Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0807
Vulnerability from certfr_avis - Published: 2026-06-26 - Updated: 2026-06-26
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | N/A | SUSE Linux Enterprise Micro for Rancher 5.3 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 15 SP5 | ||
| SUSE | N/A | Public Cloud Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.3 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Workstation Extension 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 | ||
| SUSE | N/A | Legacy Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro for Rancher 5.4 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Desktop 15 SP7 | ||
| SUSE | N/A | openSUSE Leap 15.4 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP7 | ||
| SUSE | N/A | openSUSE Leap 15.5 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP6 LTSS | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | N/A | openSUSE Leap 15.6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP4 | ||
| SUSE | N/A | Development Tools Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.4 | ||
| SUSE | N/A | Basesystem Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | N/A | SUSE Real Time Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.5 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Public Cloud Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Workstation Extension 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Legacy Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Desktop 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Development Tools Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Basesystem Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-43198",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43198"
},
{
"name": "CVE-2026-45842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45842"
},
{
"name": "CVE-2025-68324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68324"
},
{
"name": "CVE-2026-43366",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43366"
},
{
"name": "CVE-2026-43068",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43068"
},
{
"name": "CVE-2026-43414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43414"
},
{
"name": "CVE-2026-31493",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31493"
},
{
"name": "CVE-2026-43413",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43413"
},
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2026-45852",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45852"
},
{
"name": "CVE-2026-43483",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43483"
},
{
"name": "CVE-2026-31758",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31758"
},
{
"name": "CVE-2026-45856",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45856"
},
{
"name": "CVE-2026-43470",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43470"
},
{
"name": "CVE-2026-46227",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46227"
},
{
"name": "CVE-2026-43455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43455"
},
{
"name": "CVE-2026-23438",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23438"
},
{
"name": "CVE-2026-45910",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45910"
},
{
"name": "CVE-2026-31405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31405"
},
{
"name": "CVE-2026-43054",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43054"
},
{
"name": "CVE-2026-31698",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31698"
},
{
"name": "CVE-2026-31473",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31473"
},
{
"name": "CVE-2026-31448",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31448"
},
{
"name": "CVE-2026-23303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23303"
},
{
"name": "CVE-2026-31396",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31396"
},
{
"name": "CVE-2026-31613",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31613"
},
{
"name": "CVE-2026-46114",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46114"
},
{
"name": "CVE-2026-43411",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43411"
},
{
"name": "CVE-2026-43284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43284"
},
{
"name": "CVE-2026-43362",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43362"
},
{
"name": "CVE-2026-43052",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43052"
},
{
"name": "CVE-2026-31655",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31655"
},
{
"name": "CVE-2026-31614",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31614"
},
{
"name": "CVE-2026-46113",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46113"
},
{
"name": "CVE-2026-3150",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3150"
},
{
"name": "CVE-2026-46159",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46159"
},
{
"name": "CVE-2026-31546",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31546"
},
{
"name": "CVE-2026-46209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46209"
},
{
"name": "CVE-2026-31516",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31516"
},
{
"name": "CVE-2026-43023",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43023"
},
{
"name": "CVE-2026-43503",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43503"
},
{
"name": "CVE-2026-46024",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46024"
},
{
"name": "CVE-2026-43009",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43009"
},
{
"name": "CVE-2026-31591",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31591"
},
{
"name": "CVE-2026-46037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46037"
},
{
"name": "CVE-2026-46116",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46116"
},
{
"name": "CVE-2026-46083",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46083"
},
{
"name": "CVE-2026-43030",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43030"
},
{
"name": "CVE-2026-43074",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43074"
},
{
"name": "CVE-2026-31703",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31703"
},
{
"name": "CVE-2026-46176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46176"
},
{
"name": "CVE-2026-45846",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45846"
},
{
"name": "CVE-2026-43499",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43499"
},
{
"name": "CVE-2026-43150",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43150"
},
{
"name": "CVE-2026-31697",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31697"
},
{
"name": "CVE-2026-23359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23359"
},
{
"name": "CVE-2026-46323",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46323"
},
{
"name": "CVE-2026-46181",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46181"
},
{
"name": "CVE-2026-46043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46043"
},
{
"name": "CVE-2026-46120",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46120"
},
{
"name": "CVE-2026-46197",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46197"
},
{
"name": "CVE-2026-43249",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43249"
},
{
"name": "CVE-2026-43252",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43252"
},
{
"name": "CVE-2026-46243",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46243"
},
{
"name": "CVE-2026-31759",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31759"
},
{
"name": "CVE-2026-43360",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43360"
},
{
"name": "CVE-2026-45878",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45878"
},
{
"name": "CVE-2026-45932",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45932"
},
{
"name": "CVE-2025-10263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-10263"
},
{
"name": "CVE-2026-31671",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31671"
},
{
"name": "CVE-2026-31694",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31694"
},
{
"name": "CVE-2026-31699",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31699"
},
{
"name": "CVE-2026-43077",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43077"
},
{
"name": "CVE-2026-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43407"
},
{
"name": "CVE-2026-43026",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43026"
},
{
"name": "CVE-2026-31480",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31480"
},
{
"name": "CVE-2026-46150",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46150"
},
{
"name": "CVE-2026-46090",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46090"
},
{
"name": "CVE-2026-43361",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43361"
},
{
"name": "CVE-2026-43261",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43261"
},
{
"name": "CVE-2026-23444",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23444"
},
{
"name": "CVE-2026-45886",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45886"
},
{
"name": "CVE-2026-46110",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46110"
},
{
"name": "CVE-2026-43501",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43501"
},
{
"name": "CVE-2026-43059",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43059"
},
{
"name": "CVE-2026-46111",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46111"
},
{
"name": "CVE-2026-45984",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45984"
},
{
"name": "CVE-2026-31518",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31518"
},
{
"name": "CVE-2026-43296",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43296"
},
{
"name": "CVE-2026-23392",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23392"
},
{
"name": "CVE-2026-31771",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31771"
},
{
"name": "CVE-2026-31504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31504"
},
{
"name": "CVE-2026-43066",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43066"
},
{
"name": "CVE-2026-45970",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45970"
},
{
"name": "CVE-2026-31590",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31590"
},
{
"name": "CVE-2026-31767",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31767"
},
{
"name": "CVE-2025-38549",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38549"
},
{
"name": "CVE-2026-43040",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43040"
},
{
"name": "CVE-2026-23278",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23278"
},
{
"name": "CVE-2026-43206",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43206"
},
{
"name": "CVE-2026-43065",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43065"
},
{
"name": "CVE-2026-45843",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45843"
},
{
"name": "CVE-2026-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43406"
},
{
"name": "CVE-2026-46004",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46004"
},
{
"name": "CVE-2026-46094",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46094"
},
{
"name": "CVE-2026-43341",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43341"
},
{
"name": "CVE-2026-46079",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46079"
},
{
"name": "CVE-2026-45898",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45898"
},
{
"name": "CVE-2026-46021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46021"
},
{
"name": "CVE-2026-31596",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31596"
},
{
"name": "CVE-2026-46273",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46273"
},
{
"name": "CVE-2026-43109",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43109"
},
{
"name": "CVE-2026-31678",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31678"
},
{
"name": "CVE-2026-43338",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43338"
},
{
"name": "CVE-2026-43234",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43234"
},
{
"name": "CVE-2026-43359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43359"
},
{
"name": "CVE-2026-31455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31455"
},
{
"name": "CVE-2026-31774",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31774"
},
{
"name": "CVE-2026-23327",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23327"
},
{
"name": "CVE-2026-31446",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31446"
},
{
"name": "CVE-2026-31464",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31464"
},
{
"name": "CVE-2026-31500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31500"
},
{
"name": "CVE-2026-43333",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43333"
},
{
"name": "CVE-2026-45983",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45983"
},
{
"name": "CVE-2026-46123",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46123"
},
{
"name": "CVE-2026-46157",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46157"
},
{
"name": "CVE-2026-43325",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43325"
},
{
"name": "CVE-2026-43013",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43013"
},
{
"name": "CVE-2026-31454",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31454"
},
{
"name": "CVE-2026-31629",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31629"
},
{
"name": "CVE-2026-31673",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31673"
}
],
"initial_release_date": "2026-06-26T00:00:00",
"last_revision_date": "2026-06-26T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0807",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2026-06-24",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2607-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262607-1"
},
{
"published_at": "2026-06-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2482-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262482-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2567-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262567-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2549-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262549-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2594-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262594-1"
},
{
"published_at": "2026-06-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2494-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262494-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2520-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262520-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2588-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262588-1"
},
{
"published_at": "2026-06-24",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2610-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262610-1"
},
{
"published_at": "2026-06-24",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2608-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262608-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2603-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262603-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2592-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262592-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2511-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262511-1"
},
{
"published_at": "2026-06-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2503-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262503-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2591-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262591-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2571-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262571-1"
},
{
"published_at": "2026-06-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2496-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262496-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2559-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262559-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2553-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262553-1"
},
{
"published_at": "2026-06-25",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2632-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262632-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2518-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262518-1"
},
{
"published_at": "2026-06-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2500-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262500-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2532-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262532-1"
},
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2601-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262601-1"
},
{
"published_at": "2026-06-25",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2630-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262630-1"
},
{
"published_at": "2026-06-25",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2631-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262631-1"
}
]
}
CVE-2026-46083 (GCVE-0-2026-46083)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:58 – Updated: 2026-06-19 11:59
VLAI?
EPSS
Title
spi: fix resource leaks on device setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: fix resource leaks on device setup failure
Make sure to call controller cleanup() if spi_setup() fails while
registering a device to avoid leaking any resources allocated by
setup().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c7299fea67696db5bd09d924d1f1080d894f92ef , < e0401de43dac00f3e4841ca2aeb98bc10a4c5f13
(git)
Affected: c7299fea67696db5bd09d924d1f1080d894f92ef , < a2c817c629430fbbd54273525b472dac96e2c8fd (git) Affected: c7299fea67696db5bd09d924d1f1080d894f92ef , < 1e774294b2f944f59e03a04eb438768a4b93c3ce (git) Affected: c7299fea67696db5bd09d924d1f1080d894f92ef , < 11baa8b24bcb07ae2048f2566a220021d766abe0 (git) Affected: c7299fea67696db5bd09d924d1f1080d894f92ef , < dbcead54b12468d9aa54c0e1f0042d838ec3b0ae (git) Affected: c7299fea67696db5bd09d924d1f1080d894f92ef , < db357034f7e0cf23f233f414a8508312dfe8fbbe (git) Affected: 3e7c190475d98099231ee8ae486d31b1e2e7535a (git) Affected: 4b8b7bc3a726268e5c15d9bafe27863a85fdfc8e (git) Affected: e92ac9263b06c39f05526ad15c90d228cdab60fd (git) Affected: 5.4.126 , < 5.5 (semver) Affected: 5.10.44 , < 5.11 (semver) Affected: 5.12.11 , < 5.13 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e0401de43dac00f3e4841ca2aeb98bc10a4c5f13",
"status": "affected",
"version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
"versionType": "git"
},
{
"lessThan": "a2c817c629430fbbd54273525b472dac96e2c8fd",
"status": "affected",
"version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
"versionType": "git"
},
{
"lessThan": "1e774294b2f944f59e03a04eb438768a4b93c3ce",
"status": "affected",
"version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
"versionType": "git"
},
{
"lessThan": "11baa8b24bcb07ae2048f2566a220021d766abe0",
"status": "affected",
"version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
"versionType": "git"
},
{
"lessThan": "dbcead54b12468d9aa54c0e1f0042d838ec3b0ae",
"status": "affected",
"version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
"versionType": "git"
},
{
"lessThan": "db357034f7e0cf23f233f414a8508312dfe8fbbe",
"status": "affected",
"version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
"versionType": "git"
},
{
"status": "affected",
"version": "3e7c190475d98099231ee8ae486d31b1e2e7535a",
"versionType": "git"
},
{
"status": "affected",
"version": "4b8b7bc3a726268e5c15d9bafe27863a85fdfc8e",
"versionType": "git"
},
{
"status": "affected",
"version": "e92ac9263b06c39f05526ad15c90d228cdab60fd",
"versionType": "git"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.126",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.44",
"versionType": "semver"
},
{
"lessThan": "5.13",
"status": "affected",
"version": "5.12.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix resource leaks on device setup failure\n\nMake sure to call controller cleanup() if spi_setup() fails while\nregistering a device to avoid leaking any resources allocated by\nsetup()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:21.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e0401de43dac00f3e4841ca2aeb98bc10a4c5f13"
},
{
"url": "https://git.kernel.org/stable/c/a2c817c629430fbbd54273525b472dac96e2c8fd"
},
{
"url": "https://git.kernel.org/stable/c/1e774294b2f944f59e03a04eb438768a4b93c3ce"
},
{
"url": "https://git.kernel.org/stable/c/11baa8b24bcb07ae2048f2566a220021d766abe0"
},
{
"url": "https://git.kernel.org/stable/c/dbcead54b12468d9aa54c0e1f0042d838ec3b0ae"
},
{
"url": "https://git.kernel.org/stable/c/db357034f7e0cf23f233f414a8508312dfe8fbbe"
}
],
"title": "spi: fix resource leaks on device setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46083",
"datePublished": "2026-05-27T12:58:23.376Z",
"dateReserved": "2026-05-13T15:03:33.096Z",
"dateUpdated": "2026-06-19T11:59:21.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46094 (GCVE-0-2026-46094)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:58 – Updated: 2026-06-14 17:53
VLAI?
EPSS
Title
ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
The bounds check for the next xattr entry in check_xattrs() uses
(void *)next >= end, which allows next to point within sizeof(u32)
bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4
bytes via *(__u32 *)(entry), which can overrun the valid xattr region.
For example, if next lands at end - 1, the check passes since
next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1,
accessing 3 bytes beyond the valid region.
Fix this by changing the check to (void *)next + sizeof(u32) > end,
ensuring there is always enough space for the IS_LAST_ENTRY() read
on the subsequent iteration.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3478c83cf26bbffd026ae6a56bcb1fe544f0834e , < ab6da97bc310db35d4e4ef5354bc3ff626b0698c
(git)
Affected: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e , < 5a5314d2387633a272a04d1bd8727f99058e4e68 (git) Affected: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e , < 537e065977022aa22f2c2503e8accaf16622e0fd (git) Affected: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e , < 520986722dbf869c122252123fc161c7302eab7d (git) Affected: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e , < eceafc31ea7b42c984ece10d79d505c0bb6615d5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab6da97bc310db35d4e4ef5354bc3ff626b0698c",
"status": "affected",
"version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
"versionType": "git"
},
{
"lessThan": "5a5314d2387633a272a04d1bd8727f99058e4e68",
"status": "affected",
"version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
"versionType": "git"
},
{
"lessThan": "537e065977022aa22f2c2503e8accaf16622e0fd",
"status": "affected",
"version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
"versionType": "git"
},
{
"lessThan": "520986722dbf869c122252123fc161c7302eab7d",
"status": "affected",
"version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
"versionType": "git"
},
{
"lessThan": "eceafc31ea7b42c984ece10d79d505c0bb6615d5",
"status": "affected",
"version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bounds check in check_xattrs() to prevent out-of-bounds access\n\nThe bounds check for the next xattr entry in check_xattrs() uses\n(void *)next \u003e= end, which allows next to point within sizeof(u32)\nbytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4\nbytes via *(__u32 *)(entry), which can overrun the valid xattr region.\n\nFor example, if next lands at end - 1, the check passes since\nnext \u003c end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1,\naccessing 3 bytes beyond the valid region.\n\nFix this by changing the check to (void *)next + sizeof(u32) \u003e end,\nensuring there is always enough space for the IS_LAST_ENTRY() read\non the subsequent iteration."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:53:57.266Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab6da97bc310db35d4e4ef5354bc3ff626b0698c"
},
{
"url": "https://git.kernel.org/stable/c/5a5314d2387633a272a04d1bd8727f99058e4e68"
},
{
"url": "https://git.kernel.org/stable/c/537e065977022aa22f2c2503e8accaf16622e0fd"
},
{
"url": "https://git.kernel.org/stable/c/520986722dbf869c122252123fc161c7302eab7d"
},
{
"url": "https://git.kernel.org/stable/c/eceafc31ea7b42c984ece10d79d505c0bb6615d5"
}
],
"title": "ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46094",
"datePublished": "2026-05-27T12:58:45.304Z",
"dateReserved": "2026-05-13T15:03:33.097Z",
"dateUpdated": "2026-06-14T17:53:57.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31402 (GCVE-0-2026-31402)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-06-30 12:07
VLAI?
EPSS
Title
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.
We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.
Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
Severity ?
9.8 (Critical)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f9fcb4441f6c02bb20c2eb340101e27dfe23607c
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2665887a69437a8a4f552f69509eecfb73d4aa19 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c9452c0797c95cf2378170df96cf4f4b3bca7eff (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8afb437ea1f70cacb4bbdf11771fb5c4d720b965 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f0e2a54a31a7f9ad2915db99156114872317388 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae8498337dfdfda71bdd0b807c9a23a126011d76 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5133b61aaf437e5f25b1b396b14242a6bb0508e2 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_extras_rt_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s NFSv4.0 server (nfsd). A remote, unauthenticated attacker can exploit this heap overflow vulnerability in the NFSv4.0 LOCK replay cache. By using two cooperating NFSv4.0 clients, where one sets a lock with a large owner string and another requests a conflicting lock, the attacker can trigger a slab-out-of-bounds write. This corruption of adjacent heap memory could lead to arbitrary code execution or a denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:51.037Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-31402"
},
{
"name": "RHBZ#2454844",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454844"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31402.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14823"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14925"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14869"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:15883"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13566"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13936"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13734"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10108"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11313"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13565"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13577"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14165"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13664"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13681"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13578"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14137"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14301"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:14823: Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION), Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)"
},
{
"lang": "en",
"value": "RHSA-2026:14925: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:14869: Red Hat Enterprise Linux for Real Time (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:15883: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:13566: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:13936: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:13734: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:10108: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:11313: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:13565: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:13577: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:14165: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:13664: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:13681: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:13578: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:14137: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:14301: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9fcb4441f6c02bb20c2eb340101e27dfe23607c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2665887a69437a8a4f552f69509eecfb73d4aa19",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9452c0797c95cf2378170df96cf4f4b3bca7eff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8afb437ea1f70cacb4bbdf11771fb5c4d720b965",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f0e2a54a31a7f9ad2915db99156114872317388",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae8498337dfdfda71bdd0b807c9a23a126011d76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5133b61aaf437e5f25b1b396b14242a6bb0508e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:38.623Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9fcb4441f6c02bb20c2eb340101e27dfe23607c"
},
{
"url": "https://git.kernel.org/stable/c/2665887a69437a8a4f552f69509eecfb73d4aa19"
},
{
"url": "https://git.kernel.org/stable/c/c9452c0797c95cf2378170df96cf4f4b3bca7eff"
},
{
"url": "https://git.kernel.org/stable/c/8afb437ea1f70cacb4bbdf11771fb5c4d720b965"
},
{
"url": "https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0"
},
{
"url": "https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad2915db99156114872317388"
},
{
"url": "https://git.kernel.org/stable/c/ae8498337dfdfda71bdd0b807c9a23a126011d76"
},
{
"url": "https://git.kernel.org/stable/c/5133b61aaf437e5f25b1b396b14242a6bb0508e2"
}
],
"title": "nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31402",
"datePublished": "2026-04-03T15:16:05.724Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-06-30T12:07:51.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43206 (GCVE-0-2026-43206)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:20
VLAI?
EPSS
Title
drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8
bytes via memset without checking the buffer size parameter. This allows
unprivileged userspace to trigger an out-of bounds kernel memory write
by passing a small buffer, leading to potential privilege
escalation.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0fc8011f89feb8b2c3008583b777d097e1974660 , < 3e04bc310d80b46eaf481f1fefcbcb37a187412d
(git)
Affected: 0fc8011f89feb8b2c3008583b777d097e1974660 , < de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f (git) Affected: 0fc8011f89feb8b2c3008583b777d097e1974660 , < b4034442cb090e4a980bdcc1540948606cbc951b (git) Affected: 0fc8011f89feb8b2c3008583b777d097e1974660 , < 4857c37c7ba9aa38b9a4c694e8bd8d0091c87940 (git) Affected: 0fc8011f89feb8b2c3008583b777d097e1974660 , < 75fb57efdd7863fffbc39db23e9cad7aafda26ed (git) Affected: 0fc8011f89feb8b2c3008583b777d097e1974660 , < bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b (git) Affected: 0fc8011f89feb8b2c3008583b777d097e1974660 , < 4e72f419e4ed44cb3b60506752d8688c20a60a9b (git) Affected: 0fc8011f89feb8b2c3008583b777d097e1974660 , < 8a70a26c9f34baea6c3199a9862ddaff4554a96d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e04bc310d80b46eaf481f1fefcbcb37a187412d",
"status": "affected",
"version": "0fc8011f89feb8b2c3008583b777d097e1974660",
"versionType": "git"
},
{
"lessThan": "de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f",
"status": "affected",
"version": "0fc8011f89feb8b2c3008583b777d097e1974660",
"versionType": "git"
},
{
"lessThan": "b4034442cb090e4a980bdcc1540948606cbc951b",
"status": "affected",
"version": "0fc8011f89feb8b2c3008583b777d097e1974660",
"versionType": "git"
},
{
"lessThan": "4857c37c7ba9aa38b9a4c694e8bd8d0091c87940",
"status": "affected",
"version": "0fc8011f89feb8b2c3008583b777d097e1974660",
"versionType": "git"
},
{
"lessThan": "75fb57efdd7863fffbc39db23e9cad7aafda26ed",
"status": "affected",
"version": "0fc8011f89feb8b2c3008583b777d097e1974660",
"versionType": "git"
},
{
"lessThan": "bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b",
"status": "affected",
"version": "0fc8011f89feb8b2c3008583b777d097e1974660",
"versionType": "git"
},
{
"lessThan": "4e72f419e4ed44cb3b60506752d8688c20a60a9b",
"status": "affected",
"version": "0fc8011f89feb8b2c3008583b777d097e1974660",
"versionType": "git"
},
{
"lessThan": "8a70a26c9f34baea6c3199a9862ddaff4554a96d",
"status": "affected",
"version": "0fc8011f89feb8b2c3008583b777d097e1974660",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()\n\nThe kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8\nbytes via memset without checking the buffer size parameter. This allows\nunprivileged userspace to trigger an out-of bounds kernel memory write\nby passing a small buffer, leading to potential privilege\nescalation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:20:02.710Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e04bc310d80b46eaf481f1fefcbcb37a187412d"
},
{
"url": "https://git.kernel.org/stable/c/de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f"
},
{
"url": "https://git.kernel.org/stable/c/b4034442cb090e4a980bdcc1540948606cbc951b"
},
{
"url": "https://git.kernel.org/stable/c/4857c37c7ba9aa38b9a4c694e8bd8d0091c87940"
},
{
"url": "https://git.kernel.org/stable/c/75fb57efdd7863fffbc39db23e9cad7aafda26ed"
},
{
"url": "https://git.kernel.org/stable/c/bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b"
},
{
"url": "https://git.kernel.org/stable/c/4e72f419e4ed44cb3b60506752d8688c20a60a9b"
},
{
"url": "https://git.kernel.org/stable/c/8a70a26c9f34baea6c3199a9862ddaff4554a96d"
}
],
"title": "drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43206",
"datePublished": "2026-05-06T11:28:10.937Z",
"dateReserved": "2026-05-01T14:12:55.993Z",
"dateUpdated": "2026-05-11T22:20:02.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68324 (GCVE-0-2025-68324)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:02 – Updated: 2026-05-11 21:50
VLAI?
EPSS
Title
scsi: imm: Fix use-after-free bug caused by unfinished delayed work
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: imm: Fix use-after-free bug caused by unfinished delayed work
The delayed work item 'imm_tq' is initialized in imm_attach() and
scheduled via imm_queuecommand() for processing SCSI commands. When the
IMM parallel port SCSI host adapter is detached through imm_detach(),
the imm_struct device instance is deallocated.
However, the delayed work might still be pending or executing
when imm_detach() is called, leading to use-after-free bugs
when the work function imm_interrupt() accesses the already
freed imm_struct memory.
The race condition can occur as follows:
CPU 0(detach thread) | CPU 1
| imm_queuecommand()
| imm_queuecommand_lck()
imm_detach() | schedule_delayed_work()
kfree(dev) //FREE | imm_interrupt()
| dev = container_of(...) //USE
dev-> //USE
Add disable_delayed_work_sync() in imm_detach() to guarantee proper
cancellation of the delayed work item before imm_struct is deallocated.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 31ab2aad7a7b7501e904a09bf361e44671f66092
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 48dd41fa2d6c6a0c50e714deeba06ffe7f91961b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9e434426cc23ad5e2aad649327b59aea00294b13 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/imm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31ab2aad7a7b7501e904a09bf361e44671f66092",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "48dd41fa2d6c6a0c50e714deeba06ffe7f91961b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e434426cc23ad5e2aad649327b59aea00294b13",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/imm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: imm: Fix use-after-free bug caused by unfinished delayed work\n\nThe delayed work item \u0027imm_tq\u0027 is initialized in imm_attach() and\nscheduled via imm_queuecommand() for processing SCSI commands. When the\nIMM parallel port SCSI host adapter is detached through imm_detach(),\nthe imm_struct device instance is deallocated.\n\nHowever, the delayed work might still be pending or executing\nwhen imm_detach() is called, leading to use-after-free bugs\nwhen the work function imm_interrupt() accesses the already\nfreed imm_struct memory.\n\nThe race condition can occur as follows:\n\nCPU 0(detach thread) | CPU 1\n | imm_queuecommand()\n | imm_queuecommand_lck()\nimm_detach() | schedule_delayed_work()\n kfree(dev) //FREE | imm_interrupt()\n | dev = container_of(...) //USE\n dev-\u003e //USE\n\nAdd disable_delayed_work_sync() in imm_detach() to guarantee proper\ncancellation of the delayed work item before imm_struct is deallocated."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:50:58.312Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31ab2aad7a7b7501e904a09bf361e44671f66092"
},
{
"url": "https://git.kernel.org/stable/c/48dd41fa2d6c6a0c50e714deeba06ffe7f91961b"
},
{
"url": "https://git.kernel.org/stable/c/9e434426cc23ad5e2aad649327b59aea00294b13"
},
{
"url": "https://git.kernel.org/stable/c/ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c"
}
],
"title": "scsi: imm: Fix use-after-free bug caused by unfinished delayed work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68324",
"datePublished": "2025-12-18T15:02:49.230Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-05-11T21:50:58.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31590 (GCVE-0-2026-31590)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-06-14 17:42
VLAI?
EPSS
Title
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
Drop the WARN in sev_pin_memory() on npages overflowing an int, as the
WARN is comically trivially to trigger from userspace, e.g. by doing:
struct kvm_enc_region range = {
.addr = 0,
.size = -1ul,
};
__vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
Note, the checks in sev_mem_enc_register_region() that presumably exist to
verify the incoming address+size are completely worthless, as both "addr"
and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater
than ULONG_MAX. That wart will be cleaned up in the near future.
if (range->addr > ULONG_MAX || range->size > ULONG_MAX)
return -EINVAL;
Opportunistically add a comment to explain why the code calculates the
number of pages the "hard" way, e.g. instead of just shifting @ulen.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < 6a8e3c82122737529b25ef2a048fbcc569d8c055
(git)
Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < a703933bcfa5cc76ca10e2048464600e74136099 (git) Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < abcd43ff579abd0a654bb4636086e78819dd5f4c (git) Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < b670833749ffd8681361db2bb047c6f2e3075f3a (git) Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < ab423e5892826202a660b5ac85d1125b0e8301a5 (git) Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < 28cc13ca20431b127d42d84ba10898d03e2c8267 (git) Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < c29ff288a2d97a6f4640a498a367cf0eb91312eb (git) Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < 1cba4dcd795daf6d257122779fb6a349edf03914 (git) Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < 8acffeef5ef720c35e513e322ab08e32683f32f2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a8e3c82122737529b25ef2a048fbcc569d8c055",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "a703933bcfa5cc76ca10e2048464600e74136099",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "abcd43ff579abd0a654bb4636086e78819dd5f4c",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "b670833749ffd8681361db2bb047c6f2e3075f3a",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "ab423e5892826202a660b5ac85d1125b0e8301a5",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "28cc13ca20431b127d42d84ba10898d03e2c8267",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "c29ff288a2d97a6f4640a498a367cf0eb91312eb",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "1cba4dcd795daf6d257122779fb6a349edf03914",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "8acffeef5ef720c35e513e322ab08e32683f32f2",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION\n\nDrop the WARN in sev_pin_memory() on npages overflowing an int, as the\nWARN is comically trivially to trigger from userspace, e.g. by doing:\n\n struct kvm_enc_region range = {\n .addr = 0,\n .size = -1ul,\n };\n\n __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, \u0026range);\n\nNote, the checks in sev_mem_enc_register_region() that presumably exist to\nverify the incoming address+size are completely worthless, as both \"addr\"\nand \"size\" are u64s and SEV is 64-bit only, i.e. they _can\u0027t_ be greater\nthan ULONG_MAX. That wart will be cleaned up in the near future.\n\n\tif (range-\u003eaddr \u003e ULONG_MAX || range-\u003esize \u003e ULONG_MAX)\n\t\treturn -EINVAL;\n\nOpportunistically add a comment to explain why the code calculates the\nnumber of pages the \"hard\" way, e.g. instead of just shifting @ulen."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:42:30.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a8e3c82122737529b25ef2a048fbcc569d8c055"
},
{
"url": "https://git.kernel.org/stable/c/a703933bcfa5cc76ca10e2048464600e74136099"
},
{
"url": "https://git.kernel.org/stable/c/abcd43ff579abd0a654bb4636086e78819dd5f4c"
},
{
"url": "https://git.kernel.org/stable/c/b670833749ffd8681361db2bb047c6f2e3075f3a"
},
{
"url": "https://git.kernel.org/stable/c/ab423e5892826202a660b5ac85d1125b0e8301a5"
},
{
"url": "https://git.kernel.org/stable/c/28cc13ca20431b127d42d84ba10898d03e2c8267"
},
{
"url": "https://git.kernel.org/stable/c/c29ff288a2d97a6f4640a498a367cf0eb91312eb"
},
{
"url": "https://git.kernel.org/stable/c/1cba4dcd795daf6d257122779fb6a349edf03914"
},
{
"url": "https://git.kernel.org/stable/c/8acffeef5ef720c35e513e322ab08e32683f32f2"
}
],
"title": "KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31590",
"datePublished": "2026-04-24T14:42:17.629Z",
"dateReserved": "2026-03-09T15:48:24.120Z",
"dateUpdated": "2026-06-14T17:42:30.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45984 (GCVE-0-2026-45984)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:18 – Updated: 2026-07-01 12:05
VLAI?
EPSS
Title
gfs2: Fix use-after-free in iomap inline data write path
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix use-after-free in iomap inline data write path
The inline data buffer head (dibh) is being released prematurely in
gfs2_iomap_begin() via release_metapath() while iomap->inline_data
still points to dibh->b_data. This causes a use-after-free when
iomap_write_end_inline() later attempts to write to the inline data
area.
