
"versionType": "git"
},
{
"lessThan": "b409ba9e1e63ccf3ab4cc061e33c1f804183543e",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"lessThan": "92d900aac3a5721fb54f3328f1e089b44a861c38",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"lessThan": "6595beb40fb0ec47223d3f6058ee40354694c8e4",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"status": "affected",
"version": "bd7de4734535140fda33240c2335a07fdab6f88e",
"versionType": "git"
},
{
"status": "affected",
"version": "b10265532df7bc3666bc53261b7f03f0fd14b1c9",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.206",
"versionType": "semver"
},
{
"lessThan": "5.15.198",
"status": "affected",
"version": "5.15.146",
"versionType": "semver"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.70",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.9",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.304",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.266",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.304",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.266",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix invalid array index in rose_kill_by_device()\n\nrose_kill_by_device() collects sockets into a local array[] and then\niterates over them to disconnect sockets bound to a device being brought\ndown.\n\nThe loop mistakenly indexes array[cnt] instead of array[i]. For cnt \u003c\nARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==\nARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to\nan invalid socket pointer dereference and also leaks references taken\nvia sock_hold().\n\nFix the index to use i."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:08.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042"
},
{
"url": "https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451"
},
{
"url": "https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981"
},
{
"url": "https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280"
},
{
"url": "https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e"
},
{
"url": "https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38"
},
{
"url": "https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4"
}
],
"title": "net: rose: fix invalid array index in rose_kill_by_device()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71086",
"datePublished": "2026-01-13T15:34:49.007Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-05-23T16:03:08.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23083 (GCVE-0-2026-23083)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
fou: Don't allow 0 for FOU_ATTR_IPPROTO.
Summary
In the Linux kernel, the following vulnerability has been resolved:
fou: Don't allow 0 for FOU_ATTR_IPPROTO.
fou_udp_recv() has the same problem mentioned in the previous
patch.
If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
Let's forbid 0 for FOU_ATTR_IPPROTO.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
23461551c00628c3f3fe9cf837bf53cf8f212b63 , < c7498f9bc390479ccfad7c7f2332237ff4945b03
(git)
Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 6e983789b7588ee59cbf303583546c043bad8e19 (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 1cc98b8887cabb1808d2f4a37cd10a7be7574771 (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < b7db31a52c3862a1a32202a273a4c32e7f5f4823 (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 9b75dff8446ec871030d8daf5a69e74f5fe8b956 (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:31.350182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:13.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"Documentation/netlink/specs/fou.yaml",
"net/ipv4/fou_nl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7498f9bc390479ccfad7c7f2332237ff4945b03",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "6e983789b7588ee59cbf303583546c043bad8e19",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "1cc98b8887cabb1808d2f4a37cd10a7be7574771",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "b7db31a52c3862a1a32202a273a4c32e7f5f4823",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "9b75dff8446ec871030d8daf5a69e74f5fe8b956",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"Documentation/netlink/specs/fou.yaml",
"net/ipv4/fou_nl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: Don\u0027t allow 0 for FOU_ATTR_IPPROTO.\n\nfou_udp_recv() has the same problem mentioned in the previous\npatch.\n\nIf FOU_ATTR_IPPROTO is set to 0, skb is not freed by\nfou_udp_recv() nor \"resubmit\"-ted in ip_protocol_deliver_rcu().\n\nLet\u0027s forbid 0 for FOU_ATTR_IPPROTO."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:40.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7498f9bc390479ccfad7c7f2332237ff4945b03"
},
{
"url": "https://git.kernel.org/stable/c/611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea"
},
{
"url": "https://git.kernel.org/stable/c/6e983789b7588ee59cbf303583546c043bad8e19"
},
{
"url": "https://git.kernel.org/stable/c/1cc98b8887cabb1808d2f4a37cd10a7be7574771"
},
{
"url": "https://git.kernel.org/stable/c/b7db31a52c3862a1a32202a273a4c32e7f5f4823"
},
{
"url": "https://git.kernel.org/stable/c/9b75dff8446ec871030d8daf5a69e74f5fe8b956"
},
{
"url": "https://git.kernel.org/stable/c/7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5"
}
],
"title": "fou: Don\u0027t allow 0 for FOU_ATTR_IPPROTO.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23083",
"datePublished": "2026-02-04T16:08:07.561Z",
"dateReserved": "2026-01-13T15:37:45.960Z",
"dateUpdated": "2026-06-11T18:44:13.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23124 (GCVE-0-2026-23124)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ipv6: annotate data-race in ndisc_router_discovery()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: annotate data-race in ndisc_router_discovery()
syzbot found that ndisc_router_discovery() could read and write
in6_dev->ra_mtu without holding a lock [1]
This looks fine, IFLA_INET6_RA_MTU is best effort.
Add READ_ONCE()/WRITE_ONCE() to document the race.
Note that we might also reject illegal MTU values
(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.
[1]
BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery
read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:
ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...
write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:
ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...
value changed: 0x00000000 -> 0xe5400659
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < 4630897eb1a039b5d7b737b8dc9521d9d4b568b5
(git)
Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < 2619499169fb1c2ac4974b0f2d87767fb543582b (git) Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < fad8f4ff7928f4d52a062ffdcffa484989c79c47 (git) Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < 2a2b9d25f801afecf2f83cacce98afa8fd73e3c9 (git) Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < e3c1040252e598f7b4e33a42dc7c38519bc22428 (git) Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < 9a063f96d87efc3a6cc667f8de096a3d38d74bb5 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:30.553217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:02.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4630897eb1a039b5d7b737b8dc9521d9d4b568b5",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "2619499169fb1c2ac4974b0f2d87767fb543582b",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "fad8f4ff7928f4d52a062ffdcffa484989c79c47",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "2a2b9d25f801afecf2f83cacce98afa8fd73e3c9",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "e3c1040252e598f7b4e33a42dc7c38519bc22428",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "9a063f96d87efc3a6cc667f8de096a3d38d74bb5",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: annotate data-race in ndisc_router_discovery()\n\nsyzbot found that ndisc_router_discovery() could read and write\nin6_dev-\u003era_mtu without holding a lock [1]\n\nThis looks fine, IFLA_INET6_RA_MTU is best effort.\n\nAdd READ_ONCE()/WRITE_ONCE() to document the race.\n\nNote that we might also reject illegal MTU values\n(mtu \u003c IPV6_MIN_MTU || mtu \u003e skb-\u003edev-\u003emtu) in a future patch.\n\n[1]\nBUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery\n\nread to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:\n ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558\n ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nwrite to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:\n ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559\n ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nvalue changed: 0x00000000 -\u003e 0xe5400659"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:35.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5"
},
{
"url": "https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b"
},
{
"url": "https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47"
},
{
"url": "https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9"
},
{
"url": "https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428"
},
{
"url": "https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5"
}
],
"title": "ipv6: annotate data-race in ndisc_router_discovery()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23124",
"datePublished": "2026-02-14T15:09:54.043Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-06-11T18:44:02.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36347 (GCVE-0-2024-36347)
Vulnerability from cvelistv5 – Published: 2025-06-27 22:14 – Updated: 2026-02-26 17:50
VLAI?
EPSS
Summary
Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment.
Severity ?
6.4 (Medium)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AMD | AMD EPYC™ 7001 Series |
Unaffected:
NaplesPI 1.0.0.P
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T03:55:55.838463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:50:21.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7001 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "NaplesPI 1.0.0.P"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7002 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RomePI 1.0.0.L"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7003 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MilanPI 1.0.0.F"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9004 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Genoa 1.0.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 4004 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5PI1.0.0.a"
},
{
"status": "unaffected",
"version": "ComboAM5PI1.1.0.3c"
},
{
"status": "unaffected",
"version": "ComboAM5PI1.2.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9005 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "TurinPI 1.0.0.4"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Instinct\u2122 MI300A",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MI300PI_SR5 1.0.0.8"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Desktop Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 3000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4PI 1.0.0.D"
},
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Athlon\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4PI 1.0.0.D"
},
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5PI 1.0.0.a"
},
{
"status": "unaffected",
"version": "ComboAM5PI 1.1.0.3c"
},
{
"status": "unaffected",
"version": "ComboAM5PI 1.2.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 4000 Series Desktop Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 8000 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5PI 1.1.0.3c"
},
{
"status": "unaffected",
"version": "ComboAM5PI 1.2.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 9000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5PI 1.2.0.3c"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 3000 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "CastlePeakPI-SP3r3 1.0.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 7000 WX-Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "StormPeakPI-SP6 1.0.0.1k"
},
{
"status": "unaffected",
"version": "StormPeakPI-SP6 1.1.0.0i"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 3000WX Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ChagallWSPI-sWRX8 1.0.0.B"
},
{
"status": "unaffected",
"version": "CastlePeakWSPI-sWRX8 1.0.0.g"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 5000WX- Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ChagallWSPI-sWRX8 1.0.0.B"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PicassoPI-FP5 1.0.1.2b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 3000 Series Mobile Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PicassoPI-FP5 1.0.1.2b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 4000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RenoirPI-FP6 1.0.0.Eb"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "CezannePI-FP6 1.0.1.1b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MendocinoPI-FT6 1.0.0.7b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 6000 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RembrandtPI-FP7 1.0.0.Bb"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7035 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RembrandtPI-FP7 1.0.0.Bb"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "CezannePI-FP6 1.0.1.1b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PhoenixPI-FP8-FP7 1.2.0.0"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 8040 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PhoenixPI-FP8-FP7 1.2.0.0"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7045 Series Mobile Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "DragonRangeFL1 1.0.0.3g"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 AI 300 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "StrixKrakenPI-FP8_1.1.0.0b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 AI Max +",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "StrixHaloPI-FP11_1.0.0.1"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 9000HX Series Mobile Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "FireRangeFL1PI 1.0.0.0a"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 3000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "SnowyOwl PI 1.1.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 7002",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbRomePI-SP3 1.0.0.D"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 7003",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbMilan PI-SP3 1.0.0.A"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 8004",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-SP5 1.0.0.9"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 9004",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-SP5 1.0.0.9"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 97X4",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-SP5 1.0.0.9"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded R1000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP5 1.2.0.F"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded R2000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedR2KPI 1.0.0.5"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded 5000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbAM4PI 1.0.0.7"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded 7000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedAM5PI 1.0.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded V1000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP5 1.2.0.F"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122Embedded V2000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP6 1.0.0.B"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122Embedded V3000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP7R2 1.0.0.C"
}
]
}
],
"datePublic": "2025-06-27T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment.\u003cbr\u003e"
}
],
"value": "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T22:14:01.944Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2024-36347",
"datePublished": "2025-06-27T22:14:01.944Z",
"dateReserved": "2024-05-23T19:44:47.201Z",
"dateUpdated": "2026-02-26T17:50:21.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71193 (GCVE-0-2025-71193)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
Enabling runtime PM before attaching the QPHY instance as driver data
can lead to a NULL pointer dereference in runtime PM callbacks that
expect valid driver data. There is a small window where the suspend
callback may run after PM runtime enabling and before runtime forbid.
This causes a sporadic crash during boot:
```
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
[...]
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
Workqueue: pm pm_runtime_work
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
lr : pm_generic_runtime_suspend+0x2c/0x44
[...]
```
Attach the QPHY instance as driver data before enabling runtime PM to
prevent NULL pointer dereference in runtime PM callbacks.
Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
short window where an unnecessary runtime suspend can occur.
Use the devres-managed version to ensure PM runtime is symmetrically
disabled during driver removal for proper cleanup.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
891a96f65ac3b12883ddbc6d1a9adf6e54dc903c , < beba460a299150b5d8dcbe3474a8f4bdf0205180
(git)
Affected: 891a96f65ac3b12883ddbc6d1a9adf6e54dc903c , < d50a9b7fd07296a1ab81c49ceba14cae3d31df86 (git) Affected: 891a96f65ac3b12883ddbc6d1a9adf6e54dc903c , < 4ac15caa27ff842b068a54f1c6a8ff8b31f658e7 (git) Affected: 891a96f65ac3b12883ddbc6d1a9adf6e54dc903c , < 1ca52c0983c34fca506921791202ed5bdafd5306 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qusb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "beba460a299150b5d8dcbe3474a8f4bdf0205180",
"status": "affected",
"version": "891a96f65ac3b12883ddbc6d1a9adf6e54dc903c",
"versionType": "git"
},
{
"lessThan": "d50a9b7fd07296a1ab81c49ceba14cae3d31df86",
"status": "affected",
"version": "891a96f65ac3b12883ddbc6d1a9adf6e54dc903c",
"versionType": "git"
},
{
"lessThan": "4ac15caa27ff842b068a54f1c6a8ff8b31f658e7",
"status": "affected",
"version": "891a96f65ac3b12883ddbc6d1a9adf6e54dc903c",
"versionType": "git"
},
{
"lessThan": "1ca52c0983c34fca506921791202ed5bdafd5306",
"status": "affected",
"version": "891a96f65ac3b12883ddbc6d1a9adf6e54dc903c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qusb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qusb2: Fix NULL pointer dereference on early suspend\n\nEnabling runtime PM before attaching the QPHY instance as driver data\ncan lead to a NULL pointer dereference in runtime PM callbacks that\nexpect valid driver data. There is a small window where the suspend\ncallback may run after PM runtime enabling and before runtime forbid.\nThis causes a sporadic crash during boot:\n\n```\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a1\n[...]\nCPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT\nWorkqueue: pm pm_runtime_work\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]\nlr : pm_generic_runtime_suspend+0x2c/0x44\n[...]\n```\n\nAttach the QPHY instance as driver data before enabling runtime PM to\nprevent NULL pointer dereference in runtime PM callbacks.\n\nReorder pm_runtime_enable() and pm_runtime_forbid() to prevent a\nshort window where an unnecessary runtime suspend can occur.\n\nUse the devres-managed version to ensure PM runtime is symmetrically\ndisabled during driver removal for proper cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:27.748Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/beba460a299150b5d8dcbe3474a8f4bdf0205180"
},
{
"url": "https://git.kernel.org/stable/c/d50a9b7fd07296a1ab81c49ceba14cae3d31df86"
},
{
"url": "https://git.kernel.org/stable/c/4ac15caa27ff842b068a54f1c6a8ff8b31f658e7"
},
{
"url": "https://git.kernel.org/stable/c/1ca52c0983c34fca506921791202ed5bdafd5306"
}
],
"title": "phy: qcom-qusb2: Fix NULL pointer dereference on early suspend",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71193",
"datePublished": "2026-02-04T16:04:14.514Z",
"dateReserved": "2026-01-31T11:36:51.189Z",
"dateUpdated": "2026-05-11T21:56:27.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71188 (GCVE-0-2025-71188)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:41 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e5f4ae84be7421010780984bdc121eac15997327 , < 3d396ebfb3049a2b5fac51d2c967db5114b685e8
(git)
Affected: e5f4ae84be7421010780984bdc121eac15997327 , < 499ddae78c4baa9b94df76b2d2eb6b150d15377f (git) Affected: e5f4ae84be7421010780984bdc121eac15997327 , < adef147a8d8c3d767abf88ad2c381ffab2993086 (git) Affected: e5f4ae84be7421010780984bdc121eac15997327 , < 9fba97baa520c9446df51a64708daf27c5a7ed32 (git) Affected: e5f4ae84be7421010780984bdc121eac15997327 , < 992eb8055a6e5dbb808672d20d68e60d5a89b12b (git) Affected: e5f4ae84be7421010780984bdc121eac15997327 , < 1e47d80f6720f0224efd19bcf081d39637569c10 (git) Affected: e5f4ae84be7421010780984bdc121eac15997327 , < d4d63059dee7e7cae0c4d9a532ed558bc90efb55 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:36.620Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/lpc18xx-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d396ebfb3049a2b5fac51d2c967db5114b685e8",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "499ddae78c4baa9b94df76b2d2eb6b150d15377f",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "adef147a8d8c3d767abf88ad2c381ffab2993086",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "9fba97baa520c9446df51a64708daf27c5a7ed32",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "992eb8055a6e5dbb808672d20d68e60d5a89b12b",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "1e47d80f6720f0224efd19bcf081d39637569c10",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "d4d63059dee7e7cae0c4d9a532ed558bc90efb55",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/lpc18xx-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: lpc18xx-dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:22.014Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d396ebfb3049a2b5fac51d2c967db5114b685e8"
},
{
"url": "https://git.kernel.org/stable/c/499ddae78c4baa9b94df76b2d2eb6b150d15377f"
},
{
"url": "https://git.kernel.org/stable/c/adef147a8d8c3d767abf88ad2c381ffab2993086"
},
{
"url": "https://git.kernel.org/stable/c/9fba97baa520c9446df51a64708daf27c5a7ed32"
},
{
"url": "https://git.kernel.org/stable/c/992eb8055a6e5dbb808672d20d68e60d5a89b12b"
},
{
"url": "https://git.kernel.org/stable/c/1e47d80f6720f0224efd19bcf081d39637569c10"
},
{
"url": "https://git.kernel.org/stable/c/d4d63059dee7e7cae0c4d9a532ed558bc90efb55"
}
],
"title": "dmaengine: lpc18xx-dmamux: fix device leak on route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71188",
"datePublished": "2026-01-31T11:41:59.624Z",
"dateReserved": "2026-01-31T11:36:51.188Z",
"dateUpdated": "2026-06-02T13:00:36.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23273 (GCVE-0-2026-23273)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
macvlan: observe an RCU grace period in macvlan_common_newlink() error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: observe an RCU grace period in macvlan_common_newlink() error path
valis reported that a race condition still happens after my prior patch.
macvlan_common_newlink() might have made @dev visible before
detecting an error, and its caller will directly call free_netdev(dev).
We must respect an RCU period, either in macvlan or the core networking
stack.
After adding a temporary mdelay(1000) in macvlan_forward_source_one()
to open the race window, valis repro was:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
(ip link add invalid% link p2 type macvlan mode source macaddr add
00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4
PING 1.2.3.4 (1.2.3.4): 56 data bytes
RTNETLINK answers: Invalid argument
BUG: KASAN: slab-use-after-free in macvlan_forward_source
(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
Read of size 8 at addr ffff888016bb89c0 by task e/175
CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:123)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
kasan_report (mm/kasan/report.c:597)
? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
? tasklet_init (kernel/softirq.c:983)
macvlan_handle_frame (drivers/net/macvlan.c:501)
Allocated by task 169:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/x86/include/asm/current.h:25
mm/kasan/common.c:70 mm/kasan/common.c:79)
__kasan_kmalloc (mm/kasan/common.c:419)
__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657
mm/slub.c:7140)
alloc_netdev_mqs (net/core/dev.c:12012)
rtnl_create_link (net/core/rtnetlink.c:3648)
rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957
net/core/rtnetlink.c:4072)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
Freed by task 169:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/x86/include/asm/current.h:25
mm/kasan/common.c:70 mm/kasan/common.c:79)
kasan_save_free_info (mm/kasan/generic.c:587)
__kasan_slab_free (mm/kasan/common.c:287)
kfree (mm/slub.c:6674 mm/slub.c:6882)
rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957
net/core/rtnetlink.c:4072)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
da5c6b8ae47e414be47e5e04def15b25d5c962dc , < 91e4ff8d966978901630fc29582c1a76d3c6e46c
(git)
Affected: 5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a , < 3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4 (git) Affected: c43d0e787cbba569ec9d11579ed370b50fab6c9c , < 721eb342d9ba19bad5c4815ea3921465158b7362 (git) Affected: 11ba9f0dc865136174cb98834280fb21bbc950c7 , < 19c7d8ac51988d053709c1e85bd8482076af845d (git) Affected: 986967a162142710076782d5b93daab93a892980 , < a1f686d273d129b45712d95f4095843b864466bd (git) Affected: cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 , < d34f7a8aa9a25b7e64e0e46e444697c0f702374d (git) Affected: f8db6475a83649689c087a8f52486fcc53e627e9 , < 1e58ae87ad1e6e24368dea9aec9048c758cd0e2b (git) Affected: f8db6475a83649689c087a8f52486fcc53e627e9 , < e3f000f0dee1bfab52e2e61ca6a3835d9e187e35 (git) Affected: 5.10.250 , < 5.10.252 (semver) Affected: 5.15.200 , < 5.15.202 (semver) Affected: 6.1.163 , < 6.1.165 (semver) Affected: 6.6.124 , < 6.6.128 (semver) Affected: 6.12.70 , < 6.12.75 (semver) Affected: 6.18.10 , < 6.18.14 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "91e4ff8d966978901630fc29582c1a76d3c6e46c",
"status": "affected",
"version": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
"versionType": "git"
},
{
"lessThan": "3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4",
"status": "affected",
"version": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
"versionType": "git"
},
{
"lessThan": "721eb342d9ba19bad5c4815ea3921465158b7362",
"status": "affected",
"version": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
"versionType": "git"
},
{
"lessThan": "19c7d8ac51988d053709c1e85bd8482076af845d",
"status": "affected",
"version": "11ba9f0dc865136174cb98834280fb21bbc950c7",
"versionType": "git"
},
{
"lessThan": "a1f686d273d129b45712d95f4095843b864466bd",
"status": "affected",
"version": "986967a162142710076782d5b93daab93a892980",
"versionType": "git"
},
{
"lessThan": "d34f7a8aa9a25b7e64e0e46e444697c0f702374d",
"status": "affected",
"version": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
"versionType": "git"
},
{
"lessThan": "1e58ae87ad1e6e24368dea9aec9048c758cd0e2b",
"status": "affected",
"version": "f8db6475a83649689c087a8f52486fcc53e627e9",
"versionType": "git"
},
{
"lessThan": "e3f000f0dee1bfab52e2e61ca6a3835d9e187e35",
"status": "affected",
"version": "f8db6475a83649689c087a8f52486fcc53e627e9",
"versionType": "git"
},
{
"lessThan": "5.10.252",
"status": "affected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThan": "5.15.202",
"status": "affected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThan": "6.1.165",
"status": "affected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThan": "6.6.128",
"status": "affected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThan": "6.18.14",
"status": "affected",
"version": "6.18.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.10.250",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.6.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: observe an RCU grace period in macvlan_common_newlink() error path\n\nvalis reported that a race condition still happens after my prior patch.\n\nmacvlan_common_newlink() might have made @dev visible before\ndetecting an error, and its caller will directly call free_netdev(dev).\n\nWe must respect an RCU period, either in macvlan or the core networking\nstack.\n\nAfter adding a temporary mdelay(1000) in macvlan_forward_source_one()\nto open the race window, valis repro was:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\nip link add mv0 link p2 type macvlan mode source\n\n(ip link add invalid% link p2 type macvlan mode source macaddr add\n00:00:00:00:00:20 \u0026) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4\nPING 1.2.3.4 (1.2.3.4): 56 data bytes\nRTNETLINK answers: Invalid argument\n\nBUG: KASAN: slab-use-after-free in macvlan_forward_source\n(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nRead of size 8 at addr ffff888016bb89c0 by task e/175\n\nCPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl (lib/dump_stack.c:123)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nkasan_report (mm/kasan/report.c:597)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nmacvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\n? tasklet_init (kernel/softirq.c:983)\nmacvlan_handle_frame (drivers/net/macvlan.c:501)\n\nAllocated by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657\nmm/slub.c:7140)\nalloc_netdev_mqs (net/core/dev.c:12012)\nrtnl_create_link (net/core/rtnetlink.c:3648)\nrtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)\n\nFreed by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_free_info (mm/kasan/generic.c:587)\n__kasan_slab_free (mm/kasan/common.c:287)\nkfree (mm/slub.c:6674 mm/slub.c:6882)\nrtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:27.068Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46c"
},
{
"url": "https://git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4"
},
{
"url": "https://git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362"
},
{
"url": "https://git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845d"
},
{
"url": "https://git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bd"
},
{
"url": "https://git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374d"
},
{
"url": "https://git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2b"
},
{
"url": "https://git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35"
}
],
"title": "macvlan: observe an RCU grace period in macvlan_common_newlink() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23273",
"datePublished": "2026-03-20T08:08:54.111Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-05-23T16:04:27.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68741 (GCVE-0-2025-68741)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-06-16 19:32
VLAI?
EPSS
Title
scsi: qla2xxx: Fix improper freeing of purex item
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix improper freeing of purex item
In qla2xxx_process_purls_iocb(), an item is allocated via
qla27xx_copy_multiple_pkt(), which internally calls
qla24xx_alloc_purex_item().
The qla24xx_alloc_purex_item() function may return a pre-allocated item
from a per-adapter pool for small allocations, instead of dynamically
allocating memory with kzalloc().
An error handling path in qla2xxx_process_purls_iocb() incorrectly uses
kfree() to release the item. If the item was from the pre-allocated
pool, calling kfree() on it is a bug that can lead to memory corruption.
Fix this by using the correct deallocation function,
qla24xx_free_purex_item(), which properly handles both dynamically
allocated and pre-allocated items.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
875386b98857822b77ac7f95bdf367b70af5b78c , < 4bccd506a1f1ab01d1f45b2a3effff6bedc73cf9
(git)
Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < 8e9f0a0717ba31d5842721627ade1e62d7aec012 (git) Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < cfe3e2f768d248fd3d965d561d0768a56dd0b9f8 (git) Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < 5fa1c8226b4532ad7011d295d3ab4ad45df105ae (git) Affected: 875386b98857822b77ac7f95bdf367b70af5b78c , < 78b1a242fe612a755f2158fd206ee6bb577d18ca (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:31:58.802980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:32:08.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4bccd506a1f1ab01d1f45b2a3effff6bedc73cf9",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "8e9f0a0717ba31d5842721627ade1e62d7aec012",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "cfe3e2f768d248fd3d965d561d0768a56dd0b9f8",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "5fa1c8226b4532ad7011d295d3ab4ad45df105ae",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "78b1a242fe612a755f2158fd206ee6bb577d18ca",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix improper freeing of purex item\n\nIn qla2xxx_process_purls_iocb(), an item is allocated via\nqla27xx_copy_multiple_pkt(), which internally calls\nqla24xx_alloc_purex_item().\n\nThe qla24xx_alloc_purex_item() function may return a pre-allocated item\nfrom a per-adapter pool for small allocations, instead of dynamically\nallocating memory with kzalloc().\n\nAn error handling path in qla2xxx_process_purls_iocb() incorrectly uses\nkfree() to release the item. If the item was from the pre-allocated\npool, calling kfree() on it is a bug that can lead to memory corruption.\n\nFix this by using the correct deallocation function,\nqla24xx_free_purex_item(), which properly handles both dynamically\nallocated and pre-allocated items."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:26.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4bccd506a1f1ab01d1f45b2a3effff6bedc73cf9"
},
{
"url": "https://git.kernel.org/stable/c/8e9f0a0717ba31d5842721627ade1e62d7aec012"
},
{
"url": "https://git.kernel.org/stable/c/cfe3e2f768d248fd3d965d561d0768a56dd0b9f8"
},
{
"url": "https://git.kernel.org/stable/c/5fa1c8226b4532ad7011d295d3ab4ad45df105ae"
},
{
"url": "https://git.kernel.org/stable/c/78b1a242fe612a755f2158fd206ee6bb577d18ca"
}
],
"title": "scsi: qla2xxx: Fix improper freeing of purex item",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68741",
"datePublished": "2025-12-24T12:09:38.655Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-06-16T19:32:08.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23274 (GCVE-0-2026-23274)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-11 22:03
VLAI?
EPSS
Title
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.
If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.
Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
68983a354a655c35d3fb204489d383a2a051fda7 , < 32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44
(git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 144f88054ba0180467356f40895bd660b5dceeec (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 28c7cfaf0c0ab17cbd7754092116fd1af45271f9 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 54080355999381fed4a26129579a5765bab87491 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 5e7ece24c5cb75a60402aad4d803c7898ea40aa9 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < f228b9ae2a7e84d1153616d8e71c4236cb1f1309 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_IDLETIMER.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "144f88054ba0180467356f40895bd660b5dceeec",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "28c7cfaf0c0ab17cbd7754092116fd1af45271f9",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "54080355999381fed4a26129579a5765bab87491",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "5e7ece24c5cb75a60402aad4d803c7898ea40aa9",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "f228b9ae2a7e84d1153616d8e71c4236cb1f1309",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_IDLETIMER.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer-\u003etimer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer-\u003etimer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:41.745Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44"
},
{
"url": "https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec"
},
{
"url": "https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9"
},
{
"url": "https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491"
},
{
"url": "https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9"
},
{
"url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"
},
{
"url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"
},
{
"url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"
}
],
"title": "netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23274",
"datePublished": "2026-03-20T08:08:54.918Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-05-11T22:03:41.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71222 (GCVE-0-2025-71222)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
wifi: wlcore: ensure skb headroom before skb_push
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wlcore: ensure skb headroom before skb_push
This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is
less than needed (typically 110 - 94 = 16 bytes).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f5fc0f86b02afef1119b523623b4cde41475bc8c , < 88295a55fefe5414e64293638b6f7549646e58ed
(git)
Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < cd89a4656c03f8db0c57350aaec69cd3cfaa3522 (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < 745a0810dbc96a0471e5f5e627ba1e978c3116d4 (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < b167312390fdd461c81ead516f2b0b44e83a9edb (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < 71de0b6e04bbee5575caf9a1e4d424e7dcc50018 (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < 689a7980e4788e13e766763d53569fb78dea2513 (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < e75665dd096819b1184087ba5718bd93beafff51 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88295a55fefe5414e64293638b6f7549646e58ed",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "cd89a4656c03f8db0c57350aaec69cd3cfaa3522",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "745a0810dbc96a0471e5f5e627ba1e978c3116d4",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "b167312390fdd461c81ead516f2b0b44e83a9edb",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "71de0b6e04bbee5575caf9a1e4d424e7dcc50018",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "689a7980e4788e13e766763d53569fb78dea2513",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "e75665dd096819b1184087ba5718bd93beafff51",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: ensure skb headroom before skb_push\n\nThis avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is\nless than needed (typically 110 - 94 = 16 bytes)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:44.056Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88295a55fefe5414e64293638b6f7549646e58ed"
},
{
"url": "https://git.kernel.org/stable/c/cd89a4656c03f8db0c57350aaec69cd3cfaa3522"
},
{
"url": "https://git.kernel.org/stable/c/745a0810dbc96a0471e5f5e627ba1e978c3116d4"
},
{
"url": "https://git.kernel.org/stable/c/b167312390fdd461c81ead516f2b0b44e83a9edb"
},
{
"url": "https://git.kernel.org/stable/c/71de0b6e04bbee5575caf9a1e4d424e7dcc50018"
},
{
"url": "https://git.kernel.org/stable/c/689a7980e4788e13e766763d53569fb78dea2513"
},
{
"url": "https://git.kernel.org/stable/c/e75665dd096819b1184087ba5718bd93beafff51"
}
],
"title": "wifi: wlcore: ensure skb headroom before skb_push",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71222",
"datePublished": "2026-02-14T16:27:05.363Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-05-11T21:56:44.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23190 (GCVE-0-2026-23190)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:02
VLAI?
EPSS
Title
ASoC: amd: fix memory leak in acp3x pdm dma ops
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: amd: fix memory leak in acp3x pdm dma ops
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4a767b1d039a855c491c4853013804323c06f728 , < 9f23800c7eed06cb8ccae8a225f5e3d421b0d4cc
(git)
Affected: 4a767b1d039a855c491c4853013804323c06f728 , < d7ead6512650447a4cd6db774a2379acb259650c (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < 6d33640404968fe9f14a1252b337362b62fff490 (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < 0e0120214b5dcb0bf6b2171bb4e68e38968b2861 (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < c9c14d2abe4c5546fcd3a7347fadc4aad2b308d8 (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < 279cb9180510f7e13c3a4dfde8c16a8fbc7c5709 (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/amd/renoir/acp3x-pdm-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f23800c7eed06cb8ccae8a225f5e3d421b0d4cc",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "d7ead6512650447a4cd6db774a2379acb259650c",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "6d33640404968fe9f14a1252b337362b62fff490",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "0e0120214b5dcb0bf6b2171bb4e68e38968b2861",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "c9c14d2abe4c5546fcd3a7347fadc4aad2b308d8",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "279cb9180510f7e13c3a4dfde8c16a8fbc7c5709",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/amd/renoir/acp3x-pdm-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: fix memory leak in acp3x pdm dma ops"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:04.082Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f23800c7eed06cb8ccae8a225f5e3d421b0d4cc"
},
{
"url": "https://git.kernel.org/stable/c/d7ead6512650447a4cd6db774a2379acb259650c"
},
{
"url": "https://git.kernel.org/stable/c/6d33640404968fe9f14a1252b337362b62fff490"
},
{
"url": "https://git.kernel.org/stable/c/0e0120214b5dcb0bf6b2171bb4e68e38968b2861"
},
{
"url": "https://git.kernel.org/stable/c/c9c14d2abe4c5546fcd3a7347fadc4aad2b308d8"
},
{
"url": "https://git.kernel.org/stable/c/279cb9180510f7e13c3a4dfde8c16a8fbc7c5709"
},
{
"url": "https://git.kernel.org/stable/c/7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6"
}
],
"title": "ASoC: amd: fix memory leak in acp3x pdm dma ops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23190",
"datePublished": "2026-02-14T16:27:18.203Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-05-11T22:02:04.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68345 (GCVE-0-2025-68345)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
The acpi_get_first_physical_node() function can return NULL, in which
case the get_device() function also returns NULL, but this value is
then dereferenced without checking,so add a check to prevent a crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e63f9c81ca28b06eeeac3630faddc50717897351
(git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 7a35a505d76a4b6cd426b59ff2d800d0394cc5d3 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e6ba921b17797ccc545d80e0dbccb5fab91c248c (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c28946b7409b7b68fb0481ec738c8b04578b11c6 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 343fa9800cf9870ec681e21f0a6f2157b74ae520 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c34b04cc6178f33c08331568c7fd25c5b9a39f66 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e63f9c81ca28b06eeeac3630faddc50717897351",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "7a35a505d76a4b6cd426b59ff2d800d0394cc5d3",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "e6ba921b17797ccc545d80e0dbccb5fab91c248c",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c28946b7409b7b68fb0481ec738c8b04578b11c6",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "343fa9800cf9870ec681e21f0a6f2157b74ae520",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c34b04cc6178f33c08331568c7fd25c5b9a39f66",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()\n\nThe acpi_get_first_physical_node() function can return NULL, in which\ncase the get_device() function also returns NULL, but this value is\nthen dereferenced without checking,so add a check to prevent a crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:24.058Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e63f9c81ca28b06eeeac3630faddc50717897351"
},
{
"url": "https://git.kernel.org/stable/c/7a35a505d76a4b6cd426b59ff2d800d0394cc5d3"
},
{
"url": "https://git.kernel.org/stable/c/e6ba921b17797ccc545d80e0dbccb5fab91c248c"
},
{
"url": "https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6"
},
{
"url": "https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520"
},
{
"url": "https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66"
}
],
"title": "ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68345",
"datePublished": "2025-12-24T10:32:38.378Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-05-11T21:51:24.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68811 (GCVE-0-2025-68811)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-16 16:29
VLAI?