The bug sequence:
1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode
metadata into dibh
2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
3. Calls release_metapath() which calls brelse(dibh), dropping refcount
to 0
4. kswapd reclaims the page (~39ms later in the syzbot report)
5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data
6. KASAN detects use-after-free write to freed memory
Fix by storing dibh in iomap->private and incrementing its refcount
with get_bh() in gfs2_iomap_begin(). The buffer is then properly
released in gfs2_iomap_end() after the inline write completes,
ensuring the page stays alive for the entire iomap operation.
Note: A C reproducer is not available for this issue. The fix is based
on analysis of the KASAN report and code review showing the buffer head
is freed before use.
[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid
leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Severity ?
7.8 (High)
CWE
- CWE-826 - Premature Release of Resource During Expected Lifetime
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d0a22a4b03b8475b7aa3fa41243c26c291407844 , < 1403989d1b502f4a2c0d0b42ccf1c25748442eff
(git)
Affected: d0a22a4b03b8475b7aa3fa41243c26c291407844 , < 1cae1bafdf9caa9b462b19af06b1a06902e4e142 (git) Affected: d0a22a4b03b8475b7aa3fa41243c26c291407844 , < 764c3c84b5683e608f43735c803a5f415046686c (git) Affected: d0a22a4b03b8475b7aa3fa41243c26c291407844 , < d87268326b277af3665237ac76a73dd9fa8e21b4 (git) Affected: d0a22a4b03b8475b7aa3fa41243c26c291407844 , < 87d4954b5c59735a99ea98cb208d47130f6dce7d (git) Affected: d0a22a4b03b8475b7aa3fa41243c26c291407844 , < 6d76febba07c40bcf358f63216d36ea68cf1c215 (git) Affected: d0a22a4b03b8475b7aa3fa41243c26c291407844 , < 815ddd27c0c7171a99fe802fdb19098ddef8b19d (git) Affected: d0a22a4b03b8475b7aa3fa41243c26c291407844 , < faddeb848305e79db89ee0479bb0e33380656321 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux for NVIDIA 26",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unknown",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s GFS2 filesystem. This memory corruption vulnerability, a use-after-free, occurs in the iomap inline data write path. The issue arises because a data buffer is released prematurely while still being referenced, leading to a write to freed memory. This could allow a local attacker to cause system instability or a denial of service (DoS)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-826",
"description": "Premature Release of Resource During Expected Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T12:05:00.233Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-45984"
},
{
"name": "RHBZ#2481922",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481922"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45984.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33743"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27789: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:33743: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: gfs2: Fix use-after-free in iomap inline data write path",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/bmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1403989d1b502f4a2c0d0b42ccf1c25748442eff",
"status": "affected",
"version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
"versionType": "git"
},
{
"lessThan": "1cae1bafdf9caa9b462b19af06b1a06902e4e142",
"status": "affected",
"version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
"versionType": "git"
},
{
"lessThan": "764c3c84b5683e608f43735c803a5f415046686c",
"status": "affected",
"version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
"versionType": "git"
},
{
"lessThan": "d87268326b277af3665237ac76a73dd9fa8e21b4",
"status": "affected",
"version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
"versionType": "git"
},
{
"lessThan": "87d4954b5c59735a99ea98cb208d47130f6dce7d",
"status": "affected",
"version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
"versionType": "git"
},
{
"lessThan": "6d76febba07c40bcf358f63216d36ea68cf1c215",
"status": "affected",
"version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
"versionType": "git"
},
{
"lessThan": "815ddd27c0c7171a99fe802fdb19098ddef8b19d",
"status": "affected",
"version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
"versionType": "git"
},
{
"lessThan": "faddeb848305e79db89ee0479bb0e33380656321",
"status": "affected",
"version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/bmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix use-after-free in iomap inline data write path\n\nThe inline data buffer head (dibh) is being released prematurely in\ngfs2_iomap_begin() via release_metapath() while iomap-\u003einline_data\nstill points to dibh-\u003eb_data. This causes a use-after-free when\niomap_write_end_inline() later attempts to write to the inline data\narea.\n\nThe bug sequence:\n1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode\n metadata into dibh\n2. Sets iomap-\u003einline_data = dibh-\u003eb_data + sizeof(struct gfs2_dinode)\n3. Calls release_metapath() which calls brelse(dibh), dropping refcount\n to 0\n4. kswapd reclaims the page (~39ms later in the syzbot report)\n5. iomap_write_end_inline() tries to memcpy() to iomap-\u003einline_data\n6. KASAN detects use-after-free write to freed memory\n\nFix by storing dibh in iomap-\u003eprivate and incrementing its refcount\nwith get_bh() in gfs2_iomap_begin(). The buffer is then properly\nreleased in gfs2_iomap_end() after the inline write completes,\nensuring the page stays alive for the entire iomap operation.\n\nNote: A C reproducer is not available for this issue. The fix is based\non analysis of the KASAN report and code review showing the buffer head\nis freed before use.\n\n[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid\nleaks in gfs2_iomap_get() and gfs2_iomap_alloc().]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T10:46:25.407Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff"
},
{
"url": "https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142"
},
{
"url": "https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c"
},
{
"url": "https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4"
},
{
"url": "https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d"
},
{
"url": "https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215"
},
{
"url": "https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d"
},
{
"url": "https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321"
}
],
"title": "gfs2: Fix use-after-free in iomap inline data write path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45984",
"datePublished": "2026-05-27T12:18:42.964Z",
"dateReserved": "2026-05-13T15:03:33.090Z",
"dateUpdated": "2026-07-01T12:05:00.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43333 (GCVE-0-2026-43333)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
bpf: reject direct access to nullable PTR_TO_BUF pointers
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: reject direct access to nullable PTR_TO_BUF pointers
check_mem_access() matches PTR_TO_BUF via base_type() which strips
PTR_MAYBE_NULL, allowing direct dereference without a null check.
Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL.
On stop callbacks these are NULL, causing a kernel NULL dereference.
Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the
existing PTR_TO_BTF_ID pattern.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b453361384c2db1c703dacb806d5fd36aec4ceca , < 10bc4a4dcded509c5d5c67d497900c3922c604cd
(git)
Affected: 20b2aff4bc15bda809f994761d5719827d66c0b4 , < 21a10c06ffae24cb01fd174a7ab7736001d2ea56 (git) Affected: 20b2aff4bc15bda809f994761d5719827d66c0b4 , < 8755066f7bd0f4ac46a29d1708c7b20894539252 (git) Affected: 20b2aff4bc15bda809f994761d5719827d66c0b4 , < 70abd9d118da2f56beb4ec22e3a29becae373535 (git) Affected: 20b2aff4bc15bda809f994761d5719827d66c0b4 , < 63276547debc4d8a73eefb2c5273b2a905c961b0 (git) Affected: 20b2aff4bc15bda809f994761d5719827d66c0b4 , < 4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09 (git) Affected: 20b2aff4bc15bda809f994761d5719827d66c0b4 , < b0db1accbc7395657c2b79db59fa9fae0d6656f3 (git) Affected: e982070f8970bb62e69ed7c9cafff886ed200349 (git) Affected: 5.15.37 , < 5.15.203 (semver) Affected: 5.16.11 , < 5.17 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10bc4a4dcded509c5d5c67d497900c3922c604cd",
"status": "affected",
"version": "b453361384c2db1c703dacb806d5fd36aec4ceca",
"versionType": "git"
},
{
"lessThan": "21a10c06ffae24cb01fd174a7ab7736001d2ea56",
"status": "affected",
"version": "20b2aff4bc15bda809f994761d5719827d66c0b4",
"versionType": "git"
},
{
"lessThan": "8755066f7bd0f4ac46a29d1708c7b20894539252",
"status": "affected",
"version": "20b2aff4bc15bda809f994761d5719827d66c0b4",
"versionType": "git"
},
{
"lessThan": "70abd9d118da2f56beb4ec22e3a29becae373535",
"status": "affected",
"version": "20b2aff4bc15bda809f994761d5719827d66c0b4",
"versionType": "git"
},
{
"lessThan": "63276547debc4d8a73eefb2c5273b2a905c961b0",
"status": "affected",
"version": "20b2aff4bc15bda809f994761d5719827d66c0b4",
"versionType": "git"
},
{
"lessThan": "4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09",
"status": "affected",
"version": "20b2aff4bc15bda809f994761d5719827d66c0b4",
"versionType": "git"
},
{
"lessThan": "b0db1accbc7395657c2b79db59fa9fae0d6656f3",
"status": "affected",
"version": "20b2aff4bc15bda809f994761d5719827d66c0b4",
"versionType": "git"
},
{
"status": "affected",
"version": "e982070f8970bb62e69ed7c9cafff886ed200349",
"versionType": "git"
},
{
"lessThan": "5.15.203",
"status": "affected",
"version": "5.15.37",
"versionType": "semver"
},
{
"lessThan": "5.17",
"status": "affected",
"version": "5.16.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject direct access to nullable PTR_TO_BUF pointers\n\ncheck_mem_access() matches PTR_TO_BUF via base_type() which strips\nPTR_MAYBE_NULL, allowing direct dereference without a null check.\n\nMap iterator ctx-\u003ekey and ctx-\u003evalue are PTR_TO_BUF | PTR_MAYBE_NULL.\nOn stop callbacks these are NULL, causing a kernel NULL dereference.\n\nAdd a type_may_be_null() guard to the PTR_TO_BUF branch, matching the\nexisting PTR_TO_BTF_ID pattern."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:46.060Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10bc4a4dcded509c5d5c67d497900c3922c604cd"
},
{
"url": "https://git.kernel.org/stable/c/21a10c06ffae24cb01fd174a7ab7736001d2ea56"
},
{
"url": "https://git.kernel.org/stable/c/8755066f7bd0f4ac46a29d1708c7b20894539252"
},
{
"url": "https://git.kernel.org/stable/c/70abd9d118da2f56beb4ec22e3a29becae373535"
},
{
"url": "https://git.kernel.org/stable/c/63276547debc4d8a73eefb2c5273b2a905c961b0"
},
{
"url": "https://git.kernel.org/stable/c/4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09"
},
{
"url": "https://git.kernel.org/stable/c/b0db1accbc7395657c2b79db59fa9fae0d6656f3"
}
],
"title": "bpf: reject direct access to nullable PTR_TO_BUF pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43333",
"datePublished": "2026-05-08T13:31:20.107Z",
"dateReserved": "2026-05-01T14:12:56.002Z",
"dateUpdated": "2026-05-23T16:06:46.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31767 (GCVE-0-2026-31767)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-11 22:15
VLAI?
EPSS
Title
drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
Stop adjusting the horizontal timing values based on the
compression ratio in command mode. Bspec seems to be telling
us to do this only in video mode, and this is also how the
Windows driver does things.
This should also fix a div-by-zero on some machines because
the adjusted htotal ends up being so small that we end up with
line_time_us==0 when trying to determine the vtotal value in
command mode.
Note that this doesn't actually make the display on the
Huawei Matebook E work, but at least the kernel no longer
explodes when the driver loads.
(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
53693f02d80e0a909e76c2a25f8aac8515f959db , < 55efe8402f46af8399c8b634a18b130a05fd7820
(git)
Affected: 53693f02d80e0a909e76c2a25f8aac8515f959db , < 86e926b108880c0109b8635e459450447156aeb7 (git) Affected: 53693f02d80e0a909e76c2a25f8aac8515f959db , < 33b5336e4fd8ba0e40a12989cadb3f5534a0f9e4 (git) Affected: 53693f02d80e0a909e76c2a25f8aac8515f959db , < 4dfce79e098915d8e5fc2b9e1d980bc3251dd32c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/icl_dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "55efe8402f46af8399c8b634a18b130a05fd7820",
"status": "affected",
"version": "53693f02d80e0a909e76c2a25f8aac8515f959db",
"versionType": "git"
},
{
"lessThan": "86e926b108880c0109b8635e459450447156aeb7",
"status": "affected",
"version": "53693f02d80e0a909e76c2a25f8aac8515f959db",
"versionType": "git"
},
{
"lessThan": "33b5336e4fd8ba0e40a12989cadb3f5534a0f9e4",
"status": "affected",
"version": "53693f02d80e0a909e76c2a25f8aac8515f959db",
"versionType": "git"
},
{
"lessThan": "4dfce79e098915d8e5fc2b9e1d980bc3251dd32c",
"status": "affected",
"version": "53693f02d80e0a909e76c2a25f8aac8515f959db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/icl_dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dsi: Don\u0027t do DSC horizontal timing adjustments in command mode\n\nStop adjusting the horizontal timing values based on the\ncompression ratio in command mode. Bspec seems to be telling\nus to do this only in video mode, and this is also how the\nWindows driver does things.\n\nThis should also fix a div-by-zero on some machines because\nthe adjusted htotal ends up being so small that we end up with\nline_time_us==0 when trying to determine the vtotal value in\ncommand mode.\n\nNote that this doesn\u0027t actually make the display on the\nHuawei Matebook E work, but at least the kernel no longer\nexplodes when the driver loads.\n\n(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:15:25.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/55efe8402f46af8399c8b634a18b130a05fd7820"
},
{
"url": "https://git.kernel.org/stable/c/86e926b108880c0109b8635e459450447156aeb7"
},
{
"url": "https://git.kernel.org/stable/c/33b5336e4fd8ba0e40a12989cadb3f5534a0f9e4"
},
{
"url": "https://git.kernel.org/stable/c/4dfce79e098915d8e5fc2b9e1d980bc3251dd32c"
}
],
"title": "drm/i915/dsi: Don\u0027t do DSC horizontal timing adjustments in command mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31767",
"datePublished": "2026-05-01T14:14:57.287Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-11T22:15:25.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43026 (GCVE-0-2026-43026)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16
VLAI?
EPSS
Title
netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
ctnetlink_alloc_expect() allocates expectations from a non-zeroing
slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not
present in the netlink message, saved_addr and saved_proto are
never initialized. Stale data from a previous slab occupant can
then be dumped to userspace by ctnetlink_exp_dump_expect(), which
checks these fields to decide whether to emit CTA_EXPECT_NAT.
The safe sibling nf_ct_expect_init(), used by the packet path,
explicitly zeroes these fields.
Zero saved_addr, saved_proto and dir in the else branch, guarded
by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when
NAT is enabled.
Confirmed by priming the expect slab with NAT-bearing expectations,
freeing them, creating a new expectation without CTA_EXPECT_NAT,
and observing that the ctnetlink dump emits a spurious
CTA_EXPECT_NAT containing stale data from the prior allocation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
076a0ca02644657b13e4af363f487ced2942e9cb , < a5a89db6981a1ddf2314bf50cb49db5a3146185f
(git)
Affected: 076a0ca02644657b13e4af363f487ced2942e9cb , < 1c2ebdeff8d088a2e47ae25d7b38447249adace2 (git) Affected: 076a0ca02644657b13e4af363f487ced2942e9cb , < a64b7bf84b4d5ea54218c5d374ec87fff9000f43 (git) Affected: 076a0ca02644657b13e4af363f487ced2942e9cb , < 2898080c054ea4d6ddfaaf21bbedbc229a9a8376 (git) Affected: 076a0ca02644657b13e4af363f487ced2942e9cb , < fd002ff2ea030cbfb0188a11b3c60ce7f84485f4 (git) Affected: 076a0ca02644657b13e4af363f487ced2942e9cb , < 929f7a9a7aad9404a5867216c3f8738232355b38 (git) Affected: 076a0ca02644657b13e4af363f487ced2942e9cb , < bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36 (git) Affected: 076a0ca02644657b13e4af363f487ced2942e9cb , < 35177c6877134a21315f37d57a5577846225623e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5a89db6981a1ddf2314bf50cb49db5a3146185f",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "1c2ebdeff8d088a2e47ae25d7b38447249adace2",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "a64b7bf84b4d5ea54218c5d374ec87fff9000f43",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "2898080c054ea4d6ddfaaf21bbedbc229a9a8376",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "fd002ff2ea030cbfb0188a11b3c60ce7f84485f4",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "929f7a9a7aad9404a5867216c3f8738232355b38",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "35177c6877134a21315f37d57a5577846225623e",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent\n\nctnetlink_alloc_expect() allocates expectations from a non-zeroing\nslab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not\npresent in the netlink message, saved_addr and saved_proto are\nnever initialized. Stale data from a previous slab occupant can\nthen be dumped to userspace by ctnetlink_exp_dump_expect(), which\nchecks these fields to decide whether to emit CTA_EXPECT_NAT.\n\nThe safe sibling nf_ct_expect_init(), used by the packet path,\nexplicitly zeroes these fields.\n\nZero saved_addr, saved_proto and dir in the else branch, guarded\nby IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when\nNAT is enabled.\n\nConfirmed by priming the expect slab with NAT-bearing expectations,\nfreeing them, creating a new expectation without CTA_EXPECT_NAT,\nand observing that the ctnetlink dump emits a spurious\nCTA_EXPECT_NAT containing stale data from the prior allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:16.846Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5a89db6981a1ddf2314bf50cb49db5a3146185f"
},
{
"url": "https://git.kernel.org/stable/c/1c2ebdeff8d088a2e47ae25d7b38447249adace2"
},
{
"url": "https://git.kernel.org/stable/c/a64b7bf84b4d5ea54218c5d374ec87fff9000f43"
},
{
"url": "https://git.kernel.org/stable/c/2898080c054ea4d6ddfaaf21bbedbc229a9a8376"
},
{
"url": "https://git.kernel.org/stable/c/fd002ff2ea030cbfb0188a11b3c60ce7f84485f4"
},
{
"url": "https://git.kernel.org/stable/c/929f7a9a7aad9404a5867216c3f8738232355b38"
},
{
"url": "https://git.kernel.org/stable/c/bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36"
},
{
"url": "https://git.kernel.org/stable/c/35177c6877134a21315f37d57a5577846225623e"
}
],
"title": "netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43026",
"datePublished": "2026-05-01T14:15:27.854Z",
"dateReserved": "2026-05-01T14:12:55.976Z",
"dateUpdated": "2026-05-11T22:16:16.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38549 (GCVE-0-2025-38549)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:34 – Updated: 2026-05-11 21:30
VLAI?
EPSS
Title
efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths
When processing mount options, efivarfs allocates efivarfs_fs_info (sfi)
early in fs_context initialization. However, sfi is associated with the
superblock and typically freed when the superblock is destroyed. If the
fs_context is released (final put) before fill_super is called—such as
on error paths or during reconfiguration—the sfi structure would leak,
as ownership never transfers to the superblock.
Implement the .free callback in efivarfs_context_ops to ensure any
allocated sfi is properly freed if the fs_context is torn down before
fill_super, preventing this memory leak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5329aa5101f73c451bcd48deaf3f296685849d9c , < 816d36973467d1c9c08a48bdffe4675e219a2e84
(git)
Affected: 5329aa5101f73c451bcd48deaf3f296685849d9c , < e9fabe7036bb8be6071f39dc38605508f5f57b20 (git) Affected: 5329aa5101f73c451bcd48deaf3f296685849d9c , < 64e135f1eaba0bbb0cdee859af3328c68d5b9789 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "816d36973467d1c9c08a48bdffe4675e219a2e84",
"status": "affected",
"version": "5329aa5101f73c451bcd48deaf3f296685849d9c",
"versionType": "git"
},
{
"lessThan": "e9fabe7036bb8be6071f39dc38605508f5f57b20",
"status": "affected",
"version": "5329aa5101f73c451bcd48deaf3f296685849d9c",
"versionType": "git"
},
{
"lessThan": "64e135f1eaba0bbb0cdee859af3328c68d5b9789",
"status": "affected",
"version": "5329aa5101f73c451bcd48deaf3f296685849d9c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths\n\nWhen processing mount options, efivarfs allocates efivarfs_fs_info (sfi)\nearly in fs_context initialization. However, sfi is associated with the\nsuperblock and typically freed when the superblock is destroyed. If the\nfs_context is released (final put) before fill_super is called\u2014such as\non error paths or during reconfiguration\u2014the sfi structure would leak,\nas ownership never transfers to the superblock.\n\nImplement the .free callback in efivarfs_context_ops to ensure any\nallocated sfi is properly freed if the fs_context is torn down before\nfill_super, preventing this memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:30:14.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/816d36973467d1c9c08a48bdffe4675e219a2e84"
},
{
"url": "https://git.kernel.org/stable/c/e9fabe7036bb8be6071f39dc38605508f5f57b20"
},
{
"url": "https://git.kernel.org/stable/c/64e135f1eaba0bbb0cdee859af3328c68d5b9789"
}
],
"title": "efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38549",
"datePublished": "2025-08-16T11:34:17.699Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2026-05-11T21:30:14.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43150 (GCVE-0-2026-43150)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
perf/arm-cmn: Reject unsupported hardware configurations
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/arm-cmn: Reject unsupported hardware configurations
So far we've been fairly lax about accepting both unknown CMN models
(at least with a warning), and unknown revisions of those which we
do know, as although things do frequently change between releases,
typically enough remains the same to be somewhat useful for at least
some basic bringup checks. However, we also make assumptions of the
maximum supported sizes and numbers of things in various places, and
there's no guarantee that something new might not be bigger and lead
to nasty array overflows. Make sure we only try to run on things that
actually match our assumptions and so will not risk memory corruption.
We have at least always failed on completely unknown node types, so
update that error message for clarity and consistency too.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
28fa550a49e818d6445e787f584759b1bf21d9d4 , < 7e2c200010aa93fa78201da959b4ac6b9f8fed0b
(git)
Affected: 7819e05a0dceac20c5ff78ec9b252faf3b76b824 , < d3e837e11ee9ed08df229272319199003ba00379 (git) Affected: 7819e05a0dceac20c5ff78ec9b252faf3b76b824 , < 00d69f21ef2ab00e6156c764d89e2b3539eb2f33 (git) Affected: 7819e05a0dceac20c5ff78ec9b252faf3b76b824 , < 08c7eadd8a934a1968e1aeeee8b61b853b99fb3a (git) Affected: 7819e05a0dceac20c5ff78ec9b252faf3b76b824 , < a251d866f50b6a4c95901fa722025065679c2eca (git) Affected: 7819e05a0dceac20c5ff78ec9b252faf3b76b824 , < 36c0de02575ce59dfd879eb4ef63d53a68bbf9ce (git) Affected: 6.1.63 , < 6.1.165 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm-cmn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e2c200010aa93fa78201da959b4ac6b9f8fed0b",
"status": "affected",
"version": "28fa550a49e818d6445e787f584759b1bf21d9d4",
"versionType": "git"
},
{
"lessThan": "d3e837e11ee9ed08df229272319199003ba00379",
"status": "affected",
"version": "7819e05a0dceac20c5ff78ec9b252faf3b76b824",
"versionType": "git"
},
{
"lessThan": "00d69f21ef2ab00e6156c764d89e2b3539eb2f33",
"status": "affected",
"version": "7819e05a0dceac20c5ff78ec9b252faf3b76b824",
"versionType": "git"
},
{
"lessThan": "08c7eadd8a934a1968e1aeeee8b61b853b99fb3a",
"status": "affected",
"version": "7819e05a0dceac20c5ff78ec9b252faf3b76b824",
"versionType": "git"
},
{
"lessThan": "a251d866f50b6a4c95901fa722025065679c2eca",
"status": "affected",
"version": "7819e05a0dceac20c5ff78ec9b252faf3b76b824",
"versionType": "git"
},
{
"lessThan": "36c0de02575ce59dfd879eb4ef63d53a68bbf9ce",
"status": "affected",
"version": "7819e05a0dceac20c5ff78ec9b252faf3b76b824",
"versionType": "git"
},
{
"lessThan": "6.1.165",
"status": "affected",
"version": "6.1.63",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm-cmn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/arm-cmn: Reject unsupported hardware configurations\n\nSo far we\u0027ve been fairly lax about accepting both unknown CMN models\n(at least with a warning), and unknown revisions of those which we\ndo know, as although things do frequently change between releases,\ntypically enough remains the same to be somewhat useful for at least\nsome basic bringup checks. However, we also make assumptions of the\nmaximum supported sizes and numbers of things in various places, and\nthere\u0027s no guarantee that something new might not be bigger and lead\nto nasty array overflows. Make sure we only try to run on things that\nactually match our assumptions and so will not risk memory corruption.\n\nWe have at least always failed on completely unknown node types, so\nupdate that error message for clarity and consistency too."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:25.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e2c200010aa93fa78201da959b4ac6b9f8fed0b"
},
{
"url": "https://git.kernel.org/stable/c/d3e837e11ee9ed08df229272319199003ba00379"
},
{
"url": "https://git.kernel.org/stable/c/00d69f21ef2ab00e6156c764d89e2b3539eb2f33"
},
{
"url": "https://git.kernel.org/stable/c/08c7eadd8a934a1968e1aeeee8b61b853b99fb3a"
},
{
"url": "https://git.kernel.org/stable/c/a251d866f50b6a4c95901fa722025065679c2eca"
},
{
"url": "https://git.kernel.org/stable/c/36c0de02575ce59dfd879eb4ef63d53a68bbf9ce"
}
],
"title": "perf/arm-cmn: Reject unsupported hardware configurations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43150",
"datePublished": "2026-05-06T11:27:32.359Z",
"dateReserved": "2026-05-01T14:12:55.989Z",
"dateUpdated": "2026-05-23T16:06:25.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31697 (GCVE-0-2026-31697)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:55 – Updated: 2026-06-14 17:43
VLAI?
EPSS
Title
crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
When retrieving the ID for the CPU, don't attempt to copy the ID blob to
userspace if the firmware command failed. If the failure was due to an
invalid length, i.e. the userspace buffer+length was too small, copying
the number of bytes _firmware_ requires will overflow the kernel-allocated
buffer and leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388
CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firwmware error.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 99bae2e3c3f9ba8f854c938ed2c811b6a63b28e4
(git)
Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < a21ae9f8769e5f75433bb0a85ac3868b2100ef5b (git) Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 0f1f2f9894893dc8a28af1b9e9dbc0abf453eb52 (git) Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 09427bcb1715fb20a80b6acd5156dbf15ab5c363 (git) Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 1fbac0429a42adec830491757a2b53956dd797ea (git) Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e (git) Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 06f06d88c05ce176c61fff8c72c372847b0dd2b5 (git) Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 4f685dbfa87c546e51d9dc6cab379d20f275e114 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99bae2e3c3f9ba8f854c938ed2c811b6a63b28e4",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "a21ae9f8769e5f75433bb0a85ac3868b2100ef5b",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "0f1f2f9894893dc8a28af1b9e9dbc0abf453eb52",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "09427bcb1715fb20a80b6acd5156dbf15ab5c363",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "1fbac0429a42adec830491757a2b53956dd797ea",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "06f06d88c05ce176c61fff8c72c372847b0dd2b5",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "4f685dbfa87c546e51d9dc6cab379d20f275e114",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don\u0027t attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don\u0027t attempt to copy the ID blob to\nuserspace if the firmware command failed. If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:43:30.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99bae2e3c3f9ba8f854c938ed2c811b6a63b28e4"
},
{
"url": "https://git.kernel.org/stable/c/a21ae9f8769e5f75433bb0a85ac3868b2100ef5b"
},
{
"url": "https://git.kernel.org/stable/c/0f1f2f9894893dc8a28af1b9e9dbc0abf453eb52"
},
{
"url": "https://git.kernel.org/stable/c/09427bcb1715fb20a80b6acd5156dbf15ab5c363"
},
{
"url": "https://git.kernel.org/stable/c/1fbac0429a42adec830491757a2b53956dd797ea"
},
{
"url": "https://git.kernel.org/stable/c/2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e"
},
{
"url": "https://git.kernel.org/stable/c/06f06d88c05ce176c61fff8c72c372847b0dd2b5"
},
{
"url": "https://git.kernel.org/stable/c/4f685dbfa87c546e51d9dc6cab379d20f275e114"
}
],
"title": "crypto: ccp: Don\u0027t attempt to copy ID to userspace if PSP command failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31697",
"datePublished": "2026-05-01T13:55:58.184Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-06-14T17:43:30.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43077 (GCVE-0-2026-43077)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-05-11 22:17
VLAI?
EPSS
Title
crypto: algif_aead - Fix minimum RX size check for decryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Fix minimum RX size check for decryption
The check for the minimum receive buffer size did not take the
tag size into account during decryption. Fix this by adding the
required extra length.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 74a66fdb5282d89e348b00c42cfca3a936946d94
(git)
Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < fd427dd84f224309afbcc2cb67c7bb770a01265c (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 1c76b5675119f694458293a2a81f40731c69bd32 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < e86ab1e5661386a874fbb8551f0c04b8e9f8ad22 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < af2fa2fbbced26129813274b8b3f7705f280e174 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 78cea133daf721698876e56135049a96d39d610a (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 3afdc15d6173614d7d834517d9b65e7aa5a08548 (git) Affected: d887c52d6ae43aeebd249b5f2f1333e60236aa60 , < 3d14bd48e3a77091cbce637a12c2ae31b4a1687c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/algif_aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74a66fdb5282d89e348b00c42cfca3a936946d94",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "fd427dd84f224309afbcc2cb67c7bb770a01265c",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "1c76b5675119f694458293a2a81f40731c69bd32",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "e86ab1e5661386a874fbb8551f0c04b8e9f8ad22",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "af2fa2fbbced26129813274b8b3f7705f280e174",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "78cea133daf721698876e56135049a96d39d610a",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "3afdc15d6173614d7d834517d9b65e7aa5a08548",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
},
{
"lessThan": "3d14bd48e3a77091cbce637a12c2ae31b4a1687c",
"status": "affected",
"version": "d887c52d6ae43aeebd249b5f2f1333e60236aa60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/algif_aead.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Fix minimum RX size check for decryption\n\nThe check for the minimum receive buffer size did not take the\ntag size into account during decryption. Fix this by adding the\nrequired extra length."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:17:16.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74a66fdb5282d89e348b00c42cfca3a936946d94"
},
{
"url": "https://git.kernel.org/stable/c/fd427dd84f224309afbcc2cb67c7bb770a01265c"
},
{
"url": "https://git.kernel.org/stable/c/1c76b5675119f694458293a2a81f40731c69bd32"
},
{
"url": "https://git.kernel.org/stable/c/e86ab1e5661386a874fbb8551f0c04b8e9f8ad22"
},
{
"url": "https://git.kernel.org/stable/c/af2fa2fbbced26129813274b8b3f7705f280e174"
},
{
"url": "https://git.kernel.org/stable/c/78cea133daf721698876e56135049a96d39d610a"
},
{
"url": "https://git.kernel.org/stable/c/3afdc15d6173614d7d834517d9b65e7aa5a08548"
},
{
"url": "https://git.kernel.org/stable/c/3d14bd48e3a77091cbce637a12c2ae31b4a1687c"
}
],
"title": "crypto: algif_aead - Fix minimum RX size check for decryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43077",
"datePublished": "2026-05-06T07:40:14.409Z",
"dateReserved": "2026-05-01T14:12:55.983Z",
"dateUpdated": "2026-05-11T22:17:16.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45846 (GCVE-0-2026-45846)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI?
EPSS
Title
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
<TASK>
bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 31e010a106ff6cd8ccac4bfee547fd3fa1015574
(git)
Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 55193df8d6d33318435f19572bf5ea47a22eee28 (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 51eef9c072aa3405a6823a96ae666d38a3b48750 (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < a0f4e4e8e0f5e24ddd83e3d1221732621cf34636 (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 35a115a204be08f97450b0389413e218268ef4a2 (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 74a02921c48fcd35a7881956c9e5c52b86595f5d (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 638905520fc4fae6a80991563f264131545ba3df (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < aa6c6d9ee064aabfede4402fd1283424e649ca19 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bareudp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31e010a106ff6cd8ccac4bfee547fd3fa1015574",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "55193df8d6d33318435f19572bf5ea47a22eee28",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "51eef9c072aa3405a6823a96ae666d38a3b48750",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "a0f4e4e8e0f5e24ddd83e3d1221732621cf34636",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "35a115a204be08f97450b0389413e218268ef4a2",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "74a02921c48fcd35a7881956c9e5c52b86595f5d",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "638905520fc4fae6a80991563f264131545ba3df",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "aa6c6d9ee064aabfede4402fd1283424e649ca19",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bareudp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()\n\nbareudp_fill_metadata_dst() passes bareudp-\u003esock to\nudp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.\nThe socket is only created in bareudp_open() and NULLed in\nbareudp_stop(), so calling this function while the device is down\ntriggers a NULL dereference via sock-\u003esk.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)\n Call Trace:\n \u003cTASK\u003e\n bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)\n do_execute_actions (net/openvswitch/actions.c:901)\n ovs_execute_actions (net/openvswitch/actions.c:1589)\n ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)\n genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)\n genl_rcv_msg (net/netlink/genetlink.c:1209)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n \u003c/TASK\u003e\n\nAdd a NULL check returning -ESHUTDOWN, consistent with the xmit paths\nin the same driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:30.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31e010a106ff6cd8ccac4bfee547fd3fa1015574"
},
{
"url": "https://git.kernel.org/stable/c/55193df8d6d33318435f19572bf5ea47a22eee28"
},
{
"url": "https://git.kernel.org/stable/c/51eef9c072aa3405a6823a96ae666d38a3b48750"
},
{
"url": "https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636"
},
{
"url": "https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2"
},
{
"url": "https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d"
},
{
"url": "https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df"
},
{
"url": "https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19"
}
],
"title": "bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45846",
"datePublished": "2026-05-27T09:24:52.122Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:30.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43109 (GCVE-0-2026-43109)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-05-17 15:21
VLAI?
EPSS
Title
x86: shadow stacks: proper error handling for mmap lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86: shadow stacks: proper error handling for mmap lock
김영민 reports that shstk_pop_sigframe() doesn't check for errors from
mmap_read_lock_killable(), which is a silly oversight, and also shows
that we haven't marked those functions with "__must_check", which would
have immediately caught it.
So let's fix both issues.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7fad2a432cd35bbf104d2d9d426e74902f22aa95 , < c79cf42321600e931933e11f94aba8b245d4cd66
(git)
Affected: 7fad2a432cd35bbf104d2d9d426e74902f22aa95 , < 1a30468eff661937d978495644d2e5ebfeef5ce6 (git) Affected: 7fad2a432cd35bbf104d2d9d426e74902f22aa95 , < c64cebcc5c4f223dbcbe7dcdf74908fc092a0aa4 (git) Affected: 7fad2a432cd35bbf104d2d9d426e74902f22aa95 , < 262b6d38a81d51b135db81e1f30c13d30e38feee (git) Affected: 7fad2a432cd35bbf104d2d9d426e74902f22aa95 , < 52f657e34d7b21b47434d9d8b26fa7f6778b63a0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/shstk.c",
"include/linux/mmap_lock.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c79cf42321600e931933e11f94aba8b245d4cd66",
"status": "affected",
"version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
"versionType": "git"
},
{
"lessThan": "1a30468eff661937d978495644d2e5ebfeef5ce6",
"status": "affected",
"version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
"versionType": "git"
},
{
"lessThan": "c64cebcc5c4f223dbcbe7dcdf74908fc092a0aa4",
"status": "affected",
"version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
"versionType": "git"
},
{
"lessThan": "262b6d38a81d51b135db81e1f30c13d30e38feee",
"status": "affected",
"version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
"versionType": "git"
},
{
"lessThan": "52f657e34d7b21b47434d9d8b26fa7f6778b63a0",
"status": "affected",
"version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/shstk.c",
"include/linux/mmap_lock.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: shadow stacks: proper error handling for mmap lock\n\n\uae40\uc601\ubbfc reports that shstk_pop_sigframe() doesn\u0027t check for errors from\nmmap_read_lock_killable(), which is a silly oversight, and also shows\nthat we haven\u0027t marked those functions with \"__must_check\", which would\nhave immediately caught it.\n\nSo let\u0027s fix both issues."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-17T15:21:37.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c79cf42321600e931933e11f94aba8b245d4cd66"
},
{
"url": "https://git.kernel.org/stable/c/1a30468eff661937d978495644d2e5ebfeef5ce6"
},
{
"url": "https://git.kernel.org/stable/c/c64cebcc5c4f223dbcbe7dcdf74908fc092a0aa4"
},
{
"url": "https://git.kernel.org/stable/c/262b6d38a81d51b135db81e1f30c13d30e38feee"
},
{
"url": "https://git.kernel.org/stable/c/52f657e34d7b21b47434d9d8b26fa7f6778b63a0"
}
],
"title": "x86: shadow stacks: proper error handling for mmap lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43109",
"datePublished": "2026-05-06T07:40:36.532Z",
"dateReserved": "2026-05-01T14:12:55.986Z",
"dateUpdated": "2026-05-17T15:21:37.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31673 (GCVE-0-2026-31673)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-06-01 16:13
VLAI?
EPSS
Title
af_unix: read UNIX_DIAG_VFS data under unix_state_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: read UNIX_DIAG_VFS data under unix_state_lock
Exact UNIX diag lookups hold a reference to the socket, but not to
u->path. Meanwhile, unix_release_sock() clears u->path under
unix_state_lock() and drops the path reference after unlocking.
Read the inode and device numbers for UNIX_DIAG_VFS while holding
unix_state_lock(), then emit the netlink attribute after dropping the
lock.
This keeps the VFS data stable while the reply is being built.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5f7b0569460b7d8d01ca776430a00505a68b7584 , < e7339db13b9ddb63417b12da55fd6191e59f7442
(git)
Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < 4f6a8f10182c3a9d22e8eb183957ae7ade9e4bf7 (git) Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < c3ec44ab4526bbc4b6c9fc845af86488244f4c9b (git) Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < b9232421a77a649c9376c99fdfc8cb7f79cad34c (git) Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < 0c739f3785f84af695952c2bac8be2f45082c9b8 (git) Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < 900a4e0910e98b8caef117d5df00471fa438dcf9 (git) Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < bdf206e740bf2919d818f132c8c9cc7ed91d11c0 (git) Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < 39897df386376912d561d4946499379effa1e7ef (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7339db13b9ddb63417b12da55fd6191e59f7442",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "4f6a8f10182c3a9d22e8eb183957ae7ade9e4bf7",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "c3ec44ab4526bbc4b6c9fc845af86488244f4c9b",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "b9232421a77a649c9376c99fdfc8cb7f79cad34c",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "0c739f3785f84af695952c2bac8be2f45082c9b8",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "900a4e0910e98b8caef117d5df00471fa438dcf9",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "bdf206e740bf2919d818f132c8c9cc7ed91d11c0",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "39897df386376912d561d4946499379effa1e7ef",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu-\u003epath. Meanwhile, unix_release_sock() clears u-\u003epath under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:13:17.234Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7339db13b9ddb63417b12da55fd6191e59f7442"
},
{
"url": "https://git.kernel.org/stable/c/4f6a8f10182c3a9d22e8eb183957ae7ade9e4bf7"
},
{
"url": "https://git.kernel.org/stable/c/c3ec44ab4526bbc4b6c9fc845af86488244f4c9b"
},
{
"url": "https://git.kernel.org/stable/c/b9232421a77a649c9376c99fdfc8cb7f79cad34c"
},
{
"url": "https://git.kernel.org/stable/c/0c739f3785f84af695952c2bac8be2f45082c9b8"
},
{
"url": "https://git.kernel.org/stable/c/900a4e0910e98b8caef117d5df00471fa438dcf9"
},
{
"url": "https://git.kernel.org/stable/c/bdf206e740bf2919d818f132c8c9cc7ed91d11c0"
},
{
"url": "https://git.kernel.org/stable/c/39897df386376912d561d4946499379effa1e7ef"
}
],
"title": "af_unix: read UNIX_DIAG_VFS data under unix_state_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31673",
"datePublished": "2026-04-25T08:46:49.246Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-06-01T16:13:17.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46116 (GCVE-0-2026-46116)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-30 12:10
VLAI?
EPSS
Title
xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s
hlist_del_rcu calls under syzkaller load on linux-6.12.y stable
(reproduced on 6.12.47, also reachable via the same code path on
torvalds/master and on the ipsec tree). Nine unique signatures cluster
in the xfrm_state lifecycle, the load-bearing one being:
BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]
BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c
Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435
Workqueue: netns cleanup_net
Call Trace:
__hlist_del / hlist_del_rcu
__xfrm_state_delete
xfrm_state_delete
xfrm_state_flush
xfrm_state_fini
ops_exit_list
cleanup_net
The other observed signatures hit the same slab object from
__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB
write variant of __xfrm_state_delete, all on the byseq/byspi
hash chains.
__xfrm_state_delete() guards its byseq and byspi unhashes with
value-based predicates:
if (x->km.seq)
hlist_del_rcu(&x->byseq);
if (x->id.spi)
hlist_del_rcu(&x->byspi);
while everywhere else in the file (e.g. state_cache, state_cache_input)
the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets
x->id.spi = newspi inside xfrm_state_lock and then immediately inserts
into byspi, but a path that observes x->id.spi != 0 outside of
xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently
with whether x is actually on the list. The same holds for x->km.seq
versus byseq, and the bydst/bysrc unhashes have no predicate at all,
so a second __xfrm_state_delete() on the same object writes through
LIST_POISON pprev.
The defensive change here:
- Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,
bysrc, byseq and byspi so a second deletion is a no-op rather
than a write through LIST_POISON pprev. The byseq/byspi nodes
are already initialised in xfrm_state_alloc().
- Test hlist_unhashed() rather than the value predicate for
byseq/byspi, so the unhash decision tracks list state rather than
mutable scalar fields.
Empirical verification: applied this patch on top of v6.12.47, rebuilt,
and re-ran the same syzkaller harness for 1h16m on a previously-crashy
configuration that produced ~100 hits each of slab-use-after-free
Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in
__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at
~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo
confirms the xfrm_state slab is actively allocated and freed during
the run (~143 KiB resident), so the fuzzer is still exercising those
code paths -- they just no longer crash.
Reproduction:
- Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
- syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
- 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
- 9 unique signatures collected in ~9h, all within xfrm_state
lifecycle
Severity ?
7.8 (High)
CWE
- CWE-763 - Release of Invalid Pointer or Reference
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7b4dc3600e4877178ba94c7fbf7e520421378aa6 , < 3943fcad7694a7d0b15aeabe7d3cc2a2eb8e92e8
(git)
Affected: 7b4dc3600e4877178ba94c7fbf7e520421378aa6 , < 2c617848ae6e4f07a3e397f604208c293bbecacc (git) Affected: 7b4dc3600e4877178ba94c7fbf7e520421378aa6 , < b4a53add2fa8f1b5aa17d4c5686c320785fab182 (git) Affected: 7b4dc3600e4877178ba94c7fbf7e520421378aa6 , < 26edb0a3c99f9d958c212be68b21f1221614dcf0 (git) Affected: 7b4dc3600e4877178ba94c7fbf7e520421378aa6 , < 4980162de555cb838f1a189ce7d2cbf5d2e7b050 (git) Affected: 7b4dc3600e4877178ba94c7fbf7e520421378aa6 , < a2e2d08fb070fab4947447171f1c4e3ca5a188e5 (git) Affected: 7b4dc3600e4877178ba94c7fbf7e520421378aa6 , < 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s `xfrm` (IPSec framework) subsystem. This vulnerability, a use-after-free, occurs when the system incorrectly manages memory related to security policies, specifically during the deletion of `xfrm_state` lists. An attacker with local access could exploit this flaw by triggering specific operations, leading to memory corruption. This could cause the system to become unstable, resulting in crashes or a Denial of Service (DoS), and potentially allow for unauthorized access to sensitive information or increased privileges."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-763",
"description": "Release of Invalid Pointer or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:12.746Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46116"
},
{
"name": "RHBZ#2482523",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482523"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46116.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3943fcad7694a7d0b15aeabe7d3cc2a2eb8e92e8",
"status": "affected",
"version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
"versionType": "git"
},
{
"lessThan": "2c617848ae6e4f07a3e397f604208c293bbecacc",
"status": "affected",
"version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
"versionType": "git"
},
{
"lessThan": "b4a53add2fa8f1b5aa17d4c5686c320785fab182",
"status": "affected",
"version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
"versionType": "git"
},
{
"lessThan": "26edb0a3c99f9d958c212be68b21f1221614dcf0",
"status": "affected",
"version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
"versionType": "git"
},
{
"lessThan": "4980162de555cb838f1a189ce7d2cbf5d2e7b050",
"status": "affected",
"version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
"versionType": "git"
},
{
"lessThan": "a2e2d08fb070fab4947447171f1c4e3ca5a188e5",
"status": "affected",
"version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
"versionType": "git"
},
{
"lessThan": "14acf9652e5690de3c7486c6db5fb8dafd0a32a3",
"status": "affected",
"version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: defensively unhash xfrm_state lists in __xfrm_state_delete\n\nKASAN reproduces a slab-use-after-free in __xfrm_state_delete()\u0027s\nhlist_del_rcu calls under syzkaller load on linux-6.12.y stable\n(reproduced on 6.12.47, also reachable via the same code path on\ntorvalds/master and on the ipsec tree). Nine unique signatures cluster\nin the xfrm_state lifecycle, the load-bearing one being:\n\n BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]\n BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]\n BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c\n Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435\n\n Workqueue: netns cleanup_net\n Call Trace:\n __hlist_del / hlist_del_rcu\n __xfrm_state_delete\n xfrm_state_delete\n xfrm_state_flush\n xfrm_state_fini\n ops_exit_list\n cleanup_net\n\nThe other observed signatures hit the same slab object from\n__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB\nwrite variant of __xfrm_state_delete, all on the byseq/byspi\nhash chains.\n\n__xfrm_state_delete() guards its byseq and byspi unhashes with\nvalue-based predicates:\n\n\tif (x-\u003ekm.seq)\n\t\thlist_del_rcu(\u0026x-\u003ebyseq);\n\tif (x-\u003eid.spi)\n\t\thlist_del_rcu(\u0026x-\u003ebyspi);\n\nwhile everywhere else in the file (e.g. state_cache, state_cache_input)\nthe safer hlist_unhashed() check is used. xfrm_alloc_spi() sets\nx-\u003eid.spi = newspi inside xfrm_state_lock and then immediately inserts\ninto byspi, but a path that observes x-\u003eid.spi != 0 outside of\nxfrm_state_lock can still skip-or-hit the byspi unhash inconsistently\nwith whether x is actually on the list. The same holds for x-\u003ekm.seq\nversus byseq, and the bydst/bysrc unhashes have no predicate at all,\nso a second __xfrm_state_delete() on the same object writes through\nLIST_POISON pprev.\n\nThe defensive change here:\n\n - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,\n bysrc, byseq and byspi so a second deletion is a no-op rather\n than a write through LIST_POISON pprev. The byseq/byspi nodes\n are already initialised in xfrm_state_alloc().\n - Test hlist_unhashed() rather than the value predicate for\n byseq/byspi, so the unhash decision tracks list state rather than\n mutable scalar fields.\n\nEmpirical verification: applied this patch on top of v6.12.47, rebuilt,\nand re-ran the same syzkaller harness for 1h16m on a previously-crashy\nconfiguration that produced ~100 hits each of slab-use-after-free\nRead in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in\n__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at\n~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo\nconfirms the xfrm_state slab is actively allocated and freed during\nthe run (~143 KiB resident), so the fuzzer is still exercising those\ncode paths -- they just no longer crash.\n\nReproduction:\n\n - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV\n - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db\n - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal\n - 9 unique signatures collected in ~9h, all within xfrm_state\n lifecycle"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:35.759Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3943fcad7694a7d0b15aeabe7d3cc2a2eb8e92e8"
},
{
"url": "https://git.kernel.org/stable/c/2c617848ae6e4f07a3e397f604208c293bbecacc"
},
{
"url": "https://git.kernel.org/stable/c/b4a53add2fa8f1b5aa17d4c5686c320785fab182"
},
{
"url": "https://git.kernel.org/stable/c/26edb0a3c99f9d958c212be68b21f1221614dcf0"
},
{
"url": "https://git.kernel.org/stable/c/4980162de555cb838f1a189ce7d2cbf5d2e7b050"
},
{
"url": "https://git.kernel.org/stable/c/a2e2d08fb070fab4947447171f1c4e3ca5a188e5"
},
{
"url": "https://git.kernel.org/stable/c/14acf9652e5690de3c7486c6db5fb8dafd0a32a3"
}
],
"title": "xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46116",
"datePublished": "2026-05-28T09:35:30.689Z",
"dateReserved": "2026-05-13T15:03:33.098Z",
"dateUpdated": "2026-06-30T12:10:12.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31699 (GCVE-0-2026-31699)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:55 – Updated: 2026-06-14 17:43
VLAI?
EPSS
Title
crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
When retrieving the PEK CSR, don't attempt to copy the blob to userspace
if the firmware command failed. If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405
CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firwmware error.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e799035609e1526761aa2f896a974b233d04d36d , < 502d10a1d9d477e6c7fc7021a2dac7018f4ab8b5
(git)
Affected: e799035609e1526761aa2f896a974b233d04d36d , < 0fb87e44b81385f940b482cba5b3f0bd18fb8185 (git) Affected: e799035609e1526761aa2f896a974b233d04d36d , < 372116eece159adff631b1508344c8b85ebf9559 (git) Affected: e799035609e1526761aa2f896a974b233d04d36d , < 607ba280f2adb5092cf5386c3935afac2ca0031a (git) Affected: e799035609e1526761aa2f896a974b233d04d36d , < 59e9ae81f8670ccc780bc75f45a355736f640ec9 (git) Affected: e799035609e1526761aa2f896a974b233d04d36d , < 111dcc6d0f016076745824a787d25609d0022f4c (git) Affected: e799035609e1526761aa2f896a974b233d04d36d , < 3b4fd8f15765d9a3105b834dba8a05d025e5e16e (git) Affected: e799035609e1526761aa2f896a974b233d04d36d , < abe4a6d6f606113251868c2c4a06ba904bb41eed (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "502d10a1d9d477e6c7fc7021a2dac7018f4ab8b5",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "0fb87e44b81385f940b482cba5b3f0bd18fb8185",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "372116eece159adff631b1508344c8b85ebf9559",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "607ba280f2adb5092cf5386c3935afac2ca0031a",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "59e9ae81f8670ccc780bc75f45a355736f640ec9",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "111dcc6d0f016076745824a787d25609d0022f4c",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "3b4fd8f15765d9a3105b834dba8a05d025e5e16e",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "abe4a6d6f606113251868c2c4a06ba904bb41eed",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don\u0027t attempt to copy CSR to userspace if PSP command failed\n\nWhen retrieving the PEK CSR, don\u0027t attempt to copy the blob to userspace\nif the firmware command failed. If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405\n\n CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872\n sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:43:35.314Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/502d10a1d9d477e6c7fc7021a2dac7018f4ab8b5"
},
{
"url": "https://git.kernel.org/stable/c/0fb87e44b81385f940b482cba5b3f0bd18fb8185"
},
{
"url": "https://git.kernel.org/stable/c/372116eece159adff631b1508344c8b85ebf9559"
},
{
"url": "https://git.kernel.org/stable/c/607ba280f2adb5092cf5386c3935afac2ca0031a"
},
{
"url": "https://git.kernel.org/stable/c/59e9ae81f8670ccc780bc75f45a355736f640ec9"
},
{
"url": "https://git.kernel.org/stable/c/111dcc6d0f016076745824a787d25609d0022f4c"
},
{
"url": "https://git.kernel.org/stable/c/3b4fd8f15765d9a3105b834dba8a05d025e5e16e"
},
{
"url": "https://git.kernel.org/stable/c/abe4a6d6f606113251868c2c4a06ba904bb41eed"
}
],
"title": "crypto: ccp: Don\u0027t attempt to copy CSR to userspace if PSP command failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31699",
"datePublished": "2026-05-01T13:55:59.520Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-06-14T17:43:35.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43414 (GCVE-0-2026-43414)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
scsi: qla2xxx: Completely fix fcport double free
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Completely fix fcport double free
In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
When an error happens, this function is called by qla2x00_sp_release(),
when kref_put() releases the first and the last reference.
qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
Doing it one more time after kref_put() is a bad idea.
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4895009c4bb72f71f2e682f1e7d2c2d96e482087 , < d48ea85463f5b34f7b92ea0a13eddf1ab993da7b
(git)
Affected: 4895009c4bb72f71f2e682f1e7d2c2d96e482087 , < c0b7da13a04bd70ef6070bfb9ea85f582294560a (git) Affected: 7861213201838480dc222634c56fb6db113d010d (git) Affected: 3b9d72442adfbc9ddb0f76dd1b03977b3a578b16 (git) Affected: ef23850940d9a52c39936d27254824ccf5e9b6bd (git) Affected: 6c6bf6cacf9461f8d301cfac4f9c175d80cbcc63 (git) Affected: cd10dee1f07a782f5aa05703c55299ca86a85ee4 (git) Affected: b03e626bd6d3f0684f56ee1890d70fc9ca991c04 (git) Affected: 282877633b25d67021a34169c5b5519b1d4ef65e (git) Affected: f85af9f1aa5e2f53694a6cbe72010f754b5ff862 (git) Affected: 9b43d2884b54d415caab48878b526dfe2ae9921b (git) Affected: 846fb9f112f618ec6ae181d8dae7961652574774 (git) Affected: 5.15.154 , < 5.16 (semver) Affected: 6.1.84 , < 6.2 (semver) Affected: 6.6.24 , < 6.7 (semver) Affected: 6.7.12 , < 6.8 (semver) Affected: 6.8.3 , < 6.9 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_iocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d48ea85463f5b34f7b92ea0a13eddf1ab993da7b",
"status": "affected",
"version": "4895009c4bb72f71f2e682f1e7d2c2d96e482087",
"versionType": "git"
},
{
"lessThan": "c0b7da13a04bd70ef6070bfb9ea85f582294560a",
"status": "affected",
"version": "4895009c4bb72f71f2e682f1e7d2c2d96e482087",
"versionType": "git"
},
{
"status": "affected",
"version": "7861213201838480dc222634c56fb6db113d010d",
"versionType": "git"
},
{
"status": "affected",
"version": "3b9d72442adfbc9ddb0f76dd1b03977b3a578b16",
"versionType": "git"
},
{
"status": "affected",
"version": "ef23850940d9a52c39936d27254824ccf5e9b6bd",
"versionType": "git"
},
{
"status": "affected",
"version": "6c6bf6cacf9461f8d301cfac4f9c175d80cbcc63",
"versionType": "git"
},
{
"status": "affected",
"version": "cd10dee1f07a782f5aa05703c55299ca86a85ee4",
"versionType": "git"
},
{
"status": "affected",
"version": "b03e626bd6d3f0684f56ee1890d70fc9ca991c04",
"versionType": "git"
},
{
"status": "affected",
"version": "282877633b25d67021a34169c5b5519b1d4ef65e",
"versionType": "git"
},
{
"status": "affected",
"version": "f85af9f1aa5e2f53694a6cbe72010f754b5ff862",
"versionType": "git"
},
{
"status": "affected",
"version": "9b43d2884b54d415caab48878b526dfe2ae9921b",
"versionType": "git"
},
{
"status": "affected",
"version": "846fb9f112f618ec6ae181d8dae7961652574774",
"versionType": "git"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThan": "6.7",
"status": "affected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThan": "6.8",
"status": "affected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThan": "6.9",
"status": "affected",
"version": "6.8.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_iocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Completely fix fcport double free\n\nIn qla24xx_els_dcmd_iocb() sp-\u003efree is set to qla2x00_els_dcmd_sp_free().\nWhen an error happens, this function is called by qla2x00_sp_release(),\nwhen kref_put() releases the first and the last reference.\n\nqla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().\nDoing it one more time after kref_put() is a bad idea."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:56.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d48ea85463f5b34f7b92ea0a13eddf1ab993da7b"
},
{
"url": "https://git.kernel.org/stable/c/c0b7da13a04bd70ef6070bfb9ea85f582294560a"
}
],
"title": "scsi: qla2xxx: Completely fix fcport double free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43414",
"datePublished": "2026-05-08T14:21:51.604Z",
"dateReserved": "2026-05-01T14:12:56.008Z",
"dateUpdated": "2026-05-23T16:06:56.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46111 (GCVE-0-2026-46111)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-14 17:55
VLAI?
EPSS
Title
Bluetooth: hci_conn: fix potential UAF in create_big_sync
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: fix potential UAF in create_big_sync
Add hci_conn_valid() check in create_big_sync() to detect stale
connections before proceeding with BIG creation. Handle the
resulting -ECANCELED in create_big_complete() and re-validate the
connection under hci_dev_lock() before dereferencing, matching the
pattern used by create_le_conn_complete() and create_pa_complete().
Keep the hci_conn object alive across the async boundary by taking
a reference via hci_conn_get() when queueing create_big_sync(), and
dropping it in the completion callback. The refcount and the lock
are complementary: the refcount keeps the object allocated, while
hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on
hdev->conn_hash, as required by hci_conn_del().
hci_conn_put() is called outside hci_dev_unlock() so the final put
(which resolves to kfree() via bt_link_release) does not run under
hdev->lock, though the release path would be safe either way.
Without this, create_big_complete() would unconditionally
dereference the conn pointer on error, causing a use-after-free
via hci_connect_cfm() and hci_conn_del().
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
eca0ae4aea66914515e5e3098ea051b518ee5316 , < 6823f730bf195fc296d9edd09e2ca94bc1ff5584
(git)
Affected: eca0ae4aea66914515e5e3098ea051b518ee5316 , < 1750a2df0eab61dc421a7afae74abdd239a44b85 (git) Affected: eca0ae4aea66914515e5e3098ea051b518ee5316 , < dc34f8d8240f25dd137dc2758ebbcc75e3779142 (git) Affected: eca0ae4aea66914515e5e3098ea051b518ee5316 , < f8eaf92c57ad99358dd372580d5ff87623343a72 (git) Affected: eca0ae4aea66914515e5e3098ea051b518ee5316 , < 0beddb0c380bed5f5b8e61ddbe14635bb73d0b41 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6823f730bf195fc296d9edd09e2ca94bc1ff5584",
"status": "affected",
"version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
"versionType": "git"
},
{
"lessThan": "1750a2df0eab61dc421a7afae74abdd239a44b85",
"status": "affected",
"version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
"versionType": "git"
},
{
"lessThan": "dc34f8d8240f25dd137dc2758ebbcc75e3779142",
"status": "affected",
"version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
"versionType": "git"
},
{
"lessThan": "f8eaf92c57ad99358dd372580d5ff87623343a72",
"status": "affected",
"version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
"versionType": "git"
},
{
"lessThan": "0beddb0c380bed5f5b8e61ddbe14635bb73d0b41",
"status": "affected",
"version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fix potential UAF in create_big_sync\n\nAdd hci_conn_valid() check in create_big_sync() to detect stale\nconnections before proceeding with BIG creation. Handle the\nresulting -ECANCELED in create_big_complete() and re-validate the\nconnection under hci_dev_lock() before dereferencing, matching the\npattern used by create_le_conn_complete() and create_pa_complete().\n\nKeep the hci_conn object alive across the async boundary by taking\na reference via hci_conn_get() when queueing create_big_sync(), and\ndropping it in the completion callback. The refcount and the lock\nare complementary: the refcount keeps the object allocated, while\nhci_dev_lock() serializes hci_conn_hash_del()\u0027s list_del_rcu() on\nhdev-\u003econn_hash, as required by hci_conn_del().\n\nhci_conn_put() is called outside hci_dev_unlock() so the final put\n(which resolves to kfree() via bt_link_release) does not run under\nhdev-\u003elock, though the release path would be safe either way.\n\nWithout this, create_big_complete() would unconditionally\ndereference the conn pointer on error, causing a use-after-free\nvia hci_connect_cfm() and hci_conn_del()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:55:15.599Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6823f730bf195fc296d9edd09e2ca94bc1ff5584"
},
{
"url": "https://git.kernel.org/stable/c/1750a2df0eab61dc421a7afae74abdd239a44b85"
},
{
"url": "https://git.kernel.org/stable/c/dc34f8d8240f25dd137dc2758ebbcc75e3779142"
},
{
"url": "https://git.kernel.org/stable/c/f8eaf92c57ad99358dd372580d5ff87623343a72"
},
{
"url": "https://git.kernel.org/stable/c/0beddb0c380bed5f5b8e61ddbe14635bb73d0b41"
}
],
"title": "Bluetooth: hci_conn: fix potential UAF in create_big_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46111",
"datePublished": "2026-05-28T09:35:19.970Z",
"dateReserved": "2026-05-13T15:03:33.098Z",
"dateUpdated": "2026-06-14T17:55:15.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31500 (GCVE-0-2026-31500)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-06-01 16:11
VLAI?
EPSS
Title
Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
and Intel exception-info retrieval) without holding
hci_req_sync_lock(). This lets it race against
hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
__hci_cmd_sync() under the same lock. When both paths manipulate
hdev->req_status/req_rsp concurrently, the close path may free the
response skb first, and the still-running hw_error path hits a
slab-use-after-free in kfree_skb().
Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it
is serialized with every other synchronous HCI command issuer.