EPSS
Title
svcrdma: use rc_pageoff for memcpy byte offset
Summary
In the Linux kernel, the following vulnerability has been resolved:
svcrdma: use rc_pageoff for memcpy byte offset
svc_rdma_copy_inline_range added rc_curpage (page index) to the page
base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
land within the current page.
Found by ZeroPath (https://zeropath.com)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8e122582680c6f8acd686a5a2af9c0e46fe90f2d , < e8623e9c451e23d84b870811f42fd872b4089ef6
(git)
Affected: 8e122582680c6f8acd686a5a2af9c0e46fe90f2d , < 2a77c8dd49bccf0ca232be7c836cec1209abb8da (git) Affected: 8e122582680c6f8acd686a5a2af9c0e46fe90f2d , < a8ee9099f30654917aa68f55d707b5627e1dbf77 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:28:47.245013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:29:00.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8623e9c451e23d84b870811f42fd872b4089ef6",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
},
{
"lessThan": "2a77c8dd49bccf0ca232be7c836cec1209abb8da",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
},
{
"lessThan": "a8ee9099f30654917aa68f55d707b5627e1dbf77",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: use rc_pageoff for memcpy byte offset\n\nsvc_rdma_copy_inline_range added rc_curpage (page index) to the page\nbase instead of the byte offset rc_pageoff. Use rc_pageoff so copies\nland within the current page.\n\nFound by ZeroPath (https://zeropath.com)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:47.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8623e9c451e23d84b870811f42fd872b4089ef6"
},
{
"url": "https://git.kernel.org/stable/c/2a77c8dd49bccf0ca232be7c836cec1209abb8da"
},
{
"url": "https://git.kernel.org/stable/c/a8ee9099f30654917aa68f55d707b5627e1dbf77"
}
],
"title": "svcrdma: use rc_pageoff for memcpy byte offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68811",
"datePublished": "2026-01-13T15:29:17.128Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-06-16T16:29:00.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71189 (GCVE-0-2025-71189)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
dmaengine: dw: dmamux: fix OF node leak on route allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: dw: dmamux: fix OF node leak on route allocation failure
Make sure to drop the reference taken to the DMA master OF node also on
late route allocation failures.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
134d9c52fca26d2d199516e915da00f0cc6adc73 , < 6b87288581a0fcbe54b39da5c10e1aee2df8776e
(git)
Affected: 134d9c52fca26d2d199516e915da00f0cc6adc73 , < db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1 (git) Affected: 134d9c52fca26d2d199516e915da00f0cc6adc73 , < 8f7a391211381ed2f6802032c78c7820d166bc49 (git) Affected: 134d9c52fca26d2d199516e915da00f0cc6adc73 , < eabe40f8a53c29f531e92778ea243e379f4f7978 (git) Affected: 134d9c52fca26d2d199516e915da00f0cc6adc73 , < ec25e60f9f95464aa11411db31d0906b3fb7b9f2 (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:37.787Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/dw/rzn1-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b87288581a0fcbe54b39da5c10e1aee2df8776e",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
},
{
"lessThan": "db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
},
{
"lessThan": "8f7a391211381ed2f6802032c78c7820d166bc49",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
},
{
"lessThan": "eabe40f8a53c29f531e92778ea243e379f4f7978",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
},
{
"lessThan": "ec25e60f9f95464aa11411db31d0906b3fb7b9f2",
"status": "affected",
"version": "134d9c52fca26d2d199516e915da00f0cc6adc73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/dw/rzn1-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw: dmamux: fix OF node leak on route allocation failure\n\nMake sure to drop the reference taken to the DMA master OF node also on\nlate route allocation failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:23.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b87288581a0fcbe54b39da5c10e1aee2df8776e"
},
{
"url": "https://git.kernel.org/stable/c/db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1"
},
{
"url": "https://git.kernel.org/stable/c/8f7a391211381ed2f6802032c78c7820d166bc49"
},
{
"url": "https://git.kernel.org/stable/c/eabe40f8a53c29f531e92778ea243e379f4f7978"
},
{
"url": "https://git.kernel.org/stable/c/ec25e60f9f95464aa11411db31d0906b3fb7b9f2"
}
],
"title": "dmaengine: dw: dmamux: fix OF node leak on route allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71189",
"datePublished": "2026-01-31T11:42:00.345Z",
"dateReserved": "2026-01-31T11:36:51.188Z",
"dateUpdated": "2026-06-02T13:00:37.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68749 (GCVE-0-2025-68749)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
accel/ivpu: Fix race condition when unbinding BOs
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Fix race condition when unbinding BOs
Fix 'Memory manager not clean during takedown' warning that occurs
when ivpu_gem_bo_free() removes the BO from the BOs list before it
gets unmapped. Then file_priv_unbind() triggers a warning in
drm_mm_takedown() during context teardown.
Protect the unmapping sequence with bo_list_lock to ensure the BO is
always fully unmapped when removed from the list. This ensures the BO
is either fully unmapped at context teardown time or present on the
list and unmapped by file_priv_unbind().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < 0328bb097bef05a796217c54b3d651cc3782827c
(git)
Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < fb16493ebd8f171bcf0772262619618a131f30f7 (git) Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < d71333ffdd3707d84cfb95acfaf8ba892adc066b (git) Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < 00812636df370bedf4e44a0c81b86ea96bca8628 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0328bb097bef05a796217c54b3d651cc3782827c",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "fb16493ebd8f171bcf0772262619618a131f30f7",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "d71333ffdd3707d84cfb95acfaf8ba892adc066b",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "00812636df370bedf4e44a0c81b86ea96bca8628",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix race condition when unbinding BOs\n\nFix \u0027Memory manager not clean during takedown\u0027 warning that occurs\nwhen ivpu_gem_bo_free() removes the BO from the BOs list before it\ngets unmapped. Then file_priv_unbind() triggers a warning in\ndrm_mm_takedown() during context teardown.\n\nProtect the unmapping sequence with bo_list_lock to ensure the BO is\nalways fully unmapped when removed from the list. This ensures the BO\nis either fully unmapped at context teardown time or present on the\nlist and unmapped by file_priv_unbind()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:36.187Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0328bb097bef05a796217c54b3d651cc3782827c"
},
{
"url": "https://git.kernel.org/stable/c/fb16493ebd8f171bcf0772262619618a131f30f7"
},
{
"url": "https://git.kernel.org/stable/c/d71333ffdd3707d84cfb95acfaf8ba892adc066b"
},
{
"url": "https://git.kernel.org/stable/c/00812636df370bedf4e44a0c81b86ea96bca8628"
}
],
"title": "accel/ivpu: Fix race condition when unbinding BOs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68749",
"datePublished": "2025-12-24T12:09:44.301Z",
"dateReserved": "2025-12-24T10:30:51.032Z",
"dateUpdated": "2026-05-11T21:52:36.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71084 (GCVE-0-2025-71084)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
RDMA/cm: Fix leaking the multicast GID table reference
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cm: Fix leaking the multicast GID table reference
If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Destroy the ah_attr after canceling the work, it is safe to call this
twice.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
60d613b39e8d0c9f3b526e9c96445422b4562d76 , < d5ce588a9552878859a4d44b70b724216c188a5f
(git)
Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < abf38398724ecc888f62c678d288da40d11878af (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < ab668a58c4a2ccb6d54add7a76f2f955d15d0196 (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < c0acdee513239e1d6e1b490f56be0e6837dfd162 (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3 (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5 (git) Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 57f3cb6c84159d12ba343574df2115fb18dd83ca (git) Affected: a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4 (git) Affected: 5.10.20 , < 5.10.248 (semver) Affected: 5.11.3 , < 5.12 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:17.315950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:21.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5ce588a9552878859a4d44b70b724216c188a5f",
"status": "affected",
"version": "60d613b39e8d0c9f3b526e9c96445422b4562d76",
"versionType": "git"
},
{
"lessThan": "abf38398724ecc888f62c678d288da40d11878af",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "ab668a58c4a2ccb6d54add7a76f2f955d15d0196",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "c0acdee513239e1d6e1b490f56be0e6837dfd162",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "57f3cb6c84159d12ba343574df2115fb18dd83ca",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"status": "affected",
"version": "a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4",
"versionType": "git"
},
{
"lessThan": "5.10.248",
"status": "affected",
"version": "5.10.20",
"versionType": "semver"
},
{
"lessThan": "5.12",
"status": "affected",
"version": "5.11.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cm: Fix leaking the multicast GID table reference\n\nIf the CM ID is destroyed while the CM event for multicast creating is\nstill queued the cancel_work_sync() will prevent the work from running\nwhich also prevents destroying the ah_attr. This leaks a refcount and\ntriggers a WARN:\n\n GID entry ref leak for dev syz1 index 2 ref=573\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886\n\nDestroy the ah_attr after canceling the work, it is safe to call this\ntwice."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:07.795Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f"
},
{
"url": "https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af"
},
{
"url": "https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196"
},
{
"url": "https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162"
},
{
"url": "https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3"
},
{
"url": "https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5"
},
{
"url": "https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca"
}
],
"title": "RDMA/cm: Fix leaking the multicast GID table reference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71084",
"datePublished": "2026-01-13T15:34:47.665Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-06-11T18:44:21.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23091 (GCVE-0-2026-23091)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
intel_th: fix device leak on output open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
intel_th: fix device leak on output open()
Make sure to drop the reference taken when looking up the th device
during output device open() on errors and on close().
Note that a recent commit fixed the leak in a couple of open() error
paths but not all of them, and the reference is still leaking on
successful open().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
39f4034693b7c7bd1fe4cb58c93259d600f55561 , < af4b9467296b9a16ebc008147238070236982b6d
(git)
Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < 64015cbf06e8bb75b81ae95b997e847b55280f7f (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < b71e64ef7ff9443835d1333e3e80ab1e49e5209f (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < bf7785434b5d05d940d936b78925080950bd54dd (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < 0fca16c5591534cc1fec8b6181277ee3a3d0f26c (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < f9b059bda4276f2bb72cb98ec7875a747f042ea2 (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:22.525510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:22.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/intel_th/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af4b9467296b9a16ebc008147238070236982b6d",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "64015cbf06e8bb75b81ae95b997e847b55280f7f",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "b71e64ef7ff9443835d1333e3e80ab1e49e5209f",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "bf7785434b5d05d940d936b78925080950bd54dd",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "0fca16c5591534cc1fec8b6181277ee3a3d0f26c",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "f9b059bda4276f2bb72cb98ec7875a747f042ea2",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "95fc36a234da24bbc5f476f8104a5a15f99ed3e3",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/intel_th/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nintel_th: fix device leak on output open()\n\nMake sure to drop the reference taken when looking up the th device\nduring output device open() on errors and on close().\n\nNote that a recent commit fixed the leak in a couple of open() error\npaths but not all of them, and the reference is still leaking on\nsuccessful open()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:49.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af4b9467296b9a16ebc008147238070236982b6d"
},
{
"url": "https://git.kernel.org/stable/c/64015cbf06e8bb75b81ae95b997e847b55280f7f"
},
{
"url": "https://git.kernel.org/stable/c/b71e64ef7ff9443835d1333e3e80ab1e49e5209f"
},
{
"url": "https://git.kernel.org/stable/c/bf7785434b5d05d940d936b78925080950bd54dd"
},
{
"url": "https://git.kernel.org/stable/c/0fca16c5591534cc1fec8b6181277ee3a3d0f26c"
},
{
"url": "https://git.kernel.org/stable/c/f9b059bda4276f2bb72cb98ec7875a747f042ea2"
},
{
"url": "https://git.kernel.org/stable/c/95fc36a234da24bbc5f476f8104a5a15f99ed3e3"
}
],
"title": "intel_th: fix device leak on output open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23091",
"datePublished": "2026-02-04T16:08:14.295Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-06-11T18:44:22.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23076 (GCVE-0-2026-23076)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ALSA: ctxfi: Fix potential OOB access in audio mixer handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Fix potential OOB access in audio mixer handling
In the audio mixer handling code of ctxfi driver, the conf field is
used as a kind of loop index, and it's referred in the index callbacks
(amixer_index() and sum_index()).
As spotted recently by fuzzers, the current code causes OOB access at
those functions.
| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48
| index 8 is out of range for type 'unsigned char [8]'
After the analysis, the cause was found to be the lack of the proper
(re-)initialization of conj field.
This patch addresses those OOB accesses by adding the proper
initializations of the loop indices.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8cc72361481f00253f1e468ade5795427386d593 , < 6524205326e0c1a21263b5c14e48e14ef7e449ae
(git)
Affected: 8cc72361481f00253f1e468ade5795427386d593 , < afca7ff5d5d4d63a1acb95461f55ca9a729feedf (git) Affected: 8cc72361481f00253f1e468ade5795427386d593 , < 8c1d09806e1441bc6a54b9a4f2818918046d5174 (git) Affected: 8cc72361481f00253f1e468ade5795427386d593 , < a8c42d11b0526a89192bd2f79facb4c60c8a1f38 (git) Affected: 8cc72361481f00253f1e468ade5795427386d593 , < d77ba72558cd66704f0fb7e0969f697e87c0f71c (git) Affected: 8cc72361481f00253f1e468ade5795427386d593 , < 873e2360d247eeee642878fcc3398babff7e387c (git) Affected: 8cc72361481f00253f1e468ade5795427386d593 , < 61006c540cbdedea83b05577dc7fb7fa18fe1276 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:28.584114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:23.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/ctxfi/ctamixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6524205326e0c1a21263b5c14e48e14ef7e449ae",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "afca7ff5d5d4d63a1acb95461f55ca9a729feedf",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "8c1d09806e1441bc6a54b9a4f2818918046d5174",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "a8c42d11b0526a89192bd2f79facb4c60c8a1f38",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "d77ba72558cd66704f0fb7e0969f697e87c0f71c",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "873e2360d247eeee642878fcc3398babff7e387c",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "61006c540cbdedea83b05577dc7fb7fa18fe1276",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/ctxfi/ctamixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Fix potential OOB access in audio mixer handling\n\nIn the audio mixer handling code of ctxfi driver, the conf field is\nused as a kind of loop index, and it\u0027s referred in the index callbacks\n(amixer_index() and sum_index()).\n\nAs spotted recently by fuzzers, the current code causes OOB access at\nthose functions.\n| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48\n| index 8 is out of range for type \u0027unsigned char [8]\u0027\n\nAfter the analysis, the cause was found to be the lack of the proper\n(re-)initialization of conj field.\n\nThis patch addresses those OOB accesses by adding the proper\ninitializations of the loop indices."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:32.239Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6524205326e0c1a21263b5c14e48e14ef7e449ae"
},
{
"url": "https://git.kernel.org/stable/c/afca7ff5d5d4d63a1acb95461f55ca9a729feedf"
},
{
"url": "https://git.kernel.org/stable/c/8c1d09806e1441bc6a54b9a4f2818918046d5174"
},
{
"url": "https://git.kernel.org/stable/c/a8c42d11b0526a89192bd2f79facb4c60c8a1f38"
},
{
"url": "https://git.kernel.org/stable/c/d77ba72558cd66704f0fb7e0969f697e87c0f71c"
},
{
"url": "https://git.kernel.org/stable/c/873e2360d247eeee642878fcc3398babff7e387c"
},
{
"url": "https://git.kernel.org/stable/c/61006c540cbdedea83b05577dc7fb7fa18fe1276"
}
],
"title": "ALSA: ctxfi: Fix potential OOB access in audio mixer handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23076",
"datePublished": "2026-02-04T16:08:01.204Z",
"dateReserved": "2026-01-13T15:37:45.958Z",
"dateUpdated": "2026-06-11T18:44:23.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68254 (GCVE-0-2025-68254)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-05-11 21:49
VLAI?
EPSS
Title
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
offsets lie within the received frame buffer. A malformed beacon with
an ESR IE positioned at the end of the buffer could cause an
out-of-bounds read, potentially triggering a kernel panic.
Add a boundary check to ensure that the ESR IE body and the subsequent
bytes are within the limits of the frame before attempting to access
them.
This prevents OOB reads caused by malformed beacon frames.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c03cb111628924827351e19baa5b073e9b0d723d
(git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < bb5940193d813449540d8d3a82abc045be41f48a (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c173ce97d3f0f0c0fefa39139d6d04ba60b5db22 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < d1ab7f9cee22e7b8a528da9ac953e4193b96cda5 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 38292407c2bb5b2b3131aaace4ecc7a829b40b76 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < bf323db1d883c209880bd92f3b12503e3531c3fc (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 502ddcc405b69fa92e0add6c1714d654504f6fd7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c03cb111628924827351e19baa5b073e9b0d723d",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "bb5940193d813449540d8d3a82abc045be41f48a",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "c173ce97d3f0f0c0fefa39139d6d04ba60b5db22",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "d1ab7f9cee22e7b8a528da9ac953e4193b96cda5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "38292407c2bb5b2b3131aaace4ecc7a829b40b76",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "bf323db1d883c209880bd92f3b12503e3531c3fc",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "502ddcc405b69fa92e0add6c1714d654504f6fd7",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing\n\nThe Extended Supported Rates (ESR) IE handling in OnBeacon accessed\n*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these\noffsets lie within the received frame buffer. A malformed beacon with\nan ESR IE positioned at the end of the buffer could cause an\nout-of-bounds read, potentially triggering a kernel panic.\n\nAdd a boundary check to ensure that the ESR IE body and the subsequent\nbytes are within the limits of the frame before attempting to access\nthem.\n\nThis prevents OOB reads caused by malformed beacon frames."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:49.003Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c03cb111628924827351e19baa5b073e9b0d723d"
},
{
"url": "https://git.kernel.org/stable/c/bb5940193d813449540d8d3a82abc045be41f48a"
},
{
"url": "https://git.kernel.org/stable/c/c173ce97d3f0f0c0fefa39139d6d04ba60b5db22"
},
{
"url": "https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5"
},
{
"url": "https://git.kernel.org/stable/c/38292407c2bb5b2b3131aaace4ecc7a829b40b76"
},
{
"url": "https://git.kernel.org/stable/c/bf323db1d883c209880bd92f3b12503e3531c3fc"
},
{
"url": "https://git.kernel.org/stable/c/502ddcc405b69fa92e0add6c1714d654504f6fd7"
}
],
"title": "staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68254",
"datePublished": "2025-12-16T14:44:57.204Z",
"dateReserved": "2025-12-16T13:41:40.266Z",
"dateUpdated": "2026-05-11T21:49:49.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23010 (GCVE-0-2026-23010)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
ipv6: Fix use-after-free in inet6_addr_del().
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix use-after-free in inet6_addr_del().
syzbot reported use-after-free of inet6_ifaddr in
inet6_addr_del(). [0]
The cited commit accidentally moved ipv6_del_addr() for
mngtmpaddr before reading its ifp->flags for temporary
addresses in inet6_addr_del().
Let's move ipv6_del_addr() down to fix the UAF.
[0]:
BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
sock_do_ioctl+0x118/0x280 net/socket.c:1254
sock_ioctl+0x227/0x6b0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f164cf8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
</TASK>
Allocated by task 9593:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
sock_do_ioctl+0x118/0x280 net/socket.c:1254
sock_ioctl+0x227/0x6b0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6099:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free_freelist_hook mm/slub.c:2569 [inline]
slab_free_bulk mm/slub.c:6696 [inline]
kmem_cache_free_bulk mm/slub.c:7383 [inline]
kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
kfree_bulk include/linux/slab.h:830 [inline]
kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqu
---truncated---
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ca97dd10424860a3806ad3a9e26b9dce2901ee0c , < 6e89d60b4f03014f7d412ce64b17a840840d490e
(git)
Affected: 836deb96383ed9c1a411f172954d74b3f74ec6ac , < 9356b69d03d0f50cce91cebdabd33dda023fbd64 (git) Affected: cb74207ef98317f8874a0b9780bb339c2eb700b0 , < 2684610a9c9c53f262fd864fa5c407e79f304804 (git) Affected: 00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f , < 8b6dcb565e419846bd521e31d5e1f98e4d0e1179 (git) Affected: 00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f , < ddf96c393a33aef4887e2e406c76c2f8cda1419c (git) Affected: 851b3bb105c595cc20b8dcc1b4de029061ce2b76 (git) Affected: 6.1.120 , < 6.1.162 (semver) Affected: 6.6.64 , < 6.6.122 (semver) Affected: 6.12.2 , < 6.12.67 (semver) Affected: 6.11.11 , < 6.12 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/addrconf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e89d60b4f03014f7d412ce64b17a840840d490e",
"status": "affected",
"version": "ca97dd10424860a3806ad3a9e26b9dce2901ee0c",
"versionType": "git"
},
{
"lessThan": "9356b69d03d0f50cce91cebdabd33dda023fbd64",
"status": "affected",
"version": "836deb96383ed9c1a411f172954d74b3f74ec6ac",
"versionType": "git"
},
{
"lessThan": "2684610a9c9c53f262fd864fa5c407e79f304804",
"status": "affected",
"version": "cb74207ef98317f8874a0b9780bb339c2eb700b0",
"versionType": "git"
},
{
"lessThan": "8b6dcb565e419846bd521e31d5e1f98e4d0e1179",
"status": "affected",
"version": "00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f",
"versionType": "git"
},
{
"lessThan": "ddf96c393a33aef4887e2e406c76c2f8cda1419c",
"status": "affected",
"version": "00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f",
"versionType": "git"
},
{
"status": "affected",
"version": "851b3bb105c595cc20b8dcc1b4de029061ce2b76",
"versionType": "git"
},
{
"lessThan": "6.1.162",
"status": "affected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThan": "6.6.122",
"status": "affected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThan": "6.12.67",
"status": "affected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThan": "6.12",
"status": "affected",
"version": "6.11.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/addrconf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix use-after-free in inet6_addr_del().\n\nsyzbot reported use-after-free of inet6_ifaddr in\ninet6_addr_del(). [0]\n\nThe cited commit accidentally moved ipv6_del_addr() for\nmngtmpaddr before reading its ifp-\u003eflags for temporary\naddresses in inet6_addr_del().\n\nLet\u0027s move ipv6_del_addr() down to fix the UAF.\n\n[0]:\nBUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117\nRead of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593\n\nCPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117\n addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181\n inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582\n sock_do_ioctl+0x118/0x280 net/socket.c:1254\n sock_ioctl+0x227/0x6b0 net/socket.c:1375\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f164cf8f749\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749\nRDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003\nRBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288\n \u003c/TASK\u003e\n\nAllocated by task 9593:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:397 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120\n inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050\n addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160\n inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580\n sock_do_ioctl+0x118/0x280 net/socket.c:1254\n sock_ioctl+0x227/0x6b0 net/socket.c:1375\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 6099:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free_freelist_hook mm/slub.c:2569 [inline]\n slab_free_bulk mm/slub.c:6696 [inline]\n kmem_cache_free_bulk mm/slub.c:7383 [inline]\n kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362\n kfree_bulk include/linux/slab.h:830 [inline]\n kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523\n kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]\n kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqu\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:40.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e89d60b4f03014f7d412ce64b17a840840d490e"
},
{
"url": "https://git.kernel.org/stable/c/9356b69d03d0f50cce91cebdabd33dda023fbd64"
},
{
"url": "https://git.kernel.org/stable/c/2684610a9c9c53f262fd864fa5c407e79f304804"
},
{
"url": "https://git.kernel.org/stable/c/8b6dcb565e419846bd521e31d5e1f98e4d0e1179"
},
{
"url": "https://git.kernel.org/stable/c/ddf96c393a33aef4887e2e406c76c2f8cda1419c"
}
],
"title": "ipv6: Fix use-after-free in inet6_addr_del().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23010",
"datePublished": "2026-01-25T14:36:23.593Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-05-23T16:03:40.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68358 (GCVE-0-2025-68358)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
From the memory-barriers.txt document regarding memory barrier ordering
guarantees:
(*) These guarantees do not apply to bitfields, because compilers often
generate code to modify these using non-atomic read-modify-write
sequences. Do not attempt to use bitfields to synchronize parallel
algorithms.
(*) Even in cases where bitfields are protected by locks, all fields
in a given bitfield must be protected by one lock. If two fields
in a given bitfield are protected by different locks, the compiler's
non-atomic read-modify-write sequences can cause an update to one
field to corrupt the value of an adjacent field.
btrfs_space_info has a bitfield sharing an underlying word consisting of
the fields full, chunk_alloc, and flush:
struct btrfs_space_info {
struct btrfs_fs_info * fs_info; /* 0 8 */
struct btrfs_space_info * parent; /* 8 8 */
...
int clamp; /* 172 4 */
unsigned int full:1; /* 176: 0 4 */
unsigned int chunk_alloc:1; /* 176: 1 4 */
unsigned int flush:1; /* 176: 2 4 */
...
Therefore, to be safe from parallel read-modify-writes losing a write to
one of the bitfield members protected by a lock, all writes to all the
bitfields must use the lock. They almost universally do, except for
btrfs_clear_space_info_full() which iterates over the space_infos and
writes out found->full = 0 without a lock.
Imagine that we have one thread completing a transaction in which we
finished deleting a block_group and are thus calling
btrfs_clear_space_info_full() while simultaneously the data reclaim
ticket infrastructure is running do_async_reclaim_data_space():
T1 T2
btrfs_commit_transaction
btrfs_clear_space_info_full
data_sinfo->full = 0
READ: full:0, chunk_alloc:0, flush:1
do_async_reclaim_data_space(data_sinfo)
spin_lock(&space_info->lock);
if(list_empty(tickets))
space_info->flush = 0;
READ: full: 0, chunk_alloc:0, flush:1
MOD/WRITE: full: 0, chunk_alloc:0, flush:0
spin_unlock(&space_info->lock);
return;
MOD/WRITE: full:0, chunk_alloc:0, flush:1
and now data_sinfo->flush is 1 but the reclaim worker has exited. This
breaks the invariant that flush is 0 iff there is no work queued or
running. Once this invariant is violated, future allocations that go
into __reserve_bytes() will add tickets to space_info->tickets but will
see space_info->flush is set to 1 and not queue the work. After this,
they will block forever on the resulting ticket, as it is now impossible
to kick the worker again.
I also confirmed by looking at the assembly of the affected kernel that
it is doing RMW operations. For example, to set the flush (3rd) bit to 0,
the assembly is:
andb $0xfb,0x60(%rbx)
and similarly for setting the full (1st) bit to 0:
andb $0xfe,-0x20(%rax)
So I think this is really a bug on practical systems. I have observed
a number of systems in this exact state, but am currently unable to
reproduce it.
Rather than leaving this footgun lying around for the future, take
advantage of the fact that there is room in the struct anyway, and that
it is already quite large and simply change the three bitfield members to
bools. This avoids writes to space_info->full having any effect on
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
957780eb2788d8c218d539e19a85653f51a96dc1 , < b0bb67385480a3aa4c54b139e4f371ddd06b5150
(git)
Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 55835646da78e83e7ad06abd741ca8fd8c0b0ea7 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < d4a81b8ec639895999275ea2472c69825cd67ea4 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < db4ae18e1b31e0421fb5312e56aefa382bbc6ece (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 6f442808a86eef847ee10afa9e6459494ed85bb3 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 742b90eaf394f0018352c0e10dc89763b2dd5267 (git) Affected: 957780eb2788d8c218d539e19a85653f51a96dc1 , < 38e818718c5e04961eea0fa8feff3f100ce40408 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/space-info.c",
"fs/btrfs/space-info.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0bb67385480a3aa4c54b139e4f371ddd06b5150",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "55835646da78e83e7ad06abd741ca8fd8c0b0ea7",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "d4a81b8ec639895999275ea2472c69825cd67ea4",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "db4ae18e1b31e0421fb5312e56aefa382bbc6ece",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "6f442808a86eef847ee10afa9e6459494ed85bb3",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "742b90eaf394f0018352c0e10dc89763b2dd5267",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
},
{
"lessThan": "38e818718c5e04961eea0fa8feff3f100ce40408",
"status": "affected",
"version": "957780eb2788d8c218d539e19a85653f51a96dc1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/space-info.c",
"fs/btrfs/space-info.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix racy bitfield write in btrfs_clear_space_info_full()\n\nFrom the memory-barriers.txt document regarding memory barrier ordering\nguarantees:\n\n (*) These guarantees do not apply to bitfields, because compilers often\n generate code to modify these using non-atomic read-modify-write\n sequences. Do not attempt to use bitfields to synchronize parallel\n algorithms.\n\n (*) Even in cases where bitfields are protected by locks, all fields\n in a given bitfield must be protected by one lock. If two fields\n in a given bitfield are protected by different locks, the compiler\u0027s\n non-atomic read-modify-write sequences can cause an update to one\n field to corrupt the value of an adjacent field.\n\nbtrfs_space_info has a bitfield sharing an underlying word consisting of\nthe fields full, chunk_alloc, and flush:\n\nstruct btrfs_space_info {\n struct btrfs_fs_info * fs_info; /* 0 8 */\n struct btrfs_space_info * parent; /* 8 8 */\n ...\n int clamp; /* 172 4 */\n unsigned int full:1; /* 176: 0 4 */\n unsigned int chunk_alloc:1; /* 176: 1 4 */\n unsigned int flush:1; /* 176: 2 4 */\n ...\n\nTherefore, to be safe from parallel read-modify-writes losing a write to\none of the bitfield members protected by a lock, all writes to all the\nbitfields must use the lock. They almost universally do, except for\nbtrfs_clear_space_info_full() which iterates over the space_infos and\nwrites out found-\u003efull = 0 without a lock.\n\nImagine that we have one thread completing a transaction in which we\nfinished deleting a block_group and are thus calling\nbtrfs_clear_space_info_full() while simultaneously the data reclaim\nticket infrastructure is running do_async_reclaim_data_space():\n\n T1 T2\nbtrfs_commit_transaction\n btrfs_clear_space_info_full\n data_sinfo-\u003efull = 0\n READ: full:0, chunk_alloc:0, flush:1\n do_async_reclaim_data_space(data_sinfo)\n spin_lock(\u0026space_info-\u003elock);\n if(list_empty(tickets))\n space_info-\u003eflush = 0;\n READ: full: 0, chunk_alloc:0, flush:1\n MOD/WRITE: full: 0, chunk_alloc:0, flush:0\n spin_unlock(\u0026space_info-\u003elock);\n return;\n MOD/WRITE: full:0, chunk_alloc:0, flush:1\n\nand now data_sinfo-\u003eflush is 1 but the reclaim worker has exited. This\nbreaks the invariant that flush is 0 iff there is no work queued or\nrunning. Once this invariant is violated, future allocations that go\ninto __reserve_bytes() will add tickets to space_info-\u003etickets but will\nsee space_info-\u003eflush is set to 1 and not queue the work. After this,\nthey will block forever on the resulting ticket, as it is now impossible\nto kick the worker again.\n\nI also confirmed by looking at the assembly of the affected kernel that\nit is doing RMW operations. For example, to set the flush (3rd) bit to 0,\nthe assembly is:\n andb $0xfb,0x60(%rbx)\nand similarly for setting the full (1st) bit to 0:\n andb $0xfe,-0x20(%rax)\n\nSo I think this is really a bug on practical systems. I have observed\na number of systems in this exact state, but am currently unable to\nreproduce it.\n\nRather than leaving this footgun lying around for the future, take\nadvantage of the fact that there is room in the struct anyway, and that\nit is already quite large and simply change the three bitfield members to\nbools. This avoids writes to space_info-\u003efull having any effect on\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:39.547Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0bb67385480a3aa4c54b139e4f371ddd06b5150"
},
{
"url": "https://git.kernel.org/stable/c/55835646da78e83e7ad06abd741ca8fd8c0b0ea7"
},
{
"url": "https://git.kernel.org/stable/c/d4a81b8ec639895999275ea2472c69825cd67ea4"
},
{
"url": "https://git.kernel.org/stable/c/db4ae18e1b31e0421fb5312e56aefa382bbc6ece"
},
{
"url": "https://git.kernel.org/stable/c/6f442808a86eef847ee10afa9e6459494ed85bb3"
},
{
"url": "https://git.kernel.org/stable/c/742b90eaf394f0018352c0e10dc89763b2dd5267"
},
{
"url": "https://git.kernel.org/stable/c/38e818718c5e04961eea0fa8feff3f100ce40408"
}
],
"title": "btrfs: fix racy bitfield write in btrfs_clear_space_info_full()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68358",
"datePublished": "2025-12-24T10:32:47.692Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2026-05-11T21:51:39.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68776 (GCVE-0-2025-68776)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
Call Trace:
<TASK>
hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
netif_receive_skb_internal net/core/dev.c:6278 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0449f8e1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
</TASK>
Add a NULL check immediately after __pskb_copy() to handle allocation
failures gracefully.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f266a683a4804dc499efc6c2206ef68efed029d0 , < 3ce95a57d8a1f0e20b637cdeddaaed81831ca819
(git)
Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < c851e43b88b40bb7c20176c51cbf4f8c8d960dd9 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 7be6d25f4d974e44918ba3a5d58ebb9d36879087 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 8f289fa12926aae44347ca7d490e216555d8f255 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 1742974c24a9c1f1fd2e5edca0cbaccb720b397a (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 6220d38a08f8837575cd8f830928b49a3a5a5095 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 188e0fa5a679570ea35474575e724d8211423d17 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ce95a57d8a1f0e20b637cdeddaaed81831ca819",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "c851e43b88b40bb7c20176c51cbf4f8c8d960dd9",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "7be6d25f4d974e44918ba3a5d58ebb9d36879087",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "8f289fa12926aae44347ca7d490e216555d8f255",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "1742974c24a9c1f1fd2e5edca0cbaccb720b397a",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "6220d38a08f8837575cd8f830928b49a3a5a5095",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "188e0fa5a679570ea35474575e724d8211423d17",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/hsr: fix NULL pointer dereference in prp_get_untagged_frame()\n\nprp_get_untagged_frame() calls __pskb_copy() to create frame-\u003eskb_std\nbut doesn\u0027t check if the allocation failed. If __pskb_copy() returns\nNULL, skb_clone() is called with a NULL pointer, causing a crash:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041\nCode: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 \u003c43\u003e 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c\nRSP: 0018:ffffc9000d00f200 EFLAGS: 00010207\nRAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480\nRDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000\nRBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee\nR10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000\nR13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00\nFS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]\n hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741\n hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84\n __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966\n __netif_receive_skb_one_core net/core/dev.c:6077 [inline]\n __netif_receive_skb+0x72/0x380 net/core/dev.c:6192\n netif_receive_skb_internal net/core/dev.c:6278 [inline]\n netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337\n tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485\n tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0449f8e1ff\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48\nRSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff\nRDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8\nRBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001\nR13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003\n \u003c/TASK\u003e\n\nAdd a NULL check immediately after __pskb_copy() to handle allocation\nfailures gracefully."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:08.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819"
},
{
"url": "https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9"
},
{
"url": "https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087"
},
{
"url": "https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255"
},
{
"url": "https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a"
},
{
"url": "https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095"
},
{
"url": "https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17"
}
],
"title": "net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68776",
"datePublished": "2026-01-13T15:28:52.766Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-11T21:53:08.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68806 (GCVE-0-2025-68806)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-23 16:02
VLAI?