Below is the data race report and the kasan report:
BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
read of hdev->req_rsp at net/bluetooth/hci_sync.c:199
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
write/free by task ioctl/22580:
btintel_shutdown_combined+0xd0/0x360
drivers/bluetooth/btintel.c:3648
hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
BUG: KASAN: slab-use-after-free in
sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
Read of size 4 at addr ffff888144a738dc
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
973bb97e5aee56edddaae3d5c96877101ad509c0 , < 7e041d0aad1d4d43d921ace052e04f4e2cacaed3
(git)
Affected: 973bb97e5aee56edddaae3d5c96877101ad509c0 , < 5f84e845648dfa86e42de5487f1a774b42f0444d (git) Affected: 973bb97e5aee56edddaae3d5c96877101ad509c0 , < e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5 (git) Affected: 973bb97e5aee56edddaae3d5c96877101ad509c0 , < 66696648af477dc87859e5e4b607112f5f29d010 (git) Affected: 973bb97e5aee56edddaae3d5c96877101ad509c0 , < f7d84737663ad4a120d2d8ef1561a4df91282c2e (git) Affected: 973bb97e5aee56edddaae3d5c96877101ad509c0 , < 94d8e6fe5d0818e9300e514e095a200bd5ff93ae (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btintel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e041d0aad1d4d43d921ace052e04f4e2cacaed3",
"status": "affected",
"version": "973bb97e5aee56edddaae3d5c96877101ad509c0",
"versionType": "git"
},
{
"lessThan": "5f84e845648dfa86e42de5487f1a774b42f0444d",
"status": "affected",
"version": "973bb97e5aee56edddaae3d5c96877101ad509c0",
"versionType": "git"
},
{
"lessThan": "e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5",
"status": "affected",
"version": "973bb97e5aee56edddaae3d5c96877101ad509c0",
"versionType": "git"
},
{
"lessThan": "66696648af477dc87859e5e4b607112f5f29d010",
"status": "affected",
"version": "973bb97e5aee56edddaae3d5c96877101ad509c0",
"versionType": "git"
},
{
"lessThan": "f7d84737663ad4a120d2d8ef1561a4df91282c2e",
"status": "affected",
"version": "973bb97e5aee56edddaae3d5c96877101ad509c0",
"versionType": "git"
},
{
"lessThan": "94d8e6fe5d0818e9300e514e095a200bd5ff93ae",
"status": "affected",
"version": "973bb97e5aee56edddaae3d5c96877101ad509c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btintel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock\n\nbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET\nand Intel exception-info retrieval) without holding\nhci_req_sync_lock(). This lets it race against\nhci_dev_do_close() -\u003e btintel_shutdown_combined(), which also runs\n__hci_cmd_sync() under the same lock. When both paths manipulate\nhdev-\u003ereq_status/req_rsp concurrently, the close path may free the\nresponse skb first, and the still-running hw_error path hits a\nslab-use-after-free in kfree_skb().\n\nWrap the whole recovery sequence in hci_req_sync_lock/unlock so it\nis serialized with every other synchronous HCI command issuer.\n\nBelow is the data race report and the kasan report:\n\n BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined\n\n read of hdev-\u003ereq_rsp at net/bluetooth/hci_sync.c:199\n by task kworker/u17:1/83:\n __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254\n hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030\n\n write/free by task ioctl/22580:\n btintel_shutdown_combined+0xd0/0x360\n drivers/bluetooth/btintel.c:3648\n hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246\n hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526\n\n BUG: KASAN: slab-use-after-free in\n sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202\n Read of size 4 at addr ffff888144a738dc\n by task kworker/u17:1/83:\n __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:37.910Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e041d0aad1d4d43d921ace052e04f4e2cacaed3"
},
{
"url": "https://git.kernel.org/stable/c/5f84e845648dfa86e42de5487f1a774b42f0444d"
},
{
"url": "https://git.kernel.org/stable/c/e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5"
},
{
"url": "https://git.kernel.org/stable/c/66696648af477dc87859e5e4b607112f5f29d010"
},
{
"url": "https://git.kernel.org/stable/c/f7d84737663ad4a120d2d8ef1561a4df91282c2e"
},
{
"url": "https://git.kernel.org/stable/c/94d8e6fe5d0818e9300e514e095a200bd5ff93ae"
}
],
"title": "Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31500",
"datePublished": "2026-04-22T13:54:21.071Z",
"dateReserved": "2026-03-09T15:48:24.104Z",
"dateUpdated": "2026-06-01T16:11:37.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46243 (GCVE-0-2026-46243)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:22 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
smb: client: reject userspace cifs.spnego descriptions
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: reject userspace cifs.spnego descriptions
cifs.spnego key descriptions contain authority-bearing fields such as
pid, uid, creduid, and upcall_target that cifs.upcall treats as
kernel-originating inputs. However, userspace can also create keys of
this type through request_key(2) or add_key(2), allowing those fields to
be supplied without CIFS origin.
Only accept cifs.spnego descriptions while CIFS is using its private
spnego_cred to request the key.
Severity ?
7.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 7713bd320ed4fc3d08a227cd8e41242219a16981
(git)
Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 9544559e59438a4b609b2fdfa0763d8360572824 (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < cf20038657d6d4974349556a34e08fe0490bebbc (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 2035acfb17221729b1b8ac335e941868a04ca079 (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < a3bbda6502a9398b816fa2e71c9a3f955f58013d (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 91f89c1d83e80417629791fcef6af8140d7d01c8 (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 0aece6685fc80a8de492688ca2315fb86ec379c7 (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 3da1fdf4efbc490041eb4f836bf596201203f8f2 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46243",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T03:56:00.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/manizada/CIFSwitch"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-01T18:55:00.540Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/01/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A privilege escalation vulnerability was found in the Linux kernel\u0027s CIFS client implementation. This could allow a local attacker to impersonate other users, bypass authentication in SMB mount operations, and potentially gain unauthorized access to network file shares or escalate privileges."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:08.721Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46243"
},
{
"name": "RHBZ#2481486",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481486"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46243.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23395"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27719"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27729"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25908"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23329"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24381"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33225"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23258"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33220"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26570"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33219"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33221"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33222"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33223"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33224"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23259"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:23395: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:27719: Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION), Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)"
},
{
"lang": "en",
"value": "RHSA-2026:27729: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:25908: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:23329: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:26515: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:24381: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:33225: Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:23258: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33220: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26535: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:26570: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26563: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:33219: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:33221: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:33222: Red Hat Enterprise Linux BaseOS E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:33223: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:33224: Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:23259: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26462: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T15:07:49.955Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: Linux kernel: smb: client: reject userspace cifs.spnego descriptions",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifs_spnego.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7713bd320ed4fc3d08a227cd8e41242219a16981",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "9544559e59438a4b609b2fdfa0763d8360572824",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "cf20038657d6d4974349556a34e08fe0490bebbc",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "2035acfb17221729b1b8ac335e941868a04ca079",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "a3bbda6502a9398b816fa2e71c9a3f955f58013d",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "91f89c1d83e80417629791fcef6af8140d7d01c8",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "0aece6685fc80a8de492688ca2315fb86ec379c7",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "3da1fdf4efbc490041eb4f836bf596201203f8f2",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifs_spnego.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: reject userspace cifs.spnego descriptions\n\ncifs.spnego key descriptions contain authority-bearing fields such as\npid, uid, creduid, and upcall_target that cifs.upcall treats as\nkernel-originating inputs. However, userspace can also create keys of\nthis type through request_key(2) or add_key(2), allowing those fields to\nbe supplied without CIFS origin.\n\nOnly accept cifs.spnego descriptions while CIFS is using its private\nspnego_cred to request the key."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:05:20.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7713bd320ed4fc3d08a227cd8e41242219a16981"
},
{
"url": "https://git.kernel.org/stable/c/9544559e59438a4b609b2fdfa0763d8360572824"
},
{
"url": "https://git.kernel.org/stable/c/cf20038657d6d4974349556a34e08fe0490bebbc"
},
{
"url": "https://git.kernel.org/stable/c/2035acfb17221729b1b8ac335e941868a04ca079"
},
{
"url": "https://git.kernel.org/stable/c/a3bbda6502a9398b816fa2e71c9a3f955f58013d"
},
{
"url": "https://git.kernel.org/stable/c/91f89c1d83e80417629791fcef6af8140d7d01c8"
},
{
"url": "https://git.kernel.org/stable/c/0aece6685fc80a8de492688ca2315fb86ec379c7"
},
{
"url": "https://git.kernel.org/stable/c/3da1fdf4efbc490041eb4f836bf596201203f8f2"
}
],
"title": "smb: client: reject userspace cifs.spnego descriptions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46243",
"datePublished": "2026-06-01T16:22:29.211Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-07-02T12:05:08.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45970 (GCVE-0-2026-45970)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:18 – Updated: 2026-05-30 10:46
VLAI?
EPSS
Title
bonding: alb: fix UAF in rlb_arp_recv during bond up/down
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: alb: fix UAF in rlb_arp_recv during bond up/down
The ALB RX path may access rx_hashtbl concurrently with bond
teardown. During rapid bond up/down cycles, rlb_deinitialize()
frees rx_hashtbl while RX handlers are still running, leading
to a null pointer dereference detected by KASAN.
However, the root cause is that rlb_arp_recv() can still be accessed
after setting recv_probe to NULL, which is actually a use-after-free
(UAF) issue. That is the reason for using the referenced commit in the
Fixes tag.
[ 214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI
[ 214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
[ 214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary)
[ 214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022
[ 214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding]
[ 214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 <0f> b6
04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00
[ 214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206
[ 214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e
[ 214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8
[ 214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8
[ 214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119
[ 214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810
[ 214.286943] FS: 00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000
[ 214.295966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0
[ 214.310347] Call Trace:
[ 214.313070] <IRQ>
[ 214.315318] ? __pfx_rlb_arp_recv+0x10/0x10 [bonding]
[ 214.320975] bond_handle_frame+0x166/0xb60 [bonding]
[ 214.326537] ? __pfx_bond_handle_frame+0x10/0x10 [bonding]
[ 214.332680] __netif_receive_skb_core.constprop.0+0x576/0x2710
[ 214.339199] ? __pfx_arp_process+0x10/0x10
[ 214.343775] ? sched_balance_find_src_group+0x98/0x630
[ 214.349513] ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10
[ 214.356513] ? arp_rcv+0x307/0x690
[ 214.360311] ? __pfx_arp_rcv+0x10/0x10
[ 214.364499] ? __lock_acquire+0x58c/0xbd0
[ 214.368975] __netif_receive_skb_one_core+0xae/0x1b0
[ 214.374518] ? __pfx___netif_receive_skb_one_core+0x10/0x10
[ 214.380743] ? lock_acquire+0x10b/0x140
[ 214.385026] process_backlog+0x3f1/0x13a0
[ 214.389502] ? process_backlog+0x3aa/0x13a0
[ 214.394174] __napi_poll.constprop.0+0x9f/0x370
[ 214.399233] net_rx_action+0x8c1/0xe60
[ 214.403423] ? __pfx_net_rx_action+0x10/0x10
[ 214.408193] ? lock_acquire.part.0+0xbd/0x260
[ 214.413058] ? sched_clock_cpu+0x6c/0x540
[ 214.417540] ? mark_held_locks+0x40/0x70
[ 214.421920] handle_softirqs+0x1fd/0x860
[ 214.426302] ? __pfx_handle_softirqs+0x10/0x10
[ 214.431264] ? __neigh_event_send+0x2d6/0xf50
[ 214.436131] do_softirq+0xb1/0xf0
[ 214.439830] </IRQ>
The issue is reproducible by repeatedly running
ip link set bond0 up/down while receiving ARP messages, where
rlb_arp_recv() can race with rlb_deinitialize() and dereference
a freed rx_hashtbl entry.
Fix this by setting recv_probe to NULL and then calling
synchronize_net() to wait for any concurrent RX processing to finish.
This ensures that no RX handler can access rx_hashtbl after it is freed
in bond_alb_deinitialize().
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3aba891dde3842d89ad022237b99c1ed308040b0 , < fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c
(git)
Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < de7c097800f07f3c108185c7a38b53a530ba30ff (git) Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < db5435b5342e3aaa4521d0f3ccfe94316b253ca1 (git) Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < f94a0de7b9f32745a14a1621c63087a092823587 (git) Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < c65cdf46ce340c9c00fbbaf84599d2daff43626e (git) Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < fef13c403be3fb685cb06419e6b3623106aab5ba (git) Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < d31065526f160ee0244a719230aa069daca2bf4d (git) Affected: 3aba891dde3842d89ad022237b99c1ed308040b0 , < e6834a4c474697df23ab9948fd3577b26bf48656 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c",
"status": "affected",
"version": "3aba891dde3842d89ad022237b99c1ed308040b0",
"versionType": "git"
},
{
"lessThan": "de7c097800f07f3c108185c7a38b53a530ba30ff",
"status": "affected",
"version": "3aba891dde3842d89ad022237b99c1ed308040b0",
"versionType": "git"
},
{
"lessThan": "db5435b5342e3aaa4521d0f3ccfe94316b253ca1",
"status": "affected",
"version": "3aba891dde3842d89ad022237b99c1ed308040b0",
"versionType": "git"
},
{
"lessThan": "f94a0de7b9f32745a14a1621c63087a092823587",
"status": "affected",
"version": "3aba891dde3842d89ad022237b99c1ed308040b0",
"versionType": "git"
},
{
"lessThan": "c65cdf46ce340c9c00fbbaf84599d2daff43626e",
"status": "affected",
"version": "3aba891dde3842d89ad022237b99c1ed308040b0",
"versionType": "git"
},
{
"lessThan": "fef13c403be3fb685cb06419e6b3623106aab5ba",
"status": "affected",
"version": "3aba891dde3842d89ad022237b99c1ed308040b0",
"versionType": "git"
},
{
"lessThan": "d31065526f160ee0244a719230aa069daca2bf4d",
"status": "affected",
"version": "3aba891dde3842d89ad022237b99c1ed308040b0",
"versionType": "git"
},
{
"lessThan": "e6834a4c474697df23ab9948fd3577b26bf48656",
"status": "affected",
"version": "3aba891dde3842d89ad022237b99c1ed308040b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: alb: fix UAF in rlb_arp_recv during bond up/down\n\nThe ALB RX path may access rx_hashtbl concurrently with bond\nteardown. During rapid bond up/down cycles, rlb_deinitialize()\nfrees rx_hashtbl while RX handlers are still running, leading\nto a null pointer dereference detected by KASAN.\n\nHowever, the root cause is that rlb_arp_recv() can still be accessed\nafter setting recv_probe to NULL, which is actually a use-after-free\n(UAF) issue. That is the reason for using the referenced commit in the\nFixes tag.\n\n[ 214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI\n[ 214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]\n[ 214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary)\n[ 214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022\n[ 214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding]\n[ 214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6\n 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00\n[ 214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206\n[ 214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e\n[ 214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8\n[ 214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8\n[ 214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119\n[ 214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810\n[ 214.286943] FS: 00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000\n[ 214.295966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0\n[ 214.310347] Call Trace:\n[ 214.313070] \u003cIRQ\u003e\n[ 214.315318] ? __pfx_rlb_arp_recv+0x10/0x10 [bonding]\n[ 214.320975] bond_handle_frame+0x166/0xb60 [bonding]\n[ 214.326537] ? __pfx_bond_handle_frame+0x10/0x10 [bonding]\n[ 214.332680] __netif_receive_skb_core.constprop.0+0x576/0x2710\n[ 214.339199] ? __pfx_arp_process+0x10/0x10\n[ 214.343775] ? sched_balance_find_src_group+0x98/0x630\n[ 214.349513] ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10\n[ 214.356513] ? arp_rcv+0x307/0x690\n[ 214.360311] ? __pfx_arp_rcv+0x10/0x10\n[ 214.364499] ? __lock_acquire+0x58c/0xbd0\n[ 214.368975] __netif_receive_skb_one_core+0xae/0x1b0\n[ 214.374518] ? __pfx___netif_receive_skb_one_core+0x10/0x10\n[ 214.380743] ? lock_acquire+0x10b/0x140\n[ 214.385026] process_backlog+0x3f1/0x13a0\n[ 214.389502] ? process_backlog+0x3aa/0x13a0\n[ 214.394174] __napi_poll.constprop.0+0x9f/0x370\n[ 214.399233] net_rx_action+0x8c1/0xe60\n[ 214.403423] ? __pfx_net_rx_action+0x10/0x10\n[ 214.408193] ? lock_acquire.part.0+0xbd/0x260\n[ 214.413058] ? sched_clock_cpu+0x6c/0x540\n[ 214.417540] ? mark_held_locks+0x40/0x70\n[ 214.421920] handle_softirqs+0x1fd/0x860\n[ 214.426302] ? __pfx_handle_softirqs+0x10/0x10\n[ 214.431264] ? __neigh_event_send+0x2d6/0xf50\n[ 214.436131] do_softirq+0xb1/0xf0\n[ 214.439830] \u003c/IRQ\u003e\n\nThe issue is reproducible by repeatedly running\nip link set bond0 up/down while receiving ARP messages, where\nrlb_arp_recv() can race with rlb_deinitialize() and dereference\na freed rx_hashtbl entry.\n\nFix this by setting recv_probe to NULL and then calling\nsynchronize_net() to wait for any concurrent RX processing to finish.\nThis ensures that no RX handler can access rx_hashtbl after it is freed\nin bond_alb_deinitialize()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T10:46:19.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd54ddc929be1d6c3b3b7b35d6d4642a5d9e803c"
},
{
"url": "https://git.kernel.org/stable/c/de7c097800f07f3c108185c7a38b53a530ba30ff"
},
{
"url": "https://git.kernel.org/stable/c/db5435b5342e3aaa4521d0f3ccfe94316b253ca1"
},
{
"url": "https://git.kernel.org/stable/c/f94a0de7b9f32745a14a1621c63087a092823587"
},
{
"url": "https://git.kernel.org/stable/c/c65cdf46ce340c9c00fbbaf84599d2daff43626e"
},
{
"url": "https://git.kernel.org/stable/c/fef13c403be3fb685cb06419e6b3623106aab5ba"
},
{
"url": "https://git.kernel.org/stable/c/d31065526f160ee0244a719230aa069daca2bf4d"
},
{
"url": "https://git.kernel.org/stable/c/e6834a4c474697df23ab9948fd3577b26bf48656"
}
],
"title": "bonding: alb: fix UAF in rlb_arp_recv during bond up/down",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45970",
"datePublished": "2026-05-27T12:18:29.878Z",
"dateReserved": "2026-05-13T15:03:33.089Z",
"dateUpdated": "2026-05-30T10:46:19.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45856 (GCVE-0-2026-45856)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:15 – Updated: 2026-05-30 10:45
VLAI?
EPSS
Title
RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
validation before passing it to kmalloc() and using the allocated
buffer as struct ib_uverbs_send_wr.
If a user provides a small wqe_size value (e.g., 1), kmalloc() will
succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
and other fields will read beyond the allocated buffer, resulting in
an out-of-bounds read from kernel heap memory. This could potentially
leak sensitive kernel information to userspace.
Additionally, providing an excessively large wqe_size can trigger a
WARNING in the memory allocation path, as reported by syzkaller.
This is inconsistent with ib_uverbs_unmarshall_recv() which properly
validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
proceeding.
Add the same validation for ib_uverbs_post_send() to ensure wqe_size
is at least sizeof(struct ib_uverbs_send_wr).
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c3bea3d2dc5358e05541527283279102383b0231 , < 9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7
(git)
Affected: c3bea3d2dc5358e05541527283279102383b0231 , < 9b5ac1c15334d46c0dbd49d64a2257b929500163 (git) Affected: c3bea3d2dc5358e05541527283279102383b0231 , < 01c9b152647dc70dc06a4a2eff86ebb3b3c76075 (git) Affected: c3bea3d2dc5358e05541527283279102383b0231 , < bf1feed1a7886af945f92890493aefd2b5c9928a (git) Affected: c3bea3d2dc5358e05541527283279102383b0231 , < d533425ac1f2925b4fc3e4ed9b9d72362cb23475 (git) Affected: c3bea3d2dc5358e05541527283279102383b0231 , < bf4454da8b1e712714628c0a0d6e7845bb40790a (git) Affected: c3bea3d2dc5358e05541527283279102383b0231 , < bef70ff9841990658610512b4a18e4a88c9b4df6 (git) Affected: c3bea3d2dc5358e05541527283279102383b0231 , < 1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/uverbs_cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7",
"status": "affected",
"version": "c3bea3d2dc5358e05541527283279102383b0231",
"versionType": "git"
},
{
"lessThan": "9b5ac1c15334d46c0dbd49d64a2257b929500163",
"status": "affected",
"version": "c3bea3d2dc5358e05541527283279102383b0231",
"versionType": "git"
},
{
"lessThan": "01c9b152647dc70dc06a4a2eff86ebb3b3c76075",
"status": "affected",
"version": "c3bea3d2dc5358e05541527283279102383b0231",
"versionType": "git"
},
{
"lessThan": "bf1feed1a7886af945f92890493aefd2b5c9928a",
"status": "affected",
"version": "c3bea3d2dc5358e05541527283279102383b0231",
"versionType": "git"
},
{
"lessThan": "d533425ac1f2925b4fc3e4ed9b9d72362cb23475",
"status": "affected",
"version": "c3bea3d2dc5358e05541527283279102383b0231",
"versionType": "git"
},
{
"lessThan": "bf4454da8b1e712714628c0a0d6e7845bb40790a",
"status": "affected",
"version": "c3bea3d2dc5358e05541527283279102383b0231",
"versionType": "git"
},
{
"lessThan": "bef70ff9841990658610512b4a18e4a88c9b4df6",
"status": "affected",
"version": "c3bea3d2dc5358e05541527283279102383b0231",
"versionType": "git"
},
{
"lessThan": "1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0",
"status": "affected",
"version": "c3bea3d2dc5358e05541527283279102383b0231",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/uverbs_cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send\n\nib_uverbs_post_send() uses cmd.wqe_size from userspace without any\nvalidation before passing it to kmalloc() and using the allocated\nbuffer as struct ib_uverbs_send_wr.\n\nIf a user provides a small wqe_size value (e.g., 1), kmalloc() will\nsucceed, but subsequent accesses to user_wr-\u003eopcode, user_wr-\u003enum_sge,\nand other fields will read beyond the allocated buffer, resulting in\nan out-of-bounds read from kernel heap memory. This could potentially\nleak sensitive kernel information to userspace.\n\nAdditionally, providing an excessively large wqe_size can trigger a\nWARNING in the memory allocation path, as reported by syzkaller.\n\nThis is inconsistent with ib_uverbs_unmarshall_recv() which properly\nvalidates that wqe_size \u003e= sizeof(struct ib_uverbs_recv_wr) before\nproceeding.\n\nAdd the same validation for ib_uverbs_post_send() to ensure wqe_size\nis at least sizeof(struct ib_uverbs_send_wr)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T10:45:33.505Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7"
},
{
"url": "https://git.kernel.org/stable/c/9b5ac1c15334d46c0dbd49d64a2257b929500163"
},
{
"url": "https://git.kernel.org/stable/c/01c9b152647dc70dc06a4a2eff86ebb3b3c76075"
},
{
"url": "https://git.kernel.org/stable/c/bf1feed1a7886af945f92890493aefd2b5c9928a"
},
{
"url": "https://git.kernel.org/stable/c/d533425ac1f2925b4fc3e4ed9b9d72362cb23475"
},
{
"url": "https://git.kernel.org/stable/c/bf4454da8b1e712714628c0a0d6e7845bb40790a"
},
{
"url": "https://git.kernel.org/stable/c/bef70ff9841990658610512b4a18e4a88c9b4df6"
},
{
"url": "https://git.kernel.org/stable/c/1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0"
}
],
"title": "RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45856",
"datePublished": "2026-05-27T12:15:33.209Z",
"dateReserved": "2026-05-13T15:03:33.079Z",
"dateUpdated": "2026-05-30T10:45:33.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46024 (GCVE-0-2026-46024)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-06-14 17:48
VLAI?
EPSS
Title
libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both
protocol and result, this is currently not treated as an error. In case
of ac->negotiating == true and ac->protocol > 0, this leads to setting
ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for
ac->protocol != protocol returns false, and init_protocol() is not
called. Subsequently, ac->ops->handle_reply() is called, which leads to
a null pointer dereference, because ac->ops is still NULL.
This patch changes the check for ac->protocol != protocol to
!ac->protocol, as this also includes the case when the protocol was set
to zero in the message. This causes the message to be treated as
containing a bad auth protocol.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 9ded62c302c0342efdb5eda3bf6e75720caad0df
(git)
Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < f101271fcf55d7eacfefd610b51ec65f46ba8118 (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 4b2738b93edad661178340239de657d876b73d3d (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 927e4bd5692f2a4901808822981fb2c8d4456548 (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 016bc663657366d386993f63eb31072eb45a2b77 (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 8f2be7285941a33a9f72579a23b96392f83c758e (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 5199c125d25aeae8615c4fc31652cc0fe624338e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/auth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ded62c302c0342efdb5eda3bf6e75720caad0df",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "f101271fcf55d7eacfefd610b51ec65f46ba8118",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "4b2738b93edad661178340239de657d876b73d3d",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "927e4bd5692f2a4901808822981fb2c8d4456548",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "016bc663657366d386993f63eb31072eb45a2b77",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "8f2be7285941a33a9f72579a23b96392f83c758e",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "5199c125d25aeae8615c4fc31652cc0fe624338e",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/auth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()\n\nIf a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both\nprotocol and result, this is currently not treated as an error. In case\nof ac-\u003enegotiating == true and ac-\u003eprotocol \u003e 0, this leads to setting\nac-\u003eprotocol = 0 and ac-\u003eops = NULL. Thereafter, the check for\nac-\u003eprotocol != protocol returns false, and init_protocol() is not\ncalled. Subsequently, ac-\u003eops-\u003ehandle_reply() is called, which leads to\na null pointer dereference, because ac-\u003eops is still NULL.\n\nThis patch changes the check for ac-\u003eprotocol != protocol to\n!ac-\u003eprotocol, as this also includes the case when the protocol was set\nto zero in the message. This causes the message to be treated as\ncontaining a bad auth protocol."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:48:45.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ded62c302c0342efdb5eda3bf6e75720caad0df"
},
{
"url": "https://git.kernel.org/stable/c/f101271fcf55d7eacfefd610b51ec65f46ba8118"
},
{
"url": "https://git.kernel.org/stable/c/4b2738b93edad661178340239de657d876b73d3d"
},
{
"url": "https://git.kernel.org/stable/c/927e4bd5692f2a4901808822981fb2c8d4456548"
},
{
"url": "https://git.kernel.org/stable/c/016bc663657366d386993f63eb31072eb45a2b77"
},
{
"url": "https://git.kernel.org/stable/c/8f2be7285941a33a9f72579a23b96392f83c758e"
},
{
"url": "https://git.kernel.org/stable/c/5199c125d25aeae8615c4fc31652cc0fe624338e"
}
],
"title": "libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46024",
"datePublished": "2026-05-27T12:56:29.932Z",
"dateReserved": "2026-05-13T15:03:33.093Z",
"dateUpdated": "2026-06-14T17:48:45.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23327 (GCVE-0-2026-23327)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-06-01 16:10
VLAI?
EPSS
Title
cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()
cxl_payload_from_user_allowed() casts and dereferences the input
payload without first verifying its size. When a raw mailbox command
is sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,
which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,
triggering a KASAN splat:
BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683
Read of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258
CPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x650 mm/kasan/report.c:482
kasan_report+0xce/0x100 mm/kasan/report.c:595
memcmp+0x176/0x1d0 lib/string.c:683
uuid_equal include/linux/uuid.h:73 [inline]
cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]
cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]
cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]
cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643
__cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]
cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdaf331ba79
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79
RDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003
RBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768
</TASK>
Add 'in_size' parameter to cxl_payload_from_user_allowed() and validate
the payload is large enough.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6179045ccc0c6229dc449afc1701dc7fbd40571f , < dc184ac2f0ba77ae19725ee06ad3ab36bb9d1f61
(git)
Affected: 6179045ccc0c6229dc449afc1701dc7fbd40571f , < 7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1 (git) Affected: 6179045ccc0c6229dc449afc1701dc7fbd40571f , < 60b5d1f68338aff2c5af0113f04aefa7169c50c2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cxl/core/mbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc184ac2f0ba77ae19725ee06ad3ab36bb9d1f61",
"status": "affected",
"version": "6179045ccc0c6229dc449afc1701dc7fbd40571f",
"versionType": "git"
},
{
"lessThan": "7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1",
"status": "affected",
"version": "6179045ccc0c6229dc449afc1701dc7fbd40571f",
"versionType": "git"
},
{
"lessThan": "60b5d1f68338aff2c5af0113f04aefa7169c50c2",
"status": "affected",
"version": "6179045ccc0c6229dc449afc1701dc7fbd40571f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cxl/core/mbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()\n\ncxl_payload_from_user_allowed() casts and dereferences the input\npayload without first verifying its size. When a raw mailbox command\nis sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,\nwhich expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,\ntriggering a KASAN splat:\n\nBUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683\nRead of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258\n\nCPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x650 mm/kasan/report.c:482\n kasan_report+0xce/0x100 mm/kasan/report.c:595\n memcmp+0x176/0x1d0 lib/string.c:683\n uuid_equal include/linux/uuid.h:73 [inline]\n cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]\n cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]\n cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]\n cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643\n __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]\n cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdaf331ba79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79\nRDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003\nRBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768\n \u003c/TASK\u003e\n\nAdd \u0027in_size\u0027 parameter to cxl_payload_from_user_allowed() and validate\nthe payload is large enough."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:10:59.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc184ac2f0ba77ae19725ee06ad3ab36bb9d1f61"
},
{
"url": "https://git.kernel.org/stable/c/7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1"
},
{
"url": "https://git.kernel.org/stable/c/60b5d1f68338aff2c5af0113f04aefa7169c50c2"
}
],
"title": "cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23327",
"datePublished": "2026-03-25T10:27:19.815Z",
"dateReserved": "2026-01-13T15:37:45.996Z",
"dateUpdated": "2026-06-01T16:10:59.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43198 (GCVE-0-2026-43198)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
tcp: fix potential race in tcp_v6_syn_recv_sock()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix potential race in tcp_v6_syn_recv_sock()
Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()
is done too late.
After tcp_v4_syn_recv_sock(), the child socket is already visible
from TCP ehash table and other cpus might use it.
Since newinet->pinet6 is still pointing to the listener ipv6_pinfo
bad things can happen as syzbot found.
Move the problematic code in tcp_v6_mapped_child_init()
and call this new helper from tcp_v4_syn_recv_sock() before
the ehash insertion.
This allows the removal of one tcp_sync_mss(), since
tcp_v4_syn_recv_sock() will call it with the correct
context.
Severity ?
9.8 (Critical)
CWE
- CWE-821 - Incorrect Synchronization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fe89b2f05b854847784f91127319172945c1fadd
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7178e2a8027423b2af17ab95df73a749a5b72e5b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 858d2a4f67ff69e645a43487ef7ea7f28f06deae (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel. A race condition exists in the TCP (Transmission Control Protocol) IPv6 (Internet Protocol version 6) socket handling, specifically within the tcp_v6_syn_recv_sock() function. This occurs because a child socket becomes visible in the TCP hash table before its IPv6-specific information is fully initialized. A remote attacker could potentially exploit this timing window, leading to an unstable system state or unexpected behavior, which may result in a denial of service (DoS)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-821",
"description": "Incorrect Synchronization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:04.051Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43198"
},
{
"name": "RHBZ#2467228",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467228"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43198.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33215"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30129"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34443"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33285"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:33215: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:30129: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:34443: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:33285: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-06T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-06T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: tcp: fix potential race in tcp_v6_syn_recv_sock()",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/inet_connection_sock.h",
"include/net/tcp.h",
"net/ipv4/syncookies.c",
"net/ipv4/tcp_fastopen.c",
"net/ipv4/tcp_ipv4.c",
"net/ipv4/tcp_minisocks.c",
"net/ipv6/tcp_ipv6.c",
"net/mptcp/subflow.c",
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fe89b2f05b854847784f91127319172945c1fadd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7178e2a8027423b2af17ab95df73a749a5b72e5b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "858d2a4f67ff69e645a43487ef7ea7f28f06deae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/inet_connection_sock.h",
"include/net/tcp.h",
"net/ipv4/syncookies.c",
"net/ipv4/tcp_fastopen.c",
"net/ipv4/tcp_ipv4.c",
"net/ipv4/tcp_minisocks.c",
"net/ipv6/tcp_ipv6.c",
"net/mptcp/subflow.c",
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix potential race in tcp_v6_syn_recv_sock()\n\nCode in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()\nis done too late.\n\nAfter tcp_v4_syn_recv_sock(), the child socket is already visible\nfrom TCP ehash table and other cpus might use it.\n\nSince newinet-\u003epinet6 is still pointing to the listener ipv6_pinfo\nbad things can happen as syzbot found.\n\nMove the problematic code in tcp_v6_mapped_child_init()\nand call this new helper from tcp_v4_syn_recv_sock() before\nthe ehash insertion.\n\nThis allows the removal of one tcp_sync_mss(), since\ntcp_v4_syn_recv_sock() will call it with the correct\ncontext."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:44.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fe89b2f05b854847784f91127319172945c1fadd"
},
{
"url": "https://git.kernel.org/stable/c/7178e2a8027423b2af17ab95df73a749a5b72e5b"
},
{
"url": "https://git.kernel.org/stable/c/858d2a4f67ff69e645a43487ef7ea7f28f06deae"
}
],
"title": "tcp: fix potential race in tcp_v6_syn_recv_sock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43198",
"datePublished": "2026-05-06T11:28:05.569Z",
"dateReserved": "2026-05-01T14:12:55.992Z",
"dateUpdated": "2026-07-02T12:05:04.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43499 (GCVE-0-2026-43499)
Vulnerability from cvelistv5 – Published: 2026-05-21 12:17 – Updated: 2026-06-14 17:45
VLAI?
EPSS
Title
rtmutex: Use waiter::task instead of current in remove_waiter()
Summary
In the Linux kernel, the following vulnerability has been resolved:
rtmutex: Use waiter::task instead of current in remove_waiter()
remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().
In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:
1) the rbtree dequeue happens without waiter::task::pi_lock being held
2) the waiter task's pi_blocked_on state is not cleared, which leaves a
dangling pointer primed for UAF around.
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
task
Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
changelog ]
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < d8cce4773c2b23d819baf5abedc62f7b430e8745
(git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 8a1fc8d698ac5e5916e3082a0f74450d71f9611f (git) Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 6d52dfcb2a5db86e346cf51f8fcf2071b8085166 (git) Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 3fb7394a837740770f0d6b4b30567e60786a63f2 (git) Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 88614876370aac8ad1050ad785a4c095ba17ac11 (git) Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/locking/rtmutex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8cce4773c2b23d819baf5abedc62f7b430e8745",
"status": "affected",
"version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
"versionType": "git"
},
{
"lessThan": "8a1fc8d698ac5e5916e3082a0f74450d71f9611f",
"status": "affected",
"version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
"versionType": "git"
},
{
"lessThan": "6d52dfcb2a5db86e346cf51f8fcf2071b8085166",
"status": "affected",
"version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
"versionType": "git"
},
{
"lessThan": "3fb7394a837740770f0d6b4b30567e60786a63f2",
"status": "affected",
"version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
"versionType": "git"
},
{
"lessThan": "88614876370aac8ad1050ad785a4c095ba17ac11",
"status": "affected",
"version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
"versionType": "git"
},
{
"lessThan": "3bfdc63936dd4773109b7b8c280c0f3b5ae7d349",
"status": "affected",
"version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/locking/rtmutex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtmutex: Use waiter::task instead of current in remove_waiter()\n\nremove_waiter() is used by the slowlock paths, but it is also used for\nproxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from\nfutex_requeue().\n\nIn the latter case waiter::task is not current, but remove_waiter()\noperates on current for the dequeue operation. That results in several\nproblems:\n\n 1) the rbtree dequeue happens without waiter::task::pi_lock being held\n\n 2) the waiter task\u0027s pi_blocked_on state is not cleared, which leaves a\n dangling pointer primed for UAF around.\n\n 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter\n task\n\nUse waiter::task instead of current in all related operations in\nremove_waiter() to cure those problems.\n\n[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the\n \tchangelog ]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:45:36.065Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8cce4773c2b23d819baf5abedc62f7b430e8745"
},
{
"url": "https://git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0f74450d71f9611f"
},
{
"url": "https://git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8fcf2071b8085166"
},
{
"url": "https://git.kernel.org/stable/c/3fb7394a837740770f0d6b4b30567e60786a63f2"
},
{
"url": "https://git.kernel.org/stable/c/88614876370aac8ad1050ad785a4c095ba17ac11"
},
{
"url": "https://git.kernel.org/stable/c/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349"
}
],
"title": "rtmutex: Use waiter::task instead of current in remove_waiter()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43499",
"datePublished": "2026-05-21T12:17:49.281Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-06-14T17:45:36.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46176 (GCVE-0-2026-46176)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.
This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.
Fix by adding the same `goto unlock` in the s1 failure path.
Severity ?
7.8 (High)
CWE
- CWE-825 - Expired Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b6334d2356fc0922ed01457960f74923058a353a , < a13c2ac4d480b734342c6fbf8249fc48afd675f3
(git)
Affected: 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467 , < bc2cf5935b4665172235341163315905197ae91d (git) Affected: 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467 , < b087913ae88256df66620f7ba0a9776716aeef7e (git) Affected: 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467 , < 6fd93142dd1d09000c3750af08270f5792523fe9 (git) Affected: 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467 , < c488df06bd552bb8b6e14fa0cfd5ad986c6e9525 (git) Affected: 6.6.64 , < 6.6.140 (semver) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s RDMA/mlx5 component. An error path fall-through in the `mlx5_ib_dev_res_srq_init()` function, specifically when `ib_create_srq()` fails, can lead to the use of freed memory and error pointers. This memory corruption vulnerability could result in system instability, denial of service, or potentially arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:28.864Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46176"
},
{
"name": "RHBZ#2482594",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482594"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46176.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33215"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33685"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30848"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:33215: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:33685: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:30848: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a13c2ac4d480b734342c6fbf8249fc48afd675f3",
"status": "affected",
"version": "b6334d2356fc0922ed01457960f74923058a353a",
"versionType": "git"
},
{
"lessThan": "bc2cf5935b4665172235341163315905197ae91d",
"status": "affected",
"version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467",
"versionType": "git"
},
{
"lessThan": "b087913ae88256df66620f7ba0a9776716aeef7e",
"status": "affected",
"version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467",
"versionType": "git"
},
{
"lessThan": "6fd93142dd1d09000c3750af08270f5792523fe9",
"status": "affected",
"version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467",
"versionType": "git"
},
{
"lessThan": "c488df06bd552bb8b6e14fa0cfd5ad986c6e9525",
"status": "affected",
"version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467",
"versionType": "git"
},
{
"lessThan": "6.6.140",
"status": "affected",
"version": "6.6.64",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()\n\nmlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When\nib_create_srq() fails for s1, the error branch destroys s0 but falls\nthrough and unconditionally assigns the freed s0 and the ERR_PTR s1 to\ndevr-\u003es0 and devr-\u003es1.\n\nThis leads to several problems: the lock-free fast path checks\n\"if (devr-\u003es1) return 0;\" and treats the ERR_PTR as already initialised;\nusers in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via\nto_msrq(devr-\u003es0)-\u003emsrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences\nthe ERR_PTR and double-frees s0 on teardown.\n\nFix by adding the same `goto unlock` in the s1 failure path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:00:21.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3"
},
{
"url": "https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d"
},
{
"url": "https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e"
},
{
"url": "https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9"
},
{
"url": "https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525"
}
],
"title": "RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46176",
"datePublished": "2026-05-28T09:36:30.398Z",
"dateReserved": "2026-05-13T15:03:33.103Z",
"dateUpdated": "2026-07-02T12:05:28.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43074 (GCVE-0-2026-43074)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:21 – Updated: 2026-06-01 16:14
VLAI?
EPSS
Title
eventpoll: defer struct eventpoll free to RCU grace period
Summary
In the Linux kernel, the following vulnerability has been resolved:
eventpoll: defer struct eventpoll free to RCU grace period
In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f2451def095c1743adcfcb0cb5dadc86034e162a , < 902120be4f44947df6311002addc7faf69bdbff1
(git)
Affected: a1f93804449d13f97dabd4b996817de4bf1ed67a , < a6d57084372161f86660bc4607784420e00efe2c (git) Affected: 58c9b016e12855286370dfb704c08498edbc857a , < a6566cd33f6f967a7651ebf2ce0dd31572e319cf (git) Affected: 58c9b016e12855286370dfb704c08498edbc857a , < 5b1173b165421561db29f30afc7e97d940a398a9 (git) Affected: 58c9b016e12855286370dfb704c08498edbc857a , < 7e8083f5eeedab0f460063b9c2c14c9a4e71a427 (git) Affected: 58c9b016e12855286370dfb704c08498edbc857a , < ae0bb9c1fb7c2594519aeeb096cf2c3b7837b322 (git) Affected: 58c9b016e12855286370dfb704c08498edbc857a , < 07712db80857d5d09ae08f3df85a708ecfc3b61f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/eventpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "902120be4f44947df6311002addc7faf69bdbff1",
"status": "affected",
"version": "f2451def095c1743adcfcb0cb5dadc86034e162a",
"versionType": "git"
},
{
"lessThan": "a6d57084372161f86660bc4607784420e00efe2c",
"status": "affected",
"version": "a1f93804449d13f97dabd4b996817de4bf1ed67a",
"versionType": "git"
},
{
"lessThan": "a6566cd33f6f967a7651ebf2ce0dd31572e319cf",
"status": "affected",
"version": "58c9b016e12855286370dfb704c08498edbc857a",
"versionType": "git"
},
{
"lessThan": "5b1173b165421561db29f30afc7e97d940a398a9",
"status": "affected",
"version": "58c9b016e12855286370dfb704c08498edbc857a",
"versionType": "git"
},
{
"lessThan": "7e8083f5eeedab0f460063b9c2c14c9a4e71a427",
"status": "affected",
"version": "58c9b016e12855286370dfb704c08498edbc857a",
"versionType": "git"
},
{
"lessThan": "ae0bb9c1fb7c2594519aeeb096cf2c3b7837b322",
"status": "affected",
"version": "58c9b016e12855286370dfb704c08498edbc857a",
"versionType": "git"
},
{
"lessThan": "07712db80857d5d09ae08f3df85a708ecfc3b61f",
"status": "affected",
"version": "58c9b016e12855286370dfb704c08498edbc857a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/eventpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: defer struct eventpoll free to RCU grace period\n\nIn certain situations, ep_free() in eventpoll.c will kfree the epi-\u003eep\neventpoll struct while it still being used by another concurrent thread.\nDefer the kfree() to an RCU callback to prevent UAF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:14:10.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/902120be4f44947df6311002addc7faf69bdbff1"
},
{
"url": "https://git.kernel.org/stable/c/a6d57084372161f86660bc4607784420e00efe2c"
},
{
"url": "https://git.kernel.org/stable/c/a6566cd33f6f967a7651ebf2ce0dd31572e319cf"
},
{
"url": "https://git.kernel.org/stable/c/5b1173b165421561db29f30afc7e97d940a398a9"
},
{
"url": "https://git.kernel.org/stable/c/7e8083f5eeedab0f460063b9c2c14c9a4e71a427"
},
{
"url": "https://git.kernel.org/stable/c/ae0bb9c1fb7c2594519aeeb096cf2c3b7837b322"
},
{
"url": "https://git.kernel.org/stable/c/07712db80857d5d09ae08f3df85a708ecfc3b61f"
}
],
"title": "eventpoll: defer struct eventpoll free to RCU grace period",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43074",
"datePublished": "2026-05-06T07:21:58.210Z",
"dateReserved": "2026-05-01T14:12:55.982Z",
"dateUpdated": "2026-06-01T16:14:10.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46114 (GCVE-0-2026-46114)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-14 17:55
VLAI?
EPSS
Title
RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c
unconditionally dereferences 8 bytes at payload_addr(pkt):
value = *(u64 *)payload_addr(pkt);
check_rkey() previously accepted an ATOMIC_WRITE request with pktlen ==
resid == 0 because the length validation only compared pktlen against
resid. A remote initiator that sets the RETH length to 0 therefore reaches
atomic_write_reply() with a zero-byte logical payload, and the responder
reads sizeof(u64) bytes from past the logical end of the packet into
skb->head tailroom, then writes those 8 bytes into the attacker's MR via
rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel
tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).
IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is
protocol-invalid. Hoist a strict length check into check_rkey() so the
responder never reaches the unchecked dereference, and keep the existing
WRITE-family length logic for the normal RDMA WRITE path.
Reproduced on mainline with an unmodified rxe driver: a sustained
zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer
bytes into the attacker's MR, including recognisable kernel strings and
partial kernel-direct-map pointer words. With this patch applied the
responder rejects the PDU and the MR stays all-zero.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
034e285f8b99062a0cf29112e1232154a6a44aa5 , < 539cabb7b2d8ba70f55bba91db55faef11c2a6d7
(git)
Affected: 034e285f8b99062a0cf29112e1232154a6a44aa5 , < d415fce3fcde6d7aeea6c25362a395b905811452 (git) Affected: 034e285f8b99062a0cf29112e1232154a6a44aa5 , < 105bf79a23b85cf3a761d18a4f3e10ce88526bc1 (git) Affected: 034e285f8b99062a0cf29112e1232154a6a44aa5 , < 7ec1ed4747f5f99f8b797bb438c5efd36079fad5 (git) Affected: 034e285f8b99062a0cf29112e1232154a6a44aa5 , < 1114c87aa6f195cf07da55a27b2122ae26557b26 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_resp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "539cabb7b2d8ba70f55bba91db55faef11c2a6d7",
"status": "affected",
"version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
"versionType": "git"
},
{
"lessThan": "d415fce3fcde6d7aeea6c25362a395b905811452",
"status": "affected",
"version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
"versionType": "git"
},
{
"lessThan": "105bf79a23b85cf3a761d18a4f3e10ce88526bc1",
"status": "affected",
"version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
"versionType": "git"
},
{
"lessThan": "7ec1ed4747f5f99f8b797bb438c5efd36079fad5",
"status": "affected",
"version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
"versionType": "git"
},
{
"lessThan": "1114c87aa6f195cf07da55a27b2122ae26557b26",
"status": "affected",
"version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_resp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads\n\natomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c\nunconditionally dereferences 8 bytes at payload_addr(pkt):\n\n value = *(u64 *)payload_addr(pkt);\n\ncheck_rkey() previously accepted an ATOMIC_WRITE request with pktlen ==\nresid == 0 because the length validation only compared pktlen against\nresid. A remote initiator that sets the RETH length to 0 therefore reaches\natomic_write_reply() with a zero-byte logical payload, and the responder\nreads sizeof(u64) bytes from past the logical end of the packet into\nskb-\u003ehead tailroom, then writes those 8 bytes into the attacker\u0027s MR via\nrxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel\ntailroom per probe (the other 4 bytes are the packet\u0027s own trailing ICRC).\n\nIBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is\nprotocol-invalid. Hoist a strict length check into check_rkey() so the\nresponder never reaches the unchecked dereference, and keep the existing\nWRITE-family length logic for the normal RDMA WRITE path.\n\nReproduced on mainline with an unmodified rxe driver: a sustained\nzero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer\nbytes into the attacker\u0027s MR, including recognisable kernel strings and\npartial kernel-direct-map pointer words. With this patch applied the\nresponder rejects the PDU and the MR stays all-zero."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:55:27.913Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/539cabb7b2d8ba70f55bba91db55faef11c2a6d7"
},
{
"url": "https://git.kernel.org/stable/c/d415fce3fcde6d7aeea6c25362a395b905811452"
},
{
"url": "https://git.kernel.org/stable/c/105bf79a23b85cf3a761d18a4f3e10ce88526bc1"
},
{
"url": "https://git.kernel.org/stable/c/7ec1ed4747f5f99f8b797bb438c5efd36079fad5"
},
{
"url": "https://git.kernel.org/stable/c/1114c87aa6f195cf07da55a27b2122ae26557b26"
}
],
"title": "RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46114",
"datePublished": "2026-05-28T09:35:24.638Z",
"dateReserved": "2026-05-13T15:03:33.098Z",
"dateUpdated": "2026-06-14T17:55:27.913Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43234 (GCVE-0-2026-43234)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:20
VLAI?
EPSS
Title
team: avoid NETDEV_CHANGEMTU event when unregistering slave
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: avoid NETDEV_CHANGEMTU event when unregistering slave
syzbot is reporting
unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3
ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at
__netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
netdev_hold include/linux/netdevice.h:4429 [inline]
inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286
inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]
netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886
netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907
dev_set_mtu+0x126/0x260 net/core/dev_api.c:248
team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333
team_del_slave drivers/net/team/team_core.c:1936 [inline]
team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
call_netdevice_notifiers net/core/dev.c:2295 [inline]
__dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592
do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060
rtnl_changelink net/core/rtnetlink.c:3776 [inline]
__rtnl_newlink net/core/rtnetlink.c:3935 [inline]
rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072
rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
problem. Ido Schimmel found steps to reproduce
ip link add name team1 type team
ip link add name dummy1 mtu 1499 master team1 type dummy
ip netns add ns1
ip link set dev dummy1 netns ns1
ip -n ns1 link del dev dummy1
and also found that the same issue was fixed in the bond driver in
commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when
unregistering slave").
Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net:
hold netdev instance lock during sysfs operations") and commit 303a8487a657
("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 , < bce42728ac4887060a24a585c5122fbd24939db7
(git)
Affected: 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 , < 5268892de70f0b29bde341db863b234aa9259c08 (git) Affected: 3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 , < bb4c698633c0e19717586a6524a33196cff01a32 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bce42728ac4887060a24a585c5122fbd24939db7",
"status": "affected",
"version": "3d249d4ca7d0ed6629a135ea1ea21c72286c0d80",
"versionType": "git"
},
{
"lessThan": "5268892de70f0b29bde341db863b234aa9259c08",
"status": "affected",
"version": "3d249d4ca7d0ed6629a135ea1ea21c72286c0d80",
"versionType": "git"
},
{
"lessThan": "bb4c698633c0e19717586a6524a33196cff01a32",
"status": "affected",
"version": "3d249d4ca7d0ed6629a135ea1ea21c72286c0d80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: avoid NETDEV_CHANGEMTU event when unregistering slave\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3\n ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at\n __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n netdev_hold include/linux/netdevice.h:4429 [inline]\n inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286\n inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600\n notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]\n netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886\n netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907\n dev_set_mtu+0x126/0x260 net/core/dev_api.c:248\n team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333\n team_del_slave drivers/net/team/team_core.c:1936 [inline]\n team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929\n notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]\n call_netdevice_notifiers net/core/dev.c:2295 [inline]\n __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592\n do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060\n rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n\nproblem. Ido Schimmel found steps to reproduce\n\n ip link add name team1 type team\n ip link add name dummy1 mtu 1499 master team1 type dummy\n ip netns add ns1\n ip link set dev dummy1 netns ns1\n ip -n ns1 link del dev dummy1\n\nand also found that the same issue was fixed in the bond driver in\ncommit f51048c3e07b (\"bonding: avoid NETDEV_CHANGEMTU event when\nunregistering slave\").\n\nLet\u0027s do similar thing for the team driver, with commit ad7c7b2172c3 (\"net:\nhold netdev instance lock during sysfs operations\") and commit 303a8487a657\n(\"net: s/__dev_set_mtu/__netif_set_mtu/\") also applied."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:20:35.930Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7"
},
{
"url": "https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08"
},
{
"url": "https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32"
}
],
"title": "team: avoid NETDEV_CHANGEMTU event when unregistering slave",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43234",
"datePublished": "2026-05-06T11:28:30.212Z",
"dateReserved": "2026-05-01T14:12:55.995Z",
"dateUpdated": "2026-05-11T22:20:35.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43009 (GCVE-0-2026-43009)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:15
VLAI?
EPSS
Title
bpf: Fix incorrect pruning due to atomic fetch precision tracking
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix incorrect pruning due to atomic fetch precision tracking
When backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC
and BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as
a destination, thus receiving the old value from the memory location.
The current backtracking logic does not account for this. It treats
atomic fetch operations the same as regular stores where the src
register is only an input. This leads the backtrack_insn to fail to
propagate precision to the stack location, which is then not marked
as precise!
Later, the verifier's path pruning can incorrectly consider two states
equivalent when they differ in terms of stack state. Meaning, two
branches can be treated as equivalent and thus get pruned when they
should not be seen as such.
Fix it as follows: Extend the BPF_LDX handling in backtrack_insn to
also cover atomic fetch operations via is_atomic_fetch_insn() helper.
When the fetch dst register is being tracked for precision, clear it,
and propagate precision over to the stack slot. For non-stack memory,
the precision walk stops at the atomic instruction, same as regular
BPF_LDX. This covers all fetch variants.
Before:
0: (b7) r1 = 8 ; R1=8
1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
2: (b7) r2 = 0 ; R2=0
3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
4: (bf) r3 = r10 ; R3=fp0 R10=fp0
5: (0f) r3 += r2
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0
6: R2=8 R3=fp8
6: (b7) r0 = 0 ; R0=0
7: (95) exit
After:
0: (b7) r1 = 8 ; R1=8
1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
2: (b7) r2 = 0 ; R2=0
3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
4: (bf) r3 = r10 ; R3=fp0 R10=fp0
5: (0f) r3 += r2
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0
mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1
mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8
6: R2=8 R3=fp8
6: (b7) r0 = 0 ; R0=0
7: (95) exit
Severity ?
7.8 (High)
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ffbe45b1d227e24659998a91cfd4c27af457e71",
"status": "affected",
"version": "5ca419f2864a2c60940dcf4bbaeb69546200e36f",
"versionType": "git"
},
{
"lessThan": "179ee84a89114b854ac2dd1d293633a7f6c8dac1",
"status": "affected",
"version": "5ca419f2864a2c60940dcf4bbaeb69546200e36f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix incorrect pruning due to atomic fetch precision tracking\n\nWhen backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC\nand BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as\na destination, thus receiving the old value from the memory location.\n\nThe current backtracking logic does not account for this. It treats\natomic fetch operations the same as regular stores where the src\nregister is only an input. This leads the backtrack_insn to fail to\npropagate precision to the stack location, which is then not marked\nas precise!\n\nLater, the verifier\u0027s path pruning can incorrectly consider two states\nequivalent when they differ in terms of stack state. Meaning, two\nbranches can be treated as equivalent and thus get pruned when they\nshould not be seen as such.\n\nFix it as follows: Extend the BPF_LDX handling in backtrack_insn to\nalso cover atomic fetch operations via is_atomic_fetch_insn() helper.\nWhen the fetch dst register is being tracked for precision, clear it,\nand propagate precision over to the stack slot. For non-stack memory,\nthe precision walk stops at the atomic instruction, same as regular\nBPF_LDX. This covers all fetch variants.\n\nBefore:\n\n 0: (b7) r1 = 8 ; R1=8\n 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8\n 2: (b7) r2 = 0 ; R2=0\n 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm\n 4: (bf) r3 = r10 ; R3=fp0 R10=fp0\n 5: (0f) r3 += r2\n mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\n mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\n mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0\n 6: R2=8 R3=fp8\n 6: (b7) r0 = 0 ; R0=0\n 7: (95) exit\n\nAfter:\n\n 0: (b7) r1 = 8 ; R1=8\n 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8\n 2: (b7) r2 = 0 ; R2=0\n 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm\n 4: (bf) r3 = r10 ; R3=fp0 R10=fp0\n 5: (0f) r3 += r2\n mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\n mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\n mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0\n mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1\n mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8\n 6: R2=8 R3=fp8\n 6: (b7) r0 = 0 ; R0=0\n 7: (95) exit"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:15:56.331Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ffbe45b1d227e24659998a91cfd4c27af457e71"
},
{
"url": "https://git.kernel.org/stable/c/179ee84a89114b854ac2dd1d293633a7f6c8dac1"
}
],
"title": "bpf: Fix incorrect pruning due to atomic fetch precision tracking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43009",
"datePublished": "2026-05-01T14:15:16.271Z",
"dateReserved": "2026-05-01T14:12:55.974Z",
"dateUpdated": "2026-05-11T22:15:56.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43341 (GCVE-0-2026-43341)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:37 – Updated: 2026-06-19 11:58
VLAI?
EPSS
Title
net/ipv6: ioam6: prevent schema length wraparound in trace fill
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/ipv6: ioam6: prevent schema length wraparound in trace fill
ioam6_fill_trace_data() stores the schema contribution to the trace
length in a u8. With bit 22 enabled and the largest schema payload,
sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the
remaining-space check. __ioam6_fill_trace_data() then positions the
write cursor without reserving the schema area but still copies the
4-byte schema header and the full schema payload, overrunning the trace
buffer.
Keep sclen in an unsigned int so the remaining-space check and the write
cursor calculation both see the full schema length.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8c6f6fa6772696be0c047a711858084b38763728 , < d3a1fb2ca323d7a4e10ab3afbfa25e6d8921e4f2
(git)
Affected: 8c6f6fa6772696be0c047a711858084b38763728 , < e96d48b37708d53cbdc47f6f60b0714fc4a5f596 (git) Affected: 8c6f6fa6772696be0c047a711858084b38763728 , < d1b041080086e91d3733a5438a8c51ad5d3d8e09 (git) Affected: 8c6f6fa6772696be0c047a711858084b38763728 , < 77695a69baca9b99d95fad09fc78c2318736604f (git) Affected: 8c6f6fa6772696be0c047a711858084b38763728 , < 184d2e9db27c0f76226b5cad16fe29510a5d2280 (git) Affected: 8c6f6fa6772696be0c047a711858084b38763728 , < d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d (git) Affected: 8c6f6fa6772696be0c047a711858084b38763728 , < 5e67ba9bb531e1ec6599a82a065dea9040b9ce50 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ioam6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3a1fb2ca323d7a4e10ab3afbfa25e6d8921e4f2",
"status": "affected",
"version": "8c6f6fa6772696be0c047a711858084b38763728",
"versionType": "git"
},
{
"lessThan": "e96d48b37708d53cbdc47f6f60b0714fc4a5f596",
"status": "affected",
"version": "8c6f6fa6772696be0c047a711858084b38763728",
"versionType": "git"
},
{
"lessThan": "d1b041080086e91d3733a5438a8c51ad5d3d8e09",
"status": "affected",
"version": "8c6f6fa6772696be0c047a711858084b38763728",
"versionType": "git"
},
{
"lessThan": "77695a69baca9b99d95fad09fc78c2318736604f",
"status": "affected",
"version": "8c6f6fa6772696be0c047a711858084b38763728",
"versionType": "git"
},
{
"lessThan": "184d2e9db27c0f76226b5cad16fe29510a5d2280",
"status": "affected",
"version": "8c6f6fa6772696be0c047a711858084b38763728",
"versionType": "git"
},
{
"lessThan": "d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d",
"status": "affected",
"version": "8c6f6fa6772696be0c047a711858084b38763728",
"versionType": "git"
},
{
"lessThan": "5e67ba9bb531e1ec6599a82a065dea9040b9ce50",
"status": "affected",
"version": "8c6f6fa6772696be0c047a711858084b38763728",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ioam6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: ioam6: prevent schema length wraparound in trace fill\n\nioam6_fill_trace_data() stores the schema contribution to the trace\nlength in a u8. With bit 22 enabled and the largest schema payload,\nsclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the\nremaining-space check. __ioam6_fill_trace_data() then positions the\nwrite cursor without reserving the schema area but still copies the\n4-byte schema header and the full schema payload, overrunning the trace\nbuffer.\n\nKeep sclen in an unsigned int so the remaining-space check and the write\ncursor calculation both see the full schema length."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:31.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3a1fb2ca323d7a4e10ab3afbfa25e6d8921e4f2"
},
{
"url": "https://git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596"
},
{
"url": "https://git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09"
},
{
"url": "https://git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f"
},
{
"url": "https://git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280"
},
{
"url": "https://git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d"
},
{
"url": "https://git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50"
}
],
"title": "net/ipv6: ioam6: prevent schema length wraparound in trace fill",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43341",
"datePublished": "2026-05-08T13:37:19.256Z",
"dateReserved": "2026-05-01T14:12:56.003Z",
"dateUpdated": "2026-06-19T11:58:31.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43359 (GCVE-0-2026-43359)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
btrfs: fix transaction abort on set received ioctl due to item overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on set received ioctl due to item overflow
If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.
This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even requires that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.
A test case for fstests will follow soon.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < b9914db13ac15aca3b74544c0bb1a2e0dad1f174
(git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < b19c0465e4daad5aa8f60552ea0578cf31a11b1e (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5 (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < d11aefe654a04fc41996d254748d6a38b6b0a7be (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 41fb97353ff58fa4f31904c343fc8e3df2f7517d (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 87f2c46003fce4d739138aab4af1942b1afdadac (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c",
"fs/btrfs/uuid-tree.c",
"fs/btrfs/uuid-tree.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9914db13ac15aca3b74544c0bb1a2e0dad1f174",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "b19c0465e4daad5aa8f60552ea0578cf31a11b1e",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "d11aefe654a04fc41996d254748d6a38b6b0a7be",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "41fb97353ff58fa4f31904c343fc8e3df2f7517d",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "87f2c46003fce4d739138aab4af1942b1afdadac",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c",
"fs/btrfs/uuid-tree.c",
"fs/btrfs/uuid-tree.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort on set received ioctl due to item overflow\n\nIf the set received ioctl fails due to an item overflow when attempting to\nadd the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction\nsince we did some metadata updates before.\n\nThis means that if a user calls this ioctl with the same received UUID\nfield for a lot of subvolumes, we will hit the overflow, trigger the\ntransaction abort and turn the filesystem into RO mode. A malicious user\ncould exploit this, and this ioctl does not even requires that a user\nhas admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.\n\nFix this by doing an early check for item overflow before starting a\ntransaction. This is also race safe because we are holding the subvol_sem\nsemaphore in exclusive (write) mode.\n\nA test case for fstests will follow soon."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:03.390Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9914db13ac15aca3b74544c0bb1a2e0dad1f174"
},
{
"url": "https://git.kernel.org/stable/c/b19c0465e4daad5aa8f60552ea0578cf31a11b1e"
},
{
"url": "https://git.kernel.org/stable/c/2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5"
},
{
"url": "https://git.kernel.org/stable/c/d11aefe654a04fc41996d254748d6a38b6b0a7be"
},
{
"url": "https://git.kernel.org/stable/c/41fb97353ff58fa4f31904c343fc8e3df2f7517d"
},
{
"url": "https://git.kernel.org/stable/c/87f2c46003fce4d739138aab4af1942b1afdadac"
}
],
"title": "btrfs: fix transaction abort on set received ioctl due to item overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43359",
"datePublished": "2026-05-08T14:21:14.357Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:03.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43503 (GCVE-0-2026-43503)
Vulnerability from cvelistv5 – Published: 2026-05-23 11:44 – Updated: 2026-07-03 12:05
VLAI?