EPSS
Title
ksmbd: fix buffer validation by including null terminator size in EA length
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix buffer validation by including null terminator size in EA length
The smb2_set_ea function, which handles Extended Attributes (EA),
was performing buffer validation checks that incorrectly omitted the size
of the null terminating character (+1 byte) for EA Name.
This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
the null terminator is expected to be present in the buffer, ensuring
the validation accurately reflects the total required buffer size.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d070c4dd2a5bed4e9832eec5b6c029c7d14892ea , < cae52c592a07e1d3fa3338a5f064a374a5f26750
(git)
Affected: 0ba5439d9afa2722e7728df56f272c89987540a4 , < a28a375a5439eb474e9f284509a407efb479c925 (git) Affected: 0ba5439d9afa2722e7728df56f272c89987540a4 , < d26af6d14da43ab92d07bc60437c62901dc522e6 (git) Affected: 0ba5439d9afa2722e7728df56f272c89987540a4 , < 6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4 (git) Affected: 0ba5439d9afa2722e7728df56f272c89987540a4 , < 95d7a890e4b03e198836d49d699408fd1867cb55 (git) Affected: bb5bf157b5be1643cccc7cbbe57fcdef9ae52c2c (git) Affected: 1a13ecb96230e8b7b91967e292836f7b01ec8111 (git) Affected: 404e7c01e16288b5e0171d1d8fd3328e806d0794 (git) Affected: 6.1.52 , < 6.1.160 (semver) Affected: 5.15.131 , < 5.16 (semver) Affected: 6.4.15 , < 6.5 (semver) Affected: 6.5.2 , < 6.6 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cae52c592a07e1d3fa3338a5f064a374a5f26750",
"status": "affected",
"version": "d070c4dd2a5bed4e9832eec5b6c029c7d14892ea",
"versionType": "git"
},
{
"lessThan": "a28a375a5439eb474e9f284509a407efb479c925",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "d26af6d14da43ab92d07bc60437c62901dc522e6",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "95d7a890e4b03e198836d49d699408fd1867cb55",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"status": "affected",
"version": "bb5bf157b5be1643cccc7cbbe57fcdef9ae52c2c",
"versionType": "git"
},
{
"status": "affected",
"version": "1a13ecb96230e8b7b91967e292836f7b01ec8111",
"versionType": "git"
},
{
"status": "affected",
"version": "404e7c01e16288b5e0171d1d8fd3328e806d0794",
"versionType": "git"
},
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.52",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.131",
"versionType": "semver"
},
{
"lessThan": "6.5",
"status": "affected",
"version": "6.4.15",
"versionType": "semver"
},
{
"lessThan": "6.6",
"status": "affected",
"version": "6.5.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.131",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix buffer validation by including null terminator size in EA length\n\nThe smb2_set_ea function, which handles Extended Attributes (EA),\nwas performing buffer validation checks that incorrectly omitted the size\nof the null terminating character (+1 byte) for EA Name.\nThis patch fixes the issue by explicitly adding \u0027+ 1\u0027 to EaNameLength where\nthe null terminator is expected to be present in the buffer, ensuring\nthe validation accurately reflects the total required buffer size."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:54.141Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cae52c592a07e1d3fa3338a5f064a374a5f26750"
},
{
"url": "https://git.kernel.org/stable/c/a28a375a5439eb474e9f284509a407efb479c925"
},
{
"url": "https://git.kernel.org/stable/c/d26af6d14da43ab92d07bc60437c62901dc522e6"
},
{
"url": "https://git.kernel.org/stable/c/6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4"
},
{
"url": "https://git.kernel.org/stable/c/95d7a890e4b03e198836d49d699408fd1867cb55"
}
],
"title": "ksmbd: fix buffer validation by including null terminator size in EA length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68806",
"datePublished": "2026-01-13T15:29:13.797Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-05-23T16:02:54.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23123 (GCVE-0-2026-23123)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
interconnect: debugfs: initialize src_node and dst_node to empty strings
Summary
In the Linux kernel, the following vulnerability has been resolved:
interconnect: debugfs: initialize src_node and dst_node to empty strings
The debugfs_create_str() API assumes that the string pointer is either NULL
or points to valid kmalloc() memory. Leaving the pointer uninitialized can
cause problems.
Initialize src_node and dst_node to empty strings before creating the
debugfs entries to guarantee that reads and writes are safe.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
770c69f037c18cfaa37c3d6c6ef8bd257635513f , < aa79a5a959c7c414bd6fba01ea8dbaddd44f13e7
(git)
Affected: 770c69f037c18cfaa37c3d6c6ef8bd257635513f , < 935d0938b570589c8b0a1733d2cba3c39d027f25 (git) Affected: 770c69f037c18cfaa37c3d6c6ef8bd257635513f , < 5d7c7e1fb3ec24fdd0f9faa27b666d6789e891e8 (git) Affected: 770c69f037c18cfaa37c3d6c6ef8bd257635513f , < 8cc27f5c6dd17dd090f3a696683f04336c162ff5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/interconnect/debugfs-client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa79a5a959c7c414bd6fba01ea8dbaddd44f13e7",
"status": "affected",
"version": "770c69f037c18cfaa37c3d6c6ef8bd257635513f",
"versionType": "git"
},
{
"lessThan": "935d0938b570589c8b0a1733d2cba3c39d027f25",
"status": "affected",
"version": "770c69f037c18cfaa37c3d6c6ef8bd257635513f",
"versionType": "git"
},
{
"lessThan": "5d7c7e1fb3ec24fdd0f9faa27b666d6789e891e8",
"status": "affected",
"version": "770c69f037c18cfaa37c3d6c6ef8bd257635513f",
"versionType": "git"
},
{
"lessThan": "8cc27f5c6dd17dd090f3a696683f04336c162ff5",
"status": "affected",
"version": "770c69f037c18cfaa37c3d6c6ef8bd257635513f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/interconnect/debugfs-client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: debugfs: initialize src_node and dst_node to empty strings\n\nThe debugfs_create_str() API assumes that the string pointer is either NULL\nor points to valid kmalloc() memory. Leaving the pointer uninitialized can\ncause problems.\n\nInitialize src_node and dst_node to empty strings before creating the\ndebugfs entries to guarantee that reads and writes are safe."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:34.413Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa79a5a959c7c414bd6fba01ea8dbaddd44f13e7"
},
{
"url": "https://git.kernel.org/stable/c/935d0938b570589c8b0a1733d2cba3c39d027f25"
},
{
"url": "https://git.kernel.org/stable/c/5d7c7e1fb3ec24fdd0f9faa27b666d6789e891e8"
},
{
"url": "https://git.kernel.org/stable/c/8cc27f5c6dd17dd090f3a696683f04336c162ff5"
}
],
"title": "interconnect: debugfs: initialize src_node and dst_node to empty strings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23123",
"datePublished": "2026-02-14T15:09:53.369Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-05-11T22:00:34.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68785 (GCVE-0-2025-68785)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-06-16 19:22
VLAI?
EPSS
Title
net: openvswitch: fix middle attribute validation in push_nsh() action
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: fix middle attribute validation in push_nsh() action
The push_nsh() action structure looks like this:
OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
in the middle is OK. We don't even check that this attribute is the
OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
calls - first time directly while calling validate_push_nsh() and the
second time as part of the nla_for_each_nested() macro, which isn't
safe, potentially causing invalid memory access if the size of this
attribute is incorrect. The failure may not be noticed during
validation due to larger netlink buffer, but cause trouble later during
action execution where the buffer is allocated exactly to the size:
BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
Read of size 184 at addr ffff88816459a634 by task a.out/22624
CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x2c/0x390
kasan_report+0xdd/0x110
kasan_check_range+0x35/0x1b0
__asan_memcpy+0x20/0x60
nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
push_nsh+0x82/0x120 [openvswitch]
do_execute_actions+0x1405/0x2840 [openvswitch]
ovs_execute_actions+0xd5/0x3b0 [openvswitch]
ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
genl_family_rcv_msg_doit+0x1d6/0x2b0
genl_family_rcv_msg+0x336/0x580
genl_rcv_msg+0x9f/0x130
netlink_rcv_skb+0x11f/0x370
genl_rcv+0x24/0x40
netlink_unicast+0x73e/0xaa0
netlink_sendmsg+0x744/0xbf0
__sys_sendto+0x3d6/0x450
do_syscall_64+0x79/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Let's add some checks that the attribute is properly sized and it's
the only one attribute inside the action. Technically, there is no
real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
pushing an NSH header already, it just creates extra nesting, but
that's how uAPI works today. So, keeping as it is.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < d0c135b8bbbcf92836068fd395bebeb7ae6c7bef
(git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 3bc2efff20a38b2c7ca18317649715df0dd62ced (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 1b569db9c2f28b599e40050524aae5f7332bc294 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 10ffc558246f2c75619aedda0921906095e46702 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9 (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < c999153bfb2d1d9b295b7010d920f2a7c6d7595f (git) Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 5ace7ef87f059d68b5f50837ef3e8a1a4870c36e (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:21:59.526641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:22:11.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c135b8bbbcf92836068fd395bebeb7ae6c7bef",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "3bc2efff20a38b2c7ca18317649715df0dd62ced",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "1b569db9c2f28b599e40050524aae5f7332bc294",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "10ffc558246f2c75619aedda0921906095e46702",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "c999153bfb2d1d9b295b7010d920f2a7c6d7595f",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "5ace7ef87f059d68b5f50837ef3e8a1a4870c36e",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix middle attribute validation in push_nsh() action\n\nThe push_nsh() action structure looks like this:\n\n OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))\n\nThe outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK\u0027ed by the\nnla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost\nOVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK\u0027ed by the nla_for_each_nested()\ninside nsh_key_put_from_nlattr(). But nothing checks if the attribute\nin the middle is OK. We don\u0027t even check that this attribute is the\nOVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()\ncalls - first time directly while calling validate_push_nsh() and the\nsecond time as part of the nla_for_each_nested() macro, which isn\u0027t\nsafe, potentially causing invalid memory access if the size of this\nattribute is incorrect. The failure may not be noticed during\nvalidation due to larger netlink buffer, but cause trouble later during\naction execution where the buffer is allocated exactly to the size:\n\n BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n Read of size 184 at addr ffff88816459a634 by task a.out/22624\n\n CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x70\n print_address_description.constprop.0+0x2c/0x390\n kasan_report+0xdd/0x110\n kasan_check_range+0x35/0x1b0\n __asan_memcpy+0x20/0x60\n nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n push_nsh+0x82/0x120 [openvswitch]\n do_execute_actions+0x1405/0x2840 [openvswitch]\n ovs_execute_actions+0xd5/0x3b0 [openvswitch]\n ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]\n genl_family_rcv_msg_doit+0x1d6/0x2b0\n genl_family_rcv_msg+0x336/0x580\n genl_rcv_msg+0x9f/0x130\n netlink_rcv_skb+0x11f/0x370\n genl_rcv+0x24/0x40\n netlink_unicast+0x73e/0xaa0\n netlink_sendmsg+0x744/0xbf0\n __sys_sendto+0x3d6/0x450\n do_syscall_64+0x79/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nLet\u0027s add some checks that the attribute is properly sized and it\u0027s\nthe only one attribute inside the action. Technically, there is no\nreal reason for OVS_KEY_ATTR_NSH to be there, as we know that we\u0027re\npushing an NSH header already, it just creates extra nesting, but\nthat\u0027s how uAPI works today. So, keeping as it is."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:18.670Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef"
},
{
"url": "https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced"
},
{
"url": "https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294"
},
{
"url": "https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702"
},
{
"url": "https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9"
},
{
"url": "https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f"
},
{
"url": "https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e"
}
],
"title": "net: openvswitch: fix middle attribute validation in push_nsh() action",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68785",
"datePublished": "2026-01-13T15:28:58.930Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-06-16T19:22:11.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23145 (GCVE-0-2026-23145)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
The error branch for ext4_xattr_inode_update_ref forget to release the
refcount for iloc.bh. Find this when review code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 , < 7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f
(git)
Affected: 505e69f76ac497e788f4ea0267826ec7266b40c8 , < 6241cd1d0acc2363016ac55b8773ba1332dd59d7 (git) Affected: 3d6269028246f4484bfed403c947a114bb583631 , < 3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626 (git) Affected: 79ea7f3e11effe1bd9e753172981d9029133a278 , < 0b06cde92f2f960f4ebe3c988c69f2711f2a24dc (git) Affected: 6b879c4c6bbaab03c0ad2a983953bd1410bb165e , < 8e8542c539927ae3898a4d02941f84e252e2dea1 (git) Affected: 57295e835408d8d425bef58da5253465db3d6888 , < 06e26287f2e349a28ad363941ffd9076bfed8b2e (git) Affected: 57295e835408d8d425bef58da5253465db3d6888 , < d250bdf531d9cd4096fedbb9f172bb2ca660c868 (git) Affected: ea39e712c2f5ae148ee5515798ae03523673e002 (git) Affected: 440b003f449a4ff2a00b08c8eab9ba5cd28f3943 (git) Affected: 5.10.246 , < 5.10.249 (semver) Affected: 5.15.195 , < 5.15.199 (semver) Affected: 6.1.157 , < 6.1.162 (semver) Affected: 6.6.113 , < 6.6.122 (semver) Affected: 6.12.54 , < 6.12.67 (semver) Affected: 5.4.301 , < 5.5 (semver) Affected: 6.17.4 , < 6.18 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:26.723393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:01.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f",
"status": "affected",
"version": "1cfb3e4ddbdc8e02e637b8852540bd4718bf4814",
"versionType": "git"
},
{
"lessThan": "6241cd1d0acc2363016ac55b8773ba1332dd59d7",
"status": "affected",
"version": "505e69f76ac497e788f4ea0267826ec7266b40c8",
"versionType": "git"
},
{
"lessThan": "3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626",
"status": "affected",
"version": "3d6269028246f4484bfed403c947a114bb583631",
"versionType": "git"
},
{
"lessThan": "0b06cde92f2f960f4ebe3c988c69f2711f2a24dc",
"status": "affected",
"version": "79ea7f3e11effe1bd9e753172981d9029133a278",
"versionType": "git"
},
{
"lessThan": "8e8542c539927ae3898a4d02941f84e252e2dea1",
"status": "affected",
"version": "6b879c4c6bbaab03c0ad2a983953bd1410bb165e",
"versionType": "git"
},
{
"lessThan": "06e26287f2e349a28ad363941ffd9076bfed8b2e",
"status": "affected",
"version": "57295e835408d8d425bef58da5253465db3d6888",
"versionType": "git"
},
{
"lessThan": "d250bdf531d9cd4096fedbb9f172bb2ca660c868",
"status": "affected",
"version": "57295e835408d8d425bef58da5253465db3d6888",
"versionType": "git"
},
{
"status": "affected",
"version": "ea39e712c2f5ae148ee5515798ae03523673e002",
"versionType": "git"
},
{
"status": "affected",
"version": "440b003f449a4ff2a00b08c8eab9ba5cd28f3943",
"versionType": "git"
},
{
"lessThan": "5.10.249",
"status": "affected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThan": "5.15.199",
"status": "affected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThan": "6.1.162",
"status": "affected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThan": "6.6.122",
"status": "affected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThan": "6.12.67",
"status": "affected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThan": "6.18",
"status": "affected",
"version": "6.17.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix iloc.bh leak in ext4_xattr_inode_update_ref\n\nThe error branch for ext4_xattr_inode_update_ref forget to release the\nrefcount for iloc.bh. Find this when review code."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:56.447Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f"
},
{
"url": "https://git.kernel.org/stable/c/6241cd1d0acc2363016ac55b8773ba1332dd59d7"
},
{
"url": "https://git.kernel.org/stable/c/3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626"
},
{
"url": "https://git.kernel.org/stable/c/0b06cde92f2f960f4ebe3c988c69f2711f2a24dc"
},
{
"url": "https://git.kernel.org/stable/c/8e8542c539927ae3898a4d02941f84e252e2dea1"
},
{
"url": "https://git.kernel.org/stable/c/06e26287f2e349a28ad363941ffd9076bfed8b2e"
},
{
"url": "https://git.kernel.org/stable/c/d250bdf531d9cd4096fedbb9f172bb2ca660c868"
}
],
"title": "ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23145",
"datePublished": "2026-02-14T15:36:10.207Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-06-11T18:44:01.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68777 (GCVE-0-2025-68777)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
access when used as index in 'config_pins[wire_order[i]]'.
Since config_pins has 4 elements (indices 0-3), the valid range for
wire_order should be 0-3. Fix the off-by-one error by using >= instead
of > in the validation check.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < a7ff2360431561b56f559d3a628d1f096048d178
(git)
Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 136abe173a3cc2951d70c6e51fe7abdbadbb204b (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 08c0b561823a7026364efb38ed7f4a3af48ccfcd (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < bf95ec55805828c4f2b5241fb6b0c12388548570 (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 84e4d3543168912549271b34261f5e0f94952d6e (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 40e3042de43ffa0017a8460ff9b4cad7b8c7cb96 (git) Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 , < 248d3a73a0167dce15ba100477c3e778c4787178 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/ti_am335x_tsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7ff2360431561b56f559d3a628d1f096048d178",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "136abe173a3cc2951d70c6e51fe7abdbadbb204b",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "08c0b561823a7026364efb38ed7f4a3af48ccfcd",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "bf95ec55805828c4f2b5241fb6b0c12388548570",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "84e4d3543168912549271b34261f5e0f94952d6e",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "40e3042de43ffa0017a8460ff9b4cad7b8c7cb96",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "248d3a73a0167dce15ba100477c3e778c4787178",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/ti_am335x_tsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ti_am335x_tsc - fix off-by-one error in wire_order validation\n\nThe current validation \u0027wire_order[i] \u003e ARRAY_SIZE(config_pins)\u0027 allows\nwire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds\naccess when used as index in \u0027config_pins[wire_order[i]]\u0027.\n\nSince config_pins has 4 elements (indices 0-3), the valid range for\nwire_order should be 0-3. Fix the off-by-one error by using \u003e= instead\nof \u003e in the validation check."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:09.176Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178"
},
{
"url": "https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b"
},
{
"url": "https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd"
},
{
"url": "https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570"
},
{
"url": "https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e"
},
{
"url": "https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96"
},
{
"url": "https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178"
}
],
"title": "Input: ti_am335x_tsc - fix off-by-one error in wire_order validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68777",
"datePublished": "2026-01-13T15:28:53.416Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-05-11T21:53:09.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23068 (GCVE-0-2026-23068)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
spi: spi-sprd-adi: Fix double free in probe error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-sprd-adi: Fix double free in probe error path
The driver currently uses spi_alloc_host() to allocate the controller
but registers it using devm_spi_register_controller().
If devm_register_restart_handler() fails, the code jumps to the
put_ctlr label and calls spi_controller_put(). However, since the
controller was registered via a devm function, the device core will
automatically call spi_controller_put() again when the probe fails.
This results in a double-free of the spi_controller structure.
Fix this by switching to devm_spi_alloc_host() and removing the
manual spi_controller_put() call.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ac1775012058e13ef1522938e27f5973d9e3f053 , < bddd3d10d039729b81cfb0804520c8832a701a0e
(git)
Affected: ac1775012058e13ef1522938e27f5973d9e3f053 , < 417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c (git) Affected: ac1775012058e13ef1522938e27f5973d9e3f053 , < 346775f2b4cf839177e8e86b94aa180a06dc15b0 (git) Affected: ac1775012058e13ef1522938e27f5973d9e3f053 , < f6d6b3f172df118db582fe5ec43ae223a55d99cf (git) Affected: ac1775012058e13ef1522938e27f5973d9e3f053 , < 383d4f5cffcc8df930d95b06518a9d25a6d74aac (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-sprd-adi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bddd3d10d039729b81cfb0804520c8832a701a0e",
"status": "affected",
"version": "ac1775012058e13ef1522938e27f5973d9e3f053",
"versionType": "git"
},
{
"lessThan": "417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c",
"status": "affected",
"version": "ac1775012058e13ef1522938e27f5973d9e3f053",
"versionType": "git"
},
{
"lessThan": "346775f2b4cf839177e8e86b94aa180a06dc15b0",
"status": "affected",
"version": "ac1775012058e13ef1522938e27f5973d9e3f053",
"versionType": "git"
},
{
"lessThan": "f6d6b3f172df118db582fe5ec43ae223a55d99cf",
"status": "affected",
"version": "ac1775012058e13ef1522938e27f5973d9e3f053",
"versionType": "git"
},
{
"lessThan": "383d4f5cffcc8df930d95b06518a9d25a6d74aac",
"status": "affected",
"version": "ac1775012058e13ef1522938e27f5973d9e3f053",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-sprd-adi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-sprd-adi: Fix double free in probe error path\n\nThe driver currently uses spi_alloc_host() to allocate the controller\nbut registers it using devm_spi_register_controller().\n\nIf devm_register_restart_handler() fails, the code jumps to the\nput_ctlr label and calls spi_controller_put(). However, since the\ncontroller was registered via a devm function, the device core will\nautomatically call spi_controller_put() again when the probe fails.\nThis results in a double-free of the spi_controller structure.\n\nFix this by switching to devm_spi_alloc_host() and removing the\nmanual spi_controller_put() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:22.846Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bddd3d10d039729b81cfb0804520c8832a701a0e"
},
{
"url": "https://git.kernel.org/stable/c/417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c"
},
{
"url": "https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0"
},
{
"url": "https://git.kernel.org/stable/c/f6d6b3f172df118db582fe5ec43ae223a55d99cf"
},
{
"url": "https://git.kernel.org/stable/c/383d4f5cffcc8df930d95b06518a9d25a6d74aac"
}
],
"title": "spi: spi-sprd-adi: Fix double free in probe error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23068",
"datePublished": "2026-02-04T16:07:49.119Z",
"dateReserved": "2026-01-13T15:37:45.954Z",
"dateUpdated": "2026-05-11T21:59:22.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23176 (GCVE-0-2026-23176)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
toshiba_haps_add() leaks the haps object allocated by it if it returns
an error after allocating that object successfully.
toshiba_haps_remove() does not free the object pointed to by
toshiba_haps before clearing that pointer, so it becomes unreachable
allocated memory.
Address these memory leaks by using devm_kzalloc() for allocating
the memory in question.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
23d0ba0c908ac10139f0351023c64198d7fc1409 , < 17f37c4cdf42a9e4915216b9e130fc8baef4cc64
(git)
Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < 5bce10f0f9435afaae3fc4df9a52b01d9b3853dc (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < f2093e87ddec13e7a920f326c078a5f765ba89c3 (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < ca9ff71c15bc8e48529c2033294a519a7749b272 (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < bf0474356875d005d420f8c6b9ac168566e72e87 (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < f93ae43780b759a70734be9bc82c1adcf7f33208 (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < 128497456756e1b952bd5a912cd073836465109d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/toshiba_haps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17f37c4cdf42a9e4915216b9e130fc8baef4cc64",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "5bce10f0f9435afaae3fc4df9a52b01d9b3853dc",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "f2093e87ddec13e7a920f326c078a5f765ba89c3",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "ca9ff71c15bc8e48529c2033294a519a7749b272",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "bf0474356875d005d420f8c6b9ac168566e72e87",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "f93ae43780b759a70734be9bc82c1adcf7f33208",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "128497456756e1b952bd5a912cd073836465109d",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/toshiba_haps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: toshiba_haps: Fix memory leaks in add/remove routines\n\ntoshiba_haps_add() leaks the haps object allocated by it if it returns\nan error after allocating that object successfully.\n\ntoshiba_haps_remove() does not free the object pointed to by\ntoshiba_haps before clearing that pointer, so it becomes unreachable\nallocated memory.\n\nAddress these memory leaks by using devm_kzalloc() for allocating\nthe memory in question."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:47.639Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17f37c4cdf42a9e4915216b9e130fc8baef4cc64"
},
{
"url": "https://git.kernel.org/stable/c/5bce10f0f9435afaae3fc4df9a52b01d9b3853dc"
},
{
"url": "https://git.kernel.org/stable/c/f2093e87ddec13e7a920f326c078a5f765ba89c3"
},
{
"url": "https://git.kernel.org/stable/c/ca9ff71c15bc8e48529c2033294a519a7749b272"
},
{
"url": "https://git.kernel.org/stable/c/bf0474356875d005d420f8c6b9ac168566e72e87"
},
{
"url": "https://git.kernel.org/stable/c/f93ae43780b759a70734be9bc82c1adcf7f33208"
},
{
"url": "https://git.kernel.org/stable/c/128497456756e1b952bd5a912cd073836465109d"
}
],
"title": "platform/x86: toshiba_haps: Fix memory leaks in add/remove routines",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23176",
"datePublished": "2026-02-14T16:27:08.764Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-05-11T22:01:47.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47329 (GCVE-0-2026-47329)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:27 – Updated: 2026-05-28 19:24
VLAI?
EPSS
Title
Incorrect validation of field size in Ubuntu Linux AppArmor notification responses
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.
Severity ?
CWE
- CWE-1284 - Improper validation of specified quantity in input
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:19:57.301800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:24:59.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper validation of specified quantity in input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:27:44.945Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=9ea8b64b3ad27d0501cf711efa98077998a33b14"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect validation of field size in Ubuntu Linux AppArmor notification responses"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47329",
"datePublished": "2026-05-28T18:27:44.945Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-28T19:24:59.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22111 (GCVE-0-2025-22111)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:13
VLAI?
EPSS
Title
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.
Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.
In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.
In the race window, Thread B could acquire RTNL and try to remove
the bridge device. Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.
Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.
Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)
---------------------- ----------------------
sock_ioctl sock_ioctl
`- sock_do_ioctl `- br_ioctl_call
`- dev_ioctl `- br_ioctl_stub
|- rtnl_lock |
|- dev_ifsioc '
' |- dev = __dev_get_by_name(...)
|- netdev_hold(dev, ...) .
/ |- rtnl_unlock ------. |
| |- br_ioctl_call `---> |- rtnl_lock
Race | | `- br_ioctl_stub |- br_del_bridge
Window | | | |- dev = __dev_get_by_name(...)
| | | May take long | `- br_dev_delete(dev, ...)
| | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)
| | | | `- rtnl_unlock
\ | |- rtnl_lock <-' `- netdev_run_todo
| |- ... `- netdev_run_todo
| `- rtnl_unlock |- __rtnl_unlock
| |- netdev_wait_allrefs_any
|- netdev_put(dev, ...) <----------------'
Wait refcnt decrement
and log splat below
To avoid blocking SIOCBRDELBR unnecessarily, let's not call
dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.
In the dev_ioctl() path, we do the following:
1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
2. Check CAP_NET_ADMIN in dev_ioctl()
3. Call dev_load() in dev_ioctl()
4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()
3. can be done by request_module() in br_ioctl_call(), so we move
1., 2., and 4. to br_ioctl_stub().
Note that 2. is also checked later in add_del_if(), but it's better
performed before RTNL.
SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since
the pre-git era, and there seems to be no specific reason to process
them there.
[0]:
unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
__netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
netdev_hold include/linux/netdevice.h:4311 [inline]
dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
sock_ioctl+0x23a/0x6c0 net/socket.c:1318
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
893b195875340cb44b54c9db99e708145f1210e8 , < f51e471cb1577d510c3096e126678e1ea20d2efd
(git)
Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 338a0f3c66aef4ee13052880d02200aae8f2d8a8 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < d767ce15045df510f55cdd2af5df0eee71f928d0 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 4888e1dcc341e9a132ef7b8516234b3c3296de56 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < 00fe0ac64efd1f5373b3dd9f1f84b19235371e39 (git) Affected: 893b195875340cb44b54c9db99e708145f1210e8 , < ed3ba9b6e280e14cc3148c1b226ba453f02fa76c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/if_bridge.h",
"net/bridge/br_ioctl.c",
"net/bridge/br_private.h",
"net/core/dev_ioctl.c",
"net/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f51e471cb1577d510c3096e126678e1ea20d2efd",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "338a0f3c66aef4ee13052880d02200aae8f2d8a8",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "d767ce15045df510f55cdd2af5df0eee71f928d0",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "4888e1dcc341e9a132ef7b8516234b3c3296de56",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "00fe0ac64efd1f5373b3dd9f1f84b19235371e39",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "ed3ba9b6e280e14cc3148c1b226ba453f02fa76c",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/if_bridge.h",
"net/bridge/br_ioctl.c",
"net/bridge/br_private.h",
"net/core/dev_ioctl.c",
"net/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.\n\nSIOCBRDELIF is passed to dev_ioctl() first and later forwarded to\nbr_ioctl_call(), which causes unnecessary RTNL dance and the splat\nbelow [0] under RTNL pressure.\n\nLet\u0027s say Thread A is trying to detach a device from a bridge and\nThread B is trying to remove the bridge.\n\nIn dev_ioctl(), Thread A bumps the bridge device\u0027s refcnt by\nnetdev_hold() and releases RTNL because the following br_ioctl_call()\nalso re-acquires RTNL.\n\nIn the race window, Thread B could acquire RTNL and try to remove\nthe bridge device. Then, rtnl_unlock() by Thread B will release RTNL\nand wait for netdev_put() by Thread A.\n\nThread A, however, must hold RTNL after the unlock in dev_ifsioc(),\nwhich may take long under RTNL pressure, resulting in the splat by\nThread B.\n\n Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)\n ---------------------- ----------------------\n sock_ioctl sock_ioctl\n `- sock_do_ioctl `- br_ioctl_call\n `- dev_ioctl `- br_ioctl_stub\n |- rtnl_lock |\n |- dev_ifsioc \u0027\n \u0027 |- dev = __dev_get_by_name(...)\n |- netdev_hold(dev, ...) .\n / |- rtnl_unlock ------. |\n | |- br_ioctl_call `---\u003e |- rtnl_lock\n Race | | `- br_ioctl_stub |- br_del_bridge\n Window | | | |- dev = __dev_get_by_name(...)\n | | | May take long | `- br_dev_delete(dev, ...)\n | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)\n | | | | `- rtnl_unlock\n \\ | |- rtnl_lock \u003c-\u0027 `- netdev_run_todo\n | |- ... `- netdev_run_todo\n | `- rtnl_unlock |- __rtnl_unlock\n | |- netdev_wait_allrefs_any\n |- netdev_put(dev, ...) \u003c----------------\u0027\n Wait refcnt decrement\n and log splat below\n\nTo avoid blocking SIOCBRDELBR unnecessarily, let\u0027s not call\ndev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.\n\nIn the dev_ioctl() path, we do the following:\n\n 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()\n 2. Check CAP_NET_ADMIN in dev_ioctl()\n 3. Call dev_load() in dev_ioctl()\n 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()\n\n3. can be done by request_module() in br_ioctl_call(), so we move\n1., 2., and 4. to br_ioctl_stub().\n\nNote that 2. is also checked later in add_del_if(), but it\u0027s better\nperformed before RTNL.\n\nSIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since\nthe pre-git era, and there seems to be no specific reason to process\nthem there.\n\n[0]:\nunregister_netdevice: waiting for wpan3 to become free. Usage count = 2\nref_tracker: wpan3@ffff8880662d8608 has 1/1 users at\n __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]\n netdev_hold include/linux/netdevice.h:4311 [inline]\n dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624\n dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826\n sock_do_ioctl+0x1ca/0x260 net/socket.c:1213\n sock_ioctl+0x23a/0x6c0 net/socket.c:1318\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:10.941Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f51e471cb1577d510c3096e126678e1ea20d2efd"
},
{
"url": "https://git.kernel.org/stable/c/338a0f3c66aef4ee13052880d02200aae8f2d8a8"
},
{
"url": "https://git.kernel.org/stable/c/d767ce15045df510f55cdd2af5df0eee71f928d0"
},
{
"url": "https://git.kernel.org/stable/c/4888e1dcc341e9a132ef7b8516234b3c3296de56"
},
{
"url": "https://git.kernel.org/stable/c/00fe0ac64efd1f5373b3dd9f1f84b19235371e39"
},
{
"url": "https://git.kernel.org/stable/c/ed3ba9b6e280e14cc3148c1b226ba453f02fa76c"
}
],
"title": "net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22111",
"datePublished": "2025-04-16T14:12:57.719Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-05-11T21:13:10.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23032 (GCVE-0-2026-23032)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
null_blk: fix kmemleak by releasing references to fault configfs items
Summary
In the Linux kernel, the following vulnerability has been resolved:
null_blk: fix kmemleak by releasing references to fault configfs items
When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk
driver sets up fault injection support by creating the timeout_inject,
requeue_inject, and init_hctx_fault_inject configfs items as children
of the top-level nullbX configfs group.