EPSS
Title
net: skbuff: propagate shared-frag marker through frag-transfer helpers
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: propagate shared-frag marker through frag-transfer helpers
Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail
to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when
moving frags from source to destination. __pskb_copy_fclone() defers
the rest of the shinfo metadata to skb_copy_header() after copying
frag descriptors, but that helper only carries over gso_{size,segs,
type} and never touches skb_shinfo()->flags; skb_shift() moves frag
descriptors directly and leaves flags untouched. As a result, the
destination skb keeps a reference to the same externally-owned or
page-cache-backed pages while reporting skb_has_shared_frag() as
false.
The mismatch is harmful in any in-place writer that uses
skb_has_shared_frag() to decide whether shared pages must be detoured
through skb_cow_data(). ESP input is one such writer (esp4.c,
esp6.c), and a single nft 'dup to <local>' rule -- or any other
nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d
skb in esp_input() with the marker stripped, letting an unprivileged
user write into the page cache of a root-owned read-only file via
authencesn-ESN stray writes.
Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
were actually moved from the source. skb_copy() and skb_copy_expand()
share skb_copy_header() too but linearize all paged data into freshly
allocated head storage and emerge with nr_frags == 0, so
skb_has_shared_frag() returns false on its own; they need no change.
The same omission exists in skb_gro_receive() and skb_gro_receive_list().
The former moves the incoming skb's frag descriptors into the
accumulator's last sub-skb via two paths (a direct frag-move loop and
the head_frag + memcpy path); the latter chains the incoming skb whole
onto p's frag_list. Downstream skb_segment() reads only
skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's
shinfo as the nskb -- both p and lp must carry the marker.
The same omission also exists in tcp_clone_payload(), which builds an
MTU probe skb by moving frag descriptors from skbs on sk_write_queue
into a freshly allocated nskb. The helper falls into the same family
and warrants the same fix for consistency; no TCP TX-side in-place
writer is currently known to reach a user page through this gap, but
a future consumer depending on the marker would regress silently.
The same omission exists in skb_segment(): the per-iteration flag
merge takes only head_skb's flag, and the inner switch that rebinds
frag_skb to list_skb on head_skb-frags exhaustion does not fold the
new frag_skb's flag into nskb. Fold frag_skb's flag at both sites
so segments drawing frags from frag_list members carry the marker.
Severity ?
8.8 (High)
CWE
- CWE-664 - Improper Control of a Resource Through its Lifetime
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < fbeab9555564a1b98e8582cd106dfe46c4606991
(git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 179f1852bdedc300e373e807cc102cd81feff196 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 12401fcfb01f53ccc63ab0a3246570fe8f3105ee (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 989214c66884d70716d83dc1d0bf5e16287bf349 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < ff375cc75f9167168db38e0464a482d5fbc8d81d (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 9bc9d6d6967a2239aa57af2aa53554eddd640d20 (git) Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 48f6a5356a33dd78e7144ae1faef95ffc990aae0 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s networking (skbuff) component. When skb_try_coalesce() attaches paged fragments, it can lose the SKBFL_SHARED_FRAG marker. This can lead to the Encapsulating Security Payload (ESP) input decrypting data in place over page-cache backed fragments, potentially resulting in data corruption."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-664",
"description": "Improper Control of a Resource Through its Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:13.320Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43503"
},
{
"name": "RHBZ#2480902",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480902"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43503.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19540"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21695"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21690"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21656"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23245"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21702"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23240"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20299"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19705"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20593"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20054"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20129"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19666"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23470"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20130"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20051"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19521"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23471"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23469"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24814"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23468"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19664"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19711"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19875"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:19540: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:21695: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:21690: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:20087: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:21656: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:23245: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:21702: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:23240: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:20299: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19705: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:20593: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:20054: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20129: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19666: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:23470: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:20130: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20051: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19521: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:23471: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:23469: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:24814: Red Hat Enterprise Linux BaseOS E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:23468: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19664: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:19711: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19875: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-23T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-23T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: net: skbuff: propagate shared-frag marker through frag-transfer helpers",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c",
"net/core/skbuff.c",
"net/ipv4/tcp_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbeab9555564a1b98e8582cd106dfe46c4606991",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "179f1852bdedc300e373e807cc102cd81feff196",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "12401fcfb01f53ccc63ab0a3246570fe8f3105ee",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "989214c66884d70716d83dc1d0bf5e16287bf349",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "ff375cc75f9167168db38e0464a482d5fbc8d81d",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "9bc9d6d6967a2239aa57af2aa53554eddd640d20",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
},
{
"lessThan": "48f6a5356a33dd78e7144ae1faef95ffc990aae0",
"status": "affected",
"version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c",
"net/core/skbuff.c",
"net/ipv4/tcp_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.257",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.208",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.174",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: propagate shared-frag marker through frag-transfer helpers\n\nTwo frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail\nto propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()-\u003eflags when\nmoving frags from source to destination. __pskb_copy_fclone() defers\nthe rest of the shinfo metadata to skb_copy_header() after copying\nfrag descriptors, but that helper only carries over gso_{size,segs,\ntype} and never touches skb_shinfo()-\u003eflags; skb_shift() moves frag\ndescriptors directly and leaves flags untouched. As a result, the\ndestination skb keeps a reference to the same externally-owned or\npage-cache-backed pages while reporting skb_has_shared_frag() as\nfalse.\n\nThe mismatch is harmful in any in-place writer that uses\nskb_has_shared_frag() to decide whether shared pages must be detoured\nthrough skb_cow_data(). ESP input is one such writer (esp4.c,\nesp6.c), and a single nft \u0027dup to \u003clocal\u003e\u0027 rule -- or any other\nnf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()\u0027d\nskb in esp_input() with the marker stripped, letting an unprivileged\nuser write into the page cache of a root-owned read-only file via\nauthencesn-ESN stray writes.\n\nSet SKBFL_SHARED_FRAG on the destination whenever frag descriptors\nwere actually moved from the source. skb_copy() and skb_copy_expand()\nshare skb_copy_header() too but linearize all paged data into freshly\nallocated head storage and emerge with nr_frags == 0, so\nskb_has_shared_frag() returns false on its own; they need no change.\n\nThe same omission exists in skb_gro_receive() and skb_gro_receive_list().\nThe former moves the incoming skb\u0027s frag descriptors into the\naccumulator\u0027s last sub-skb via two paths (a direct frag-move loop and\nthe head_frag + memcpy path); the latter chains the incoming skb whole\nonto p\u0027s frag_list. Downstream skb_segment() reads only\nskb_shinfo(p)-\u003eflags, and skb_segment_list() reuses each sub-skb\u0027s\nshinfo as the nskb -- both p and lp must carry the marker.\n\nThe same omission also exists in tcp_clone_payload(), which builds an\nMTU probe skb by moving frag descriptors from skbs on sk_write_queue\ninto a freshly allocated nskb. The helper falls into the same family\nand warrants the same fix for consistency; no TCP TX-side in-place\nwriter is currently known to reach a user page through this gap, but\na future consumer depending on the marker would regress silently.\n\nThe same omission exists in skb_segment(): the per-iteration flag\nmerge takes only head_skb\u0027s flag, and the inner switch that rebinds\nfrag_skb to list_skb on head_skb-frags exhaustion does not fold the\nnew frag_skb\u0027s flag into nskb. Fold frag_skb\u0027s flag at both sites\nso segments drawing frags from frag_list members carry the marker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:45:49.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991"
},
{
"url": "https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196"
},
{
"url": "https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee"
},
{
"url": "https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349"
},
{
"url": "https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8"
},
{
"url": "https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d"
},
{
"url": "https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20"
},
{
"url": "https://git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0"
}
],
"title": "net: skbuff: propagate shared-frag marker through frag-transfer helpers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43503",
"datePublished": "2026-05-23T11:44:01.103Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-07-03T12:05:13.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23278 (GCVE-0-2026-23278)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-23 16:04
VLAI?
EPSS
Title
netfilter: nf_tables: always walk all pending catchall elements
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: always walk all pending catchall elements
During transaction processing we might have more than one catchall element:
1 live catchall element and 1 pending element that is coming as part of the
new batch.
If the map holding the catchall elements is also going away, its
required to toggle all catchall elements and not just the first viable
candidate.
Otherwise, we get:
WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
[..]
__nft_set_elem_destroy+0x106/0x380 [nf_tables]
nf_tables_abort_release+0x348/0x8d0 [nf_tables]
nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
628bd3e49cba1c066228e23d71a852c23e26da73 , < eb0948fa13298212c5f8b30ee48efdae4389ab09
(git)
Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < de47a88c6b807910f05703fb6605f7efdaa11417 (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 77c26b5056d693ffe5e9f040e946251cdb55ae55 (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 (git) Affected: bc9f791d2593f17e39f87c6e2b3a36549a3705b1 (git) Affected: 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 (git) Affected: a136b7942ad2a50de708f76ea299ccb45ac7a7f9 (git) Affected: 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 (git) Affected: d60be2da67d172aecf866302c91ea11533eca4d9 (git) Affected: dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 (git) Affected: 4.19.316 , < 4.20 (semver) Affected: 5.4.262 , < 5.5 (semver) Affected: 5.10.188 , < 5.11 (semver) Affected: 5.15.121 , < 5.16 (semver) Affected: 6.1.36 , < 6.2 (semver) Affected: 6.3.10 , < 6.4 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb0948fa13298212c5f8b30ee48efdae4389ab09",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "de47a88c6b807910f05703fb6605f7efdaa11417",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "77c26b5056d693ffe5e9f040e946251cdb55ae55",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"status": "affected",
"version": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1",
"versionType": "git"
},
{
"status": "affected",
"version": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50",
"versionType": "git"
},
{
"status": "affected",
"version": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9",
"versionType": "git"
},
{
"status": "affected",
"version": "25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8",
"versionType": "git"
},
{
"status": "affected",
"version": "d60be2da67d172aecf866302c91ea11533eca4d9",
"versionType": "git"
},
{
"status": "affected",
"version": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.316",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.36",
"versionType": "semver"
},
{
"lessThan": "6.4",
"status": "affected",
"version": "6.3.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: always walk all pending catchall elements\n\nDuring transaction processing we might have more than one catchall element:\n1 live catchall element and 1 pending element that is coming as part of the\nnew batch.\n\nIf the map holding the catchall elements is also going away, its\nrequired to toggle all catchall elements and not just the first viable\ncandidate.\n\nOtherwise, we get:\n WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404\n RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]\n [..]\n __nft_set_elem_destroy+0x106/0x380 [nf_tables]\n nf_tables_abort_release+0x348/0x8d0 [nf_tables]\n nf_tables_abort+0xcf2/0x3ac0 [nf_tables]\n nfnetlink_rcv_batch+0x9c9/0x20e0 [..]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:29.137Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb0948fa13298212c5f8b30ee48efdae4389ab09"
},
{
"url": "https://git.kernel.org/stable/c/de47a88c6b807910f05703fb6605f7efdaa11417"
},
{
"url": "https://git.kernel.org/stable/c/77c26b5056d693ffe5e9f040e946251cdb55ae55"
},
{
"url": "https://git.kernel.org/stable/c/7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9"
}
],
"title": "netfilter: nf_tables: always walk all pending catchall elements",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23278",
"datePublished": "2026-03-20T08:08:58.566Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-05-23T16:04:29.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43360 (GCVE-0-2026-43360)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
btrfs: fix transaction abort on file creation due to name hash collision
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on file creation due to name hash collision
If we attempt to create several files with names that result in the same
hash, we have to pack them in same dir item and that has a limit inherent
to the leaf size. However if we reach that limit, we trigger a transaction
abort and turns the filesystem into RO mode. This allows for a malicious
user to disrupt a system, without the need to have administration
privileges/capabilities.
Reproducer:
$ cat exploit-hash-collisions.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
# Use smallest node size to make the test faster and require fewer file
# names that result in hash collision.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT
# List of names that result in the same crc32c hash for btrfs.
declare -a names=(
'foobar'
'%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'
'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'
'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'
'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'
'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'
'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'
'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'
'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'
'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'
'Ono7avN5GjC:_6dBJ_'
'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'
'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'
'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'
'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'
'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'
'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'
'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'
'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'
'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'
'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'
'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'
'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='
'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'
'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'
'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'
'8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'
'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
caae78e032343df525b8d05c58b462827f10b2a3 , < 36947b5200b89bbe3a63629c12d4b31c84c0af9f
(git)
Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 64ad49597d14c495ab8b7933bfefc83936a598e4 (git) Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688 (git) Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 9273175bf16c83f3ec93aa242d78c9b5db452d4d (git) Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 0625e564290450c1921b115fc3d9abef74e055bd (git) Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36947b5200b89bbe3a63629c12d4b31c84c0af9f",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "64ad49597d14c495ab8b7933bfefc83936a598e4",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "9273175bf16c83f3ec93aa242d78c9b5db452d4d",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "0625e564290450c1921b115fc3d9abef74e055bd",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "2d1ababdedd4ba38867c2500eb7f95af5ddeeef7",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort on file creation due to name hash collision\n\nIf we attempt to create several files with names that result in the same\nhash, we have to pack them in same dir item and that has a limit inherent\nto the leaf size. However if we reach that limit, we trigger a transaction\nabort and turns the filesystem into RO mode. This allows for a malicious\nuser to disrupt a system, without the need to have administration\nprivileges/capabilities.\n\nReproducer:\n\n $ cat exploit-hash-collisions.sh\n #!/bin/bash\n\n DEV=/dev/sdi\n MNT=/mnt/sdi\n\n # Use smallest node size to make the test faster and require fewer file\n # names that result in hash collision.\n mkfs.btrfs -f --nodesize 4K $DEV\n mount $DEV $MNT\n\n # List of names that result in the same crc32c hash for btrfs.\n declare -a names=(\n \u0027foobar\u0027\n \u0027%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC\u0027\n \u0027AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z\u0027\n \u0027CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4\u0027\n \u0027ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:\u0027\n \u0027HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO\u0027\n \u0027Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us\u0027\n \u0027KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY\u0027\n \u0027NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO\u0027\n \u0027Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU\u0027\n \u0027Ono7avN5GjC:_6dBJ_\u0027\n \u0027WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am\u0027\n \u0027WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k\u0027\n \u0027XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2\u0027\n \u0027d3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd\u0027\n \u0027ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm\u0027\n \u0027evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ\u0027\n \u0027gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky\u0027\n \u0027hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS\u0027\n \u0027isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz\u0027\n \u0027kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu\u0027\n \u0027lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN\u0027\n \u0027rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4=\u0027\n \u0027uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn\u0027\n \u0027UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C\u0027\n \u0027y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW\u0027\n \u00278-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc\u0027\n \u0027YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:04.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36947b5200b89bbe3a63629c12d4b31c84c0af9f"
},
{
"url": "https://git.kernel.org/stable/c/64ad49597d14c495ab8b7933bfefc83936a598e4"
},
{
"url": "https://git.kernel.org/stable/c/5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688"
},
{
"url": "https://git.kernel.org/stable/c/9273175bf16c83f3ec93aa242d78c9b5db452d4d"
},
{
"url": "https://git.kernel.org/stable/c/0625e564290450c1921b115fc3d9abef74e055bd"
},
{
"url": "https://git.kernel.org/stable/c/2d1ababdedd4ba38867c2500eb7f95af5ddeeef7"
}
],
"title": "btrfs: fix transaction abort on file creation due to name hash collision",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43360",
"datePublished": "2026-05-08T14:21:15.008Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:04.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46037 (GCVE-0-2026-46037)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-06-14 17:49
VLAI?
EPSS
Title
ipv4: icmp: validate reply type before using icmp_pointers
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: icmp: validate reply type before using icmp_pointers
Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.
That value is outside the range covered by icmp_pointers[], which only
describes the traditional ICMP types up to NR_ICMP_TYPES.
Avoid consulting icmp_pointers[] for reply types outside that range, and
use array_index_nospec() for the remaining in-range lookup. Normal ICMP
replies keep their existing behavior unchanged.
Severity ?
8.2 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d329ea5bd8845f0b196bf41b18b6173340d6e0e4 , < b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99
(git)
Affected: d329ea5bd8845f0b196bf41b18b6173340d6e0e4 , < 93df2af4f491de33827550b9d420f01808c0706b (git) Affected: d329ea5bd8845f0b196bf41b18b6173340d6e0e4 , < 92e7c209036dcc0e8ffdf806fdfd3645b263bea5 (git) Affected: d329ea5bd8845f0b196bf41b18b6173340d6e0e4 , < bc64a66e0b9ad937d3d49934242ee62b01ba9a94 (git) Affected: d329ea5bd8845f0b196bf41b18b6173340d6e0e4 , < c2178ff1c70ebfc2ab9651b230c58a34683db759 (git) Affected: d329ea5bd8845f0b196bf41b18b6173340d6e0e4 , < d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1 (git) Affected: d329ea5bd8845f0b196bf41b18b6173340d6e0e4 , < 67bf002a2d7387a6312138210d0bd06e3cf4879b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99",
"status": "affected",
"version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
"versionType": "git"
},
{
"lessThan": "93df2af4f491de33827550b9d420f01808c0706b",
"status": "affected",
"version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
"versionType": "git"
},
{
"lessThan": "92e7c209036dcc0e8ffdf806fdfd3645b263bea5",
"status": "affected",
"version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
"versionType": "git"
},
{
"lessThan": "bc64a66e0b9ad937d3d49934242ee62b01ba9a94",
"status": "affected",
"version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
"versionType": "git"
},
{
"lessThan": "c2178ff1c70ebfc2ab9651b230c58a34683db759",
"status": "affected",
"version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
"versionType": "git"
},
{
"lessThan": "d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1",
"status": "affected",
"version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
"versionType": "git"
},
{
"lessThan": "67bf002a2d7387a6312138210d0bd06e3cf4879b",
"status": "affected",
"version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: icmp: validate reply type before using icmp_pointers\n\nExtended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.\nThat value is outside the range covered by icmp_pointers[], which only\ndescribes the traditional ICMP types up to NR_ICMP_TYPES.\n\nAvoid consulting icmp_pointers[] for reply types outside that range, and\nuse array_index_nospec() for the remaining in-range lookup. Normal ICMP\nreplies keep their existing behavior unchanged."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:49:43.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99"
},
{
"url": "https://git.kernel.org/stable/c/93df2af4f491de33827550b9d420f01808c0706b"
},
{
"url": "https://git.kernel.org/stable/c/92e7c209036dcc0e8ffdf806fdfd3645b263bea5"
},
{
"url": "https://git.kernel.org/stable/c/bc64a66e0b9ad937d3d49934242ee62b01ba9a94"
},
{
"url": "https://git.kernel.org/stable/c/c2178ff1c70ebfc2ab9651b230c58a34683db759"
},
{
"url": "https://git.kernel.org/stable/c/d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1"
},
{
"url": "https://git.kernel.org/stable/c/67bf002a2d7387a6312138210d0bd06e3cf4879b"
}
],
"title": "ipv4: icmp: validate reply type before using icmp_pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46037",
"datePublished": "2026-05-27T12:56:47.795Z",
"dateReserved": "2026-05-13T15:03:33.093Z",
"dateUpdated": "2026-06-14T17:49:43.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31759 (GCVE-0-2026-31759)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-11 22:15
VLAI?
EPSS
Title
usb: ulpi: fix double free in ulpi_register_interface() error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: ulpi: fix double free in ulpi_register_interface() error path
When device_register() fails, ulpi_register() calls put_device() on
ulpi->dev.
The device release callback ulpi_dev_release() drops the OF node
reference and frees ulpi, but the current error path in
ulpi_register_interface() then calls kfree(ulpi) again, causing a
double free.
Let put_device() handle the cleanup through ulpi_dev_release() and
avoid freeing ulpi again in ulpi_register_interface().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f , < 2f70ba9dae13a190673cc3f9b4aad52179738f60
(git)
Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f , < ee248e6e941e4f2e634df2bd43e5f1ef810ab6df (git) Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f , < 272a9b26c336a295e4e209157fed809706c1b1f7 (git) Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f , < aaeae6533d77e6ed4def85baec01e2815ebbef61 (git) Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f , < 8763f8317bb389aded32a32b08f6751cfff657d2 (git) Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f , < 38c28fe25611099230f0965c925499bfcf46a795 (git) Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f , < a6e5461f076c2ef63159f18e5cdbd30b50f0bc15 (git) Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f , < 01af542392b5d41fd659d487015a71f627accce3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/common/ulpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f70ba9dae13a190673cc3f9b4aad52179738f60",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "ee248e6e941e4f2e634df2bd43e5f1ef810ab6df",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "272a9b26c336a295e4e209157fed809706c1b1f7",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "aaeae6533d77e6ed4def85baec01e2815ebbef61",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "8763f8317bb389aded32a32b08f6751cfff657d2",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "38c28fe25611099230f0965c925499bfcf46a795",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "a6e5461f076c2ef63159f18e5cdbd30b50f0bc15",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "01af542392b5d41fd659d487015a71f627accce3",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/common/ulpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: fix double free in ulpi_register_interface() error path\n\nWhen device_register() fails, ulpi_register() calls put_device() on\nulpi-\u003edev.\n\nThe device release callback ulpi_dev_release() drops the OF node\nreference and frees ulpi, but the current error path in\nulpi_register_interface() then calls kfree(ulpi) again, causing a\ndouble free.\n\nLet put_device() handle the cleanup through ulpi_dev_release() and\navoid freeing ulpi again in ulpi_register_interface()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:15:15.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f70ba9dae13a190673cc3f9b4aad52179738f60"
},
{
"url": "https://git.kernel.org/stable/c/ee248e6e941e4f2e634df2bd43e5f1ef810ab6df"
},
{
"url": "https://git.kernel.org/stable/c/272a9b26c336a295e4e209157fed809706c1b1f7"
},
{
"url": "https://git.kernel.org/stable/c/aaeae6533d77e6ed4def85baec01e2815ebbef61"
},
{
"url": "https://git.kernel.org/stable/c/8763f8317bb389aded32a32b08f6751cfff657d2"
},
{
"url": "https://git.kernel.org/stable/c/38c28fe25611099230f0965c925499bfcf46a795"
},
{
"url": "https://git.kernel.org/stable/c/a6e5461f076c2ef63159f18e5cdbd30b50f0bc15"
},
{
"url": "https://git.kernel.org/stable/c/01af542392b5d41fd659d487015a71f627accce3"
}
],
"title": "usb: ulpi: fix double free in ulpi_register_interface() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31759",
"datePublished": "2026-05-01T14:14:51.895Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-11T22:15:15.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31613 (GCVE-0-2026-31613)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-06-14 17:42
VLAI?
EPSS
Title
smb: client: fix OOB reads parsing symlink error response
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOB reads parsing symlink error response
When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()
returns success without any length validation, leaving the symlink
parsers as the only defense against an untrusted server.
symlink_data() walks SMB 3.1.1 error contexts with the loop test "p <
end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset
0. When the server-controlled ErrorDataLength advances p to within 1-7
bytes of end, the next iteration will read past it. When the matching
context is found, sym->SymLinkErrorTag is read at offset 4 from
p->ErrorContextData with no check that the symlink header itself fits.
smb2_parse_symlink_response() then bounds-checks the substitute name
using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from
iov_base. That value is computed as sizeof(smb2_err_rsp) +
sizeof(smb2_symlink_err_rsp), which is correct only when
ErrorContextCount == 0.
With at least one error context the symlink data sits 8 bytes deeper,
and each skipped non-matching context shifts it further by 8 +
ALIGN(ErrorDataLength, 8). The check is too short, allowing the
substitute name read to run past iov_len. The out-of-bound heap bytes
are UTF-16-decoded into the symlink target and returned to userspace via
readlink(2).
Fix this all up by making the loops test require the full context header
to fit, rejecting sym if its header runs past end, and bound the
substitute name against the actual position of sym->PathBuffer rather
than a fixed offset.
Because sub_offs and sub_len are 16bits, the pointer math will not
overflow here with the new greater-than.
Severity ?
8.1 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
76894f3e2f71177747b8b4763fb180e800279585 , < 043834e72337ee7b4e9685859888623ba1504ac7
(git)
Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < d65a64755a3df68a2fd19d2a81395e9f723aca23 (git) Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < 20ac98f0eb6047edb73c9a27af782bdde08b3757 (git) Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < e0dd90d14cbbf318157ea8e3fb62ee68a28655ed (git) Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < 781902e069f4ecb6c3b83502f181972c1446110a (git) Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < a66ef2e7ed837325c5600f8617d5ee0a0a149fdd (git) Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < 3df690bba28edec865cf7190be10708ad0ddd67e (git) Affected: 2d046892a493d9760c35fdaefc3017f27f91b621 (git) Affected: 6.0.16 , < 6.1 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "043834e72337ee7b4e9685859888623ba1504ac7",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "d65a64755a3df68a2fd19d2a81395e9f723aca23",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "20ac98f0eb6047edb73c9a27af782bdde08b3757",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "e0dd90d14cbbf318157ea8e3fb62ee68a28655ed",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "781902e069f4ecb6c3b83502f181972c1446110a",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "a66ef2e7ed837325c5600f8617d5ee0a0a149fdd",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "3df690bba28edec865cf7190be10708ad0ddd67e",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"status": "affected",
"version": "2d046892a493d9760c35fdaefc3017f27f91b621",
"versionType": "git"
},
{
"lessThan": "6.1",
"status": "affected",
"version": "6.0.16",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB reads parsing symlink error response\n\nWhen a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()\nreturns success without any length validation, leaving the symlink\nparsers as the only defense against an untrusted server.\n\nsymlink_data() walks SMB 3.1.1 error contexts with the loop test \"p \u003c\nend\", but reads p-\u003eErrorId at offset 4 and p-\u003eErrorDataLength at offset\n0. When the server-controlled ErrorDataLength advances p to within 1-7\nbytes of end, the next iteration will read past it. When the matching\ncontext is found, sym-\u003eSymLinkErrorTag is read at offset 4 from\np-\u003eErrorContextData with no check that the symlink header itself fits.\n\nsmb2_parse_symlink_response() then bounds-checks the substitute name\nusing SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from\niov_base. That value is computed as sizeof(smb2_err_rsp) +\nsizeof(smb2_symlink_err_rsp), which is correct only when\nErrorContextCount == 0.\n\nWith at least one error context the symlink data sits 8 bytes deeper,\nand each skipped non-matching context shifts it further by 8 +\nALIGN(ErrorDataLength, 8). The check is too short, allowing the\nsubstitute name read to run past iov_len. The out-of-bound heap bytes\nare UTF-16-decoded into the symlink target and returned to userspace via\nreadlink(2).\n\nFix this all up by making the loops test require the full context header\nto fit, rejecting sym if its header runs past end, and bound the\nsubstitute name against the actual position of sym-\u003ePathBuffer rather\nthan a fixed offset.\n\nBecause sub_offs and sub_len are 16bits, the pointer math will not\noverflow here with the new greater-than."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:42:57.094Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/043834e72337ee7b4e9685859888623ba1504ac7"
},
{
"url": "https://git.kernel.org/stable/c/d65a64755a3df68a2fd19d2a81395e9f723aca23"
},
{
"url": "https://git.kernel.org/stable/c/20ac98f0eb6047edb73c9a27af782bdde08b3757"
},
{
"url": "https://git.kernel.org/stable/c/e0dd90d14cbbf318157ea8e3fb62ee68a28655ed"
},
{
"url": "https://git.kernel.org/stable/c/781902e069f4ecb6c3b83502f181972c1446110a"
},
{
"url": "https://git.kernel.org/stable/c/a66ef2e7ed837325c5600f8617d5ee0a0a149fdd"
},
{
"url": "https://git.kernel.org/stable/c/3df690bba28edec865cf7190be10708ad0ddd67e"
}
],
"title": "smb: client: fix OOB reads parsing symlink error response",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31613",
"datePublished": "2026-04-24T14:42:33.453Z",
"dateReserved": "2026-03-09T15:48:24.123Z",
"dateUpdated": "2026-06-14T17:42:57.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43296 (GCVE-0-2026-43296)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-11 22:21
VLAI?
EPSS
Title
octeontx2-af: Workaround SQM/PSE stalls by disabling sticky
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-af: Workaround SQM/PSE stalls by disabling sticky
NIX SQ manager sticky mode is known to cause stalls when multiple SQs
share an SMQ and transmit concurrently. Additionally, PSE may deadlock
on transitions between sticky and non-sticky transmissions. There is
also a credit drop issue observed when certain condition clocks are
gated.
work around these hardware errata by:
- Disabling SQM sticky operation:
- Clear TM6 (bit 15)
- Clear TM11 (bit 14)
- Disabling sticky → non-sticky transition path that can deadlock PSE:
- Clear TM5 (bit 23)
- Preventing credit drops by keeping the control-flow clock enabled:
- Set TM9 (bit 21)
These changes are applied via NIX_AF_SQM_DBG_CTL_STATUS. With this
configuration the SQM/PSE maintain forward progress under load without
credit loss, at the cost of disabling sticky optimizations.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5d9b976d4480dc0dcfa3719b645636d2f0f9f156 , < 9a3fd301329474f449e75f86d8a4f6b9c603fd6c
(git)
Affected: 5d9b976d4480dc0dcfa3719b645636d2f0f9f156 , < d0b3c8a80336029d9356f429151eb27922d80a3c (git) Affected: 5d9b976d4480dc0dcfa3719b645636d2f0f9f156 , < 36cc5a5e0178d5fb79e04173b8aa623b0108819a (git) Affected: 5d9b976d4480dc0dcfa3719b645636d2f0f9f156 , < d9b549b6951ba178ec14339a031cae65f4e43fe1 (git) Affected: 5d9b976d4480dc0dcfa3719b645636d2f0f9f156 , < cec2ceb35ce7bc874c43812bb39200d6cf691b87 (git) Affected: 5d9b976d4480dc0dcfa3719b645636d2f0f9f156 , < 8052d0587fb14b85539c3a14a226586c0c3d6b4c (git) Affected: 5d9b976d4480dc0dcfa3719b645636d2f0f9f156 , < b7eba260a34e854e2487b8363c11976f082df00d (git) Affected: 5d9b976d4480dc0dcfa3719b645636d2f0f9f156 , < 70e9a5760abfb6338d63994d4de6b0778ec795d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a3fd301329474f449e75f86d8a4f6b9c603fd6c",
"status": "affected",
"version": "5d9b976d4480dc0dcfa3719b645636d2f0f9f156",
"versionType": "git"
},
{
"lessThan": "d0b3c8a80336029d9356f429151eb27922d80a3c",
"status": "affected",
"version": "5d9b976d4480dc0dcfa3719b645636d2f0f9f156",
"versionType": "git"
},
{
"lessThan": "36cc5a5e0178d5fb79e04173b8aa623b0108819a",
"status": "affected",
"version": "5d9b976d4480dc0dcfa3719b645636d2f0f9f156",
"versionType": "git"
},
{
"lessThan": "d9b549b6951ba178ec14339a031cae65f4e43fe1",
"status": "affected",
"version": "5d9b976d4480dc0dcfa3719b645636d2f0f9f156",
"versionType": "git"
},
{
"lessThan": "cec2ceb35ce7bc874c43812bb39200d6cf691b87",
"status": "affected",
"version": "5d9b976d4480dc0dcfa3719b645636d2f0f9f156",
"versionType": "git"
},
{
"lessThan": "8052d0587fb14b85539c3a14a226586c0c3d6b4c",
"status": "affected",
"version": "5d9b976d4480dc0dcfa3719b645636d2f0f9f156",
"versionType": "git"
},
{
"lessThan": "b7eba260a34e854e2487b8363c11976f082df00d",
"status": "affected",
"version": "5d9b976d4480dc0dcfa3719b645636d2f0f9f156",
"versionType": "git"
},
{
"lessThan": "70e9a5760abfb6338d63994d4de6b0778ec795d6",
"status": "affected",
"version": "5d9b976d4480dc0dcfa3719b645636d2f0f9f156",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Workaround SQM/PSE stalls by disabling sticky\n\nNIX SQ manager sticky mode is known to cause stalls when multiple SQs\nshare an SMQ and transmit concurrently. Additionally, PSE may deadlock\non transitions between sticky and non-sticky transmissions. There is\nalso a credit drop issue observed when certain condition clocks are\ngated.\n\nwork around these hardware errata by:\n- Disabling SQM sticky operation:\n - Clear TM6 (bit 15)\n - Clear TM11 (bit 14)\n- Disabling sticky \u2192 non-sticky transition path that can deadlock PSE:\n - Clear TM5 (bit 23)\n- Preventing credit drops by keeping the control-flow clock enabled:\n - Set TM9 (bit 21)\n\nThese changes are applied via NIX_AF_SQM_DBG_CTL_STATUS. With this\nconfiguration the SQM/PSE maintain forward progress under load without\ncredit loss, at the cost of disabling sticky optimizations."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:48.777Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a3fd301329474f449e75f86d8a4f6b9c603fd6c"
},
{
"url": "https://git.kernel.org/stable/c/d0b3c8a80336029d9356f429151eb27922d80a3c"
},
{
"url": "https://git.kernel.org/stable/c/36cc5a5e0178d5fb79e04173b8aa623b0108819a"
},
{
"url": "https://git.kernel.org/stable/c/d9b549b6951ba178ec14339a031cae65f4e43fe1"
},
{
"url": "https://git.kernel.org/stable/c/cec2ceb35ce7bc874c43812bb39200d6cf691b87"
},
{
"url": "https://git.kernel.org/stable/c/8052d0587fb14b85539c3a14a226586c0c3d6b4c"
},
{
"url": "https://git.kernel.org/stable/c/b7eba260a34e854e2487b8363c11976f082df00d"
},
{
"url": "https://git.kernel.org/stable/c/70e9a5760abfb6338d63994d4de6b0778ec795d6"
}
],
"title": "octeontx2-af: Workaround SQM/PSE stalls by disabling sticky",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43296",
"datePublished": "2026-05-08T13:11:18.870Z",
"dateReserved": "2026-05-01T14:12:55.999Z",
"dateUpdated": "2026-05-11T22:21:48.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23359 (GCVE-0-2026-23359)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-05-11 22:05
VLAI?
EPSS
Title
bpf: Fix stack-out-of-bounds write in devmap
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix stack-out-of-bounds write in devmap
get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.
Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.
Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.
To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
aeea1b86f9363f3feabb496534d886f082a89f21 , < 88df604f0d16a692867582350ce3f2fcd22243f1
(git)
Affected: aeea1b86f9363f3feabb496534d886f082a89f21 , < 5000e40acc8d0c36ab709662e32120986ac22e7e (git) Affected: aeea1b86f9363f3feabb496534d886f082a89f21 , < 8a95fb9df1105b1618872c2846a6c01e3ba20b45 (git) Affected: aeea1b86f9363f3feabb496534d886f082a89f21 , < d2c31d8e03d05edc16656e5ffe187f0d1da763d7 (git) Affected: aeea1b86f9363f3feabb496534d886f082a89f21 , < 75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2 (git) Affected: aeea1b86f9363f3feabb496534d886f082a89f21 , < ca831567908fd3f73cf97d8a6c09a5054697a182 (git) Affected: aeea1b86f9363f3feabb496534d886f082a89f21 , < b7bf516c3ecd9a2aae2dc2635178ab87b734fef1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/devmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88df604f0d16a692867582350ce3f2fcd22243f1",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "5000e40acc8d0c36ab709662e32120986ac22e7e",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "8a95fb9df1105b1618872c2846a6c01e3ba20b45",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "d2c31d8e03d05edc16656e5ffe187f0d1da763d7",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "ca831567908fd3f73cf97d8a6c09a5054697a182",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "b7bf516c3ecd9a2aae2dc2635178ab87b734fef1",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/devmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stack-out-of-bounds write in devmap\n\nget_upper_ifindexes() iterates over all upper devices and writes their\nindices into an array without checking bounds.\n\nAlso the callers assume that the max number of upper devices is\nMAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,\nbut that assumption is not correct and the number of upper devices could\nbe larger than MAX_NEST_DEV (e.g., many macvlans), causing a\nstack-out-of-bounds write.\n\nAdd a max parameter to get_upper_ifindexes() to avoid the issue.\nWhen there are too many upper devices, return -EOVERFLOW and abort the\nredirect.\n\nTo reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with\nan XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.\nThen send a packet to the device to trigger the XDP redirect path."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:05:20.650Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1"
},
{
"url": "https://git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e"
},
{
"url": "https://git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45"
},
{
"url": "https://git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7"
},
{
"url": "https://git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2"
},
{
"url": "https://git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182"
},
{
"url": "https://git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1"
}
],
"title": "bpf: Fix stack-out-of-bounds write in devmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23359",
"datePublished": "2026-03-25T10:27:43.070Z",
"dateReserved": "2026-01-13T15:37:46.000Z",
"dateUpdated": "2026-05-11T22:05:20.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31454 (GCVE-0-2026-31454)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-05-11 22:09
VLAI?
EPSS
Title
xfs: save ailp before dropping the AIL lock in push callbacks
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: save ailp before dropping the AIL lock in push callbacks
In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock
is dropped to perform buffer IO. Once the cluster buffer no longer
protects the log item from reclaim, the log item may be freed by
background reclaim or the dquot shrinker. The subsequent spin_lock()
call dereferences lip->li_ailp, which is a use-after-free.
Fix this by saving the ailp pointer in a local variable while the AIL
lock is held and the log item is guaranteed to be valid.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
90c60e16401248a4900f3f9387f563d0178dcf34 , < edd1637d4e3911ab6c760f553f2040fe72f61a13
(git)
Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 19437e4f7bb909afde832b39372aa2f3ce3cfd88 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 75669e987137f49c99ca44406bf0200d1892dd16 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < d8fc60bbaf5aea1604bf9f4ed565da6a1ac7a87d (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 50f5f056807b7bed74f4f307f2ca0ed92f3e556d (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 4c7d50147316cf049462f327c4a3e9dc2b7f1dd0 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 394d70b86fae9fe865e7e6d9540b7696f73aa9b6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_dquot_item.c",
"fs/xfs/xfs_inode_item.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "edd1637d4e3911ab6c760f553f2040fe72f61a13",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "19437e4f7bb909afde832b39372aa2f3ce3cfd88",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "75669e987137f49c99ca44406bf0200d1892dd16",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "d8fc60bbaf5aea1604bf9f4ed565da6a1ac7a87d",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "50f5f056807b7bed74f4f307f2ca0ed92f3e556d",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "4c7d50147316cf049462f327c4a3e9dc2b7f1dd0",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "394d70b86fae9fe865e7e6d9540b7696f73aa9b6",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_dquot_item.c",
"fs/xfs/xfs_inode_item.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: save ailp before dropping the AIL lock in push callbacks\n\nIn xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock\nis dropped to perform buffer IO. Once the cluster buffer no longer\nprotects the log item from reclaim, the log item may be freed by\nbackground reclaim or the dquot shrinker. The subsequent spin_lock()\ncall dereferences lip-\u003eli_ailp, which is a use-after-free.\n\nFix this by saving the ailp pointer in a local variable while the AIL\nlock is held and the log item is guaranteed to be valid."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:01.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/edd1637d4e3911ab6c760f553f2040fe72f61a13"
},
{
"url": "https://git.kernel.org/stable/c/19437e4f7bb909afde832b39372aa2f3ce3cfd88"
},
{
"url": "https://git.kernel.org/stable/c/6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5"
},
{
"url": "https://git.kernel.org/stable/c/75669e987137f49c99ca44406bf0200d1892dd16"
},
{
"url": "https://git.kernel.org/stable/c/d8fc60bbaf5aea1604bf9f4ed565da6a1ac7a87d"
},
{
"url": "https://git.kernel.org/stable/c/50f5f056807b7bed74f4f307f2ca0ed92f3e556d"
},
{
"url": "https://git.kernel.org/stable/c/4c7d50147316cf049462f327c4a3e9dc2b7f1dd0"
},
{
"url": "https://git.kernel.org/stable/c/394d70b86fae9fe865e7e6d9540b7696f73aa9b6"
}
],
"title": "xfs: save ailp before dropping the AIL lock in push callbacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31454",
"datePublished": "2026-04-22T13:53:48.242Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-05-11T22:09:01.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31678 (GCVE-0-2026-31678)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-05-11 22:13
VLAI?
EPSS
Title
openvswitch: defer tunnel netdev_put to RCU release
Summary
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: defer tunnel netdev_put to RCU release
ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already
detached the device. Dropping the netdev reference in destroy can race
with concurrent readers that still observe vport->dev.
Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let
vport_netdev_free() drop the reference from the RCU callback, matching
the non-tunnel destroy path and avoiding additional synchronization
under RTNL.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a9020fde67a6eb77f8130feff633189f99264db1 , < 9d56aced21fb9c104e8a3f3be9b21fbafe448ffc
(git)
Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < 42f0d3d81209654c08ffdde5a34b9b92d2645896 (git) Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < bbe7bd722bfaea36aab3da6cc60fb4a05c644643 (git) Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < 98b726ab5e2a4811e27c28e4d041f75bba147eab (git) Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < b8c56a3fc5d879c0928f207a756b0f067f06c6a8 (git) Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < 6931d21f87bc6d657f145798fad0bf077b82486c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/vport-netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d56aced21fb9c104e8a3f3be9b21fbafe448ffc",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "42f0d3d81209654c08ffdde5a34b9b92d2645896",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "bbe7bd722bfaea36aab3da6cc60fb4a05c644643",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "98b726ab5e2a4811e27c28e4d041f75bba147eab",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "b8c56a3fc5d879c0928f207a756b0f067f06c6a8",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "6931d21f87bc6d657f145798fad0bf077b82486c",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/vport-netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: defer tunnel netdev_put to RCU release\n\novs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already\ndetached the device. Dropping the netdev reference in destroy can race\nwith concurrent readers that still observe vport-\u003edev.\n\nDo not release vport-\u003edev in ovs_netdev_tunnel_destroy(). Instead, let\nvport_netdev_free() drop the reference from the RCU callback, matching\nthe non-tunnel destroy path and avoiding additional synchronization\nunder RTNL."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:13:31.430Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d56aced21fb9c104e8a3f3be9b21fbafe448ffc"
},
{
"url": "https://git.kernel.org/stable/c/42f0d3d81209654c08ffdde5a34b9b92d2645896"
},
{
"url": "https://git.kernel.org/stable/c/bbe7bd722bfaea36aab3da6cc60fb4a05c644643"
},
{
"url": "https://git.kernel.org/stable/c/98b726ab5e2a4811e27c28e4d041f75bba147eab"
},
{
"url": "https://git.kernel.org/stable/c/b8c56a3fc5d879c0928f207a756b0f067f06c6a8"
},
{
"url": "https://git.kernel.org/stable/c/6931d21f87bc6d657f145798fad0bf077b82486c"
}
],
"title": "openvswitch: defer tunnel netdev_put to RCU release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31678",
"datePublished": "2026-04-25T08:46:54.476Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-05-11T22:13:31.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43406 (GCVE-0-2026-43406)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
libceph: prevent potential out-of-bounds reads in process_message_header()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds reads in process_message_header()
If the message frame is (maliciously) corrupted in a way that the
length of the control segment ends up being less than the size of the
message header or a different frame is made to look like a message
frame, out-of-bounds reads may ensue in process_message_header().
Perform an explicit bounds check before decoding the message header.
Severity ?
9.1 (Critical)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < 76ccf21a12c5f6d6790bc32c7da82446d877b2f4
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 75582aaa580c11aed4c7731cad6b068b700e7efb (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 50156622eb0888e62541d715a98584480a1bc7cb (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < dbd857a9e1e33ea71eaf3e211877027e533770d1 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 69fe5af33fa3806f398d21c081d73c66e5523bc2 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 035867ae6f18df0aeedb2a57a5b74091bd4e3fe8 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 69fb5d91bba44ecf7eb80530b85fa4fb028921d5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76ccf21a12c5f6d6790bc32c7da82446d877b2f4",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "75582aaa580c11aed4c7731cad6b068b700e7efb",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "50156622eb0888e62541d715a98584480a1bc7cb",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "dbd857a9e1e33ea71eaf3e211877027e533770d1",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "69fe5af33fa3806f398d21c081d73c66e5523bc2",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "035867ae6f18df0aeedb2a57a5b74091bd4e3fe8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "69fb5d91bba44ecf7eb80530b85fa4fb028921d5",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in process_message_header()\n\nIf the message frame is (maliciously) corrupted in a way that the\nlength of the control segment ends up being less than the size of the\nmessage header or a different frame is made to look like a message\nframe, out-of-bounds reads may ensue in process_message_header().\n\nPerform an explicit bounds check before decoding the message header."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:58.001Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76ccf21a12c5f6d6790bc32c7da82446d877b2f4"
},
{
"url": "https://git.kernel.org/stable/c/75582aaa580c11aed4c7731cad6b068b700e7efb"
},
{
"url": "https://git.kernel.org/stable/c/50156622eb0888e62541d715a98584480a1bc7cb"
},
{
"url": "https://git.kernel.org/stable/c/dbd857a9e1e33ea71eaf3e211877027e533770d1"
},
{
"url": "https://git.kernel.org/stable/c/69fe5af33fa3806f398d21c081d73c66e5523bc2"
},
{
"url": "https://git.kernel.org/stable/c/035867ae6f18df0aeedb2a57a5b74091bd4e3fe8"
},
{
"url": "https://git.kernel.org/stable/c/69fb5d91bba44ecf7eb80530b85fa4fb028921d5"
}
],
"title": "libceph: prevent potential out-of-bounds reads in process_message_header()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43406",
"datePublished": "2026-05-08T14:21:46.246Z",
"dateReserved": "2026-05-01T14:12:56.007Z",
"dateUpdated": "2026-05-11T22:23:58.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43284 (GCVE-0-2026-43284)
Vulnerability from cvelistv5 – Published: 2026-05-08 07:21 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
xfrm: esp: avoid in-place decrypt on shared skb frags
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
Severity ?
8.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < a6cb440f274a22456ef3e86b457344f1678f38f9
(git)
Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < ab8b995323e5237041472d07e5055f5f7dcdf15b (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < fe785bb3a8096dffcc4048a85cd0c83337eeecad (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 5d55c7336f8032d434adcc5fab987ccc93a44aec (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 8253aab4659ca16116b522203c2a6b18dccacea7 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 50ed1e7873100f77abad20fd31c51029bc49cd03 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < b54edf1e9a3fd3491bdcb82a21f8d21315271e0d (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 71a1d9d985d26716f74d21f18ee8cac821b06e97 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 52646cbd00e765a6db9c3afe9535f26218276034 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-26T17:32:27.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/08/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/13/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/4"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-43284-detection-script-dirty-frag-linux-kernel-local-privilege-escalation"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-43284-mitigation-script-dirty-frag-linux-kernel-local-privilege-escalation"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43284",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:46.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s xfrm-ESP and RxRPC subsystems. Unsafe in-place cryptographic processing of shared socket buffer fragments allows a low-privileged local attacker to corrupt page-cache contents of readable files, including sensitive system files, and gain root privileges. The xfrm-ESP variant requires unprivileged user or network namespace creation, while the RxRPC variant depends on the rxrpc module being available on the target system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:24.067Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43284"
},
{
"name": "RHBZ#2467771",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467771"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43284.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17795"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16180"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21695"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16176"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16171"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16160"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16161"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16157"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16155"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16314"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16062"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19074"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16202"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16328"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16100"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16312"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16206"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19225"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16195"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19574"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16201"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16204"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19564"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16061"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19572"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19575"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19573"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19577"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18025"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16196"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16203"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16254"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:17795: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:16180: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:21695: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:16176: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:16171: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:16160: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:16161: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:16157: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:16155: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:16314: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16062: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19074: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:16202: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16328: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:16100: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:16312: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16206: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19225: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:16195: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:19574: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:16201: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:16204: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19564: Red Hat Enterprise Linux BaseOS E4S (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16061: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:19572: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:19575: Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19573: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:19577: Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:18025: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16196: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:16203: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16254: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T15:56:04.044Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: \"Dirty Frag\" ESP XFRM variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6cb440f274a22456ef3e86b457344f1678f38f9",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "ab8b995323e5237041472d07e5055f5f7dcdf15b",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "fe785bb3a8096dffcc4048a85cd0c83337eeecad",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "5d55c7336f8032d434adcc5fab987ccc93a44aec",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "8253aab4659ca16116b522203c2a6b18dccacea7",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "50ed1e7873100f77abad20fd31c51029bc49cd03",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "b54edf1e9a3fd3491bdcb82a21f8d21315271e0d",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "71a1d9d985d26716f74d21f18ee8cac821b06e97",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "52646cbd00e765a6db9c3afe9535f26218276034",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.206",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.255",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.205",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.206",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.171",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.172",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.138",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.87",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.28",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.5",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb-\u003edata_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:56.673Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9"
},
{
"url": "https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b"
},
{
"url": "https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad"
},
{
"url": "https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec"
},
{
"url": "https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7"
},
{
"url": "https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03"
},
{
"url": "https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d"
},
{
"url": "https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97"
},
{
"url": "https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034"
},
{
"url": "https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4"
}
],
"title": "xfrm: esp: avoid in-place decrypt on shared skb frags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43284",
"datePublished": "2026-05-08T07:21:47.524Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-07-02T12:05:24.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10263 (GCVE-0-2025-10263)
Vulnerability from cvelistv5 – Published: 2026-06-09 09:23 – Updated: 2026-07-03 12:05
VLAI?
EPSS
Summary
Arm C1-Ultra, C1-Premium, Neoverse V3 & V3AE, Neoverse V2, Neoverse V1, Neoverse-N2, Neoverse-N1, Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 & X1C, Cortex-A710, Cortex-A78, A78AE & A78C, Cortex-A77, Cortex-A76 & A76A may allow writes to resources owned by a higher exception level.
Severity ?
9.1 (Critical)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Arm | C1-Ultra |
Affected:
0
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-09T16:53:49.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-493.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/09/13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:11:21.775441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:11:48.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux for NVIDIA 26",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-09T09:23:18.802Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel on ARM processors. A race condition in Translation Lookaside Buffer Invalidation (TLBI) operations during memory permission changes allows a local attacker to write to memory resources owned by higher privilege levels. This could allow an unprivileged local attacker to gain kernel privileges or a guest VM to escape to the hypervisor, resulting in complete system compromise."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:05.282Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-10263"
},
{
"name": "RHBZ#2486958",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486958"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-10263.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34911"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34911: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-09T11:01:37.157Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-09T09:23:18.802Z",
"value": "Made public."
}
],
"title": "kernel: Arm Processors: Privilege escalation or information disclosure via writes to higher exception level resources",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "C1-Ultra",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "C1-Premium",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Neoverse V3",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Neoverse V3AE",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Neoverse V1",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Neoverse N2",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Neoverse N1",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-X925",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-X4",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-X3",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-X2",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-X1",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-X1C",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-A710",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-A78",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-A78AE",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-A78C",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-A77",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-A76",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cortex-A76AE",
"vendor": "Arm",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Arm C1-Ultra, C1-Premium, Neoverse V3 \u0026amp; V3AE, Neoverse V2, Neoverse V1, Neoverse-N2, Neoverse-N1, Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 \u0026amp; X1C, Cortex-A710, Cortex-A78, A78AE \u0026amp; A78C, Cortex-A77, Cortex-A76 \u0026amp; A76A may allow writes to resources owned by a higher exception level."
}
],
"value": "Arm C1-Ultra, C1-Premium, Neoverse V3 \u0026 V3AE, Neoverse V2, Neoverse V1, Neoverse-N2, Neoverse-N1, Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 \u0026 X1C, Cortex-A710, Cortex-A78, A78AE \u0026 A78C, Cortex-A77, Cortex-A76 \u0026 A76A may allow writes to resources owned by a higher exception level."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T09:23:18.802Z",
"orgId": "56a131ea-b967-4a0d-a41e-5f3549952846",
"shortName": "Arm"
},
"references": [
{
"url": "https://developer.arm.com/documentation/112137"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "56a131ea-b967-4a0d-a41e-5f3549952846",
"assignerShortName": "Arm",
"cveId": "CVE-2025-10263",
"datePublished": "2026-06-09T09:23:18.802Z",
"dateReserved": "2025-09-11T08:50:36.018Z",
"dateUpdated": "2026-07-03T12:05:05.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31518 (GCVE-0-2026-31518)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:10
VLAI?
EPSS
Title
esp: fix skb leak with espintcp and async crypto
Summary
In the Linux kernel, the following vulnerability has been resolved:
esp: fix skb leak with espintcp and async crypto
When the TX queue for espintcp is full, esp_output_tail_tcp will
return an error and not free the skb, because with synchronous crypto,
the common xfrm output code will drop the packet for us.
With async crypto (esp_output_done), we need to drop the skb when
esp_output_tail_tcp returns an error.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < aca3ad0c262f54a5b5c95dda80a48365997d1224
(git)
Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 41aafca57de4a4c026701622bd4648f112a9edcd (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 4820847e036ff1035b01b69ad68dfc17e7028fe9 (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 6a3ec6efbc4f90e0ccb2e71574f07351f19996f4 (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < df6f995358dc1f3c42484f5cfe241d7bd3e1cd15 (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 88d386243ed374ac969dabd3bbc1409a31d81818 (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 6aa9841d917532d0f2d932d1ff2f3a94305aaf47 (git) Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv6/esp6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aca3ad0c262f54a5b5c95dda80a48365997d1224",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "41aafca57de4a4c026701622bd4648f112a9edcd",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "4820847e036ff1035b01b69ad68dfc17e7028fe9",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "6a3ec6efbc4f90e0ccb2e71574f07351f19996f4",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "df6f995358dc1f3c42484f5cfe241d7bd3e1cd15",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "88d386243ed374ac969dabd3bbc1409a31d81818",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "6aa9841d917532d0f2d932d1ff2f3a94305aaf47",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv6/esp6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:20.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224"
},
{
"url": "https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd"
},
{
"url": "https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9"
},
{
"url": "https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4"
},
{
"url": "https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15"
},
{
"url": "https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818"
},
{
"url": "https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47"
},
{
"url": "https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2"
}
],
"title": "esp: fix skb leak with espintcp and async crypto",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31518",
"datePublished": "2026-04-22T13:54:34.191Z",
"dateReserved": "2026-03-09T15:48:24.108Z",
"dateUpdated": "2026-05-11T22:10:20.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31473 (GCVE-0-2026-31473)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:09
VLAI?
EPSS
Title
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)
queue teardown paths. This can race request object cleanup against vb2
queue cancellation and lead to use-after-free reports.
We already serialize request queueing against STREAMON/OFF with
req_queue_mutex. Extend that serialization to REQBUFS, and also take
the same mutex in media_request_ioctl_reinit() so REINIT is in the
same exclusion domain.
This keeps request cleanup and queue cancellation from running in
parallel for request-capable devices.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 331242998a7ade5c2f65e14988901614629f3db5
(git)
Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 2c685e99efb3b3bd2b78699fba6b1cf321975db0 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 585fd9a2063dacce8b2820f675ef23d5d17434c5 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 1a0d9083c24fbd5d22f7100f09d11e4d696a5f01 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < d8549a453d5bdc0a71de66ad47a1106703406a56 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 72b9e81e0203f03c40f3adb457f55bd4c8eb112d (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < cf2023e84f0888f96f4b65dc0804e7f3651969c1 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < bef4f4a88b73e4cc550d25f665b8a9952af22773 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/mc/mc-request.c",
"drivers/media/v4l2-core/v4l2-ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "331242998a7ade5c2f65e14988901614629f3db5",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "2c685e99efb3b3bd2b78699fba6b1cf321975db0",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "585fd9a2063dacce8b2820f675ef23d5d17434c5",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "1a0d9083c24fbd5d22f7100f09d11e4d696a5f01",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "d8549a453d5bdc0a71de66ad47a1106703406a56",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "72b9e81e0203f03c40f3adb457f55bd4c8eb112d",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "cf2023e84f0888f96f4b65dc0804e7f3651969c1",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "bef4f4a88b73e4cc550d25f665b8a9952af22773",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/mc/mc-request.c",
"drivers/media/v4l2-core/v4l2-ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex\n\nMEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)\nqueue teardown paths. This can race request object cleanup against vb2\nqueue cancellation and lead to use-after-free reports.\n\nWe already serialize request queueing against STREAMON/OFF with\nreq_queue_mutex. Extend that serialization to REQBUFS, and also take\nthe same mutex in media_request_ioctl_reinit() so REINIT is in the\nsame exclusion domain.\n\nThis keeps request cleanup and queue cancellation from running in\nparallel for request-capable devices."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:24.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/331242998a7ade5c2f65e14988901614629f3db5"
},
{
"url": "https://git.kernel.org/stable/c/2c685e99efb3b3bd2b78699fba6b1cf321975db0"
},
{
"url": "https://git.kernel.org/stable/c/585fd9a2063dacce8b2820f675ef23d5d17434c5"
},
{
"url": "https://git.kernel.org/stable/c/1a0d9083c24fbd5d22f7100f09d11e4d696a5f01"
},
{
"url": "https://git.kernel.org/stable/c/d8549a453d5bdc0a71de66ad47a1106703406a56"
},
{
"url": "https://git.kernel.org/stable/c/72b9e81e0203f03c40f3adb457f55bd4c8eb112d"
},
{
"url": "https://git.kernel.org/stable/c/cf2023e84f0888f96f4b65dc0804e7f3651969c1"
},
{
"url": "https://git.kernel.org/stable/c/bef4f4a88b73e4cc550d25f665b8a9952af22773"
}
],
"title": "media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31473",
"datePublished": "2026-04-22T13:54:00.970Z",
"dateReserved": "2026-03-09T15:48:24.098Z",
"dateUpdated": "2026-05-11T22:09:24.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46197 (GCVE-0-2026-46197)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-06-14 18:01
VLAI?
EPSS
Title
drm/amdkfd: validate SVM ioctl nattr against buffer size
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: validate SVM ioctl nattr against buffer size
Validate nattr field against the buffer size, preventing
out-of-bounds buffer access via user-controlled attribute count.
(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
42de677f79999791bee4e21be318c32d90ab62c6 , < daa8bc5f83814b55b71d2b5b3a090d57a5219c21
(git)
Affected: 42de677f79999791bee4e21be318c32d90ab62c6 , < fb07a0c9c8419164812e07274947f11b1d92dd61 (git) Affected: 42de677f79999791bee4e21be318c32d90ab62c6 , < 91c6dc5a41695d02dfc6299f106ac38a6c493e52 (git) Affected: 42de677f79999791bee4e21be318c32d90ab62c6 , < ccd060b5c7cc75ae7e211c250b97c5b6272e7efc (git) Affected: 42de677f79999791bee4e21be318c32d90ab62c6 , < db9530a9873a7c85d2266a922589ebcf427fa631 (git) Affected: 42de677f79999791bee4e21be318c32d90ab62c6 , < 6abd3a4417cb73a7d0db7e25bf11fae1074bdba3 (git) Affected: 42de677f79999791bee4e21be318c32d90ab62c6 , < 045e0ff208f0838a246c10204105126611b267a1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_chardev.c",
"drivers/gpu/drm/amd/amdkfd/kfd_priv.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "daa8bc5f83814b55b71d2b5b3a090d57a5219c21",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "fb07a0c9c8419164812e07274947f11b1d92dd61",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "91c6dc5a41695d02dfc6299f106ac38a6c493e52",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "ccd060b5c7cc75ae7e211c250b97c5b6272e7efc",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "db9530a9873a7c85d2266a922589ebcf427fa631",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "6abd3a4417cb73a7d0db7e25bf11fae1074bdba3",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "045e0ff208f0838a246c10204105126611b267a1",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_chardev.c",
"drivers/gpu/drm/amd/amdkfd/kfd_priv.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: validate SVM ioctl nattr against buffer size\n\nValidate nattr field against the buffer size, preventing\nout-of-bounds buffer access via user-controlled attribute count.\n\n(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:01:58.427Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/daa8bc5f83814b55b71d2b5b3a090d57a5219c21"
},
{
"url": "https://git.kernel.org/stable/c/fb07a0c9c8419164812e07274947f11b1d92dd61"
},
{
"url": "https://git.kernel.org/stable/c/91c6dc5a41695d02dfc6299f106ac38a6c493e52"
},
{
"url": "https://git.kernel.org/stable/c/ccd060b5c7cc75ae7e211c250b97c5b6272e7efc"
},
{
"url": "https://git.kernel.org/stable/c/db9530a9873a7c85d2266a922589ebcf427fa631"
},
{
"url": "https://git.kernel.org/stable/c/6abd3a4417cb73a7d0db7e25bf11fae1074bdba3"
},
{
"url": "https://git.kernel.org/stable/c/045e0ff208f0838a246c10204105126611b267a1"
}
],
"title": "drm/amdkfd: validate SVM ioctl nattr against buffer size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46197",
"datePublished": "2026-05-28T09:40:13.722Z",
"dateReserved": "2026-05-13T15:03:33.104Z",
"dateUpdated": "2026-06-14T18:01:58.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46209 (GCVE-0-2026-46209)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-06-14 18:02
VLAI?
EPSS
Title
drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
using plain integer division:
unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
drm_format_info_plane_width/height() which round up dimensions via
DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
size check for certain pixel format and dimension combinations.
For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
GEM size validation path sees height=0 instead of height=1. The
expression (height - 1) then wraps to UINT_MAX as an unsigned int,
causing min_size to overflow and wrap back to a small value. A tiny
GEM object therefore passes the size guard, yet when the GPU accesses
the chroma plane it will read or write memory beyond the object's
bounds.
Fix by replacing the open-coded divisions with drm_format_info_plane_width()
and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
the calculation already used in framebuffer_check().