However, when the nullbX device is removed, the references taken to
these fault-config configfs items are not released. As a result,
kmemleak reports a memory leak, for example:
unreferenced object 0xc00000021ff25c40 (size 32):
comm "mkdir", pid 10665, jiffies 4322121578
hex dump (first 32 bytes):
69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_
69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject..........
backtrace (crc 1a018c86):
__kmalloc_node_track_caller_noprof+0x494/0xbd8
kvasprintf+0x74/0xf4
config_item_set_name+0xf0/0x104
config_group_init_type_name+0x48/0xfc
fault_config_init+0x48/0xf0
0xc0080000180559e4
configfs_mkdir+0x304/0x814
vfs_mkdir+0x49c/0x604
do_mkdirat+0x314/0x3d0
sys_mkdir+0xa0/0xd8
system_call_exception+0x1b0/0x4f0
system_call_vectored_common+0x15c/0x2ec
Fix this by explicitly releasing the references to the fault-config
configfs items when dropping the reference to the top-level nullbX
configfs group.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea , < 1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2
(git)
Affected: bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea , < d59ba448ccd595d5d65e197216cf781a87db2b28 (git) Affected: bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea , < f1718da051282698aa8fa150bebb9724f6389fda (git) Affected: bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea , < 40b94ec7edbbb867c4e26a1a43d2b898f04b93c5 (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:53.339Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2",
"status": "affected",
"version": "bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea",
"versionType": "git"
},
{
"lessThan": "d59ba448ccd595d5d65e197216cf781a87db2b28",
"status": "affected",
"version": "bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea",
"versionType": "git"
},
{
"lessThan": "f1718da051282698aa8fa150bebb9724f6389fda",
"status": "affected",
"version": "bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea",
"versionType": "git"
},
{
"lessThan": "40b94ec7edbbb867c4e26a1a43d2b898f04b93c5",
"status": "affected",
"version": "bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix kmemleak by releasing references to fault configfs items\n\nWhen CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk\ndriver sets up fault injection support by creating the timeout_inject,\nrequeue_inject, and init_hctx_fault_inject configfs items as children\nof the top-level nullbX configfs group.\n\nHowever, when the nullbX device is removed, the references taken to\nthese fault-config configfs items are not released. As a result,\nkmemleak reports a memory leak, for example:\n\nunreferenced object 0xc00000021ff25c40 (size 32):\n comm \"mkdir\", pid 10665, jiffies 4322121578\n hex dump (first 32 bytes):\n 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_\n 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject..........\n backtrace (crc 1a018c86):\n __kmalloc_node_track_caller_noprof+0x494/0xbd8\n kvasprintf+0x74/0xf4\n config_item_set_name+0xf0/0x104\n config_group_init_type_name+0x48/0xfc\n fault_config_init+0x48/0xf0\n 0xc0080000180559e4\n configfs_mkdir+0x304/0x814\n vfs_mkdir+0x49c/0x604\n do_mkdirat+0x314/0x3d0\n sys_mkdir+0xa0/0xd8\n system_call_exception+0x1b0/0x4f0\n system_call_vectored_common+0x15c/0x2ec\n\nFix this by explicitly releasing the references to the fault-config\nconfigfs items when dropping the reference to the top-level nullbX\nconfigfs group."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:41.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2"
},
{
"url": "https://git.kernel.org/stable/c/d59ba448ccd595d5d65e197216cf781a87db2b28"
},
{
"url": "https://git.kernel.org/stable/c/f1718da051282698aa8fa150bebb9724f6389fda"
},
{
"url": "https://git.kernel.org/stable/c/40b94ec7edbbb867c4e26a1a43d2b898f04b93c5"
}
],
"title": "null_blk: fix kmemleak by releasing references to fault configfs items",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23032",
"datePublished": "2026-01-31T11:42:11.640Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-06-02T13:00:53.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68795 (GCVE-0-2025-68795)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-16 16:53
VLAI?
EPSS
Title
ethtool: Avoid overflowing userspace buffer on stats query
Summary
In the Linux kernel, the following vulnerability has been resolved:
ethtool: Avoid overflowing userspace buffer on stats query
The ethtool -S command operates across three ioctl calls:
ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and
ETHTOOL_GSTATS for the values.
If the number of stats changes between these calls (e.g., due to device
reconfiguration), userspace's buffer allocation will be incorrect,
potentially leading to buffer overflow.
Drivers are generally expected to maintain stable stat counts, but some
drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making
this scenario possible.
Some drivers try to handle this internally:
- bnad_get_ethtool_stats() returns early in case stats.n_stats is not
equal to the driver's stats count.
- micrel/ksz884x also makes sure not to write anything beyond
stats.n_stats and overflow the buffer.
However, both use stats.n_stats which is already assigned with the value
returned from get_sset_count(), hence won't solve the issue described
here.
Change ethtool_get_strings(), ethtool_get_stats(),
ethtool_get_phy_stats() to not return anything in case of a mismatch
between userspace's size and get_sset_size(), to prevent buffer
overflow.
The returned n_stats value will be equal to zero, to reflect that
nothing has been returned.
This could result in one of two cases when using upstream ethtool,
depending on when the size change is detected:
1. When detected in ethtool_get_strings():
# ethtool -S eth2
no stats available
2. When detected in get stats, all stats will be reported as zero.
Both cases are presumably transient, and a subsequent ethtool call
should succeed.
Other than the overflow avoidance, these two cases are very evident (no
output/cleared stats), which is arguably better than presenting
incorrect/shifted stats.
I also considered returning an error instead of a "silent" response, but
that seems more destructive towards userspace apps.
Notes:
- This patch does not claim to fix the inherent race, it only makes sure
that we do not overflow the userspace buffer, and makes for a more
predictable behavior.
- RTNL lock is held during each ioctl, the race window exists between
the separate ioctl calls when the lock is released.
- Userspace ethtool always fills stats.n_stats, but it is likely that
these stats ioctls are implemented in other userspace applications
which might not fill it. The added code checks that it's not zero,
to prevent any regressions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3df375a1e75483b7d973c3cc2e46aa374db8428b
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4afcb985355210e1688560dc47e64b94dad35d71 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ca9983bc3a1189bd72f9ae449d925a66b2616326 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7bea09f60f2ad5d232e2db8f1c14e850fd3fd416 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4066b5b546293f44cd6d0e84ece6e3ee7ff27093 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7b07be1ff1cb6c49869910518650e8d0abc7d25f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68795",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:53:04.833978Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:53:15.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3df375a1e75483b7d973c3cc2e46aa374db8428b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4afcb985355210e1688560dc47e64b94dad35d71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ca9983bc3a1189bd72f9ae449d925a66b2616326",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bea09f60f2ad5d232e2db8f1c14e850fd3fd416",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4066b5b546293f44cd6d0e84ece6e3ee7ff27093",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7b07be1ff1cb6c49869910518650e8d0abc7d25f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: Avoid overflowing userspace buffer on stats query\n\nThe ethtool -S command operates across three ioctl calls:\nETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and\nETHTOOL_GSTATS for the values.\n\nIf the number of stats changes between these calls (e.g., due to device\nreconfiguration), userspace\u0027s buffer allocation will be incorrect,\npotentially leading to buffer overflow.\n\nDrivers are generally expected to maintain stable stat counts, but some\ndrivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making\nthis scenario possible.\n\nSome drivers try to handle this internally:\n- bnad_get_ethtool_stats() returns early in case stats.n_stats is not\n equal to the driver\u0027s stats count.\n- micrel/ksz884x also makes sure not to write anything beyond\n stats.n_stats and overflow the buffer.\n\nHowever, both use stats.n_stats which is already assigned with the value\nreturned from get_sset_count(), hence won\u0027t solve the issue described\nhere.\n\nChange ethtool_get_strings(), ethtool_get_stats(),\nethtool_get_phy_stats() to not return anything in case of a mismatch\nbetween userspace\u0027s size and get_sset_size(), to prevent buffer\noverflow.\nThe returned n_stats value will be equal to zero, to reflect that\nnothing has been returned.\n\nThis could result in one of two cases when using upstream ethtool,\ndepending on when the size change is detected:\n1. When detected in ethtool_get_strings():\n # ethtool -S eth2\n no stats available\n\n2. When detected in get stats, all stats will be reported as zero.\n\nBoth cases are presumably transient, and a subsequent ethtool call\nshould succeed.\n\nOther than the overflow avoidance, these two cases are very evident (no\noutput/cleared stats), which is arguably better than presenting\nincorrect/shifted stats.\nI also considered returning an error instead of a \"silent\" response, but\nthat seems more destructive towards userspace apps.\n\nNotes:\n- This patch does not claim to fix the inherent race, it only makes sure\n that we do not overflow the userspace buffer, and makes for a more\n predictable behavior.\n\n- RTNL lock is held during each ioctl, the race window exists between\n the separate ioctl calls when the lock is released.\n\n- Userspace ethtool always fills stats.n_stats, but it is likely that\n these stats ioctls are implemented in other userspace applications\n which might not fill it. The added code checks that it\u0027s not zero,\n to prevent any regressions."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:29.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b"
},
{
"url": "https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5"
},
{
"url": "https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71"
},
{
"url": "https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326"
},
{
"url": "https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416"
},
{
"url": "https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093"
},
{
"url": "https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f"
}
],
"title": "ethtool: Avoid overflowing userspace buffer on stats query",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68795",
"datePublished": "2026-01-13T15:29:06.217Z",
"dateReserved": "2025-12-24T10:30:51.041Z",
"dateUpdated": "2026-06-16T16:53:15.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68801 (GCVE-0-2025-68801)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
mlxsw: spectrum_router: Fix neighbour use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_router: Fix neighbour use-after-free
We sometimes observe use-after-free when dereferencing a neighbour [1].
The problem seems to be that the driver stores a pointer to the
neighbour, but without holding a reference on it. A reference is only
taken when the neighbour is used by a nexthop.
Fix by simplifying the reference counting scheme. Always take a
reference when storing a neighbour pointer in a neighbour entry. Avoid
taking a referencing when the neighbour is used by a nexthop as the
neighbour entry associated with the nexthop already holds a reference.
Tested by running the test that uncovered the problem over 300 times.
Without this patch the problem was reproduced after a handful of
iterations.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310
Read of size 8 at addr ffff88817f8e3420 by task ip/3929
CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_address_description.constprop.0+0x6e/0x300
print_report+0xfc/0x1fb
kasan_report+0xe4/0x110
mlxsw_sp_neigh_entry_update+0x2d4/0x310
mlxsw_sp_router_rif_gone_sync+0x35f/0x510
mlxsw_sp_rif_destroy+0x1ea/0x730
mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0
__mlxsw_sp_inetaddr_lag_event+0xcc/0x130
__mlxsw_sp_inetaddr_event+0xf5/0x3c0
mlxsw_sp_router_netdevice_event+0x1015/0x1580
notifier_call_chain+0xcc/0x150
call_netdevice_notifiers_info+0x7e/0x100
__netdev_upper_dev_unlink+0x10b/0x210
netdev_upper_dev_unlink+0x79/0xa0
vrf_del_slave+0x18/0x50
do_set_master+0x146/0x7d0
do_setlink.isra.0+0x9a0/0x2880
rtnl_newlink+0x637/0xb20
rtnetlink_rcv_msg+0x6fe/0xb90
netlink_rcv_skb+0x123/0x380
netlink_unicast+0x4a3/0x770
netlink_sendmsg+0x75b/0xc90
__sock_sendmsg+0xbe/0x160
____sys_sendmsg+0x5b2/0x7d0
___sys_sendmsg+0xfd/0x180
__sys_sendmsg+0x124/0x1c0
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[...]
Allocated by task 109:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x2c1/0x790
neigh_alloc+0x6af/0x8f0
___neigh_create+0x63/0xe90
mlxsw_sp_nexthop_neigh_init+0x430/0x7e0
mlxsw_sp_nexthop_type_init+0x212/0x960
mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280
mlxsw_sp_nexthop6_group_get+0x392/0x6a0
mlxsw_sp_fib6_entry_create+0x46a/0xfd0
mlxsw_sp_router_fib6_replace+0x1ed/0x5f0
mlxsw_sp_router_fib6_event_work+0x10a/0x2a0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Freed by task 154:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kmem_cache_free_bulk.part.0+0x1eb/0x5e0
kvfree_rcu_bulk+0x1f2/0x260
kfree_rcu_work+0x130/0x1b0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Last potentially related work creation:
kasan_save_stack+0x30/0x50
kasan_record_aux_stack+0x8c/0xa0
kvfree_call_rcu+0x93/0x5b0
mlxsw_sp_router_neigh_event_work+0x67d/0x860
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6cf3c971dc84cb36579515ddb488919b9e9fb6de , < a2dfe6758fc63e542105bee8b17a3a7485684db0
(git)
Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < c437fbfd4382412598cdda1f8e2881b523668cc2 (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 4a3c569005f42ab5e5b2ad637132a33bf102cc08 (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 675c5aeadf6472672c472dc0f26401e4fcfbf254 (git) Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 8b0e69763ef948fb872a7767df4be665d18f5fd4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2dfe6758fc63e542105bee8b17a3a7485684db0",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "c437fbfd4382412598cdda1f8e2881b523668cc2",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "4a3c569005f42ab5e5b2ad637132a33bf102cc08",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "675c5aeadf6472672c472dc0f26401e4fcfbf254",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "8b0e69763ef948fb872a7767df4be665d18f5fd4",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_router: Fix neighbour use-after-free\n\nWe sometimes observe use-after-free when dereferencing a neighbour [1].\nThe problem seems to be that the driver stores a pointer to the\nneighbour, but without holding a reference on it. A reference is only\ntaken when the neighbour is used by a nexthop.\n\nFix by simplifying the reference counting scheme. Always take a\nreference when storing a neighbour pointer in a neighbour entry. Avoid\ntaking a referencing when the neighbour is used by a nexthop as the\nneighbour entry associated with the nexthop already holds a reference.\n\nTested by running the test that uncovered the problem over 300 times.\nWithout this patch the problem was reproduced after a handful of\niterations.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310\nRead of size 8 at addr ffff88817f8e3420 by task ip/3929\n\nCPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)\nHardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xa0\n print_address_description.constprop.0+0x6e/0x300\n print_report+0xfc/0x1fb\n kasan_report+0xe4/0x110\n mlxsw_sp_neigh_entry_update+0x2d4/0x310\n mlxsw_sp_router_rif_gone_sync+0x35f/0x510\n mlxsw_sp_rif_destroy+0x1ea/0x730\n mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0\n __mlxsw_sp_inetaddr_lag_event+0xcc/0x130\n __mlxsw_sp_inetaddr_event+0xf5/0x3c0\n mlxsw_sp_router_netdevice_event+0x1015/0x1580\n notifier_call_chain+0xcc/0x150\n call_netdevice_notifiers_info+0x7e/0x100\n __netdev_upper_dev_unlink+0x10b/0x210\n netdev_upper_dev_unlink+0x79/0xa0\n vrf_del_slave+0x18/0x50\n do_set_master+0x146/0x7d0\n do_setlink.isra.0+0x9a0/0x2880\n rtnl_newlink+0x637/0xb20\n rtnetlink_rcv_msg+0x6fe/0xb90\n netlink_rcv_skb+0x123/0x380\n netlink_unicast+0x4a3/0x770\n netlink_sendmsg+0x75b/0xc90\n __sock_sendmsg+0xbe/0x160\n ____sys_sendmsg+0x5b2/0x7d0\n ___sys_sendmsg+0xfd/0x180\n __sys_sendmsg+0x124/0x1c0\n do_syscall_64+0xbb/0xfd0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n[...]\n\nAllocated by task 109:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x2c1/0x790\n neigh_alloc+0x6af/0x8f0\n ___neigh_create+0x63/0xe90\n mlxsw_sp_nexthop_neigh_init+0x430/0x7e0\n mlxsw_sp_nexthop_type_init+0x212/0x960\n mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280\n mlxsw_sp_nexthop6_group_get+0x392/0x6a0\n mlxsw_sp_fib6_entry_create+0x46a/0xfd0\n mlxsw_sp_router_fib6_replace+0x1ed/0x5f0\n mlxsw_sp_router_fib6_event_work+0x10a/0x2a0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nFreed by task 154:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x43/0x70\n kmem_cache_free_bulk.part.0+0x1eb/0x5e0\n kvfree_rcu_bulk+0x1f2/0x260\n kfree_rcu_work+0x130/0x1b0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nLast potentially related work creation:\n kasan_save_stack+0x30/0x50\n kasan_record_aux_stack+0x8c/0xa0\n kvfree_call_rcu+0x93/0x5b0\n mlxsw_sp_router_neigh_event_work+0x67d/0x860\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:36.190Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0"
},
{
"url": "https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc"
},
{
"url": "https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2"
},
{
"url": "https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08"
},
{
"url": "https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a"
},
{
"url": "https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254"
},
{
"url": "https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4"
}
],
"title": "mlxsw: spectrum_router: Fix neighbour use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68801",
"datePublished": "2026-01-13T15:29:10.349Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-05-11T21:53:36.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68727 (GCVE-0-2025-68727)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
ntfs3: Fix uninit buffer allocated by __getname()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: Fix uninit buffer allocated by __getname()
Fix uninit errors caused after buffer allocation given to 'de'; by
initializing the buffer with zeroes. The fix was found by using KMSAN.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 90e23db1a85956026999c18e76f402542cb004da
(git)
Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 53f4d6cb97096590410f3719f75cdf9fc5120f37 (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9 (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 4b1fd82848fdf0e01b3320815b261006c1722c3e (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < d88d4b455b6794f48d7adad52593f1700c7bd50e (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < b40a4eb4a0543d49686a6e693745009dac3b86a9 (git) Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90e23db1a85956026999c18e76f402542cb004da",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "53f4d6cb97096590410f3719f75cdf9fc5120f37",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "4b1fd82848fdf0e01b3320815b261006c1722c3e",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "d88d4b455b6794f48d7adad52593f1700c7bd50e",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "b40a4eb4a0543d49686a6e693745009dac3b86a9",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: Fix uninit buffer allocated by __getname()\n\nFix uninit errors caused after buffer allocation given to \u0027de\u0027; by\ninitializing the buffer with zeroes. The fix was found by using KMSAN."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:10.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90e23db1a85956026999c18e76f402542cb004da"
},
{
"url": "https://git.kernel.org/stable/c/53f4d6cb97096590410f3719f75cdf9fc5120f37"
},
{
"url": "https://git.kernel.org/stable/c/dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9"
},
{
"url": "https://git.kernel.org/stable/c/4b1fd82848fdf0e01b3320815b261006c1722c3e"
},
{
"url": "https://git.kernel.org/stable/c/d88d4b455b6794f48d7adad52593f1700c7bd50e"
},
{
"url": "https://git.kernel.org/stable/c/b40a4eb4a0543d49686a6e693745009dac3b86a9"
},
{
"url": "https://git.kernel.org/stable/c/9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6"
}
],
"title": "ntfs3: Fix uninit buffer allocated by __getname()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68727",
"datePublished": "2025-12-24T10:33:11.085Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-05-11T21:52:10.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71225 (GCVE-0-2025-71225)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:21 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
md: suspend array while updating raid_disks via sysfs
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: suspend array while updating raid_disks via sysfs
In raid1_reshape(), freeze_array() is called before modifying the r1bio
memory pool (conf->r1bio_pool) and conf->raid_disks, and
unfreeze_array() is called after the update is completed.
However, freeze_array() only waits until nr_sync_pending and
(nr_pending - nr_queued) of all buckets reaches zero. When an I/O error
occurs, nr_queued is increased and the corresponding r1bio is queued to
either retry_list or bio_end_io_list. As a result, freeze_array() may
unblock before these r1bios are released.
This can lead to a situation where conf->raid_disks and the mempool have
already been updated while queued r1bios, allocated with the old
raid_disks value, are later released. Consequently, free_r1bio() may
access memory out of bounds in put_all_bios() and release r1bios of the
wrong size to the new mempool, potentially causing issues with the
mempool as well.
Since only normal I/O might increase nr_queued while an I/O error occurs,
suspending the array avoids this issue.
Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends
the array. Therefore, we suspend the array when updating raid_disks
via sysfs to avoid this issue too.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e2d59925221cd562e07fee38ec8839f7209ae603 , < 165d1359f945b72c5f90088f60d48ff46115269e
(git)
Affected: e2d59925221cd562e07fee38ec8839f7209ae603 , < 0107b18cd8ac17eb3e54786adc05a85cdbb6ef22 (git) Affected: e2d59925221cd562e07fee38ec8839f7209ae603 , < 2cc583653bbe050bacd1cadcc9776d39bf449740 (git) Affected: 1b9203bb4c658c0242afa6fdb025c71d2fc3ad76 (git) Affected: 8ccf6cfb157419847f3cb2bfdfbcdbd39860e8e9 (git) Affected: 3.4.59 , < 3.5 (semver) Affected: 3.9.7 , < 3.10 (semver) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:16.509027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:10.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "165d1359f945b72c5f90088f60d48ff46115269e",
"status": "affected",
"version": "e2d59925221cd562e07fee38ec8839f7209ae603",
"versionType": "git"
},
{
"lessThan": "0107b18cd8ac17eb3e54786adc05a85cdbb6ef22",
"status": "affected",
"version": "e2d59925221cd562e07fee38ec8839f7209ae603",
"versionType": "git"
},
{
"lessThan": "2cc583653bbe050bacd1cadcc9776d39bf449740",
"status": "affected",
"version": "e2d59925221cd562e07fee38ec8839f7209ae603",
"versionType": "git"
},
{
"status": "affected",
"version": "1b9203bb4c658c0242afa6fdb025c71d2fc3ad76",
"versionType": "git"
},
{
"status": "affected",
"version": "8ccf6cfb157419847f3cb2bfdfbcdbd39860e8e9",
"versionType": "git"
},
{
"lessThan": "3.5",
"status": "affected",
"version": "3.4.59",
"versionType": "semver"
},
{
"lessThan": "3.10",
"status": "affected",
"version": "3.9.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.9.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: suspend array while updating raid_disks via sysfs\n\nIn raid1_reshape(), freeze_array() is called before modifying the r1bio\nmemory pool (conf-\u003er1bio_pool) and conf-\u003eraid_disks, and\nunfreeze_array() is called after the update is completed.\n\nHowever, freeze_array() only waits until nr_sync_pending and\n(nr_pending - nr_queued) of all buckets reaches zero. When an I/O error\noccurs, nr_queued is increased and the corresponding r1bio is queued to\neither retry_list or bio_end_io_list. As a result, freeze_array() may\nunblock before these r1bios are released.\n\nThis can lead to a situation where conf-\u003eraid_disks and the mempool have\nalready been updated while queued r1bios, allocated with the old\nraid_disks value, are later released. Consequently, free_r1bio() may\naccess memory out of bounds in put_all_bios() and release r1bios of the\nwrong size to the new mempool, potentially causing issues with the\nmempool as well.\n\nSince only normal I/O might increase nr_queued while an I/O error occurs,\nsuspending the array avoids this issue.\n\nNote: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends\nthe array. Therefore, we suspend the array when updating raid_disks\nvia sysfs to avoid this issue too."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:33.621Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/165d1359f945b72c5f90088f60d48ff46115269e"
},
{
"url": "https://git.kernel.org/stable/c/0107b18cd8ac17eb3e54786adc05a85cdbb6ef22"
},
{
"url": "https://git.kernel.org/stable/c/2cc583653bbe050bacd1cadcc9776d39bf449740"
}
],
"title": "md: suspend array while updating raid_disks via sysfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71225",
"datePublished": "2026-02-18T14:21:46.249Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-06-11T18:44:10.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68766 (GCVE-0-2025-68766)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
it results in an out of bounds access.
The code checks for invalid values, but doesn't set the error code. Return
-EINVAL in that case, instead of returning success.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00fa3461c86dd289b441d4d5a6bb236064bd207b , < 324c60a67c4b9668497940f667db14d216cc7b1b
(git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < c21c606ad398eeb86a0f3aaff9ba4f2665e286c6 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 3873afcb57614c1aaa5b6715554d6d1c22cac95a (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 09efe7cfbf919c4d763bc425473fcfee0dc98356 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "324c60a67c4b9668497940f667db14d216cc7b1b",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "c21c606ad398eeb86a0f3aaff9ba4f2665e286c6",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "3873afcb57614c1aaa5b6715554d6d1c22cac95a",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "09efe7cfbf919c4d763bc425473fcfee0dc98356",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()\n\nIf irq_domain_translate_twocell() sets \"hwirq\" to \u003e= MCHP_EIC_NIRQ (2) then\nit results in an out of bounds access.\n\nThe code checks for invalid values, but doesn\u0027t set the error code. Return\n-EINVAL in that case, instead of returning success."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:56.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/324c60a67c4b9668497940f667db14d216cc7b1b"
},
{
"url": "https://git.kernel.org/stable/c/c21c606ad398eeb86a0f3aaff9ba4f2665e286c6"
},
{
"url": "https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a"
},
{
"url": "https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356"
},
{
"url": "https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552"
},
{
"url": "https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7"
}
],
"title": "irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68766",
"datePublished": "2026-01-05T09:44:13.935Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-05-11T21:52:56.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23260 (GCVE-0-2026-23260)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-05-11 22:03
VLAI?
EPSS
Title
regmap: maple: free entry on mas_store_gfp() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap: maple: free entry on mas_store_gfp() failure
regcache_maple_write() allocates a new block ('entry') to merge
adjacent ranges and then stores it with mas_store_gfp().
When mas_store_gfp() fails, the new 'entry' remains allocated and
is never freed, leaking memory.
Free 'entry' on the failure path; on success continue freeing the
replaced neighbor blocks ('lower', 'upper').
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f033c26de5a5734625d2dd1dc196745fae186f1b , < d61171cf097156030142643942c217759a9cc806
(git)
Affected: f033c26de5a5734625d2dd1dc196745fae186f1b , < 811b45e2d795d955bb7fd9c816b40036f4fde350 (git) Affected: f033c26de5a5734625d2dd1dc196745fae186f1b , < f08f2d2907675926ac5657b25f86d921f269602a (git) Affected: f033c26de5a5734625d2dd1dc196745fae186f1b , < f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regcache-maple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d61171cf097156030142643942c217759a9cc806",
"status": "affected",
"version": "f033c26de5a5734625d2dd1dc196745fae186f1b",
"versionType": "git"
},
{
"lessThan": "811b45e2d795d955bb7fd9c816b40036f4fde350",
"status": "affected",
"version": "f033c26de5a5734625d2dd1dc196745fae186f1b",
"versionType": "git"
},
{
"lessThan": "f08f2d2907675926ac5657b25f86d921f269602a",
"status": "affected",
"version": "f033c26de5a5734625d2dd1dc196745fae186f1b",
"versionType": "git"
},
{
"lessThan": "f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8",
"status": "affected",
"version": "f033c26de5a5734625d2dd1dc196745fae186f1b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regcache-maple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: maple: free entry on mas_store_gfp() failure\n\nregcache_maple_write() allocates a new block (\u0027entry\u0027) to merge\nadjacent ranges and then stores it with mas_store_gfp().\nWhen mas_store_gfp() fails, the new \u0027entry\u0027 remains allocated and\nis never freed, leaking memory.\n\nFree \u0027entry\u0027 on the failure path; on success continue freeing the\nreplaced neighbor blocks (\u0027lower\u0027, \u0027upper\u0027)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:25.152Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d61171cf097156030142643942c217759a9cc806"
},
{
"url": "https://git.kernel.org/stable/c/811b45e2d795d955bb7fd9c816b40036f4fde350"
},
{
"url": "https://git.kernel.org/stable/c/f08f2d2907675926ac5657b25f86d921f269602a"
},
{
"url": "https://git.kernel.org/stable/c/f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8"
}
],
"title": "regmap: maple: free entry on mas_store_gfp() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23260",
"datePublished": "2026-03-18T17:41:06.738Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-05-11T22:03:25.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71133 (GCVE-0-2025-71133)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
RDMA/irdma: avoid invalid read in irdma_net_event
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: avoid invalid read in irdma_net_event
irdma_net_event() should not dereference anything from "neigh" (alias
"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
Other events come with different structures pointed to by "ptr" and they
may be smaller than struct neighbour.
Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
The bug is mostly harmless, but it triggers KASAN on debug kernels:
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
<IRQ>
dump_stack_lvl+0x60/0xb0
print_address_description.constprop.0+0x2c/0x3f0
print_report+0xb4/0x270
kasan_report+0x92/0xc0
irdma_net_event+0x32e/0x3b0 [irdma]
notifier_call_chain+0x9e/0x180
atomic_notifier_call_chain+0x5c/0x110
rt6_do_redirect+0xb91/0x1080
tcp_v6_err+0xe9b/0x13e0
icmpv6_notify+0x2b2/0x630
ndisc_redirect_rcv+0x328/0x530
icmpv6_rcv+0xc16/0x1360
ip6_protocol_deliver_rcu+0xb84/0x12e0
ip6_input_finish+0x117/0x240
ip6_input+0xc4/0x370
ipv6_rcv+0x420/0x7d0
__netif_receive_skb_one_core+0x118/0x1b0
process_backlog+0xd1/0x5d0
__napi_poll.constprop.0+0xa3/0x440
net_rx_action+0x78a/0xba0
handle_softirqs+0x2d4/0x9c0
do_softirq+0xad/0xe0
</IRQ>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < db93ae6fa66f1c61ae63400191195e3ee58021da
(git)
Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < 305c02e541befe4a44ffde30ed374970f41aeb6c (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < fc23d05f0b3fb4d80657e7afebae2cae686b31c8 (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < bf197c7c79ef6458d1ee84dd7db251b51784885f (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < d9b9affd103f51b42322da4ed5ac025b560bc354 (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:56.336188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:07.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db93ae6fa66f1c61ae63400191195e3ee58021da",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "305c02e541befe4a44ffde30ed374970f41aeb6c",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "fc23d05f0b3fb4d80657e7afebae2cae686b31c8",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "bf197c7c79ef6458d1ee84dd7db251b51784885f",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "d9b9affd103f51b42322da4ed5ac025b560bc354",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "6f05611728e9d0ab024832a4f1abb74a5f5d0bb0",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: avoid invalid read in irdma_net_event\n\nirdma_net_event() should not dereference anything from \"neigh\" (alias\n\"ptr\") until it has checked that the event is NETEVENT_NEIGH_UPDATE.\nOther events come with different structures pointed to by \"ptr\" and they\nmay be smaller than struct neighbour.\n\nMove the read of neigh-\u003edev under the NETEVENT_NEIGH_UPDATE case.\n\nThe bug is mostly harmless, but it triggers KASAN on debug kernels:\n\n BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]\n Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554\n\n CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1\n Hardware name: [...]\n Workqueue: events rt6_probe_deferred\n Call Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x60/0xb0\n print_address_description.constprop.0+0x2c/0x3f0\n print_report+0xb4/0x270\n kasan_report+0x92/0xc0\n irdma_net_event+0x32e/0x3b0 [irdma]\n notifier_call_chain+0x9e/0x180\n atomic_notifier_call_chain+0x5c/0x110\n rt6_do_redirect+0xb91/0x1080\n tcp_v6_err+0xe9b/0x13e0\n icmpv6_notify+0x2b2/0x630\n ndisc_redirect_rcv+0x328/0x530\n icmpv6_rcv+0xc16/0x1360\n ip6_protocol_deliver_rcu+0xb84/0x12e0\n ip6_input_finish+0x117/0x240\n ip6_input+0xc4/0x370\n ipv6_rcv+0x420/0x7d0\n __netif_receive_skb_one_core+0x118/0x1b0\n process_backlog+0xd1/0x5d0\n __napi_poll.constprop.0+0xa3/0x440\n net_rx_action+0x78a/0xba0\n handle_softirqs+0x2d4/0x9c0\n do_softirq+0xad/0xe0\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:36.876Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da"
},
{
"url": "https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c"
},
{
"url": "https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8"
},
{
"url": "https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f"
},
{
"url": "https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354"
},
{
"url": "https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0"
}
],
"title": "RDMA/irdma: avoid invalid read in irdma_net_event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71133",
"datePublished": "2026-01-14T15:07:48.524Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-06-11T18:44:07.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23262 (GCVE-0-2026-23262)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-05-11 22:03
VLAI?
EPSS
Title
gve: Fix stats report corruption on queue count change
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: Fix stats report corruption on queue count change
The driver and the NIC share a region in memory for stats reporting.
The NIC calculates its offset into this region based on the total size
of the stats region and the size of the NIC's stats.
When the number of queues is changed, the driver's stats region is
resized. If the queue count is increased, the NIC can write past
the end of the allocated stats region, causing memory corruption.
If the queue count is decreased, there is a gap between the driver
and NIC stats, leading to incorrect stats reporting.
This change fixes the issue by allocating stats region with maximum
size, and the offset calculation for NIC stats is changed to match
with the calculation of the NIC.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c , < f432f7613c220db32c2c6942420daf7b3f2e7d7e
(git)
Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c , < 9d93332397405b62a3300b22d04ac65d990b91ff (git) Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c , < 837c662f47dac43efa1aef2dd433c6b4b4c073af (git) Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c , < df54838ab61826ecc1a562ffa5e280c3ab7289a7 (git) Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c , < 9fa0a755db3e1945fe00f73fe27d85ef6c8818b7 (git) Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c , < 11f8311f69e4c361717371b4901ff92daeb76e9c (git) Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c , < 7b9ebcce0296e104a0d82a6b09d68564806158ff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_ethtool.c",
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f432f7613c220db32c2c6942420daf7b3f2e7d7e",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "9d93332397405b62a3300b22d04ac65d990b91ff",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "837c662f47dac43efa1aef2dd433c6b4b4c073af",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "df54838ab61826ecc1a562ffa5e280c3ab7289a7",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "9fa0a755db3e1945fe00f73fe27d85ef6c8818b7",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "11f8311f69e4c361717371b4901ff92daeb76e9c",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "7b9ebcce0296e104a0d82a6b09d68564806158ff",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_ethtool.c",
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Fix stats report corruption on queue count change\n\nThe driver and the NIC share a region in memory for stats reporting.\nThe NIC calculates its offset into this region based on the total size\nof the stats region and the size of the NIC\u0027s stats.\n\nWhen the number of queues is changed, the driver\u0027s stats region is\nresized. If the queue count is increased, the NIC can write past\nthe end of the allocated stats region, causing memory corruption.\nIf the queue count is decreased, there is a gap between the driver\nand NIC stats, leading to incorrect stats reporting.\n\nThis change fixes the issue by allocating stats region with maximum\nsize, and the offset calculation for NIC stats is changed to match\nwith the calculation of the NIC."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:27.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f432f7613c220db32c2c6942420daf7b3f2e7d7e"
},
{
"url": "https://git.kernel.org/stable/c/9d93332397405b62a3300b22d04ac65d990b91ff"
},
{
"url": "https://git.kernel.org/stable/c/837c662f47dac43efa1aef2dd433c6b4b4c073af"
},
{
"url": "https://git.kernel.org/stable/c/df54838ab61826ecc1a562ffa5e280c3ab7289a7"
},
{
"url": "https://git.kernel.org/stable/c/9fa0a755db3e1945fe00f73fe27d85ef6c8818b7"
},
{
"url": "https://git.kernel.org/stable/c/11f8311f69e4c361717371b4901ff92daeb76e9c"
},
{
"url": "https://git.kernel.org/stable/c/7b9ebcce0296e104a0d82a6b09d68564806158ff"
}
],
"title": "gve: Fix stats report corruption on queue count change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23262",
"datePublished": "2026-03-18T17:41:08.380Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-05-11T22:03:27.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23198 (GCVE-0-2026-23198)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-06-16 20:34
VLAI?
EPSS
Title
KVM: Don't clobber irqfd routing type when deassigning irqfd
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Don't clobber irqfd routing type when deassigning irqfd
When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's
routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86
and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to
handle a concurrent routing update, verify that the irqfd is still active
before consuming the routing information. As evidenced by the x86 and
arm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),
clobbering the entry type without notifying arch code is surprising and
error prone.
As a bonus, checking that the irqfd is active provides a convenient
location for documenting _why_ KVM must not consume the routing entry for
an irqfd that is in the process of being deassigned: once the irqfd is
deleted from the list (which happens *before* the eventfd is detached), it
will no longer receive updates via kvm_irq_routing_update(), and so KVM
could deliver an event using stale routing information (relative to
KVM_SET_GSI_ROUTING returning to userspace).
As an even better bonus, explicitly checking for the irqfd being active
fixes a similar bug to the one the clobbering is trying to prevent: if an
irqfd is deactivated, and then its routing is changed,
kvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing()
(because the irqfd isn't in the list). And so if the irqfd is in bypass
mode, IRQs will continue to be posted using the old routing information.
As for kvm_arch_irq_bypass_del_producer(), clobbering the routing type
results in KVM incorrectly keeping the IRQ in bypass mode, which is
especially problematic on AMD as KVM tracks IRQs that are being posted to
a vCPU in a list whose lifetime is tied to the irqfd.
Without the help of KASAN to detect use-after-free, the most common
sympton on AMD is a NULL pointer deref in amd_iommu_update_ga() due to
the memory for irqfd structure being re-allocated and zeroed, resulting
in irqfd->irq_bypass_data being NULL when read by
avic_update_iommu_vcpu_affinity():
BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0
Oops: Oops: 0000 [#1] SMP
CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test
Tainted: G U W O 6.19.0-smp--5dddc257e6b2-irqfd #31 NONE
Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025
RIP: 0010:amd_iommu_update_ga+0x19/0xe0
Call Trace:
<TASK>
avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]
__avic_vcpu_load+0xf4/0x130 [kvm_amd]
kvm_arch_vcpu_load+0x89/0x210 [kvm]
vcpu_load+0x30/0x40 [kvm]
kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]
kvm_vcpu_ioctl+0x571/0x6a0 [kvm]
__se_sys_ioctl+0x6d/0xb0
do_syscall_64+0x6f/0x9d0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x46893b
</TASK>
---[ end trace 0000000000000000 ]---
If AVIC is inhibited when the irfd is deassigned, the bug will manifest as
list corruption, e.g. on the next irqfd assignment.
list_add corruption. next->prev should be prev (ffff8d474d5cd588),
but was 0000000000000000. (next=ffff8d8658f86530).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:31!
Oops: invalid opcode: 0000 [#1] SMP
CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test
Tainted: G U W O 6.19.0-smp--f19dc4d680ba-irqfd #28 NONE
Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025
RIP: 0010:__list_add_valid_or_report+0x97/0xc0
Call Trace:
<TASK>
avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]
kvm_pi_update_irte+0xbf/0x190 [kvm]
kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]
irq_bypass_register_consumer+0xcd/0x170 [irqbypa
---truncated---
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f70c20aaf141adb715a2d750c55154073b02a9c3 , < 959a063e7f12524bc1871ad1f519787967bbcd45
(git)
Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < 2284bc168b148a17b5ca3b37b3d95c411f18a08d (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < 6d14ba1e144e796b5fc81044f08cfba9024ca195 (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < b61f9b2fcf181451d0a319889478cc53c001123e (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < ff48c9312d042bfbe826ca675e98acc6c623211c (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < 4385b2f2843549bfb932e0dcf76bf4b065543a3c (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < b4d37cdb77a0015f51fee083598fa227cc07aaf1 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:33:50.365342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:34:00.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/eventfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "959a063e7f12524bc1871ad1f519787967bbcd45",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "2284bc168b148a17b5ca3b37b3d95c411f18a08d",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "6d14ba1e144e796b5fc81044f08cfba9024ca195",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "b61f9b2fcf181451d0a319889478cc53c001123e",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "ff48c9312d042bfbe826ca675e98acc6c623211c",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "4385b2f2843549bfb932e0dcf76bf4b065543a3c",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "b4d37cdb77a0015f51fee083598fa227cc07aaf1",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/eventfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don\u0027t clobber irqfd routing type when deassigning irqfd\n\nWhen deassigning a KVM_IRQFD, don\u0027t clobber the irqfd\u0027s copy of the IRQ\u0027s\nrouting entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86\nand arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to\nhandle a concurrent routing update, verify that the irqfd is still active\nbefore consuming the routing information. As evidenced by the x86 and\narm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),\nclobbering the entry type without notifying arch code is surprising and\nerror prone.\n\nAs a bonus, checking that the irqfd is active provides a convenient\nlocation for documenting _why_ KVM must not consume the routing entry for\nan irqfd that is in the process of being deassigned: once the irqfd is\ndeleted from the list (which happens *before* the eventfd is detached), it\nwill no longer receive updates via kvm_irq_routing_update(), and so KVM\ncould deliver an event using stale routing information (relative to\nKVM_SET_GSI_ROUTING returning to userspace).\n\nAs an even better bonus, explicitly checking for the irqfd being active\nfixes a similar bug to the one the clobbering is trying to prevent: if an\nirqfd is deactivated, and then its routing is changed,\nkvm_irq_routing_update() won\u0027t invoke kvm_arch_update_irqfd_routing()\n(because the irqfd isn\u0027t in the list). And so if the irqfd is in bypass\nmode, IRQs will continue to be posted using the old routing information.\n\nAs for kvm_arch_irq_bypass_del_producer(), clobbering the routing type\nresults in KVM incorrectly keeping the IRQ in bypass mode, which is\nespecially problematic on AMD as KVM tracks IRQs that are being posted to\na vCPU in a list whose lifetime is tied to the irqfd.\n\nWithout the help of KASAN to detect use-after-free, the most common\nsympton on AMD is a NULL pointer deref in amd_iommu_update_ga() due to\nthe memory for irqfd structure being re-allocated and zeroed, resulting\nin irqfd-\u003eirq_bypass_data being NULL when read by\navic_update_iommu_vcpu_affinity():\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0\n Oops: Oops: 0000 [#1] SMP\n CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test\n Tainted: G U W O 6.19.0-smp--5dddc257e6b2-irqfd #31 NONE\n Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n RIP: 0010:amd_iommu_update_ga+0x19/0xe0\n Call Trace:\n \u003cTASK\u003e\n avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]\n __avic_vcpu_load+0xf4/0x130 [kvm_amd]\n kvm_arch_vcpu_load+0x89/0x210 [kvm]\n vcpu_load+0x30/0x40 [kvm]\n kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]\n kvm_vcpu_ioctl+0x571/0x6a0 [kvm]\n __se_sys_ioctl+0x6d/0xb0\n do_syscall_64+0x6f/0x9d0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x46893b\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nIf AVIC is inhibited when the irfd is deassigned, the bug will manifest as\nlist corruption, e.g. on the next irqfd assignment.\n\n list_add corruption. next-\u003eprev should be prev (ffff8d474d5cd588),\n but was 0000000000000000. (next=ffff8d8658f86530).\n ------------[ cut here ]------------\n kernel BUG at lib/list_debug.c:31!\n Oops: invalid opcode: 0000 [#1] SMP\n CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test\n Tainted: G U W O 6.19.0-smp--f19dc4d680ba-irqfd #28 NONE\n Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n RIP: 0010:__list_add_valid_or_report+0x97/0xc0\n Call Trace:\n \u003cTASK\u003e\n avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]\n kvm_pi_update_irte+0xbf/0x190 [kvm]\n kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]\n irq_bypass_register_consumer+0xcd/0x170 [irqbypa\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:13.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/959a063e7f12524bc1871ad1f519787967bbcd45"
},
{
"url": "https://git.kernel.org/stable/c/2284bc168b148a17b5ca3b37b3d95c411f18a08d"
},
{
"url": "https://git.kernel.org/stable/c/6d14ba1e144e796b5fc81044f08cfba9024ca195"
},
{
"url": "https://git.kernel.org/stable/c/b61f9b2fcf181451d0a319889478cc53c001123e"
},
{
"url": "https://git.kernel.org/stable/c/ff48c9312d042bfbe826ca675e98acc6c623211c"
},
{
"url": "https://git.kernel.org/stable/c/4385b2f2843549bfb932e0dcf76bf4b065543a3c"
},
{
"url": "https://git.kernel.org/stable/c/b4d37cdb77a0015f51fee083598fa227cc07aaf1"
}
],
"title": "KVM: Don\u0027t clobber irqfd routing type when deassigning irqfd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23198",
"datePublished": "2026-02-14T16:27:23.621Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-06-16T20:34:00.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68758 (GCVE-0-2025-68758)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
backlight: led-bl: Add devlink to supplier LEDs
Summary
In the Linux kernel, the following vulnerability has been resolved:
backlight: led-bl: Add devlink to supplier LEDs
LED Backlight is a consumer of one or multiple LED class devices, but
devlink is currently unable to create correct supplier-producer links when
the supplier is a class device. It creates instead a link where the
supplier is the parent of the expected device.
One consequence is that removal order is not correctly enforced.
Issues happen for example with the following sections in a device tree
overlay:
// An LED driver chip
pca9632@62 {
compatible = "nxp,pca9632";
reg = <0x62>;
// ...
addon_led_pwm: led-pwm@3 {
reg = <3>;
label = "addon:led:pwm";
};
};
backlight-addon {
compatible = "led-backlight";
leds = <&addon_led_pwm>;
brightness-levels = <255>;
default-brightness-level = <255>;
};
In this example, the devlink should be created between the backlight-addon
(consumer) and the pca9632@62 (supplier). Instead it is created between the
backlight-addon (consumer) and the parent of the pca9632@62, which is
typically the I2C bus adapter.
On removal of the above overlay, the LED driver can be removed before the
backlight device, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
Call trace:
led_put+0xe0/0x140
devm_led_release+0x6c/0x98
Another way to reproduce the bug without any device tree overlays is
unbinding the LED class device (pca9632@62) before unbinding the consumer
(backlight-addon):
echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind
echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind
Fix by adding a devlink between the consuming led-backlight device and the
supplying LED device, as other drivers and subsystems do as well.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 64739adf3eef063b8e2c72b7e919eac8c6480bf0
(git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < cd01a24b3e52d6777b49c917d841f125fe9eebd0 (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < e06df738a9ad8417f1c4c7cd6992cda320e9e7ca (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 30cbe4b642745a9488a0f0d78be43afe69d7555c (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 0e63ea4378489e09eb5e920c8a50c10caacf563a (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9 (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 08c9dc6b0f2c68e5e7c374ac4499e321e435d46c (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 9341d6698f4cfdfc374fb6944158d111ebe16a9d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64739adf3eef063b8e2c72b7e919eac8c6480bf0",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "cd01a24b3e52d6777b49c917d841f125fe9eebd0",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "e06df738a9ad8417f1c4c7cd6992cda320e9e7ca",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "30cbe4b642745a9488a0f0d78be43afe69d7555c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "0e63ea4378489e09eb5e920c8a50c10caacf563a",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "08c9dc6b0f2c68e5e7c374ac4499e321e435d46c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "9341d6698f4cfdfc374fb6944158d111ebe16a9d",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led-bl: Add devlink to supplier LEDs\n\nLED Backlight is a consumer of one or multiple LED class devices, but\ndevlink is currently unable to create correct supplier-producer links when\nthe supplier is a class device. It creates instead a link where the\nsupplier is the parent of the expected device.\n\nOne consequence is that removal order is not correctly enforced.\n\nIssues happen for example with the following sections in a device tree\noverlay:\n\n // An LED driver chip\n pca9632@62 {\n compatible = \"nxp,pca9632\";\n reg = \u003c0x62\u003e;\n\n\t// ...\n\n addon_led_pwm: led-pwm@3 {\n reg = \u003c3\u003e;\n label = \"addon:led:pwm\";\n };\n };\n\n backlight-addon {\n compatible = \"led-backlight\";\n leds = \u003c\u0026addon_led_pwm\u003e;\n brightness-levels = \u003c255\u003e;\n default-brightness-level = \u003c255\u003e;\n };\n\nIn this example, the devlink should be created between the backlight-addon\n(consumer) and the pca9632@62 (supplier). Instead it is created between the\nbacklight-addon (consumer) and the parent of the pca9632@62, which is\ntypically the I2C bus adapter.\n\nOn removal of the above overlay, the LED driver can be removed before the\nbacklight device, resulting in:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n ...\n Call trace:\n led_put+0xe0/0x140\n devm_led_release+0x6c/0x98\n\nAnother way to reproduce the bug without any device tree overlays is\nunbinding the LED class device (pca9632@62) before unbinding the consumer\n(backlight-addon):\n\n echo 11-0062 \u003e/sys/bus/i2c/drivers/leds-pca963x/unbind\n echo ...backlight-dock \u003e/sys/bus/platform/drivers/led-backlight/unbind\n\nFix by adding a devlink between the consuming led-backlight device and the\nsupplying LED device, as other drivers and subsystems do as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:46.981Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64739adf3eef063b8e2c72b7e919eac8c6480bf0"
},
{
"url": "https://git.kernel.org/stable/c/cd01a24b3e52d6777b49c917d841f125fe9eebd0"
},
{
"url": "https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca"
},
{
"url": "https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c"
},
{
"url": "https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a"
},
{
"url": "https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9"
},
{
"url": "https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c"
},
{
"url": "https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d"
}
],
"title": "backlight: led-bl: Add devlink to supplier LEDs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68758",
"datePublished": "2026-01-05T09:32:31.399Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-05-11T21:52:46.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23031 (GCVE-0-2026-23031)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
In gs_can_open(), the URBs for USB-in transfers are allocated, added to the
parent->rx_submitted anchor and submitted. In the complete callback
gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In
gs_can_close() the URBs are freed by calling
usb_kill_anchored_urbs(parent->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in gs_can_close().
Fix the memory leak by anchoring the URB in the
gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d08e973a77d128b25e01a08c34d89593fdf222da , < 9c151898cc259a7784be60ba38664f42ede39b31
(git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < ec5ccc2af9e5b045671f3f604b57512feda8bcc5 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < f905bcfa971edb89e398c98957838d8c6381c0c7 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 08624b7206ddb9148eeffc2384ebda2c47b6d1e9 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 9f669a38ca70839229b7ba0f851820850a2fe1f7 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 7352e1d5932a0e777e39fa4b619801191f57e603 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:52.214Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c151898cc259a7784be60ba38664f42ede39b31",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "ec5ccc2af9e5b045671f3f604b57512feda8bcc5",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "f905bcfa971edb89e398c98957838d8c6381c0c7",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "08624b7206ddb9148eeffc2384ebda2c47b6d1e9",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "9f669a38ca70839229b7ba0f851820850a2fe1f7",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "7352e1d5932a0e777e39fa4b619801191f57e603",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak\n\nIn gs_can_open(), the URBs for USB-in transfers are allocated, added to the\nparent-\u003erx_submitted anchor and submitted. In the complete callback\ngs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In\ngs_can_close() the URBs are freed by calling\nusb_kill_anchored_urbs(parent-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in gs_can_close().\n\nFix the memory leak by anchoring the URB in the\ngs_usb_receive_bulk_callback() to the parent-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:40.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c151898cc259a7784be60ba38664f42ede39b31"
},
{
"url": "https://git.kernel.org/stable/c/ec5ccc2af9e5b045671f3f604b57512feda8bcc5"
},
{
"url": "https://git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7"
},
{
"url": "https://git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9"
},
{
"url": "https://git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7"
},
{
"url": "https://git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603"
}
],
"title": "can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23031",
"datePublished": "2026-01-31T11:42:09.276Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-06-02T13:00:52.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23206 (GCVE-0-2026-23206)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:02
VLAI?
EPSS
Title
dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
The driver allocates arrays for ports, FDBs, and filter blocks using
kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the
device reports zero interfaces (either due to hardware configuration
or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)
instead of NULL.
Later in dpaa2_switch_probe(), the NAPI initialization unconditionally
accesses ethsw->ports[0]->netdev, which attempts to dereference
ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.
Add a check to ensure num_ifs is greater than zero after retrieving
device attributes. This prevents the zero-sized allocations and
subsequent invalid pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0b1b71370458860579831e77485883fcf2e8fbbe , < 2fcccca88456b592bd668db13aa1d29ed257ca2b
(git)
Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < 80165ff16051448d6f840585ebe13f2400415df3 (git) Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < b97415c4362f739e25ec6f71012277086fabdf6f (git) Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < 4acc40db06ffd0fd92683505342b00c8a7394c60 (git) Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < 155eb99aff2920153bf21217ae29565fff81e6af (git) Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < ed48a84a72fefb20a82dd90a7caa7807e90c6f66 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fcccca88456b592bd668db13aa1d29ed257ca2b",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "80165ff16051448d6f840585ebe13f2400415df3",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "b97415c4362f739e25ec6f71012277086fabdf6f",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "4acc40db06ffd0fd92683505342b00c8a7394c60",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "155eb99aff2920153bf21217ae29565fff81e6af",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "ed48a84a72fefb20a82dd90a7caa7807e90c6f66",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero\n\nThe driver allocates arrays for ports, FDBs, and filter blocks using\nkcalloc() with ethsw-\u003esw_attr.num_ifs as the element count. When the\ndevice reports zero interfaces (either due to hardware configuration\nor firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)\ninstead of NULL.\n\nLater in dpaa2_switch_probe(), the NAPI initialization unconditionally\naccesses ethsw-\u003eports[0]-\u003enetdev, which attempts to dereference\nZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.\n\nAdd a check to ensure num_ifs is greater than zero after retrieving\ndevice attributes. This prevents the zero-sized allocations and\nsubsequent invalid pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:22.500Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fcccca88456b592bd668db13aa1d29ed257ca2b"
},
{
"url": "https://git.kernel.org/stable/c/80165ff16051448d6f840585ebe13f2400415df3"
},
{
"url": "https://git.kernel.org/stable/c/b97415c4362f739e25ec6f71012277086fabdf6f"
},
{
"url": "https://git.kernel.org/stable/c/4acc40db06ffd0fd92683505342b00c8a7394c60"
},
{
"url": "https://git.kernel.org/stable/c/155eb99aff2920153bf21217ae29565fff81e6af"
},
{
"url": "https://git.kernel.org/stable/c/ed48a84a72fefb20a82dd90a7caa7807e90c6f66"
}
],
"title": "dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23206",
"datePublished": "2026-02-14T16:27:29.095Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-05-11T22:02:22.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71224 (GCVE-0-2025-71224)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only
present after JOIN_OCB.
RX may run before JOIN_OCB is executed, in which case the OCB interface
is not operational. Skip RX peer handling when the interface is not
joined to avoid warnings in the RX path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
239281f803e2efdb77d906ef296086b6917e5d71 , < fcc768760df08337525cde28e8460e36f9855af8
(git)
Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < b04c75366a5471ae2dd7f4c33b7f1e2c08b9b32d (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < 8fd1c63e016893b7f6c1cf799410da4eaa98c090 (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < ffe1e19c3b0e5b9eb9e04fad4bce7d1dc407fd77 (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < 536447521b3b9be1975c7f1db9054bdf2ab779cb (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < e0bd226804f8e0098711042c93d64f3b720b36c0 (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < ff4071c60018a668249dc6a2df7d16330543540e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/ocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fcc768760df08337525cde28e8460e36f9855af8",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "b04c75366a5471ae2dd7f4c33b7f1e2c08b9b32d",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "8fd1c63e016893b7f6c1cf799410da4eaa98c090",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "ffe1e19c3b0e5b9eb9e04fad4bce7d1dc407fd77",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "536447521b3b9be1975c7f1db9054bdf2ab779cb",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "e0bd226804f8e0098711042c93d64f3b720b36c0",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "ff4071c60018a668249dc6a2df7d16330543540e",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/ocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: ocb: skip rx_no_sta when interface is not joined\n\nieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only\npresent after JOIN_OCB.\n\nRX may run before JOIN_OCB is executed, in which case the OCB interface\nis not operational. Skip RX peer handling when the interface is not\njoined to avoid warnings in the RX path."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:46.366Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fcc768760df08337525cde28e8460e36f9855af8"
},
{
"url": "https://git.kernel.org/stable/c/b04c75366a5471ae2dd7f4c33b7f1e2c08b9b32d"
},
{
"url": "https://git.kernel.org/stable/c/8fd1c63e016893b7f6c1cf799410da4eaa98c090"
},
{
"url": "https://git.kernel.org/stable/c/ffe1e19c3b0e5b9eb9e04fad4bce7d1dc407fd77"
},
{
"url": "https://git.kernel.org/stable/c/536447521b3b9be1975c7f1db9054bdf2ab779cb"
},
{
"url": "https://git.kernel.org/stable/c/e0bd226804f8e0098711042c93d64f3b720b36c0"
},
{
"url": "https://git.kernel.org/stable/c/ff4071c60018a668249dc6a2df7d16330543540e"
}
],
"title": "wifi: mac80211: ocb: skip rx_no_sta when interface is not joined",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71224",
"datePublished": "2026-02-14T16:27:06.752Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-05-11T21:56:46.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68813 (GCVE-0-2025-68813)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-16 19:15
VLAI?
EPSS
Title
ipvs: fix ipv4 null-ptr-deref in route error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix ipv4 null-ptr-deref in route error path
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ed0de45a1008991fdaa27a0152befcb74d126a8b , < dd72a93c80408f06327dd2d956eb1a656d0b5903
(git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 312d7cd88882fc6cadcc08b02287497aaaf94bcd (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < cdeff10851c37a002d87a035818ebd60fdb74447 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 4729ff0581fbb7ad098b6153b76b6f5aac94618a (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 25ab24df31f7af843c96a38e0781b9165216e1a8 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 689a627d14788ad772e0fa24c2e57a23dbc7ce90 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < ad891bb3d079a46a821bf2b8867854645191bab0 (git) Affected: 6c2fa855d8178699706b1192db2f1f8102b0ba1e (git) Affected: fbf569d2beee2a4a7a0bc8b619c26101d1211a88 (git) Affected: ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38 (git) Affected: 3d988fcddbe7b8673a231958bd2fba61b5a7ced9 (git) Affected: 8a430e56a6485267a1b2d3747209d26c54d1a34b (git) Affected: 6bd1ee0a993fc9574ae43c1994c54a60cb23a380 (git) Affected: 3.18.139 , < 3.19 (semver) Affected: 4.4.179 , < 4.5 (semver) Affected: 4.9.171 , < 4.10 (semver) Affected: 4.14.114 , < 4.15 (semver) Affected: 4.19.37 , < 4.20 (semver) Affected: 5.0.10 , < 5.1 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:15:40.029608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:15:49.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd72a93c80408f06327dd2d956eb1a656d0b5903",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "312d7cd88882fc6cadcc08b02287497aaaf94bcd",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "cdeff10851c37a002d87a035818ebd60fdb74447",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "4729ff0581fbb7ad098b6153b76b6f5aac94618a",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "25ab24df31f7af843c96a38e0781b9165216e1a8",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "689a627d14788ad772e0fa24c2e57a23dbc7ce90",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "ad891bb3d079a46a821bf2b8867854645191bab0",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"status": "affected",
"version": "6c2fa855d8178699706b1192db2f1f8102b0ba1e",
"versionType": "git"
},
{
"status": "affected",
"version": "fbf569d2beee2a4a7a0bc8b619c26101d1211a88",
"versionType": "git"
},
{
"status": "affected",
"version": "ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38",
"versionType": "git"
},
{
"status": "affected",
"version": "3d988fcddbe7b8673a231958bd2fba61b5a7ced9",
"versionType": "git"
},
{
"status": "affected",
"version": "8a430e56a6485267a1b2d3747209d26c54d1a34b",
"versionType": "git"
},
{
"status": "affected",
"version": "6bd1ee0a993fc9574ae43c1994c54a60cb23a380",
"versionType": "git"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.139",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.179",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.171",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.114",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.37",
"versionType": "semver"
},
{
"lessThan": "5.1",
"status": "affected",
"version": "5.0.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.139",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() \u2192 ipv4_send_dest_unreach() \u2192\n __ip_options_compile() \u2192 fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n \u003cTASK\u003e\n spec_dst_fill net/ipv4/ip_options.c:232\n spec_dst_fill net/ipv4/ip_options.c:229\n __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n ipv4_send_dest_unreach net/ipv4/route.c:1252\n ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n dst_link_failure include/net/dst.h:437\n __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:55.189Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903"
},
{
"url": "https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd"
},
{
"url": "https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447"
},
{
"url": "https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a"
},
{
"url": "https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8"
},
{
"url": "https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90"
},
{
"url": "https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0"
}
],
"title": "ipvs: fix ipv4 null-ptr-deref in route error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68813",
"datePublished": "2026-01-13T15:29:18.483Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-06-16T19:15:49.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23231 (GCVE-0-2026-23231)
Vulnerability from cvelistv5 – Published: 2026-03-04 12:58 – Updated: 2026-06-16 20:18
VLAI?
EPSS
Title
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 2a6586ecfa4ce1413daaafee250d2590e05f1a33
(git)
Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 7017745068a9068904e1e7a1b170a5785647cc81 (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < f3fe58ce37926a10115ede527d59b91bcc05400a (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < dbd0af8083dd201f07c49110b2ee93710abdff28 (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 71e99ee20fc3f662555118cf1159443250647533 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:01:06.839Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23231",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:18:23.569815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:18:32.493Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a6586ecfa4ce1413daaafee250d2590e05f1a33",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "7017745068a9068904e1e7a1b170a5785647cc81",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "f3fe58ce37926a10115ede527d59b91bcc05400a",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "dbd0af8083dd201f07c49110b2ee93710abdff28",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "71e99ee20fc3f662555118cf1159443250647533",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nf_tables_addchain()\n\nnf_tables_addchain() publishes the chain to table-\u003echains via\nlist_add_tail_rcu() (in nft_chain_add()) before registering hooks.\nIf nf_tables_register_hook() then fails, the error path calls\nnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()\nwith no RCU grace period in between.\n\nThis creates two use-after-free conditions:\n\n 1) Control-plane: nf_tables_dump_chains() traverses table-\u003echains\n under rcu_read_lock(). A concurrent dump can still be walking\n the chain when the error path frees it.\n\n 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly\n installs the IPv4 hook before IPv6 registration fails. Packets\n entering nft_do_chain() via the transient IPv4 hook can still be\n dereferencing chain-\u003eblob_gen_X when the error path frees the\n chain.\n\nAdd synchronize_rcu() between nft_chain_del() and the chain destroy\nso that all RCU readers -- both dump threads and in-flight packet\nevaluation -- have finished before the chain is freed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:51.735Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a6586ecfa4ce1413daaafee250d2590e05f1a33"
},
{
"url": "https://git.kernel.org/stable/c/7017745068a9068904e1e7a1b170a5785647cc81"
},
{
"url": "https://git.kernel.org/stable/c/f3fe58ce37926a10115ede527d59b91bcc05400a"
},
{
"url": "https://git.kernel.org/stable/c/dbd0af8083dd201f07c49110b2ee93710abdff28"
},
{
"url": "https://git.kernel.org/stable/c/2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b"
},
{
"url": "https://git.kernel.org/stable/c/71e99ee20fc3f662555118cf1159443250647533"
}
],
"title": "netfilter: nf_tables: fix use-after-free in nf_tables_addchain()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23231",
"datePublished": "2026-03-04T12:58:42.029Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-06-16T20:18:32.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68797 (GCVE-0-2025-68797)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-05-11 21:53
VLAI?
EPSS
Title
char: applicom: fix NULL pointer dereference in ac_ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:
char: applicom: fix NULL pointer dereference in ac_ioctl
Discovered by Atuin - Automated Vulnerability Discovery Engine.
In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.
If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.
Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5a6240804fb7bbd4f5f6e706955248a6f4c1abbc
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d1b0452280029d05a98c75631131ee61c0b0d084 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b8b353e09888bccee405e0dd6feafb60360f478 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d285517429a75423789e6408653e57b6fdfc8e54 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 74883565c621eec6cd2e35fe6d27454cf2810c23 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f83e3e9f89181b42f6076a115d767a7552c4a39e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82d12088c297fa1cef670e1718b3d24f414c23f7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/applicom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a6240804fb7bbd4f5f6e706955248a6f4c1abbc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d1b0452280029d05a98c75631131ee61c0b0d084",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b8b353e09888bccee405e0dd6feafb60360f478",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d285517429a75423789e6408653e57b6fdfc8e54",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "74883565c621eec6cd2e35fe6d27454cf2810c23",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f83e3e9f89181b42f6076a115d767a7552c4a39e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82d12088c297fa1cef670e1718b3d24f414c23f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/applicom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: applicom: fix NULL pointer dereference in ac_ioctl\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nIn ac_ioctl, the validation of IndexCard and the check for a valid\nRamIO pointer are skipped when cmd is 6. However, the function\nunconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the\nend.\n\nIf cmd is 6, IndexCard may reference a board that does not exist\n(where RamIO is NULL), leading to a NULL pointer dereference.\n\nFix this by skipping the readb access when cmd is 6, as this\ncommand is a global information query and does not target a specific\nboard context."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:31.417Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc"
},
{
"url": "https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084"
},
{
"url": "https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478"
},
{
"url": "https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54"
},
{
"url": "https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23"
},
{
"url": "https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e"
},
{
"url": "https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7"
}
],
"title": "char: applicom: fix NULL pointer dereference in ac_ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68797",
"datePublished": "2026-01-13T15:29:07.575Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-05-11T21:53:31.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23121 (GCVE-0-2026-23121)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 17:53
VLAI?
EPSS
Title
mISDN: annotate data-race around dev->work
Summary
In the Linux kernel, the following vulnerability has been resolved:
mISDN: annotate data-race around dev->work
dev->work can re read locklessly in mISDN_read()
and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.
BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read
write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:
misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]
mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xce/0x140 fs/ioctl.c:583
__x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583
x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:
mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112
do_loop_readv_writev fs/read_write.c:847 [inline]
vfs_readv+0x3fb/0x690 fs/read_write.c:1020
do_readv+0xe7/0x210 fs/read_write.c:1080
__do_sys_readv fs/read_write.c:1165 [inline]
__se_sys_readv fs/read_write.c:1162 [inline]
__x64_sys_readv+0x45/0x50 fs/read_write.c:1162
x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x00000000 -> 0x00000001
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1b2b03f8e514e4f68e293846ba511a948b80243c , < d5d99cb9e0839093cd53aa3b28176fce2f820ca0
(git)
Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 13f3b3b87068898056db4c79ee67052fbde11d43 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < accc3f8266d2a49881dbcf78c459477f4efa0ff3 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < aa6e33cd74ca4965f2bbcb025e0b672fb0168a69 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 7ac345a93af31358e18e9606eb7b354691bf6757 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 8175dbf174d487afab81e936a862a8d9b8a1ccb6 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:15.361866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T17:53:36.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/mISDN/timerdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5d99cb9e0839093cd53aa3b28176fce2f820ca0",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "13f3b3b87068898056db4c79ee67052fbde11d43",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "accc3f8266d2a49881dbcf78c459477f4efa0ff3",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "aa6e33cd74ca4965f2bbcb025e0b672fb0168a69",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "7ac345a93af31358e18e9606eb7b354691bf6757",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "8175dbf174d487afab81e936a862a8d9b8a1ccb6",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/mISDN/timerdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: annotate data-race around dev-\u003ework\n\ndev-\u003ework can re read locklessly in mISDN_read()\nand mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.\n\nBUG: KCSAN: data-race in mISDN_ioctl / mISDN_read\n\nwrite to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:\n misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]\n mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583\n __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583\n x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:\n mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112\n do_loop_readv_writev fs/read_write.c:847 [inline]\n vfs_readv+0x3fb/0x690 fs/read_write.c:1020\n do_readv+0xe7/0x210 fs/read_write.c:1080\n __do_sys_readv fs/read_write.c:1165 [inline]\n __se_sys_readv fs/read_write.c:1162 [inline]\n __x64_sys_readv+0x45/0x50 fs/read_write.c:1162\n x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00000000 -\u003e 0x00000001"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:32.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5d99cb9e0839093cd53aa3b28176fce2f820ca0"
},
{
"url": "https://git.kernel.org/stable/c/13f3b3b87068898056db4c79ee67052fbde11d43"
},
{
"url": "https://git.kernel.org/stable/c/accc3f8266d2a49881dbcf78c459477f4efa0ff3"
},
{
"url": "https://git.kernel.org/stable/c/fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7"
},
{
"url": "https://git.kernel.org/stable/c/aa6e33cd74ca4965f2bbcb025e0b672fb0168a69"
},
{
"url": "https://git.kernel.org/stable/c/7ac345a93af31358e18e9606eb7b354691bf6757"
},
{
"url": "https://git.kernel.org/stable/c/8175dbf174d487afab81e936a862a8d9b8a1ccb6"
}
],
"title": "mISDN: annotate data-race around dev-\u003ework",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23121",
"datePublished": "2026-02-14T15:09:51.912Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-06-11T17:53:36.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71183 (GCVE-0-2025-71183)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:38 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
btrfs: always detect conflicting inodes when logging inode refs
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: always detect conflicting inodes when logging inode refs
After rename exchanging (either with the rename exchange operation or
regular renames in multiple non-atomic steps) two inodes and at least
one of them is a directory, we can end up with a log tree that contains
only of the inodes and after a power failure that can result in an attempt
to delete the other inode when it should not because it was not deleted
before the power failure. In some case that delete attempt fails when
the target inode is a directory that contains a subvolume inside it, since
the log replay code is not prepared to deal with directory entries that
point to root items (only inode items).
1) We have directories "dir1" (inode A) and "dir2" (inode B) under the
same parent directory;
2) We have a file (inode C) under directory "dir1" (inode A);
3) We have a subvolume inside directory "dir2" (inode B);
4) All these inodes were persisted in a past transaction and we are
currently at transaction N;
5) We rename the file (inode C), so at btrfs_log_new_name() we update
inode C's last_unlink_trans to N;
6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B),
so after the exchange "dir1" is inode B and "dir2" is inode A.
During the rename exchange we call btrfs_log_new_name() for inodes
A and B, but because they are directories, we don't update their
last_unlink_trans to N;
7) An fsync against the file (inode C) is done, and because its inode
has a last_unlink_trans with a value of N we log its parent directory
(inode A) (through btrfs_log_all_parents(), called from
btrfs_log_inode_parent()).
8) So we end up with inode B not logged, which now has the old name
of inode A. At copy_inode_items_to_log(), when logging inode A, we
did not check if we had any conflicting inode to log because inode
A has a generation lower than the current transaction (created in
a past transaction);
9) After a power failure, when replaying the log tree, since we find that
inode A has a new name that conflicts with the name of inode B in the
fs tree, we attempt to delete inode B... this is wrong since that
directory was never deleted before the power failure, and because there
is a subvolume inside that directory, attempting to delete it will fail
since replay_dir_deletes() and btrfs_unlink_inode() are not prepared
to deal with dir items that point to roots instead of inodes.
When that happens the mount fails and we get a stack trace like the
following:
[87.2314] BTRFS info (device dm-0): start tree-log replay
[87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259
[87.2332] ------------[ cut here ]------------
[87.2338] BTRFS: Transaction aborted (error -2)
[87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs]
[87.2368] Modules linked in: btrfs loop dm_thin_pool (...)
[87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full)
[87.2489] Tainted: [W]=WARN
[87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs]
[87.2538] Code: c0 89 04 24 (...)
[87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286
[87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000
[87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff
[87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840
[87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0
[87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10
[87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000
[87.
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
56f23fdbb600e6087db7b009775b95ce07cc3195 , < c7f0207db68d5a1b4af23acbef1a8e8ddc431ebb
(git)
Affected: 56f23fdbb600e6087db7b009775b95ce07cc3195 , < a63998cd6687c14b160dccb0bbcf281b2eb0dab3 (git) Affected: 56f23fdbb600e6087db7b009775b95ce07cc3195 , < 0c2413c69129f6ce60157f7b53d9ba880260400b (git) Affected: 56f23fdbb600e6087db7b009775b95ce07cc3195 , < d52af58dd463821c5c516aebb031a58934f696ea (git) Affected: 56f23fdbb600e6087db7b009775b95ce07cc3195 , < 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 (git) Affected: 048605483fbdd1e77ead32a7cd7b95cc17eaaf0e (git) Affected: 033ad030df0ea932a21499582fea59e1df95769b (git) Affected: 1653a3b0e9436c10eb307c318776cf91fe18ff08 (git) Affected: ff440e9185e96cbb94481fc8b6192b944dcfc061 (git) Affected: 3.18.32 , < 3.19 (semver) Affected: 4.1.23 , < 4.2 (semver) Affected: 4.4.8 , < 4.5 (semver) Affected: 4.5.2 , < 4.6 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7f0207db68d5a1b4af23acbef1a8e8ddc431ebb",
"status": "affected",
"version": "56f23fdbb600e6087db7b009775b95ce07cc3195",
"versionType": "git"
},
{
"lessThan": "a63998cd6687c14b160dccb0bbcf281b2eb0dab3",
"status": "affected",
"version": "56f23fdbb600e6087db7b009775b95ce07cc3195",
"versionType": "git"
},
{
"lessThan": "0c2413c69129f6ce60157f7b53d9ba880260400b",
"status": "affected",
"version": "56f23fdbb600e6087db7b009775b95ce07cc3195",
"versionType": "git"
},
{
"lessThan": "d52af58dd463821c5c516aebb031a58934f696ea",
"status": "affected",
"version": "56f23fdbb600e6087db7b009775b95ce07cc3195",
"versionType": "git"
},
{
"lessThan": "7ba0b6461bc4edb3005ea6e00cdae189bcf908a5",
"status": "affected",
"version": "56f23fdbb600e6087db7b009775b95ce07cc3195",
"versionType": "git"
},
{
"status": "affected",
"version": "048605483fbdd1e77ead32a7cd7b95cc17eaaf0e",
"versionType": "git"
},
{
"status": "affected",
"version": "033ad030df0ea932a21499582fea59e1df95769b",
"versionType": "git"
},
{
"status": "affected",
"version": "1653a3b0e9436c10eb307c318776cf91fe18ff08",
"versionType": "git"
},
{
"status": "affected",
"version": "ff440e9185e96cbb94481fc8b6192b944dcfc061",
"versionType": "git"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.32",
"versionType": "semver"
},
{
"lessThan": "4.2",
"status": "affected",
"version": "4.1.23",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.8",
"versionType": "semver"
},
{
"lessThan": "4.6",
"status": "affected",
"version": "4.5.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: always detect conflicting inodes when logging inode refs\n\nAfter rename exchanging (either with the rename exchange operation or\nregular renames in multiple non-atomic steps) two inodes and at least\none of them is a directory, we can end up with a log tree that contains\nonly of the inodes and after a power failure that can result in an attempt\nto delete the other inode when it should not because it was not deleted\nbefore the power failure. In some case that delete attempt fails when\nthe target inode is a directory that contains a subvolume inside it, since\nthe log replay code is not prepared to deal with directory entries that\npoint to root items (only inode items).\n\n1) We have directories \"dir1\" (inode A) and \"dir2\" (inode B) under the\n same parent directory;\n\n2) We have a file (inode C) under directory \"dir1\" (inode A);\n\n3) We have a subvolume inside directory \"dir2\" (inode B);\n\n4) All these inodes were persisted in a past transaction and we are\n currently at transaction N;\n\n5) We rename the file (inode C), so at btrfs_log_new_name() we update\n inode C\u0027s last_unlink_trans to N;\n\n6) We get a rename exchange for \"dir1\" (inode A) and \"dir2\" (inode B),\n so after the exchange \"dir1\" is inode B and \"dir2\" is inode A.\n During the rename exchange we call btrfs_log_new_name() for inodes\n A and B, but because they are directories, we don\u0027t update their\n last_unlink_trans to N;\n\n7) An fsync against the file (inode C) is done, and because its inode\n has a last_unlink_trans with a value of N we log its parent directory\n (inode A) (through btrfs_log_all_parents(), called from\n btrfs_log_inode_parent()).\n\n8) So we end up with inode B not logged, which now has the old name\n of inode A. At copy_inode_items_to_log(), when logging inode A, we\n did not check if we had any conflicting inode to log because inode\n A has a generation lower than the current transaction (created in\n a past transaction);\n\n9) After a power failure, when replaying the log tree, since we find that\n inode A has a new name that conflicts with the name of inode B in the\n fs tree, we attempt to delete inode B... this is wrong since that\n directory was never deleted before the power failure, and because there\n is a subvolume inside that directory, attempting to delete it will fail\n since replay_dir_deletes() and btrfs_unlink_inode() are not prepared\n to deal with dir items that point to roots instead of inodes.\n\n When that happens the mount fails and we get a stack trace like the\n following:\n\n [87.2314] BTRFS info (device dm-0): start tree-log replay\n [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259\n [87.2332] ------------[ cut here ]------------\n [87.2338] BTRFS: Transaction aborted (error -2)\n [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs]\n [87.2368] Modules linked in: btrfs loop dm_thin_pool (...)\n [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full)\n [87.2489] Tainted: [W]=WARN\n [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs]\n [87.2538] Code: c0 89 04 24 (...)\n [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286\n [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000\n [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff\n [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840\n [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0\n [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10\n [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000\n [87.\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:29.348Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7f0207db68d5a1b4af23acbef1a8e8ddc431ebb"
},
{
"url": "https://git.kernel.org/stable/c/a63998cd6687c14b160dccb0bbcf281b2eb0dab3"
},
{
"url": "https://git.kernel.org/stable/c/0c2413c69129f6ce60157f7b53d9ba880260400b"
},
{
"url": "https://git.kernel.org/stable/c/d52af58dd463821c5c516aebb031a58934f696ea"
},
{
"url": "https://git.kernel.org/stable/c/7ba0b6461bc4edb3005ea6e00cdae189bcf908a5"
}
],
"title": "btrfs: always detect conflicting inodes when logging inode refs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71183",
"datePublished": "2026-01-31T11:38:56.067Z",
"dateReserved": "2026-01-31T11:36:51.186Z",
"dateUpdated": "2026-05-23T16:03:29.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23071 (GCVE-0-2026-23071)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
regmap: Fix race condition in hwspinlock irqsave routine
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap: Fix race condition in hwspinlock irqsave routine
Previously, the address of the shared member '&map->spinlock_flags' was
passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race
condition where multiple contexts contending for the lock could overwrite
the shared flags variable, potentially corrupting the state for the
current lock owner.
Fix this by using a local stack variable 'flags' to store the IRQ state
temporarily.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8698b9364710e7bac84b3af07dd410e39c8c2e08 , < e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5
(git)
Affected: 8698b9364710e7bac84b3af07dd410e39c8c2e08 , < 766e243ae8c8b27087a4cc605752c0d5ee2daeab (git) Affected: 8698b9364710e7bac84b3af07dd410e39c8c2e08 , < f1e2fe26a51eca95b41420af76d22c2e613efd5e (git) Affected: 8698b9364710e7bac84b3af07dd410e39c8c2e08 , < 24f31be6ad70537fd7706269d99c92cade465a09 (git) Affected: 8698b9364710e7bac84b3af07dd410e39c8c2e08 , < 4aab0ca0a0f7760e33edcb4e47576064d05128f5 (git) Affected: 8698b9364710e7bac84b3af07dd410e39c8c2e08 , < c2d2cf710dc3ee1a69e00b4ed8de607a92a07889 (git) Affected: 8698b9364710e7bac84b3af07dd410e39c8c2e08 , < 4b58aac989c1e3fafb1c68a733811859df388250 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:57.245934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:07.316Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "766e243ae8c8b27087a4cc605752c0d5ee2daeab",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "f1e2fe26a51eca95b41420af76d22c2e613efd5e",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "24f31be6ad70537fd7706269d99c92cade465a09",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "4aab0ca0a0f7760e33edcb4e47576064d05128f5",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "c2d2cf710dc3ee1a69e00b4ed8de607a92a07889",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "4b58aac989c1e3fafb1c68a733811859df388250",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: Fix race condition in hwspinlock irqsave routine\n\nPreviously, the address of the shared member \u0027\u0026map-\u003espinlock_flags\u0027 was\npassed directly to \u0027hwspin_lock_timeout_irqsave\u0027. This creates a race\ncondition where multiple contexts contending for the lock could overwrite\nthe shared flags variable, potentially corrupting the state for the\ncurrent lock owner.\n\nFix this by using a local stack variable \u0027flags\u0027 to store the IRQ state\ntemporarily."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:26.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5"
},
{
"url": "https://git.kernel.org/stable/c/766e243ae8c8b27087a4cc605752c0d5ee2daeab"
},
{
"url": "https://git.kernel.org/stable/c/f1e2fe26a51eca95b41420af76d22c2e613efd5e"
},
{
"url": "https://git.kernel.org/stable/c/24f31be6ad70537fd7706269d99c92cade465a09"
},
{
"url": "https://git.kernel.org/stable/c/4aab0ca0a0f7760e33edcb4e47576064d05128f5"
},
{
"url": "https://git.kernel.org/stable/c/c2d2cf710dc3ee1a69e00b4ed8de607a92a07889"
},
{
"url": "https://git.kernel.org/stable/c/4b58aac989c1e3fafb1c68a733811859df388250"
}
],
"title": "regmap: Fix race condition in hwspinlock irqsave routine",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23071",
"datePublished": "2026-02-04T16:07:51.603Z",
"dateReserved": "2026-01-13T15:37:45.955Z",
"dateUpdated": "2026-06-11T18:44:07.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23061 (GCVE-0-2026-23061)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the
URBs for USB-in transfers are allocated, added to the dev->rx_submitted
anchor and submitted. In the complete callback
kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
kvaser_usb_remove_interfaces() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
080f40a6fa28dab299da7a652e444b1e2d9231e7 , < d9d824582f2ec76459ffab449e9b05c7bc49645c
(git)
Affected: 080f40a6fa28dab299da7a652e444b1e2d9231e7 , < 40a3334ffda479c63e416e61ff086485e24401f7 (git) Affected: 080f40a6fa28dab299da7a652e444b1e2d9231e7 , < c1b39fa24c140bc616f51fef4175c1743e2bb132 (git) Affected: 080f40a6fa28dab299da7a652e444b1e2d9231e7 , < 7c308f7530bffafa994e0aa8dc651a312f4b9ff4 (git) Affected: 080f40a6fa28dab299da7a652e444b1e2d9231e7 , < 94a7fc42e21c7d9d1c49778cd1db52de5df52a01 (git) Affected: 080f40a6fa28dab299da7a652e444b1e2d9231e7 , < 3b1a593eab941c3f32417896cc7df564191f2482 (git) Affected: 080f40a6fa28dab299da7a652e444b1e2d9231e7 , < 248e8e1a125fa875158df521b30f2cc7e27eeeaa (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23061",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:41.081796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:04.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9d824582f2ec76459ffab449e9b05c7bc49645c",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "40a3334ffda479c63e416e61ff086485e24401f7",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "c1b39fa24c140bc616f51fef4175c1743e2bb132",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "7c308f7530bffafa994e0aa8dc651a312f4b9ff4",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "94a7fc42e21c7d9d1c49778cd1db52de5df52a01",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "3b1a593eab941c3f32417896cc7df564191f2482",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "248e8e1a125fa875158df521b30f2cc7e27eeeaa",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn kvaser_usb_set_{,data_}bittiming() -\u003e kvaser_usb_setup_rx_urbs(), the\nURBs for USB-in transfers are allocated, added to the dev-\u003erx_submitted\nanchor and submitted. In the complete callback\nkvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nkvaser_usb_remove_interfaces() the URBs are freed by calling\nusb_kill_anchored_urbs(\u0026dev-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nkvaser_usb_read_bulk_callback() to the dev-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:14.748Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c"
},
{
"url": "https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7"
},
{
"url": "https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132"
},
{
"url": "https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4"
},
{
"url": "https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01"
},
{
"url": "https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482"
},
{
"url": "https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa"
}
],
"title": "can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23061",
"datePublished": "2026-02-04T16:07:43.626Z",
"dateReserved": "2026-01-13T15:37:45.952Z",
"dateUpdated": "2026-06-11T18:44:04.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43494 (GCVE-0-2026-43494)
Vulnerability from cvelistv5 – Published: 2026-05-21 10:49 – Updated: 2026-06-30 12:08
VLAI?
EPSS
Title
net/rds: reset op_nents when zerocopy page pin fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/rds: reset op_nents when zerocopy page pin fails
When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared. But we fail to properly
clear rm->data.op_nents.
Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.
Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().
Severity ?
7.8 (High)
CWE
- CWE-1341 - Multiple Releases of Same Resource or Handle
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < c6e51512a784c4a7b86e1a044988696e3b3721fa
(git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 03014551938a0887fa55f18ce49b70158a9c0113 (git) Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < d84ce1786ce40fdd3dd98db47aec5527817e1ef6 (git) Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 9115669faedccdda100428e2d26fd0aac8c50799 (git) Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 0bbbff00a15b1df2cac9014d6cf4b6890f473353 (git) Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 640e37f58f991546a87540d067279c2c1fa9fe51 (git) Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 290e833d1acb1093bc121fcdc97f5e6161157479 (git) Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < e174929793195e0cd6a4adb0cad731b39f9019b4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-21T15:04:20.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel, specifically within the `net/rds` module. When a zerocopy page pin operation fails, a counter used for memory management (`op_nents`) is not correctly reset. This can result in a double-free vulnerability, where the same memory is released twice. A local attacker could potentially exploit this to cause the system to crash (denial of service) or, in some cases, execute unauthorized code."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1341",
"description": "Multiple Releases of Same Resource or Handle",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:33.155Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43494"
},
{
"name": "RHBZ#2480434",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480434"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43494.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-21T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: net/rds: reset op_nents when zerocopy page pin fails",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rds/message.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6e51512a784c4a7b86e1a044988696e3b3721fa",
"status": "affected",
"version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
"versionType": "git"
},
{
"lessThan": "03014551938a0887fa55f18ce49b70158a9c0113",
"status": "affected",
"version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
"versionType": "git"
},
{
"lessThan": "d84ce1786ce40fdd3dd98db47aec5527817e1ef6",
"status": "affected",
"version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
"versionType": "git"
},
{
"lessThan": "9115669faedccdda100428e2d26fd0aac8c50799",
"status": "affected",
"version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
"versionType": "git"
},
{
"lessThan": "0bbbff00a15b1df2cac9014d6cf4b6890f473353",
"status": "affected",
"version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
"versionType": "git"
},
{
"lessThan": "640e37f58f991546a87540d067279c2c1fa9fe51",
"status": "affected",
"version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
"versionType": "git"
},
{
"lessThan": "290e833d1acb1093bc121fcdc97f5e6161157479",
"status": "affected",
"version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
"versionType": "git"
},
{
"lessThan": "e174929793195e0cd6a4adb0cad731b39f9019b4",
"status": "affected",
"version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rds/message.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: reset op_nents when zerocopy page pin fails\n\nWhen iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),\nthe pinned pages are released with put_page(), and\nrm-\u003edata.op_mmp_znotifier is cleared. But we fail to properly\nclear rm-\u003edata.op_nents.\n\nLater when rds_message_purge() is called from rds_sendmsg() the\ncleanup loop iterates over the incorrectly non zero number of\nop_nents and frees them again.\n\nFix this by properly resetting op_nents when it should be in\nrds_message_zcopy_from_user()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:45:20.190Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6e51512a784c4a7b86e1a044988696e3b3721fa"
},
{
"url": "https://git.kernel.org/stable/c/03014551938a0887fa55f18ce49b70158a9c0113"
},
{
"url": "https://git.kernel.org/stable/c/d84ce1786ce40fdd3dd98db47aec5527817e1ef6"
},
{
"url": "https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799"
},
{
"url": "https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353"
},
{
"url": "https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51"
},
{
"url": "https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479"
},
{
"url": "https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4"
},
{
"url": "https://github.com/v12-security/pocs/tree/main/pintheft"
}
],
"title": "net/rds: reset op_nents when zerocopy page pin fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43494",
"datePublished": "2026-05-21T10:49:21.310Z",
"dateReserved": "2026-05-01T14:12:56.013Z",
"dateUpdated": "2026-06-30T12:08:33.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68823 (GCVE-0-2025-68823)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-01 16:05
VLAI?
EPSS
Title
ublk: fix deadlock when reading partition table
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: fix deadlock when reading partition table
When one process(such as udev) opens ublk block device (e.g., to read
the partition table via bdev_open()), a deadlock[1] can occur:
1. bdev_open() grabs disk->open_mutex
2. The process issues read I/O to ublk backend to read partition table
3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()
runs bio->bi_end_io() callbacks
4. If this triggers fput() on file descriptor of ublk block device, the
work may be deferred to current task's task work (see fput() implementation)
5. This eventually calls blkdev_release() from the same context
6. blkdev_release() tries to grab disk->open_mutex again
7. Deadlock: same task waiting for a mutex it already holds
The fix is to run blk_update_request() and blk_mq_end_request() with bottom
halves disabled. This forces blkdev_release() to run in kernel work-queue
context instead of current task work context, and allows ublk server to make
forward progress, and avoids the deadlock.
[axboe: rewrite comment in ublk]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
71f28f3136aff5890cd56de78abc673f8393cad9 , < 27bb79b7717b2fbb111a1c13548b2786ee712dca
(git)
Affected: 71f28f3136aff5890cd56de78abc673f8393cad9 , < 64c0b7e2293757e8320f13434cd809f1c9257a62 (git) Affected: 71f28f3136aff5890cd56de78abc673f8393cad9 , < 9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7 (git) Affected: 71f28f3136aff5890cd56de78abc673f8393cad9 , < 0460e09a614291f06c008443f47393c37b7358e7 (git) Affected: 71f28f3136aff5890cd56de78abc673f8393cad9 , < c258f5c4502c9667bccf5d76fa731ab9c96687c1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27bb79b7717b2fbb111a1c13548b2786ee712dca",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "64c0b7e2293757e8320f13434cd809f1c9257a62",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "0460e09a614291f06c008443f47393c37b7358e7",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "c258f5c4502c9667bccf5d76fa731ab9c96687c1",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix deadlock when reading partition table\n\nWhen one process(such as udev) opens ublk block device (e.g., to read\nthe partition table via bdev_open()), a deadlock[1] can occur:\n\n1. bdev_open() grabs disk-\u003eopen_mutex\n2. The process issues read I/O to ublk backend to read partition table\n3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()\n runs bio-\u003ebi_end_io() callbacks\n4. If this triggers fput() on file descriptor of ublk block device, the\n work may be deferred to current task\u0027s task work (see fput() implementation)\n5. This eventually calls blkdev_release() from the same context\n6. blkdev_release() tries to grab disk-\u003eopen_mutex again\n7. Deadlock: same task waiting for a mutex it already holds\n\nThe fix is to run blk_update_request() and blk_mq_end_request() with bottom\nhalves disabled. This forces blkdev_release() to run in kernel work-queue\ncontext instead of current task work context, and allows ublk server to make\nforward progress, and avoids the deadlock.\n\n[axboe: rewrite comment in ublk]"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:05:45.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27bb79b7717b2fbb111a1c13548b2786ee712dca"
},
{
"url": "https://git.kernel.org/stable/c/64c0b7e2293757e8320f13434cd809f1c9257a62"
},
{
"url": "https://git.kernel.org/stable/c/9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7"
},
{
"url": "https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7"
},
{
"url": "https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1"
}
],
"title": "ublk: fix deadlock when reading partition table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68823",
"datePublished": "2026-01-13T15:29:25.392Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-06-01T16:05:45.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71137 (GCVE-0-2025-71137)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-05-11 21:55
VLAI?
EPSS
Title
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
This patch ensures that the RX ring size (rx_pending) is not
set below the permitted length. This avoids UBSAN
shift-out-of-bounds errors when users passes small or zero
ring sizes via ethtool -G.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 5d8dfa3abb9a845302e021cf9c92d941abbc011a
(git)
Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 4cc4cfe4d23c883120b6f3d41145edbaa281f2ab (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 658caf3b8aad65f8b8e102670ca4f68c7030f655 (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < b23a2e15589466a027c9baa3fb5813c9f6a6c6dc (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < aa743b0d98448282b2cb37356db8db2a48524624 (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 442848e457f5a9f71a4e7e14d24d73dae278ebe3 (git) Affected: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 , < 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d8dfa3abb9a845302e021cf9c92d941abbc011a",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "4cc4cfe4d23c883120b6f3d41145edbaa281f2ab",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "658caf3b8aad65f8b8e102670ca4f68c7030f655",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "b23a2e15589466a027c9baa3fb5813c9f6a6c6dc",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "aa743b0d98448282b2cb37356db8db2a48524624",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "442848e457f5a9f71a4e7e14d24d73dae278ebe3",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: fix \"UBSAN: shift-out-of-bounds error\"\n\nThis patch ensures that the RX ring size (rx_pending) is not\nset below the permitted length. This avoids UBSAN\nshift-out-of-bounds errors when users passes small or zero\nring sizes via ethtool -G."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:41.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d8dfa3abb9a845302e021cf9c92d941abbc011a"
},
{
"url": "https://git.kernel.org/stable/c/4cc4cfe4d23c883120b6f3d41145edbaa281f2ab"
},
{
"url": "https://git.kernel.org/stable/c/658caf3b8aad65f8b8e102670ca4f68c7030f655"
},
{
"url": "https://git.kernel.org/stable/c/b23a2e15589466a027c9baa3fb5813c9f6a6c6dc"
},
{
"url": "https://git.kernel.org/stable/c/aa743b0d98448282b2cb37356db8db2a48524624"
},
{
"url": "https://git.kernel.org/stable/c/442848e457f5a9f71a4e7e14d24d73dae278ebe3"
},
{
"url": "https://git.kernel.org/stable/c/85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7"
}
],
"title": "octeontx2-pf: fix \"UBSAN: shift-out-of-bounds error\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71137",
"datePublished": "2026-01-14T15:07:51.264Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-05-11T21:55:41.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23180 (GCVE-0-2026-23180)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:01
VLAI?
EPSS
Title
dpaa2-switch: add bounds check for if_id in IRQ handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: add bounds check for if_id in IRQ handler
The IRQ handler extracts if_id from the upper 16 bits of the hardware
status register and uses it to index into ethsw->ports[] without
validation. Since if_id can be any 16-bit value (0-65535) but the ports
array is only allocated with sw_attr.num_ifs elements, this can lead to
an out-of-bounds read potentially.
Add a bounds check before accessing the array, consistent with the
existing validation in dpaa2_switch_rx().
Severity ?
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 77611cab5bdfff7a070ae574bbfba20a1de99d1b
(git)
Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 34b56c16efd61325d80bf1d780d0e176be662f59 (git) Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < f89e33c9c37f0001b730e23b3b05ab7b1ecface2 (git) Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 2447edc367800ba914acf7ddd5d250416b45fb31 (git) Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 1b381a638e1851d8cfdfe08ed9cdbec5295b18c9 (git) Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 31a7a0bbeb006bac2d9c81a2874825025214b6d8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77611cab5bdfff7a070ae574bbfba20a1de99d1b",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "34b56c16efd61325d80bf1d780d0e176be662f59",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "f89e33c9c37f0001b730e23b3b05ab7b1ecface2",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "2447edc367800ba914acf7ddd5d250416b45fb31",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "1b381a638e1851d8cfdfe08ed9cdbec5295b18c9",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "31a7a0bbeb006bac2d9c81a2874825025214b6d8",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: add bounds check for if_id in IRQ handler\n\nThe IRQ handler extracts if_id from the upper 16 bits of the hardware\nstatus register and uses it to index into ethsw-\u003eports[] without\nvalidation. Since if_id can be any 16-bit value (0-65535) but the ports\narray is only allocated with sw_attr.num_ifs elements, this can lead to\nan out-of-bounds read potentially.\n\nAdd a bounds check before accessing the array, consistent with the\nexisting validation in dpaa2_switch_rx()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:52.245Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77611cab5bdfff7a070ae574bbfba20a1de99d1b"
},
{
"url": "https://git.kernel.org/stable/c/34b56c16efd61325d80bf1d780d0e176be662f59"
},
{
"url": "https://git.kernel.org/stable/c/f89e33c9c37f0001b730e23b3b05ab7b1ecface2"
},
{
"url": "https://git.kernel.org/stable/c/2447edc367800ba914acf7ddd5d250416b45fb31"
},
{
"url": "https://git.kernel.org/stable/c/1b381a638e1851d8cfdfe08ed9cdbec5295b18c9"
},
{
"url": "https://git.kernel.org/stable/c/31a7a0bbeb006bac2d9c81a2874825025214b6d8"
}
],
"title": "dpaa2-switch: add bounds check for if_id in IRQ handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23180",
"datePublished": "2026-02-14T16:27:11.463Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-05-11T22:01:52.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68344 (GCVE-0-2025-68344)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
ALSA: wavefront: Fix integer overflow in sample size validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: wavefront: Fix integer overflow in sample size validation
The wavefront_send_sample() function has an integer overflow issue
when validating sample size. The header->size field is u32 but gets
cast to int for comparison with dev->freemem
Fix by using unsigned comparison to avoid integer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 488bf86d60077f52810c60dbdf7468c277880167
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4f811071e702fbb74933526e2fbadf8c4ed0c0c4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 02b63f3bc29265bd9e83191792d200ed563acacf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5588b7c86effffa9bb55383a38800649d7b40778 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bca11de0a277b8baeb7d006f93b543c907b6e782 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1823e08f76c68b9e1d26f6d5ef831b96f61a62a0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0c4a13ba88594fd4a27292853e736c6b4349823d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/isa/wavefront/wavefront_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "488bf86d60077f52810c60dbdf7468c277880167",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f811071e702fbb74933526e2fbadf8c4ed0c0c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02b63f3bc29265bd9e83191792d200ed563acacf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5588b7c86effffa9bb55383a38800649d7b40778",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bca11de0a277b8baeb7d006f93b543c907b6e782",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1823e08f76c68b9e1d26f6d5ef831b96f61a62a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c4a13ba88594fd4a27292853e736c6b4349823d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/isa/wavefront/wavefront_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: wavefront: Fix integer overflow in sample size validation\n\nThe wavefront_send_sample() function has an integer overflow issue\nwhen validating sample size. The header-\u003esize field is u32 but gets\ncast to int for comparison with dev-\u003efreemem\n\nFix by using unsigned comparison to avoid integer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:22.916Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/488bf86d60077f52810c60dbdf7468c277880167"
},
{
"url": "https://git.kernel.org/stable/c/d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937"
},
{
"url": "https://git.kernel.org/stable/c/4f811071e702fbb74933526e2fbadf8c4ed0c0c4"
},
{
"url": "https://git.kernel.org/stable/c/02b63f3bc29265bd9e83191792d200ed563acacf"
},
{
"url": "https://git.kernel.org/stable/c/5588b7c86effffa9bb55383a38800649d7b40778"
},
{
"url": "https://git.kernel.org/stable/c/bca11de0a277b8baeb7d006f93b543c907b6e782"
},
{
"url": "https://git.kernel.org/stable/c/1823e08f76c68b9e1d26f6d5ef831b96f61a62a0"
},
{
"url": "https://git.kernel.org/stable/c/0c4a13ba88594fd4a27292853e736c6b4349823d"
}
],
"title": "ALSA: wavefront: Fix integer overflow in sample size validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68344",
"datePublished": "2025-12-24T10:32:37.615Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-05-11T21:51:22.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71140 (GCVE-0-2025-71140)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-05-27 09:28
VLAI?
EPSS
Title
media: mediatek: vcodec: Use spinlock for context list protection lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Use spinlock for context list protection lock
Previously a mutex was added to protect the encoder and decoder context
lists from unexpected changes originating from the SCP IP block, causing
the context pointer to go invalid, resulting in a NULL pointer
dereference in the IPI handler.
Turns out on the MT8173, the VPU IPI handler is called from hard IRQ
context. This causes a big warning from the scheduler. This was first
reported downstream on the ChromeOS kernels, but is also reproducible
on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though
the actual capture format is not supported, the affected code paths
are triggered.
Since this lock just protects the context list and operations on it are
very fast, it should be OK to switch to a spinlock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0a2dc707aa42214f9c4827bd57e344e29a0841d6 , < 2c1ea6214827041f548279c9eda341eda0cc8351
(git)
Affected: 6467cda18c9f9b5f2f9a0aa1e2861c653e41f382 , < b92c19675f632a41af1222027a231bc2b7efa7ed (git) Affected: 6467cda18c9f9b5f2f9a0aa1e2861c653e41f382 , < 3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1 (git) Affected: 6467cda18c9f9b5f2f9a0aa1e2861c653e41f382 , < a5844227e0f030d2af2d85d4aed10c5eca6ca176 (git) Affected: 23aaf824121055ba81b55f75444355bd83c8eb38 (git) Affected: 41671f0c0182b2bae74ca7e3b0f155559e3e2fc5 (git) Affected: 51c84a8aac6e3b59af2b0e92ba63cabe2e641a2d (git) Affected: 6.6.27 , < 6.6.120 (semver) Affected: 6.8.6 , < 6.9 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c",
"drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c",
"drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h",
"drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c",
"drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c",
"drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h",
"drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c1ea6214827041f548279c9eda341eda0cc8351",
"status": "affected",
"version": "0a2dc707aa42214f9c4827bd57e344e29a0841d6",
"versionType": "git"
},
{
"lessThan": "b92c19675f632a41af1222027a231bc2b7efa7ed",
"status": "affected",
"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382",
"versionType": "git"
},
{
"lessThan": "3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1",
"status": "affected",
"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382",
"versionType": "git"
},
{
"lessThan": "a5844227e0f030d2af2d85d4aed10c5eca6ca176",
"status": "affected",
"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382",
"versionType": "git"
},
{
"status": "affected",
"version": "23aaf824121055ba81b55f75444355bd83c8eb38",
"versionType": "git"
},
{
"status": "affected",
"version": "41671f0c0182b2bae74ca7e3b0f155559e3e2fc5",
"versionType": "git"
},
{
"status": "affected",
"version": "51c84a8aac6e3b59af2b0e92ba63cabe2e641a2d",
"versionType": "git"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.27",
"versionType": "semver"
},
{
"lessThan": "6.9",
"status": "affected",
"version": "6.8.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c",
"drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c",
"drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h",
"drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c",
"drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c",
"drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h",
"drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Use spinlock for context list protection lock\n\nPreviously a mutex was added to protect the encoder and decoder context\nlists from unexpected changes originating from the SCP IP block, causing\nthe context pointer to go invalid, resulting in a NULL pointer\ndereference in the IPI handler.\n\nTurns out on the MT8173, the VPU IPI handler is called from hard IRQ\ncontext. This causes a big warning from the scheduler. This was first\nreported downstream on the ChromeOS kernels, but is also reproducible\non mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though\nthe actual capture format is not supported, the affected code paths\nare triggered.\n\nSince this lock just protects the context list and operations on it are\nvery fast, it should be OK to switch to a spinlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T09:28:15.646Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351"
},
{
"url": "https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed"
},
{
"url": "https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1"
},
{
"url": "https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176"
}
],
"title": "media: mediatek: vcodec: Use spinlock for context list protection lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71140",
"datePublished": "2026-01-14T15:07:53.581Z",
"dateReserved": "2026-01-13T15:30:19.660Z",
"dateUpdated": "2026-05-27T09:28:15.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23033 (GCVE-0-2026-23033)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-02 13:00
VLAI?
EPSS
Title
dmaengine: omap-dma: fix dma_pool resource leak in error paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: omap-dma: fix dma_pool resource leak in error paths
The dma_pool created by dma_pool_create() is not destroyed when
dma_async_device_register() or of_dma_controller_register() fails,
causing a resource leak in the probe error paths.
Add dma_pool_destroy() in both error paths to properly release the
allocated dma_pool resource.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 8d66cb05b8b76396387a7b3a91f9284225c87f04
(git)
Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 2b29f38f4f9660595e8272b8e8b82ffcca7ce592 (git) Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 6b867a98699657c2a698bbc9e60656349b39b905 (git) Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 88a9483f093bbb9263dcf21bc7fdb5132e5de88d (git) Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 4b93712e96be17029bd22787f2e39feb0e73272c (git) Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 829b00481734dd54e72f755fd6584bce6fbffbb0 (git) Affected: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed , < 2e1136acf8a8887c29f52e35a77b537309af321f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:54.479Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/omap-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d66cb05b8b76396387a7b3a91f9284225c87f04",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "2b29f38f4f9660595e8272b8e8b82ffcca7ce592",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "6b867a98699657c2a698bbc9e60656349b39b905",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "88a9483f093bbb9263dcf21bc7fdb5132e5de88d",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "4b93712e96be17029bd22787f2e39feb0e73272c",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "829b00481734dd54e72f755fd6584bce6fbffbb0",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "2e1136acf8a8887c29f52e35a77b537309af321f",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/omap-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: omap-dma: fix dma_pool resource leak in error paths\n\nThe dma_pool created by dma_pool_create() is not destroyed when\ndma_async_device_register() or of_dma_controller_register() fails,\ncausing a resource leak in the probe error paths.\n\nAdd dma_pool_destroy() in both error paths to properly release the\nallocated dma_pool resource."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:42.294Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d66cb05b8b76396387a7b3a91f9284225c87f04"
},
{
"url": "https://git.kernel.org/stable/c/2b29f38f4f9660595e8272b8e8b82ffcca7ce592"
},
{
"url": "https://git.kernel.org/stable/c/6b867a98699657c2a698bbc9e60656349b39b905"
},
{
"url": "https://git.kernel.org/stable/c/88a9483f093bbb9263dcf21bc7fdb5132e5de88d"
},
{
"url": "https://git.kernel.org/stable/c/4b93712e96be17029bd22787f2e39feb0e73272c"
},
{
"url": "https://git.kernel.org/stable/c/829b00481734dd54e72f755fd6584bce6fbffbb0"
},
{
"url": "https://git.kernel.org/stable/c/2e1136acf8a8887c29f52e35a77b537309af321f"
}
],
"title": "dmaengine: omap-dma: fix dma_pool resource leak in error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23033",
"datePublished": "2026-01-31T11:42:28.352Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-06-02T13:00:54.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23075 (GCVE-0-2026-23075)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In esd_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
esd_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in esd_usb_close().
Fix the memory leak by anchoring the URB in the
esd_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
96d8e90382dc336b5de401164597edfdc2e8d9f1 , < 93b34d4ba7266030801a509c088ac77c0d7a12e9
(git)
Affected: 96d8e90382dc336b5de401164597edfdc2e8d9f1 , < dc934d96673992af8568664c1b58e13eb164010d (git) Affected: 96d8e90382dc336b5de401164597edfdc2e8d9f1 , < 92d26ce07ac3b7a850dc68c8d73d487b39c39b33 (git) Affected: 96d8e90382dc336b5de401164597edfdc2e8d9f1 , < adec5e1f9c99fe079ec4c92cca3f1109a3e257c3 (git) Affected: 96d8e90382dc336b5de401164597edfdc2e8d9f1 , < 9d1807b442fc3286b204f8e59981b10e743533ce (git) Affected: 96d8e90382dc336b5de401164597edfdc2e8d9f1 , < a9503ae43256e80db5cba9d449b238607164c51d (git) Affected: 96d8e90382dc336b5de401164597edfdc2e8d9f1 , < 5a4391bdc6c8357242f62f22069c865b792406b3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/esd_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93b34d4ba7266030801a509c088ac77c0d7a12e9",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "dc934d96673992af8568664c1b58e13eb164010d",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "92d26ce07ac3b7a850dc68c8d73d487b39c39b33",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "adec5e1f9c99fe079ec4c92cca3f1109a3e257c3",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "9d1807b442fc3286b204f8e59981b10e743533ce",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "a9503ae43256e80db5cba9d449b238607164c51d",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "5a4391bdc6c8357242f62f22069c865b792406b3",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/esd_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn esd_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev-\u003erx_submitted anchor and submitted. In the complete callback\nesd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nesd_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(\u0026dev-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in esd_usb_close().\n\nFix the memory leak by anchoring the URB in the\nesd_usb_read_bulk_callback() to the dev-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:31.107Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93b34d4ba7266030801a509c088ac77c0d7a12e9"
},
{
"url": "https://git.kernel.org/stable/c/dc934d96673992af8568664c1b58e13eb164010d"
},
{
"url": "https://git.kernel.org/stable/c/92d26ce07ac3b7a850dc68c8d73d487b39c39b33"
},
{
"url": "https://git.kernel.org/stable/c/adec5e1f9c99fe079ec4c92cca3f1109a3e257c3"
},
{
"url": "https://git.kernel.org/stable/c/9d1807b442fc3286b204f8e59981b10e743533ce"
},
{
"url": "https://git.kernel.org/stable/c/a9503ae43256e80db5cba9d449b238607164c51d"
},
{
"url": "https://git.kernel.org/stable/c/5a4391bdc6c8357242f62f22069c865b792406b3"
}
],
"title": "can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23075",
"datePublished": "2026-02-04T16:08:00.169Z",
"dateReserved": "2026-01-13T15:37:45.958Z",
"dateUpdated": "2026-05-11T21:59:31.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50060 (GCVE-0-2024-50060)
Vulnerability from cvelistv5 – Published: 2024-10-21 19:39 – Updated: 2026-05-11 20:44
VLAI?
EPSS
Title
io_uring: check if we need to reschedule during overflow flush
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: check if we need to reschedule during overflow flush
In terms of normal application usage, this list will always be empty.
And if an application does overflow a bit, it'll have a few entries.
However, nothing obviously prevents syzbot from running a test case
that generates a ton of overflow entries, and then flushing them can
take quite a while.
Check for needing to reschedule while flushing, and drop our locks and
do so if necessary. There's no state to maintain here as overflows
always prune from head-of-list, hence it's fine to drop and reacquire
the locks at the end of the loop.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2b188cc1bb857a9d4701ae59aa7768b5124e262e , < a2493904e95ce94bbec819d8f7f03b99976eb25c
(git)
Affected: 2b188cc1bb857a9d4701ae59aa7768b5124e262e , < f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e (git) Affected: 2b188cc1bb857a9d4701ae59aa7768b5124e262e , < c2eadeafce2d385b3f6d26a7f31fee5aba2bbbb0 (git) Affected: 2b188cc1bb857a9d4701ae59aa7768b5124e262e , < eac2ca2d682f94f46b1973bdf5e77d85d77b8e53 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50060",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:22:59.693890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:28:42.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:25:00.157Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2493904e95ce94bbec819d8f7f03b99976eb25c",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "c2eadeafce2d385b3f6d26a7f31fee5aba2bbbb0",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "eac2ca2d682f94f46b1973bdf5e77d85d77b8e53",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.57",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.4",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check if we need to reschedule during overflow flush\n\nIn terms of normal application usage, this list will always be empty.\nAnd if an application does overflow a bit, it\u0027ll have a few entries.\nHowever, nothing obviously prevents syzbot from running a test case\nthat generates a ton of overflow entries, and then flushing them can\ntake quite a while.\n\nCheck for needing to reschedule while flushing, and drop our locks and\ndo so if necessary. There\u0027s no state to maintain here as overflows\nalways prune from head-of-list, hence it\u0027s fine to drop and reacquire\nthe locks at the end of the loop."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:44:38.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2493904e95ce94bbec819d8f7f03b99976eb25c"
},
{
"url": "https://git.kernel.org/stable/c/f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e"
},
{
"url": "https://git.kernel.org/stable/c/c2eadeafce2d385b3f6d26a7f31fee5aba2bbbb0"
},
{
"url": "https://git.kernel.org/stable/c/eac2ca2d682f94f46b1973bdf5e77d85d77b8e53"
}
],
"title": "io_uring: check if we need to reschedule during overflow flush",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50060",
"datePublished": "2024-10-21T19:39:49.737Z",
"dateReserved": "2024-10-21T19:36:19.939Z",
"dateUpdated": "2026-05-11T20:44:38.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68782 (GCVE-0-2025-68782)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-06-16 19:10
VLAI?
EPSS
Title
scsi: target: Reset t_task_cdb pointer in error case
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Reset t_task_cdb pointer in error case
If allocation of cmd->t_task_cdb fails, it remains NULL but is later
dereferenced in the 'err' path.
In case of error, reset NULL t_task_cdb value to point at the default
fixed-size buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 6cac97b12bdab04832e0416d049efcd0d48d303b
(git)
Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 45fd86b444105c8bd07a763f58635c87e5dc7aea (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 8727663ded659aad55eef21e3864ebf5a4796a96 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 0260ad551b0815eb788d47f32899fbcd65d6f128 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 0d36db68fdb8a3325386fd9523b67735f944e1f3 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 8edbb9e371af186b4cf40819dab65fafe109df4d (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 5053eab38a4c4543522d0c320c639c56a8b59908 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:10:49.122593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:10:58.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cac97b12bdab04832e0416d049efcd0d48d303b",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "45fd86b444105c8bd07a763f58635c87e5dc7aea",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "8727663ded659aad55eef21e3864ebf5a4796a96",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "0260ad551b0815eb788d47f32899fbcd65d6f128",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "0d36db68fdb8a3325386fd9523b67735f944e1f3",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "8edbb9e371af186b4cf40819dab65fafe109df4d",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "5053eab38a4c4543522d0c320c639c56a8b59908",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Reset t_task_cdb pointer in error case\n\nIf allocation of cmd-\u003et_task_cdb fails, it remains NULL but is later\ndereferenced in the \u0027err\u0027 path.\n\nIn case of error, reset NULL t_task_cdb value to point at the default\nfixed-size buffer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:14.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b"
},
{
"url": "https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea"
},
{
"url": "https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96"
},
{
"url": "https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128"
},
{
"url": "https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3"
},
{
"url": "https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d"
},
{
"url": "https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908"
}
],
"title": "scsi: target: Reset t_task_cdb pointer in error case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68782",
"datePublished": "2026-01-13T15:28:56.929Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-06-16T19:10:58.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68767 (GCVE-0-2025-68767)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-05-11 21:52
VLAI?
EPSS
Title
hfsplus: Verify inode mode when loading from disk
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: Verify inode mode when loading from disk
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted.
According to [1], the permissions field was treated as reserved in Mac OS
8 and 9. According to [2], the reserved field was explicitly initialized
with 0, and that field must remain 0 as long as reserved. Therefore, when
the "mode" field is not 0 (i.e. no longer reserved), the file must be
S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/
S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6f768724aabd5b321c5b8f15acdca11e4781cf32
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d92333c7a35856e419500e7eed72dac1afa404a5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 001f44982587ad462b3002ee40c75e8df67d597d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 05ec9af3cc430683c97f76027e1c55ac6fd25c59 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < edfb2e602b5ba5ca6bf31cbac20b366efb72b156 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 91f114bffa36ce56d0e1f60a0a44fc09baaefc79 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 005d4b0d33f6b4a23d382b7930f7a96b95b01f39 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f768724aabd5b321c5b8f15acdca11e4781cf32",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d92333c7a35856e419500e7eed72dac1afa404a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "001f44982587ad462b3002ee40c75e8df67d597d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "05ec9af3cc430683c97f76027e1c55ac6fd25c59",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "edfb2e602b5ba5ca6bf31cbac20b366efb72b156",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91f114bffa36ce56d0e1f60a0a44fc09baaefc79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "005d4b0d33f6b4a23d382b7930f7a96b95b01f39",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: Verify inode mode when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode-\u003ei_mode can become bogus when\nthe S_IFMT bits of the 16bits \"mode\" field loaded from disk are corrupted.\n\nAccording to [1], the permissions field was treated as reserved in Mac OS\n8 and 9. According to [2], the reserved field was explicitly initialized\nwith 0, and that field must remain 0 as long as reserved. Therefore, when\nthe \"mode\" field is not 0 (i.e. no longer reserved), the file must be\nS_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/\nS_IFBLK/S_IFIFO/S_IFSOCK if dir == 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:57.433Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32"
},
{
"url": "https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5"
},
{
"url": "https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d"
},
{
"url": "https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59"
},
{
"url": "https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156"
},
{
"url": "https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79"
},
{
"url": "https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39"
}
],
"title": "hfsplus: Verify inode mode when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68767",
"datePublished": "2026-01-13T15:28:46.382Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-05-11T21:52:57.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22998 (GCVE-0-2026-22998)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-06-16 20:38
VLAI?
EPSS
Title
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
added ttag bounds checking and data_offset
validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
whether the command's data structures (cmd->req.sg and cmd->iov) have
been properly initialized before processing H2C_DATA PDUs.
The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
without NULL checks. This can be triggered by sending H2C_DATA PDU
immediately after the ICREQ/ICRESP handshake, before
sending a CONNECT command or NVMe write command.
Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f775f2621c2ac5cc3a0b3a64665dad4fb146e510 , < baabe43a0edefac8cd7b981ff87f967f6034dafe
(git)
Affected: 4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d , < 76abc83a9d25593c2b7613c549413079c14a4686 (git) Affected: 2871aa407007f6f531fae181ad252486e022df42 , < 7d75570002929d20e40110d6b03e46202c9d1bc7 (git) Affected: 24e05760186dc070d3db190ca61efdbce23afc88 , < fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4 (git) Affected: efa56305908ba20de2104f1b8508c6a7401833be , < 3def5243150716be86599c2a1767c29c68838b6d (git) Affected: efa56305908ba20de2104f1b8508c6a7401833be , < 374b095e265fa27465f34780e0eb162ff1bef913 (git) Affected: efa56305908ba20de2104f1b8508c6a7401833be , < 32b63acd78f577b332d976aa06b56e70d054cbba (git) Affected: ee5e7632e981673f42a50ade25e71e612e543d9d (git) Affected: 70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68 (git) Affected: 5.10.209 , < 5.10.249 (semver) Affected: 5.15.148 , < 5.15.199 (semver) Affected: 6.1.75 , < 6.1.162 (semver) Affected: 6.6.14 , < 6.6.122 (semver) Affected: 5.4.268 , < 5.5 (semver) Affected: 6.7.2 , < 6.8 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:38:02.086283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:38:12.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "baabe43a0edefac8cd7b981ff87f967f6034dafe",
"status": "affected",
"version": "f775f2621c2ac5cc3a0b3a64665dad4fb146e510",
"versionType": "git"
},
{
"lessThan": "76abc83a9d25593c2b7613c549413079c14a4686",
"status": "affected",
"version": "4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d",
"versionType": "git"
},
{
"lessThan": "7d75570002929d20e40110d6b03e46202c9d1bc7",
"status": "affected",
"version": "2871aa407007f6f531fae181ad252486e022df42",
"versionType": "git"
},
{
"lessThan": "fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4",
"status": "affected",
"version": "24e05760186dc070d3db190ca61efdbce23afc88",
"versionType": "git"
},
{
"lessThan": "3def5243150716be86599c2a1767c29c68838b6d",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"lessThan": "374b095e265fa27465f34780e0eb162ff1bef913",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"lessThan": "32b63acd78f577b332d976aa06b56e70d054cbba",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"status": "affected",
"version": "ee5e7632e981673f42a50ade25e71e612e543d9d",
"versionType": "git"
},
{
"status": "affected",
"version": "70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68",
"versionType": "git"
},
{
"lessThan": "5.10.249",
"status": "affected",
"version": "5.10.209",
"versionType": "semver"
},
{
"lessThan": "5.15.199",
"status": "affected",
"version": "5.15.148",
"versionType": "semver"
},
{
"lessThan": "6.1.162",
"status": "affected",
"version": "6.1.75",
"versionType": "semver"
},
{
"lessThan": "6.6.122",
"status": "affected",
"version": "6.6.14",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.268",
"versionType": "semver"
},
{
"lessThan": "6.8",
"status": "affected",
"version": "6.7.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.268",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command\u0027s data structures (cmd-\u003ereq.sg and cmd-\u003eiov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT \u2192 both pointers NULL\n2. H2C_DATA PDU for READ command \u2192 cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n3. H2C_DATA PDU for uninitialized command slot \u2192 both pointers NULL\n\nThe fix validates both cmd-\u003ereq.sg and cmd-\u003eiov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n- WRITE commands: both allocated"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:38.884Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe"
},
{
"url": "https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686"
},
{
"url": "https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7"
},
{
"url": "https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4"
},
{
"url": "https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d"
},
{
"url": "https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913"
},
{
"url": "https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba"
}
],
"title": "nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22998",
"datePublished": "2026-01-25T14:36:12.935Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-06-16T20:38:12.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23088 (GCVE-0-2026-23088)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-23 16:03
VLAI?
EPSS
Title
tracing: Fix crash on synthetic stacktrace field usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix crash on synthetic stacktrace field usage
When creating a synthetic event based on an existing synthetic event that
had a stacktrace field and the new synthetic event used that field a
kernel crash occurred:
~# cd /sys/kernel/tracing
~# echo 's:stack unsigned long stack[];' > dynamic_events
~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger
~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger
The above creates a synthetic event that takes a stacktrace when a task
schedules out in a non-running state and passes that stacktrace to the
sched_switch event when that task schedules back in. It triggers the
"stack" synthetic event that has a stacktrace as its field (called "stack").
~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events
~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger
~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger
The above makes another synthetic event called "syscall_stack" that
attaches the first synthetic event (stack) to the sys_exit trace event and
records the stacktrace from the stack event with the id of the system call
that is exiting.
When enabling this event (or using it in a historgram):
~# echo 1 > events/synthetic/syscall_stack/enable
Produces a kernel crash!
BUG: unable to handle page fault for address: 0000000000400010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:trace_event_raw_event_synth+0x90/0x380
Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f
RSP: 0018:ffffd2670388f958 EFLAGS: 00010202
RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0
RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50
R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010
R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90
FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0
Call Trace:
<TASK>
? __tracing_map_insert+0x208/0x3a0
action_trace+0x67/0x70
event_hist_trigger+0x633/0x6d0
event_triggers_call+0x82/0x130
trace_event_buffer_commit+0x19d/0x250
trace_event_raw_event_sys_exit+0x62/0xb0
syscall_exit_work+0x9d/0x140
do_syscall_64+0x20a/0x2f0
? trace_event_raw_event_sched_switch+0x12b/0x170
? save_fpregs_to_fpstate+0x3e/0x90
? _raw_spin_unlock+0xe/0x30
? finish_task_switch.isra.0+0x97/0x2c0
? __rseq_handle_notify_resume+0xad/0x4c0
? __schedule+0x4b8/0xd00
? restore_fpregs_from_fpstate+0x3c/0x90
? switch_fpu_return+0x5b/0xe0
? do_syscall_64+0x1ef/0x2f0
? do_fault+0x2e9/0x540
? __handle_mm_fault+0x7d1/0xf70
? count_memcg_events+0x167/0x1d0
? handle_mm_fault+0x1d7/0x2e0
? do_user_addr_fault+0x2c3/0x7f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The reason is that the stacktrace field is not labeled as such, and is
treated as a normal field and not as a dynamic event that it is.
In trace_event_raw_event_synth() the event is field is still treated as a
dynamic array, but the retrieval of the data is considered a normal field,
and the reference is just the meta data:
// Meta data is retrieved instead of a dynamic array
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
00cf3d672a9dd409418647e9f98784c339c3ff63 , < 98ecbfb2598c9c7ca755a29f402da9d36c057077
(git)
Affected: 00cf3d672a9dd409418647e9f98784c339c3ff63 , < 327af07dff6ab5650b21491eb4f69694999ff3d1 (git) Affected: 00cf3d672a9dd409418647e9f98784c339c3ff63 , < 3b90d099efa2b67239bd3b3dc3521ec584261748 (git) Affected: 00cf3d672a9dd409418647e9f98784c339c3ff63 , < 90f9f5d64cae4e72defd96a2a22760173cb3c9ec (git) Affected: b9453380c1c542fd095a4dbe9251eeba4022bbce (git) Affected: 5f52389bdd9eafb63b3a2f804e02aeb17b6a5f55 (git) Affected: f3baa42afeea0d5f04ad31525e861199d02210cc (git) Affected: 5.10.237 , < 5.11 (semver) Affected: 5.15.124 , < 5.16 (semver) Affected: 6.1.43 , < 6.2 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c",
"kernel/trace/trace_events_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98ecbfb2598c9c7ca755a29f402da9d36c057077",
"status": "affected",
"version": "00cf3d672a9dd409418647e9f98784c339c3ff63",
"versionType": "git"
},
{
"lessThan": "327af07dff6ab5650b21491eb4f69694999ff3d1",
"status": "affected",
"version": "00cf3d672a9dd409418647e9f98784c339c3ff63",
"versionType": "git"
},
{
"lessThan": "3b90d099efa2b67239bd3b3dc3521ec584261748",
"status": "affected",
"version": "00cf3d672a9dd409418647e9f98784c339c3ff63",
"versionType": "git"
},
{
"lessThan": "90f9f5d64cae4e72defd96a2a22760173cb3c9ec",
"status": "affected",
"version": "00cf3d672a9dd409418647e9f98784c339c3ff63",
"versionType": "git"
},
{
"status": "affected",
"version": "b9453380c1c542fd095a4dbe9251eeba4022bbce",
"versionType": "git"
},
{
"status": "affected",
"version": "5f52389bdd9eafb63b3a2f804e02aeb17b6a5f55",
"versionType": "git"
},
{
"status": "affected",
"version": "f3baa42afeea0d5f04ad31525e861199d02210cc",
"versionType": "git"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.43",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c",
"kernel/trace/trace_events_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix crash on synthetic stacktrace field usage\n\nWhen creating a synthetic event based on an existing synthetic event that\nhad a stacktrace field and the new synthetic event used that field a\nkernel crash occurred:\n\n ~# cd /sys/kernel/tracing\n ~# echo \u0027s:stack unsigned long stack[];\u0027 \u003e dynamic_events\n ~# echo \u0027hist:keys=prev_pid:s0=common_stacktrace if prev_state \u0026 3\u0027 \u003e\u003e events/sched/sched_switch/trigger\n ~# echo \u0027hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)\u0027 \u003e\u003e events/sched/sched_switch/trigger\n\nThe above creates a synthetic event that takes a stacktrace when a task\nschedules out in a non-running state and passes that stacktrace to the\nsched_switch event when that task schedules back in. It triggers the\n\"stack\" synthetic event that has a stacktrace as its field (called \"stack\").\n\n ~# echo \u0027s:syscall_stack s64 id; unsigned long stack[];\u0027 \u003e\u003e dynamic_events\n ~# echo \u0027hist:keys=common_pid:s2=stack\u0027 \u003e\u003e events/synthetic/stack/trigger\n ~# echo \u0027hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)\u0027 \u003e\u003e events/raw_syscalls/sys_exit/trigger\n\nThe above makes another synthetic event called \"syscall_stack\" that\nattaches the first synthetic event (stack) to the sys_exit trace event and\nrecords the stacktrace from the stack event with the id of the system call\nthat is exiting.\n\nWhen enabling this event (or using it in a historgram):\n\n ~# echo 1 \u003e events/synthetic/syscall_stack/enable\n\nProduces a kernel crash!\n\n BUG: unable to handle page fault for address: 0000000000400010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP PTI\n CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:trace_event_raw_event_synth+0x90/0x380\n Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 \u003c49\u003e 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f\n RSP: 0018:ffffd2670388f958 EFLAGS: 00010202\n RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0\n RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50\n R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010\n R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90\n FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n ? __tracing_map_insert+0x208/0x3a0\n action_trace+0x67/0x70\n event_hist_trigger+0x633/0x6d0\n event_triggers_call+0x82/0x130\n trace_event_buffer_commit+0x19d/0x250\n trace_event_raw_event_sys_exit+0x62/0xb0\n syscall_exit_work+0x9d/0x140\n do_syscall_64+0x20a/0x2f0\n ? trace_event_raw_event_sched_switch+0x12b/0x170\n ? save_fpregs_to_fpstate+0x3e/0x90\n ? _raw_spin_unlock+0xe/0x30\n ? finish_task_switch.isra.0+0x97/0x2c0\n ? __rseq_handle_notify_resume+0xad/0x4c0\n ? __schedule+0x4b8/0xd00\n ? restore_fpregs_from_fpstate+0x3c/0x90\n ? switch_fpu_return+0x5b/0xe0\n ? do_syscall_64+0x1ef/0x2f0\n ? do_fault+0x2e9/0x540\n ? __handle_mm_fault+0x7d1/0xf70\n ? count_memcg_events+0x167/0x1d0\n ? handle_mm_fault+0x1d7/0x2e0\n ? do_user_addr_fault+0x2c3/0x7f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe reason is that the stacktrace field is not labeled as such, and is\ntreated as a normal field and not as a dynamic event that it is.\n\nIn trace_event_raw_event_synth() the event is field is still treated as a\ndynamic array, but the retrieval of the data is considered a normal field,\nand the reference is just the meta data:\n\n// Meta data is retrieved instead of a dynamic array\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:48.056Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98ecbfb2598c9c7ca755a29f402da9d36c057077"
},
{
"url": "https://git.kernel.org/stable/c/327af07dff6ab5650b21491eb4f69694999ff3d1"
},
{
"url": "https://git.kernel.org/stable/c/3b90d099efa2b67239bd3b3dc3521ec584261748"
},
{
"url": "https://git.kernel.org/stable/c/90f9f5d64cae4e72defd96a2a22760173cb3c9ec"
}
],
"title": "tracing: Fix crash on synthetic stacktrace field usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23088",
"datePublished": "2026-02-04T16:08:11.717Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-05-23T16:03:48.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68255 (GCVE-0-2025-68255)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-05-11 21:49
VLAI?
EPSS
Title
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.
Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.
This prevents kernel stack corruption triggered by malformed association
requests.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 49b7806851f93fd342838c93f4f765e0cc5029b0
(git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 4445adedae770037078803d1ce41f9e88a1944b6 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 34620eb602aa432f090b2b784ee5c5070fb16cf9 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 61871c83259a511980ec2664964cecc69005398b (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 25411f5fcf5743131158f337c99c2bbf3f8477f5 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < e841d8ea722315b781c4fc5bf4f7670fbca88875 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49b7806851f93fd342838c93f4f765e0cc5029b0",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "4445adedae770037078803d1ce41f9e88a1944b6",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "34620eb602aa432f090b2b784ee5c5070fb16cf9",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "61871c83259a511980ec2664964cecc69005398b",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "25411f5fcf5743131158f337c99c2bbf3f8477f5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "e841d8ea722315b781c4fc5bf4f7670fbca88875",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "6ef0e1c10455927867cac8f0ed6b49f328f8cf95",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing\n\nThe Supported Rates IE length from an incoming Association Request frame\nwas used directly as the memcpy() length when copying into a fixed-size\n16-byte stack buffer (supportRate). A malicious station can advertise an\nIE length larger than 16 bytes, causing a stack buffer overflow.\n\nClamp ie_len to the buffer size before copying the Supported Rates IE,\nand correct the bounds check when merging Extended Supported Rates to\nprevent a second potential overflow.\n\nThis prevents kernel stack corruption triggered by malformed association\nrequests."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:50.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49b7806851f93fd342838c93f4f765e0cc5029b0"
},
{
"url": "https://git.kernel.org/stable/c/4445adedae770037078803d1ce41f9e88a1944b6"
},
{
"url": "https://git.kernel.org/stable/c/d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0"
},
{
"url": "https://git.kernel.org/stable/c/34620eb602aa432f090b2b784ee5c5070fb16cf9"
},
{
"url": "https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b"
},
{
"url": "https://git.kernel.org/stable/c/25411f5fcf5743131158f337c99c2bbf3f8477f5"
},
{
"url": "https://git.kernel.org/stable/c/e841d8ea722315b781c4fc5bf4f7670fbca88875"
},
{
"url": "https://git.kernel.org/stable/c/6ef0e1c10455927867cac8f0ed6b49f328f8cf95"
}
],
"title": "staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68255",
"datePublished": "2025-12-16T14:44:58.031Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-05-11T21:49:50.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47332 (GCVE-0-2026-47332)
Vulnerability from cvelistv5 – Published: 2026-05-28 18:28 – Updated: 2026-05-28 19:24
VLAI?
EPSS
Title
Out-of-bounds read in Ubuntu Linux AppArmor notification handling
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.
Severity ?
5.5 (Medium)
CWE
- CWE-125 - Out-of-bounds read
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0 , < 6.8.0-124.124
(dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg) Affected: 7.0.0 , < 7.0.0-22.22 (dpkg) |
Credits
Tristan Madani (@TristanInSec), Talence Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:17:25.504559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:24:19.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AppArmor"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-124.124",
"status": "affected",
"version": "6.8.0",
"versionType": "dpkg"
},
{
"lessThan": "6.17.0-35.35",
"status": "affected",
"version": "6.17.0",
"versionType": "dpkg"
},
{
"lessThan": "7.0.0-22.22",
"status": "affected",
"version": "7.0.0",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec), Talence Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:28:18.728Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=0418e5f61b55465f19245705bce6590c807fc9f2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Out-of-bounds read in Ubuntu Linux AppArmor notification handling"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-47332",
"datePublished": "2026-05-28T18:28:18.728Z",
"dateReserved": "2026-05-19T10:37:36.433Z",
"dateUpdated": "2026-05-28T19:24:19.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71065 (GCVE-0-2025-71065)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-05-11 21:54
VLAI?
EPSS
Title
f2fs: fix to avoid potential deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid potential deadlock
As Jiaming Zhang and syzbot reported, there is potential deadlock in
f2fs as below:
Chain exists of:
&sbi->cp_rwsem --> fs_reclaim --> sb_internal#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(sb_internal#2);
lock(fs_reclaim);
lock(sb_internal#2);
rlock(&sbi->cp_rwsem);
*** DEADLOCK ***
3 locks held by kswapd0/73:
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197
#2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890
stack backtrace:
CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537
f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]
f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]
f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791
f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867
f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925
f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897
evict+0x504/0x9c0 fs/inode.c:810
f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853
evict+0x504/0x9c0 fs/inode.c:810
dispose_list fs/inode.c:852 [inline]
prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000
super_cache_scan+0x39b/0x4b0 fs/super.c:224
do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437
shrink_slab_memcg mm/shrinker.c:550 [inline]
shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628
shrink_one+0x28a/0x7c0 mm/vmscan.c:4955
shrink_many mm/vmscan.c:5016 [inline]
lru_gen_shrink_node mm/vmscan.c:5094 [inline]
shrink_node+0x315d/0x3780 mm/vmscan.c:6081
kswapd_shrink_node mm/vmscan.c:6941 [inline]
balance_pgdat mm/vmscan.c:7124 [inline]
kswapd+0x147c/0x2800 mm/vmscan.c:7389
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The root cause is deadlock among four locks as below:
kswapd
- fs_reclaim --- Lock A
- shrink_one
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- iput
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- f2fs_truncate
- f2fs_truncate_blocks
- f2fs_do_truncate_blocks
- f2fs_lock_op --- Lock C
ioctl
- f2fs_ioc_commit_atomic_write
- f2fs_lock_op --- Lock C
- __f2fs_commit_atomic_write
- __replace_atomic_write_block
- f2fs_get_dnode_of_data
- __get_node_folio
- f2fs_check_nid_range
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
open
- do_open
- do_truncate
- security_inode_need_killpriv
- f2fs_getxattr
- lookup_all_xattrs
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
- f2fs_commit_super
- read_mapping_folio
- filemap_alloc_folio_noprof
- prepare_alloc_pages
- fs_reclaim_acquire --- Lock A
In order to a
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
95fa90c9e5a7f14c2497d5b032544478c9377c3a , < 8bd6dff8b801abaa362272894bda795bf0cf1307
(git)
Affected: 95fa90c9e5a7f14c2497d5b032544478c9377c3a , < 6c3bab5c6261aa22c561ef56b7365959a90e7d91 (git) Affected: 95fa90c9e5a7f14c2497d5b032544478c9377c3a , < 86a85a7b622e6e8dba69810257733ce5eab5ed55 (git) Affected: 95fa90c9e5a7f14c2497d5b032544478c9377c3a , < ca8b201f28547e28343a6f00a6e91fa8c09572fe (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8bd6dff8b801abaa362272894bda795bf0cf1307",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "6c3bab5c6261aa22c561ef56b7365959a90e7d91",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "86a85a7b622e6e8dba69810257733ce5eab5ed55",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "ca8b201f28547e28343a6f00a6e91fa8c09572fe",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock\n\nAs Jiaming Zhang and syzbot reported, there is potential deadlock in\nf2fs as below:\n\nChain exists of:\n \u0026sbi-\u003ecp_rwsem --\u003e fs_reclaim --\u003e sb_internal#2\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n rlock(sb_internal#2);\n lock(fs_reclaim);\n lock(sb_internal#2);\n rlock(\u0026sbi-\u003ecp_rwsem);\n\n *** DEADLOCK ***\n\n3 locks held by kswapd0/73:\n #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]\n #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389\n #1: ffff8880118400e0 (\u0026type-\u003es_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]\n #1: ffff8880118400e0 (\u0026type-\u003es_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197\n #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890\n\nstack backtrace:\nCPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043\n check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175\n check_prev_add kernel/locking/lockdep.c:3165 [inline]\n check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908\n __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537\n f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]\n f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]\n f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791\n f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867\n f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925\n f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897\n evict+0x504/0x9c0 fs/inode.c:810\n f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853\n evict+0x504/0x9c0 fs/inode.c:810\n dispose_list fs/inode.c:852 [inline]\n prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000\n super_cache_scan+0x39b/0x4b0 fs/super.c:224\n do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437\n shrink_slab_memcg mm/shrinker.c:550 [inline]\n shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628\n shrink_one+0x28a/0x7c0 mm/vmscan.c:4955\n shrink_many mm/vmscan.c:5016 [inline]\n lru_gen_shrink_node mm/vmscan.c:5094 [inline]\n shrink_node+0x315d/0x3780 mm/vmscan.c:6081\n kswapd_shrink_node mm/vmscan.c:6941 [inline]\n balance_pgdat mm/vmscan.c:7124 [inline]\n kswapd+0x147c/0x2800 mm/vmscan.c:7389\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nThe root cause is deadlock among four locks as below:\n\nkswapd\n- fs_reclaim\t\t\t\t--- Lock A\n - shrink_one\n - evict\n - f2fs_evict_inode\n - sb_start_intwrite\t\t\t--- Lock B\n\n- iput\n - evict\n - f2fs_evict_inode\n - sb_start_intwrite\t\t\t--- Lock B\n - f2fs_truncate\n - f2fs_truncate_blocks\n - f2fs_do_truncate_blocks\n - f2fs_lock_op\t\t\t--- Lock C\n\nioctl\n- f2fs_ioc_commit_atomic_write\n - f2fs_lock_op\t\t\t\t--- Lock C\n - __f2fs_commit_atomic_write\n - __replace_atomic_write_block\n - f2fs_get_dnode_of_data\n - __get_node_folio\n - f2fs_check_nid_range\n - f2fs_handle_error\n - f2fs_record_errors\n - f2fs_down_write\t\t--- Lock D\n\nopen\n- do_open\n - do_truncate\n - security_inode_need_killpriv\n - f2fs_getxattr\n - lookup_all_xattrs\n - f2fs_handle_error\n - f2fs_record_errors\n - f2fs_down_write\t\t--- Lock D\n - f2fs_commit_super\n - read_mapping_folio\n - filemap_alloc_folio_noprof\n - prepare_alloc_pages\n - fs_reclaim_acquire\t--- Lock A\n\nIn order to a\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:03.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8bd6dff8b801abaa362272894bda795bf0cf1307"
},
{
"url": "https://git.kernel.org/stable/c/6c3bab5c6261aa22c561ef56b7365959a90e7d91"
},
{
"url": "https://git.kernel.org/stable/c/86a85a7b622e6e8dba69810257733ce5eab5ed55"
},
{
"url": "https://git.kernel.org/stable/c/ca8b201f28547e28343a6f00a6e91fa8c09572fe"
}
],
"title": "f2fs: fix to avoid potential deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71065",
"datePublished": "2026-01-13T15:31:21.235Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-05-11T21:54:03.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43362 (GCVE-0-2026-43362)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
smb: client: fix in-place encryption corruption in SMB2_write()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix in-place encryption corruption in SMB2_write()
SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.
The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.
This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.
Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 438e77435aee2894d5edf90be5c87004a57f6258
(git)
Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 52327268224fb9ccc7ecfbbdfdfff54b6e93c518 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 92e64f1852f455f57d0850989e57c30d7fac7d95 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < aea5e37388a080361110ab5790f57ae0af383650 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < d78840a6a38d312dc1a51a65317bb67e46f0b929 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "438e77435aee2894d5edf90be5c87004a57f6258",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "52327268224fb9ccc7ecfbbdfdfff54b6e93c518",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "92e64f1852f455f57d0850989e57c30d7fac7d95",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "aea5e37388a080361110ab5790f57ae0af383650",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "d78840a6a38d312dc1a51a65317bb67e46f0b929",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix in-place encryption corruption in SMB2_write()\n\nSMB2_write() places write payload in iov[1..n] as part of rq_iov.\nsmb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()\nencrypts iov[1] in-place, replacing the original plaintext with\nciphertext. On a replayable error, the retry sends the same iov[1]\nwhich now contains ciphertext instead of the original data,\nresulting in corruption.\n\nThe corruption is most likely to be observed when connections are\nunstable, as reconnects trigger write retries that re-send the\nalready-encrypted data.\n\nThis affects SFU mknod, MF symlinks, etc. On kernels before\n6.10 (prior to the netfs conversion), sync writes also used\nthis path and were similarly affected. The async write path\nwasn\u0027t unaffected as it uses rq_iter which gets deep-copied.\n\nFix by moving the write payload into rq_iter via iov_iter_kvec(),\nso smb3_init_transform_rq() deep-copies it before encryption."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:07.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258"
},
{
"url": "https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518"
},
{
"url": "https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95"
},
{
"url": "https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650"
},
{
"url": "https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929"
}
],
"title": "smb: client: fix in-place encryption corruption in SMB2_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43362",
"datePublished": "2026-05-08T14:21:16.358Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:07.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71198 (GCVE-0-2025-71198)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:56
VLAI?
EPSS
Title
iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection
The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL
event_spec field, indicating support for IIO events. However, event
detection is not supported for all sensors, and if userspace tries to
configure accelerometer wakeup events on a sensor device that does not
support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL
pointer when trying to write to the wakeup register.
Define an additional struct iio_chan_spec array whose members have a NULL
event_spec field, and use this array instead of st_lsm6dsx_acc_channels for
sensors without event detection capability.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b5969abfa8b8ed43ebd93479d394f664bd4a5a87 , < 7673167fac9323110973a3300637adba7d45de3a
(git)
Affected: b5969abfa8b8ed43ebd93479d394f664bd4a5a87 , < 4d60ffcdedfe2cdb68a1cde19bb292bc67451629 (git) Affected: b5969abfa8b8ed43ebd93479d394f664bd4a5a87 , < 81ed6e42d6e555dd978c9dd5e3f7c20cb121221b (git) Affected: b5969abfa8b8ed43ebd93479d394f664bd4a5a87 , < c34e2e2d67b3bb8d5a6d09b0d6dac845cdd13fb3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7673167fac9323110973a3300637adba7d45de3a",
"status": "affected",
"version": "b5969abfa8b8ed43ebd93479d394f664bd4a5a87",
"versionType": "git"
},
{
"lessThan": "4d60ffcdedfe2cdb68a1cde19bb292bc67451629",
"status": "affected",
"version": "b5969abfa8b8ed43ebd93479d394f664bd4a5a87",
"versionType": "git"
},
{
"lessThan": "81ed6e42d6e555dd978c9dd5e3f7c20cb121221b",
"status": "affected",
"version": "b5969abfa8b8ed43ebd93479d394f664bd4a5a87",
"versionType": "git"
},
{
"lessThan": "c34e2e2d67b3bb8d5a6d09b0d6dac845cdd13fb3",
"status": "affected",
"version": "b5969abfa8b8ed43ebd93479d394f664bd4a5a87",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection\n\nThe st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL\nevent_spec field, indicating support for IIO events. However, event\ndetection is not supported for all sensors, and if userspace tries to\nconfigure accelerometer wakeup events on a sensor device that does not\nsupport them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL\npointer when trying to write to the wakeup register.\nDefine an additional struct iio_chan_spec array whose members have a NULL\nevent_spec field, and use this array instead of st_lsm6dsx_acc_channels for\nsensors without event detection capability."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:56:33.537Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7673167fac9323110973a3300637adba7d45de3a"
},
{
"url": "https://git.kernel.org/stable/c/4d60ffcdedfe2cdb68a1cde19bb292bc67451629"
},
{
"url": "https://git.kernel.org/stable/c/81ed6e42d6e555dd978c9dd5e3f7c20cb121221b"
},
{
"url": "https://git.kernel.org/stable/c/c34e2e2d67b3bb8d5a6d09b0d6dac845cdd13fb3"
}
],
"title": "iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71198",
"datePublished": "2026-02-04T16:07:33.154Z",
"dateReserved": "2026-01-31T11:36:51.192Z",
"dateUpdated": "2026-05-11T21:56:33.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23140 (GCVE-0-2026-23140)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-05-11 22:00
VLAI?
EPSS
Title
bpf, test_run: Subtract size of xdp_frame from allowed metadata size
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, test_run: Subtract size of xdp_frame from allowed metadata size
The xdp_frame structure takes up part of the XDP frame headroom,
limiting the size of the metadata. However, in bpf_test_run, we don't
take this into account, which makes it possible for userspace to supply
a metadata size that is too large (taking up the entire headroom).
If userspace supplies such a large metadata size in live packet mode,
the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call
will fail, after which packet transmission proceeds with an
uninitialised frame structure, leading to the usual Bad Stuff.
The commit in the Fixes tag fixed a related bug where the second check
in xdp_update_frame_from_buff() could fail, but did not add any
additional constraints on the metadata size. Complete the fix by adding
an additional check on the metadata size. Reorder the checks slightly to
make the logic clearer and add a comment.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b6f1f780b3932ae497ed85e79bc8a1e513883624 , < e7440935063949d6f2c10f7328d960d0ff4bce90
(git)
Affected: b6f1f780b3932ae497ed85e79bc8a1e513883624 , < 7c81ad5e580bd8441f8a521a8d34824ce6582ae5 (git) Affected: b6f1f780b3932ae497ed85e79bc8a1e513883624 , < 6447e697cfa8a43a8e491cb81bcc390d0f28f8ba (git) Affected: b6f1f780b3932ae497ed85e79bc8a1e513883624 , < 31e37f44b60679d90b9f999c91371b15291be8e0 (git) Affected: b6f1f780b3932ae497ed85e79bc8a1e513883624 , < e558cca217790286e799a8baacd1610bda31b261 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7440935063949d6f2c10f7328d960d0ff4bce90",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
},
{
"lessThan": "7c81ad5e580bd8441f8a521a8d34824ce6582ae5",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
},
{
"lessThan": "6447e697cfa8a43a8e491cb81bcc390d0f28f8ba",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
},
{
"lessThan": "31e37f44b60679d90b9f999c91371b15291be8e0",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
},
{
"lessThan": "e558cca217790286e799a8baacd1610bda31b261",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Subtract size of xdp_frame from allowed metadata size\n\nThe xdp_frame structure takes up part of the XDP frame headroom,\nlimiting the size of the metadata. However, in bpf_test_run, we don\u0027t\ntake this into account, which makes it possible for userspace to supply\na metadata size that is too large (taking up the entire headroom).\n\nIf userspace supplies such a large metadata size in live packet mode,\nthe xdp_update_frame_from_buff() call in xdp_test_run_init_page() call\nwill fail, after which packet transmission proceeds with an\nuninitialised frame structure, leading to the usual Bad Stuff.\n\nThe commit in the Fixes tag fixed a related bug where the second check\nin xdp_update_frame_from_buff() could fail, but did not add any\nadditional constraints on the metadata size. Complete the fix by adding\nan additional check on the metadata size. Reorder the checks slightly to\nmake the logic clearer and add a comment."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:54.453Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7440935063949d6f2c10f7328d960d0ff4bce90"
},
{
"url": "https://git.kernel.org/stable/c/7c81ad5e580bd8441f8a521a8d34824ce6582ae5"
},
{
"url": "https://git.kernel.org/stable/c/6447e697cfa8a43a8e491cb81bcc390d0f28f8ba"
},
{
"url": "https://git.kernel.org/stable/c/31e37f44b60679d90b9f999c91371b15291be8e0"
},
{
"url": "https://git.kernel.org/stable/c/e558cca217790286e799a8baacd1610bda31b261"
}
],
"title": "bpf, test_run: Subtract size of xdp_frame from allowed metadata size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23140",
"datePublished": "2026-02-14T15:22:24.727Z",
"dateReserved": "2026-01-13T15:37:45.972Z",
"dateUpdated": "2026-05-11T22:00:54.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23054 (GCVE-0-2026-23054)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-05-11 21:59
VLAI?
EPSS
Title
net: hv_netvsc: reject RSS hash key programming without RX indirection table
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hv_netvsc: reject RSS hash key programming without RX indirection table
RSS configuration requires a valid RX indirection table. When the device
reports a single receive queue, rndis_filter_device_add() does not
allocate an indirection table, accepting RSS hash key updates in this
state leads to a hang.
Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
capabilities and prevents incorrect behavior.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
962f3fee83a4ef9010ae84dc43ae7aecb572e2a9 , < 8288136f508e78eb3563e7073975999cf225a2f9
(git)
Affected: 962f3fee83a4ef9010ae84dc43ae7aecb572e2a9 , < 82c9039c8ebb715753a40434df714f865a3aec9c (git) Affected: 962f3fee83a4ef9010ae84dc43ae7aecb572e2a9 , < 4cd55c609e85ae2313248ef1a33619a3eef44a16 (git) Affected: 962f3fee83a4ef9010ae84dc43ae7aecb572e2a9 , < 11dd9a9ef4dc4507a15a69b8511a0013c6c28fa3 (git) Affected: 962f3fee83a4ef9010ae84dc43ae7aecb572e2a9 , < d23564955811da493f34412d7de60fa268c8cb50 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/hyperv/netvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8288136f508e78eb3563e7073975999cf225a2f9",
"status": "affected",
"version": "962f3fee83a4ef9010ae84dc43ae7aecb572e2a9",
"versionType": "git"
},
{
"lessThan": "82c9039c8ebb715753a40434df714f865a3aec9c",
"status": "affected",
"version": "962f3fee83a4ef9010ae84dc43ae7aecb572e2a9",
"versionType": "git"
},
{
"lessThan": "4cd55c609e85ae2313248ef1a33619a3eef44a16",
"status": "affected",
"version": "962f3fee83a4ef9010ae84dc43ae7aecb572e2a9",
"versionType": "git"
},
{
"lessThan": "11dd9a9ef4dc4507a15a69b8511a0013c6c28fa3",
"status": "affected",
"version": "962f3fee83a4ef9010ae84dc43ae7aecb572e2a9",
"versionType": "git"
},
{
"lessThan": "d23564955811da493f34412d7de60fa268c8cb50",
"status": "affected",
"version": "962f3fee83a4ef9010ae84dc43ae7aecb572e2a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/hyperv/netvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hv_netvsc: reject RSS hash key programming without RX indirection table\n\nRSS configuration requires a valid RX indirection table. When the device\nreports a single receive queue, rndis_filter_device_add() does not\nallocate an indirection table, accepting RSS hash key updates in this\nstate leads to a hang.\n\nFix this by gating netvsc_set_rxfh() on ndc-\u003erx_table_sz and return\n-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device\ncapabilities and prevents incorrect behavior."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:59:06.685Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8288136f508e78eb3563e7073975999cf225a2f9"
},
{
"url": "https://git.kernel.org/stable/c/82c9039c8ebb715753a40434df714f865a3aec9c"
},
{
"url": "https://git.kernel.org/stable/c/4cd55c609e85ae2313248ef1a33619a3eef44a16"
},
{
"url": "https://git.kernel.org/stable/c/11dd9a9ef4dc4507a15a69b8511a0013c6c28fa3"
},
{
"url": "https://git.kernel.org/stable/c/d23564955811da493f34412d7de60fa268c8cb50"
}
],
"title": "net: hv_netvsc: reject RSS hash key programming without RX indirection table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23054",
"datePublished": "2026-02-04T16:04:23.396Z",
"dateReserved": "2026-01-13T15:37:45.951Z",
"dateUpdated": "2026-05-11T21:59:06.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23038 (GCVE-0-2026-23038)
Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-06-16 20:32
VLAI?
EPSS
Title
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
the function jumps to the out_scratch label without freeing the already
allocated dsaddrs list, leading to a memory leak.
Fix this by jumping to the out_err_drain_dsaddrs label, which properly
frees the dsaddrs list before cleaning up other resources.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d67ae825a59d639e4d8b82413af84d854617a87e , < e2dde5dafb80f1af4028ed10ad255f42af71c784
(git)
Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < 27c90d8ed81e7a289c9fe41b5e31d8bb609a3385 (git) Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < 34b9dd179818ff7af2b36410985fd8166573c62d (git) Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < 869862056e100973e76ce9f5f1b01837771b7722 (git) Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < 86da7efd12295a7e2b4abde5e5984c821edd938f (git) Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb (git) Affected: d67ae825a59d639e4d8b82413af84d854617a87e , < 0c728083654f0066f5e10a1d2b0bd0907af19a58 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:00:56.799Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:32:12.394629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:32:22.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/flexfilelayout/flexfilelayoutdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2dde5dafb80f1af4028ed10ad255f42af71c784",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "27c90d8ed81e7a289c9fe41b5e31d8bb609a3385",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "34b9dd179818ff7af2b36410985fd8166573c62d",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "869862056e100973e76ce9f5f1b01837771b7722",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "86da7efd12295a7e2b4abde5e5984c821edd938f",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "0c728083654f0066f5e10a1d2b0bd0907af19a58",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/flexfilelayout/flexfilelayoutdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()\n\nIn nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,\nthe function jumps to the out_scratch label without freeing the already\nallocated dsaddrs list, leading to a memory leak.\n\nFix this by jumping to the out_err_drain_dsaddrs label, which properly\nfrees the dsaddrs list before cleaning up other resources."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:48.041Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2dde5dafb80f1af4028ed10ad255f42af71c784"
},
{
"url": "https://git.kernel.org/stable/c/27c90d8ed81e7a289c9fe41b5e31d8bb609a3385"
},
{
"url": "https://git.kernel.org/stable/c/34b9dd179818ff7af2b36410985fd8166573c62d"
},
{
"url": "https://git.kernel.org/stable/c/869862056e100973e76ce9f5f1b01837771b7722"
},
{
"url": "https://git.kernel.org/stable/c/86da7efd12295a7e2b4abde5e5984c821edd938f"
},
{
"url": "https://git.kernel.org/stable/c/ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb"
},
{
"url": "https://git.kernel.org/stable/c/0c728083654f0066f5e10a1d2b0bd0907af19a58"
}
],
"title": "pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23038",
"datePublished": "2026-01-31T11:42:32.599Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-06-16T20:32:22.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32629 (GCVE-0-2023-32629)
Vulnerability from cvelistv5 – Published: 2023-07-26 01:59 – Updated: 2025-02-13 16:54
VLAI?
EPSS
Summary
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels
Severity ?
7.8 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Kernel |
Unaffected:
0 , < 6.2.0-26.26
(semver)
Unaffected: 0 , < 6.0.0-1020.20 (semver) Unaffected: 0 , < 5.4.0-155.172 (semver) |
Credits
Shir Tamari
Sagi Tzadik
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-6250-1"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.ubuntu.com/archives/kernel-team/2023-July/140920.html"
},
{
"tags": [
"technical-description",
"x_transferred"
],
"url": "https://wiz.io/blog/ubuntu-overlayfs-vulnerability"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32629"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:canonical:ubantu_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ubantu_kernel",
"vendor": "canonical",
"versions": [
{
"lessThan": ".2.0-26.26",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.0.0-1020.20",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.4.0-155.172",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T14:52:16.324371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:55:16.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Linux",
"platforms": [
"Linux"
],
"product": "Ubuntu Kernel",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.2.0-26.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.0.0-1020.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.4.0-155.172",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Shir Tamari"
},
{
"lang": "en",
"type": "finder",
"value": "Sagi Tzadik"
}
],
"datePublic": "2023-06-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-11T18:06:23.968Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-6250-1"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.ubuntu.com/archives/kernel-team/2023-July/140920.html"
},
{
"tags": [
"technical-description"
],
"url": "https://wiz.io/blog/ubuntu-overlayfs-vulnerability"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32629"
},
{
"url": "http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html"
}
],
"workarounds": [
{
"lang": "en",
"value": "If not needed, disable the ability for unprivileged users\nto create namespaces. To do this temporarily, do:\n sudo sysctl -w kernel.unprivileged_userns_clone=0\nTo disable across reboots, do:\n echo kernel.unprivileged_userns_clone=0 | \\\n sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2023-32629",
"datePublished": "2023-07-26T01:59:47.061Z",
"dateReserved": "2023-06-29T21:43:35.022Z",
"dateUpdated": "2025-02-13T16:54:52.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68332 (GCVE-0-2025-68332)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-05-11 21:51
VLAI?
EPSS
Title
comedi: c6xdigio: Fix invalid PNP driver unregistration
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: c6xdigio: Fix invalid PNP driver unregistration
The Comedi low-level driver "c6xdigio" seems to be for a parallel port
connected device. When the Comedi core calls the driver's Comedi
"attach" handler `c6xdigio_attach()` to configure a Comedi to use this
driver, it tries to enable the parallel port PNP resources by
registering a PNP driver with `pnp_register_driver()`, but ignores the
return value. (The `struct pnp_driver` it uses has only the `name` and
`id_table` members filled in.) The driver's Comedi "detach" handler
`c6xdigio_detach()` unconditionally unregisters the PNP driver with
`pnp_unregister_driver()`.
It is possible for `c6xdigio_attach()` to return an error before it
calls `pnp_register_driver()` and it is possible for the call to
`pnp_register_driver()` to return an error (that is ignored). In both
cases, the driver should not be calling `pnp_unregister_driver()` as it
does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be
called by the Comedi core if `c6xdigio_attach()` returns an error, or if
the Comedi core decides to detach the Comedi device from the driver for
some other reason.)
The unconditional call to `pnp_unregister_driver()` without a previous
successful call to `pnp_register_driver()` will cause
`driver_unregister()` to issue a warning "Unexpected driver
unregister!". This was detected by Syzbot [1].
Also, the PNP driver registration and unregistration should be done at
module init and exit time, respectively, not when attaching or detaching
Comedi devices to the driver. (There might be more than one Comedi
device being attached to the driver, although that is unlikely.)
Change the driver to do the PNP driver registration at module init time,
and the unregistration at module exit time. Since `c6xdigio_detach()`
now only calls `comedi_legacy_detach()`, remove the function and change
the Comedi driver "detach" handler to `comedi_legacy_detach`.
-------------------------------------------
[1] Syzbot sample crash report:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Modules linked in:
CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]
RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41
RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8
RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000
FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0
Call Trace:
<TASK>
comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011
do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_sys
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2c89e159cd2f386285e9522d6476dd7e801bee22 , < 407b25bb9284d69c27309e691ab1e02f9e1c46ac
(git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < f7fa1f4670c3c358a451546f0b80b9231952912d (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < e8110402b0c24d822b0b933d87d50870d59667ef (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72b3627b0d3b819de49b29c2c8cb1c64d54536b9 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 698149d797d0178162f394c55d4ed52aa0e0b7f6 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 888f7e2847bcb9df8257e656e1e837828942c53b (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72262330f7b3ad2130e800cecf02adcce3c32c77 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "407b25bb9284d69c27309e691ab1e02f9e1c46ac",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "f7fa1f4670c3c358a451546f0b80b9231952912d",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "e8110402b0c24d822b0b933d87d50870d59667ef",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72b3627b0d3b819de49b29c2c8cb1c64d54536b9",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "698149d797d0178162f394c55d4ed52aa0e0b7f6",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "888f7e2847bcb9df8257e656e1e837828942c53b",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72262330f7b3ad2130e800cecf02adcce3c32c77",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\n\nThe Comedi low-level driver \"c6xdigio\" seems to be for a parallel port\nconnected device. When the Comedi core calls the driver\u0027s Comedi\n\"attach\" handler `c6xdigio_attach()` to configure a Comedi to use this\ndriver, it tries to enable the parallel port PNP resources by\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\nreturn value. (The `struct pnp_driver` it uses has only the `name` and\n`id_table` members filled in.) The driver\u0027s Comedi \"detach\" handler\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\n`pnp_unregister_driver()`.\n\nIt is possible for `c6xdigio_attach()` to return an error before it\ncalls `pnp_register_driver()` and it is possible for the call to\n`pnp_register_driver()` to return an error (that is ignored). In both\ncases, the driver should not be calling `pnp_unregister_driver()` as it\ndoes in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\nthe Comedi core decides to detach the Comedi device from the driver for\nsome other reason.)\n\nThe unconditional call to `pnp_unregister_driver()` without a previous\nsuccessful call to `pnp_register_driver()` will cause\n`driver_unregister()` to issue a warning \"Unexpected driver\nunregister!\". This was detected by Syzbot [1].\n\nAlso, the PNP driver registration and unregistration should be done at\nmodule init and exit time, respectively, not when attaching or detaching\nComedi devices to the driver. (There might be more than one Comedi\ndevice being attached to the driver, although that is unlikely.)\n\nChange the driver to do the PNP driver registration at module init time,\nand the unregistration at module exit time. Since `c6xdigio_detach()`\nnow only calls `comedi_legacy_detach()`, remove the function and change\nthe Comedi driver \"detach\" handler to `comedi_legacy_detach`.\n\n-------------------------------------------\n[1] Syzbot sample crash report:\nUnexpected driver unregister!\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nModules linked in:\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 \u003c0f\u003e 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\nFS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_sys\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:08.512Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/407b25bb9284d69c27309e691ab1e02f9e1c46ac"
},
{
"url": "https://git.kernel.org/stable/c/f7fa1f4670c3c358a451546f0b80b9231952912d"
},
{
"url": "https://git.kernel.org/stable/c/e8110402b0c24d822b0b933d87d50870d59667ef"
},
{
"url": "https://git.kernel.org/stable/c/72b3627b0d3b819de49b29c2c8cb1c64d54536b9"
},
{
"url": "https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072"
},
{
"url": "https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6"
},
{
"url": "https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b"
},
{
"url": "https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77"
}
],
"title": "comedi: c6xdigio: Fix invalid PNP driver unregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68332",
"datePublished": "2025-12-22T16:14:10.146Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-05-11T21:51:08.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71068 (GCVE-0-2025-71068)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
svcrdma: bound check rq_pages index in inline path
Summary
In the Linux kernel, the following vulnerability has been resolved:
svcrdma: bound check rq_pages index in inline path
svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without
verifying rc_curpage stays within the allocated page array. Add guards
before the first use and after advancing to a new page.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9
(git)
Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < 7ba826aae1d43212f3baa53a2175ad949e21926e (git) Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < 5f140b525180c628db8fa6c897f138194a2de417 (git) Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < da1ccfc4c452541584a4eae89e337cfa21be6d5a (git) Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < d1bea0ce35b6095544ee82bb54156fc62c067e58 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:04.456580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:08.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "7ba826aae1d43212f3baa53a2175ad949e21926e",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "5f140b525180c628db8fa6c897f138194a2de417",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "da1ccfc4c452541584a4eae89e337cfa21be6d5a",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "d1bea0ce35b6095544ee82bb54156fc62c067e58",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: bound check rq_pages index in inline path\n\nsvc_rdma_copy_inline_range indexed rqstp-\u003erq_pages[rc_curpage] without\nverifying rc_curpage stays within the allocated page array. Add guards\nbefore the first use and after advancing to a new page."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:07.064Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9"
},
{
"url": "https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e"
},
{
"url": "https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417"
},
{
"url": "https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a"
},
{
"url": "https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58"
}
],
"title": "svcrdma: bound check rq_pages index in inline path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71068",
"datePublished": "2026-01-13T15:31:23.283Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-06-11T18:44:08.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…