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < 11427ad6c9f0def5ce567982b785da3191946430
(git)
Affected: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad (git) Affected: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < 22922f7dae74409fc4bf0f1142710cb6b8ce8cc2 (git) Affected: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < 6b992591e04f2cce813bcf239b354f375bbf84d3 (git) Affected: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < 1da4ab7189f1064b3b712b388772c008b4d82580 (git) Affected: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < 1a17ea9861e89585361caa8bc231bd22dc6dbe7d (git) Affected: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < c5fc49d8470c5ebf3b41607600f277158f159950 (git) Affected: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < 3d4c2268bd7243c3780fe32bf24ff876da272acf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem_framebuffer_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11427ad6c9f0def5ce567982b785da3191946430",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
},
{
"lessThan": "adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
},
{
"lessThan": "22922f7dae74409fc4bf0f1142710cb6b8ce8cc2",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
},
{
"lessThan": "6b992591e04f2cce813bcf239b354f375bbf84d3",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
},
{
"lessThan": "1da4ab7189f1064b3b712b388772c008b4d82580",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
},
{
"lessThan": "1a17ea9861e89585361caa8bc231bd22dc6dbe7d",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
},
{
"lessThan": "c5fc49d8470c5ebf3b41607600f277158f159950",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
},
{
"lessThan": "3d4c2268bd7243c3780fe32bf24ff876da272acf",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem_framebuffer_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()\n\ndrm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions\nusing plain integer division:\n\n unsigned int width = mode_cmd-\u003ewidth / (i ? info-\u003ehsub : 1);\n unsigned int height = mode_cmd-\u003eheight / (i ? info-\u003evsub : 1);\n\nHowever, the ioctl-level framebuffer_check() in drm_framebuffer.c uses\ndrm_format_info_plane_width/height() which round up dimensions via\nDIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object\nsize check for certain pixel format and dimension combinations.\n\nFor example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the\nGEM size validation path sees height=0 instead of height=1. The\nexpression (height - 1) then wraps to UINT_MAX as an unsigned int,\ncausing min_size to overflow and wrap back to a small value. A tiny\nGEM object therefore passes the size guard, yet when the GPU accesses\nthe chroma plane it will read or write memory beyond the object\u0027s\nbounds.\n\nFix by replacing the open-coded divisions with drm_format_info_plane_width()\nand drm_format_info_plane_height(), which use DIV_ROUND_UP() and match\nthe calculation already used in framebuffer_check()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:02:54.931Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11427ad6c9f0def5ce567982b785da3191946430"
},
{
"url": "https://git.kernel.org/stable/c/adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad"
},
{
"url": "https://git.kernel.org/stable/c/22922f7dae74409fc4bf0f1142710cb6b8ce8cc2"
},
{
"url": "https://git.kernel.org/stable/c/6b992591e04f2cce813bcf239b354f375bbf84d3"
},
{
"url": "https://git.kernel.org/stable/c/1da4ab7189f1064b3b712b388772c008b4d82580"
},
{
"url": "https://git.kernel.org/stable/c/1a17ea9861e89585361caa8bc231bd22dc6dbe7d"
},
{
"url": "https://git.kernel.org/stable/c/c5fc49d8470c5ebf3b41607600f277158f159950"
},
{
"url": "https://git.kernel.org/stable/c/3d4c2268bd7243c3780fe32bf24ff876da272acf"
}
],
"title": "drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46209",
"datePublished": "2026-05-28T09:40:27.092Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-06-14T18:02:54.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23392 (GCVE-0-2026-23392)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-05-11 22:05
VLAI?
EPSS
Title
netfilter: nf_tables: release flowtable after rcu grace period on error
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: release flowtable after rcu grace period on error
Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.
This error path is rare, it should only happen by reaching the maximum
number hooks or by failing to set up to hardware offload, just call
synchronize_rcu().
There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier to this error path really becomes
rarely exercised.
Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < d2632de96ccb066e0131ad1494241b9c281c60b8
(git)
Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < adee3436ccd29f1e514c028899e400cbc6d84065 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < 7e3955b282eae20d61c75e499c75eade51c20060 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < c8092edb9a11f20f95ccceeb9422b7dd0df337bd (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < e78a2dcc7cfb87b64a631441ca7681492b347ef6 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < d73f4b53aaaea4c95f245e491aa5eeb8a21874ce (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2632de96ccb066e0131ad1494241b9c281c60b8",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "adee3436ccd29f1e514c028899e400cbc6d84065",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "7e3955b282eae20d61c75e499c75eade51c20060",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "c8092edb9a11f20f95ccceeb9422b7dd0df337bd",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "e78a2dcc7cfb87b64a631441ca7681492b347ef6",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "d73f4b53aaaea4c95f245e491aa5eeb8a21874ce",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:05:59.471Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8"
},
{
"url": "https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065"
},
{
"url": "https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060"
},
{
"url": "https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd"
},
{
"url": "https://git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6"
},
{
"url": "https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce"
}
],
"title": "netfilter: nf_tables: release flowtable after rcu grace period on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23392",
"datePublished": "2026-03-25T10:33:16.647Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-05-11T22:05:59.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31448 (GCVE-0-2026-31448)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-05-11 22:08
VLAI?
EPSS
Title
ext4: avoid infinite loops caused by residual data
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid infinite loops caused by residual data
On the mkdir/mknod path, when mapping logical blocks to physical blocks,
if inserting a new extent into the extent tree fails (in this example,
because the file system disabled the huge file feature when marking the
inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to
reclaim the physical block without deleting the corresponding data in
the extent tree. This causes subsequent mkdir operations to reference
the previously reclaimed physical block number again, even though this
physical block is already being used by the xattr block. Therefore, a
situation arises where both the directory and xattr are using the same
buffer head block in memory simultaneously.
The above causes ext4_xattr_block_set() to enter an infinite loop about
"inserted" and cannot release the inode lock, ultimately leading to the
143s blocking problem mentioned in [1].
If the metadata is corrupted, then trying to remove some extent space
can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE
was passed, remove space wrongly update quota information.
Jan Kara suggests distinguishing between two cases:
1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully
consistent and we must maintain its consistency including all the
accounting. However these errors can happen only early before we've
inserted the extent into the extent tree. So current code works correctly
for this case.
2) Some other error - this means metadata is corrupted. We should strive to
do as few modifications as possible to limit damage. So I'd just skip
freeing of allocated blocks.
[1]
INFO: task syz.0.17:5995 blocked for more than 143 seconds.
Call Trace:
inode_lock_nested include/linux/fs.h:1073 [inline]
__start_dirop fs/namei.c:2923 [inline]
start_dirop fs/namei.c:2934 [inline]
Severity ?
9.4 (Critical)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
315054f023d28ee64f308adf8b5737831541776b , < c66545e83a802c3851d9be27a41c0479dd29ff0c
(git)
Affected: 315054f023d28ee64f308adf8b5737831541776b , < ecc50bfca9b5c2ee6aeef998181689b80477367b (git) Affected: 315054f023d28ee64f308adf8b5737831541776b , < 3a7667595bcad84da53fc156a418e110267c3412 (git) Affected: 315054f023d28ee64f308adf8b5737831541776b , < 416c86f30f91b4fb2642ef6b102596ca898f41a5 (git) Affected: 315054f023d28ee64f308adf8b5737831541776b , < 64f425b06b3bea9abc8977fd3982779b3ad070c9 (git) Affected: 315054f023d28ee64f308adf8b5737831541776b , < 5422fe71d26d42af6c454ca9527faaad4e677d6c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c66545e83a802c3851d9be27a41c0479dd29ff0c",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "ecc50bfca9b5c2ee6aeef998181689b80477367b",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "3a7667595bcad84da53fc156a418e110267c3412",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "416c86f30f91b4fb2642ef6b102596ca898f41a5",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "64f425b06b3bea9abc8977fd3982779b3ad070c9",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "5422fe71d26d42af6c454ca9527faaad4e677d6c",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid infinite loops caused by residual data\n\nOn the mkdir/mknod path, when mapping logical blocks to physical blocks,\nif inserting a new extent into the extent tree fails (in this example,\nbecause the file system disabled the huge file feature when marking the\ninode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to\nreclaim the physical block without deleting the corresponding data in\nthe extent tree. This causes subsequent mkdir operations to reference\nthe previously reclaimed physical block number again, even though this\nphysical block is already being used by the xattr block. Therefore, a\nsituation arises where both the directory and xattr are using the same\nbuffer head block in memory simultaneously.\n\nThe above causes ext4_xattr_block_set() to enter an infinite loop about\n\"inserted\" and cannot release the inode lock, ultimately leading to the\n143s blocking problem mentioned in [1].\n\nIf the metadata is corrupted, then trying to remove some extent space\ncan do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE\nwas passed, remove space wrongly update quota information.\nJan Kara suggests distinguishing between two cases:\n\n1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully\nconsistent and we must maintain its consistency including all the\naccounting. However these errors can happen only early before we\u0027ve\ninserted the extent into the extent tree. So current code works correctly\nfor this case.\n\n2) Some other error - this means metadata is corrupted. We should strive to\ndo as few modifications as possible to limit damage. So I\u0027d just skip\nfreeing of allocated blocks.\n\n[1]\nINFO: task syz.0.17:5995 blocked for more than 143 seconds.\nCall Trace:\n inode_lock_nested include/linux/fs.h:1073 [inline]\n __start_dirop fs/namei.c:2923 [inline]\n start_dirop fs/namei.c:2934 [inline]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:54.289Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c66545e83a802c3851d9be27a41c0479dd29ff0c"
},
{
"url": "https://git.kernel.org/stable/c/ecc50bfca9b5c2ee6aeef998181689b80477367b"
},
{
"url": "https://git.kernel.org/stable/c/3a7667595bcad84da53fc156a418e110267c3412"
},
{
"url": "https://git.kernel.org/stable/c/416c86f30f91b4fb2642ef6b102596ca898f41a5"
},
{
"url": "https://git.kernel.org/stable/c/64f425b06b3bea9abc8977fd3982779b3ad070c9"
},
{
"url": "https://git.kernel.org/stable/c/5422fe71d26d42af6c454ca9527faaad4e677d6c"
}
],
"title": "ext4: avoid infinite loops caused by residual data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31448",
"datePublished": "2026-04-22T13:53:44.129Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-05-11T22:08:54.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31629 (GCVE-0-2026-31629)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-06-14 17:43
VLAI?
EPSS
Title
nfc: llcp: add missing return after LLCP_CLOSED checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: add missing return after LLCP_CLOSED checks
In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket
state is LLCP_CLOSED, the code correctly calls release_sock() and
nfc_llcp_sock_put() but fails to return. Execution falls through to
the remainder of the function, which calls release_sock() and
nfc_llcp_sock_put() again. This results in a double release_sock()
and a refcount underflow via double nfc_llcp_sock_put(), leading to
a use-after-free.
Add the missing return statements after the LLCP_CLOSED branches
in both functions to prevent the fall-through.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < b2a23529593d011fb433a3d711fc597ed6a6bd2f
(git)
Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < 665315df9c3486cb213fc44d83cc8bcd47fe0d26 (git) Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < 9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6 (git) Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < 0eb1263a3b8c36418c9ba295c9ab3abed664edbf (git) Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < 796e0cac058252d0ad34ebe288e6f7979b5fc9b2 (git) Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < 8977fad2b3c6eefd414131168d597c5d1d5e1abf (git) Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < ff3d9e8f7244293e303f7b6ef70774291c7c27e9 (git) Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < aba4712e8f0381cd5d196534ce2ad082626a5ab6 (git) Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a , < 2b5dd4632966c39da6ba74dbc8689b309065e82c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2a23529593d011fb433a3d711fc597ed6a6bd2f",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "665315df9c3486cb213fc44d83cc8bcd47fe0d26",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "0eb1263a3b8c36418c9ba295c9ab3abed664edbf",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "796e0cac058252d0ad34ebe288e6f7979b5fc9b2",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "8977fad2b3c6eefd414131168d597c5d1d5e1abf",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "ff3d9e8f7244293e303f7b6ef70774291c7c27e9",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "aba4712e8f0381cd5d196534ce2ad082626a5ab6",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "2b5dd4632966c39da6ba74dbc8689b309065e82c",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: add missing return after LLCP_CLOSED checks\n\nIn nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket\nstate is LLCP_CLOSED, the code correctly calls release_sock() and\nnfc_llcp_sock_put() but fails to return. Execution falls through to\nthe remainder of the function, which calls release_sock() and\nnfc_llcp_sock_put() again. This results in a double release_sock()\nand a refcount underflow via double nfc_llcp_sock_put(), leading to\na use-after-free.\n\nAdd the missing return statements after the LLCP_CLOSED branches\nin both functions to prevent the fall-through."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:43:21.584Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2a23529593d011fb433a3d711fc597ed6a6bd2f"
},
{
"url": "https://git.kernel.org/stable/c/665315df9c3486cb213fc44d83cc8bcd47fe0d26"
},
{
"url": "https://git.kernel.org/stable/c/9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6"
},
{
"url": "https://git.kernel.org/stable/c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf"
},
{
"url": "https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2"
},
{
"url": "https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf"
},
{
"url": "https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9"
},
{
"url": "https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6"
},
{
"url": "https://git.kernel.org/stable/c/2b5dd4632966c39da6ba74dbc8689b309065e82c"
}
],
"title": "nfc: llcp: add missing return after LLCP_CLOSED checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31629",
"datePublished": "2026-04-24T14:42:49.849Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-06-14T17:43:21.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45852 (GCVE-0-2026-45852)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:15 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
RDMA/rxe: Fix double free in rxe_srq_from_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix double free in rxe_srq_from_init
In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.
The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.
The call trace looks like this:
kmem_cache_free+0x.../0x...
rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
rxe_elem_release+0x31/0x70 [rdma_rxe]
rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
ib_create_srq_user+0x9a/0x150 [ib_core]
Fix this by moving 'srq->rq.queue = q' after copy_to_user.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < b98ab5494dbd48652561aa0b9c32f10500220745
(git)
Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < d493e0bfc748a520c349d6c8791b262aa5ad2e4e (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 9abff51163aa1bc275ec356f74fe976291860a7f (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 26793db60925df1e88a29466813d586cbc190b8c (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < ce6f8e007682f378279d4cf83b240f12d52c723b (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 5c07aef09a121a4cd622a71eb0753a9e135c84a8 (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 26a9cfe12f4ffdeaa136f252478986fa5f397ddc (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 0beefd0e15d962f497aad750b2d5e9c3570b66d1 (git) Affected: 350703fae672d4d649c3562c199eab5ec9dc7c79 (git) Affected: 4.19.86 , < 4.20 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Remote Direct Memory Access (RDMA) subsystem, specifically within the `rxe` driver. An error in the `rxe_srq_from_init` function\u0027s memory management can lead to a double free vulnerability. This occurs when an attempt to copy data to user space fails, causing the same memory region to be freed twice. A local attacker could potentially exploit this flaw to cause a denial of service (DoS) by crashing the system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:27.975Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-45852"
},
{
"name": "RHBZ#2482166",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482166"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45852.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27713"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25217"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25121"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33899"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25120"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27713: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:25217: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25121: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33899: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:25120: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: RDMA/rxe: Fix double free in rxe_srq_from_init",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b98ab5494dbd48652561aa0b9c32f10500220745",
"status": "affected",
"version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
"versionType": "git"
},
{
"lessThan": "d493e0bfc748a520c349d6c8791b262aa5ad2e4e",
"status": "affected",
"version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
"versionType": "git"
},
{
"lessThan": "9abff51163aa1bc275ec356f74fe976291860a7f",
"status": "affected",
"version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
"versionType": "git"
},
{
"lessThan": "26793db60925df1e88a29466813d586cbc190b8c",
"status": "affected",
"version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
"versionType": "git"
},
{
"lessThan": "ce6f8e007682f378279d4cf83b240f12d52c723b",
"status": "affected",
"version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
"versionType": "git"
},
{
"lessThan": "5c07aef09a121a4cd622a71eb0753a9e135c84a8",
"status": "affected",
"version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
"versionType": "git"
},
{
"lessThan": "26a9cfe12f4ffdeaa136f252478986fa5f397ddc",
"status": "affected",
"version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
"versionType": "git"
},
{
"lessThan": "0beefd0e15d962f497aad750b2d5e9c3570b66d1",
"status": "affected",
"version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
"versionType": "git"
},
{
"status": "affected",
"version": "350703fae672d4d649c3562c199eab5ec9dc7c79",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.86",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix double free in rxe_srq_from_init\n\nIn rxe_srq_from_init(), the queue pointer \u0027q\u0027 is assigned to\n\u0027srq-\u003erq.queue\u0027 before copying the SRQ number to user space.\nIf copy_to_user() fails, the function calls rxe_queue_cleanup()\nto free the queue, but leaves the now-invalid pointer in\n\u0027srq-\u003erq.queue\u0027.\n\nThe caller of rxe_srq_from_init() (rxe_create_srq) eventually\ncalls rxe_srq_cleanup() upon receiving the error, which triggers\na second rxe_queue_cleanup() on the same memory, leading to a\ndouble free.\n\nThe call trace looks like this:\n kmem_cache_free+0x.../0x...\n rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]\n rxe_srq_cleanup+0x42/0x60 [rdma_rxe]\n rxe_elem_release+0x31/0x70 [rdma_rxe]\n rxe_create_srq+0x12b/0x1a0 [rdma_rxe]\n ib_create_srq_user+0x9a/0x150 [ib_core]\n\nFix this by moving \u0027srq-\u003erq.queue = q\u0027 after copy_to_user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:44.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b98ab5494dbd48652561aa0b9c32f10500220745"
},
{
"url": "https://git.kernel.org/stable/c/d493e0bfc748a520c349d6c8791b262aa5ad2e4e"
},
{
"url": "https://git.kernel.org/stable/c/9abff51163aa1bc275ec356f74fe976291860a7f"
},
{
"url": "https://git.kernel.org/stable/c/26793db60925df1e88a29466813d586cbc190b8c"
},
{
"url": "https://git.kernel.org/stable/c/ce6f8e007682f378279d4cf83b240f12d52c723b"
},
{
"url": "https://git.kernel.org/stable/c/5c07aef09a121a4cd622a71eb0753a9e135c84a8"
},
{
"url": "https://git.kernel.org/stable/c/26a9cfe12f4ffdeaa136f252478986fa5f397ddc"
},
{
"url": "https://git.kernel.org/stable/c/0beefd0e15d962f497aad750b2d5e9c3570b66d1"
}
],
"title": "RDMA/rxe: Fix double free in rxe_srq_from_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45852",
"datePublished": "2026-05-27T12:15:26.084Z",
"dateReserved": "2026-05-13T15:03:33.079Z",
"dateUpdated": "2026-07-02T12:05:27.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46113 (GCVE-0-2026-46113)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-14 17:55
VLAI?
EPSS
Title
KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus
the SPTE index. This assumption breaks for shadow paging if the guest
page tables are modified between VM entries (similar to commit
aad885e77496, "KVM: x86/mmu: Drop/zap existing present SPTE even
when creating an MMIO SPTE", 2026-03-27). The flow is as follows:
- a PDE is installed for a 2MB mapping, and a page in that area is
accessed. KVM creates a kvm_mmu_page consisting of 512 4KB pages;
the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because
the guest's mapping is a huge page (and thus contiguous).
- the PDE mapping is changed from outside the guest.
- the guest accesses another page in the same 2MB area. KVM installs
a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN
(i.e. based on the new mapping, as changed in the previous step) but
that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore
the rmap entry cannot be found and removed when the kvm_mmu_page
is zapped.
- the memslot that covers the first 2MB mapping is deleted, and the
kvm_mmu_page for the now-invalid GPA is zapped. However, rmap_remove()
only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,
and fails to find the rmap entry that was recorded by step 3.
- any operation that causes an rmap walk for the same page accessed
by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.
This includes dirty logging or MMU notifier invalidations (e.g., from
MADV_DONTNEED).
The underlying issue is that KVM's walking of shadow PTEs assumes that
if a SPTE is present when KVM wants to install a non-leaf SPTE, then the
existing kvm_mmu_page must be for the correct gfn. Because the only way
for the gfn to be wrong is if KVM messed up and failed to zap a SPTE...
which shouldn't happen, but *actually* only happens in response to a
guest write.
That bug dates back literally forever, as even the first version of KVM
assumes that the GFN matches and walks into the "wrong" shadow page.
However, that was only an imprecision until 2032a93d66fa ("KVM: MMU:
Don't allocate gfns page for direct mmu pages") came along.
Fix it by checking for a target gfn mismatch and zapping the existing
SPTE. That way the old SP and rmap entries are gone, KVM installs
the rmap in the right location, and everyone is happy.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 , < e9d4ea13aa2b6400bb10ec64b370ba3dadcd22f0
(git)
Affected: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 , < 488e386484ec8c0e558be6e156edf34ed9f4d5c8 (git) Affected: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 , < 06c19c967b845b63172601fe459667d973b7e6b7 (git) Affected: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 , < 738ec97b1855df6c08fe2369f798fa0b972e556b (git) Affected: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 , < 14d1e55dfd2cf4711bff164a6aaaddb783552134 (git) Affected: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 , < 0cb2af2ea66ad8ff195c156ea690f11216285bdf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e9d4ea13aa2b6400bb10ec64b370ba3dadcd22f0",
"status": "affected",
"version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
"versionType": "git"
},
{
"lessThan": "488e386484ec8c0e558be6e156edf34ed9f4d5c8",
"status": "affected",
"version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
"versionType": "git"
},
{
"lessThan": "06c19c967b845b63172601fe459667d973b7e6b7",
"status": "affected",
"version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
"versionType": "git"
},
{
"lessThan": "738ec97b1855df6c08fe2369f798fa0b972e556b",
"status": "affected",
"version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
"versionType": "git"
},
{
"lessThan": "14d1e55dfd2cf4711bff164a6aaaddb783552134",
"status": "affected",
"version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
"versionType": "git"
},
{
"lessThan": "0cb2af2ea66ad8ff195c156ea690f11216285bdf",
"status": "affected",
"version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix shadow paging use-after-free due to unexpected GFN\n\nThe shadow MMU computes GFNs for direct shadow pages using sp-\u003egfn plus\nthe SPTE index. This assumption breaks for shadow paging if the guest\npage tables are modified between VM entries (similar to commit\naad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even\nwhen creating an MMIO SPTE\", 2026-03-27). The flow is as follows:\n\n- a PDE is installed for a 2MB mapping, and a page in that area is\n accessed. KVM creates a kvm_mmu_page consisting of 512 4KB pages;\n the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because\n the guest\u0027s mapping is a huge page (and thus contiguous).\n\n- the PDE mapping is changed from outside the guest.\n\n- the guest accesses another page in the same 2MB area. KVM installs\n a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN\n (i.e. based on the new mapping, as changed in the previous step) but\n that GFN is outside of the [sp-\u003egfn, sp-\u003egfn + 511] range; therefore\n the rmap entry cannot be found and removed when the kvm_mmu_page\n is zapped.\n\n- the memslot that covers the first 2MB mapping is deleted, and the\n kvm_mmu_page for the now-invalid GPA is zapped. However, rmap_remove()\n only looks at the [sp-\u003egfn, sp-\u003egfn + 511] range established in step 1,\n and fails to find the rmap entry that was recorded by step 3.\n\n- any operation that causes an rmap walk for the same page accessed\n by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.\n This includes dirty logging or MMU notifier invalidations (e.g., from\n MADV_DONTNEED).\n\nThe underlying issue is that KVM\u0027s walking of shadow PTEs assumes that\nif a SPTE is present when KVM wants to install a non-leaf SPTE, then the\nexisting kvm_mmu_page must be for the correct gfn. Because the only way\nfor the gfn to be wrong is if KVM messed up and failed to zap a SPTE...\nwhich shouldn\u0027t happen, but *actually* only happens in response to a\nguest write.\n\nThat bug dates back literally forever, as even the first version of KVM\nassumes that the GFN matches and walks into the \"wrong\" shadow page.\nHowever, that was only an imprecision until 2032a93d66fa (\"KVM: MMU:\nDon\u0027t allocate gfns page for direct mmu pages\") came along.\n\nFix it by checking for a target gfn mismatch and zapping the existing\nSPTE. That way the old SP and rmap entries are gone, KVM installs\nthe rmap in the right location, and everyone is happy."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:55:24.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e9d4ea13aa2b6400bb10ec64b370ba3dadcd22f0"
},
{
"url": "https://git.kernel.org/stable/c/488e386484ec8c0e558be6e156edf34ed9f4d5c8"
},
{
"url": "https://git.kernel.org/stable/c/06c19c967b845b63172601fe459667d973b7e6b7"
},
{
"url": "https://git.kernel.org/stable/c/738ec97b1855df6c08fe2369f798fa0b972e556b"
},
{
"url": "https://git.kernel.org/stable/c/14d1e55dfd2cf4711bff164a6aaaddb783552134"
},
{
"url": "https://git.kernel.org/stable/c/0cb2af2ea66ad8ff195c156ea690f11216285bdf"
}
],
"title": "KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46113",
"datePublished": "2026-05-28T09:35:23.035Z",
"dateReserved": "2026-05-13T15:03:33.098Z",
"dateUpdated": "2026-06-14T17:55:24.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31493 (GCVE-0-2026-31493)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:09
VLAI?
EPSS
Title
RDMA/efa: Fix use of completion ctx after free
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/efa: Fix use of completion ctx after free
On admin queue completion handling, if the admin command completed with
error we print data from the completion context. The issue is that we
already freed the completion context in polling/interrupts handler which
means we print data from context in an unknown state (it might be
already used again).
Change the admin submission flow so alloc/dealloc of the context will be
symmetric and dealloc will be called after any potential use of the
context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
68fb9f3e312a36e49fd05ec2d6b668daf2c4931a , < 0dd98aea1c0c45987fa2dd92f988b0eb1a72c125
(git)
Affected: 68fb9f3e312a36e49fd05ec2d6b668daf2c4931a , < 1cf95fe5dc5471efea947b4c6f8913da6bc7976e (git) Affected: 68fb9f3e312a36e49fd05ec2d6b668daf2c4931a , < ef3b06742c8a201d0e83edc9a33a89a4fe3009f8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/efa/efa_com.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0dd98aea1c0c45987fa2dd92f988b0eb1a72c125",
"status": "affected",
"version": "68fb9f3e312a36e49fd05ec2d6b668daf2c4931a",
"versionType": "git"
},
{
"lessThan": "1cf95fe5dc5471efea947b4c6f8913da6bc7976e",
"status": "affected",
"version": "68fb9f3e312a36e49fd05ec2d6b668daf2c4931a",
"versionType": "git"
},
{
"lessThan": "ef3b06742c8a201d0e83edc9a33a89a4fe3009f8",
"status": "affected",
"version": "68fb9f3e312a36e49fd05ec2d6b668daf2c4931a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/efa/efa_com.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/efa: Fix use of completion ctx after free\n\nOn admin queue completion handling, if the admin command completed with\nerror we print data from the completion context. The issue is that we\nalready freed the completion context in polling/interrupts handler which\nmeans we print data from context in an unknown state (it might be\nalready used again).\nChange the admin submission flow so alloc/dealloc of the context will be\nsymmetric and dealloc will be called after any potential use of the\ncontext."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:47.997Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0dd98aea1c0c45987fa2dd92f988b0eb1a72c125"
},
{
"url": "https://git.kernel.org/stable/c/1cf95fe5dc5471efea947b4c6f8913da6bc7976e"
},
{
"url": "https://git.kernel.org/stable/c/ef3b06742c8a201d0e83edc9a33a89a4fe3009f8"
}
],
"title": "RDMA/efa: Fix use of completion ctx after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31493",
"datePublished": "2026-04-22T13:54:16.255Z",
"dateReserved": "2026-03-09T15:48:24.102Z",
"dateUpdated": "2026-05-11T22:09:47.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31446 (GCVE-0-2026-31446)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-05-23 16:05
VLAI?
EPSS
Title
ext4: fix use-after-free in update_super_work when racing with umount
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in update_super_work when racing with umount
Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount
filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work
to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups
reads during unmount. However, this introduced a use-after-free because
update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which
accesses the kobject's kernfs_node after it has been freed by kobject_del()
in ext4_unregister_sysfs():
update_super_work ext4_put_super
----------------- --------------
ext4_unregister_sysfs(sb)
kobject_del(&sbi->s_kobj)
__kobject_del()
sysfs_remove_dir()
kobj->sd = NULL
sysfs_put(sd)
kernfs_put() // RCU free
ext4_notify_error_sysfs(sbi)
sysfs_notify(&sbi->s_kobj)
kn = kobj->sd // stale pointer
kernfs_get(kn) // UAF on freed kernfs_node
ext4_journal_destroy()
flush_work(&sbi->s_sb_upd_work)
Instead of reordering the teardown sequence, fix this by making
ext4_notify_error_sysfs() detect that sysfs has already been torn down
by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call
in that case. A dedicated mutex (s_error_notify_mutex) serializes
ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()
to prevent TOCTOU races where the kobject could be deleted between the
state_in_sysfs check and the sysfs_notify() call.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
52c3a04f9ec2a16a4204d6274db338cb8d5b2d74 , < c8fe17a1b308c3d8c703ebfb049b325f844342c3
(git)
Affected: b98535d091795a79336f520b0708457aacf55c67 , < c4d829737329f2290dd41e290b7d75effdb2a7ff (git) Affected: b98535d091795a79336f520b0708457aacf55c67 , < 9449f99ba04f5dd1c8423ad8a90b3651d7240d1d (git) Affected: b98535d091795a79336f520b0708457aacf55c67 , < 034053378dd81837fd6c7a43b37ee2e58d4f0b4e (git) Affected: b98535d091795a79336f520b0708457aacf55c67 , < c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe (git) Affected: b98535d091795a79336f520b0708457aacf55c67 , < 08b10e6f37fc533a759e9833af0692242e8b3f93 (git) Affected: b98535d091795a79336f520b0708457aacf55c67 , < d15e4b0a418537aafa56b2cb80d44add83e83697 (git) Affected: 585ef03c9e79672781f954daae730dfe24bf3a46 (git) Affected: afe490e48d47df1b3f64012835c1bc2f075a8c8b (git) Affected: 5.15.38 , < 5.15.203 (semver) Affected: 5.10.114 , < 5.11 (semver) Affected: 5.17.6 , < 5.18 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/ext4.h",
"fs/ext4/super.c",
"fs/ext4/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8fe17a1b308c3d8c703ebfb049b325f844342c3",
"status": "affected",
"version": "52c3a04f9ec2a16a4204d6274db338cb8d5b2d74",
"versionType": "git"
},
{
"lessThan": "c4d829737329f2290dd41e290b7d75effdb2a7ff",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "9449f99ba04f5dd1c8423ad8a90b3651d7240d1d",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "034053378dd81837fd6c7a43b37ee2e58d4f0b4e",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "08b10e6f37fc533a759e9833af0692242e8b3f93",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "d15e4b0a418537aafa56b2cb80d44add83e83697",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"status": "affected",
"version": "585ef03c9e79672781f954daae730dfe24bf3a46",
"versionType": "git"
},
{
"status": "affected",
"version": "afe490e48d47df1b3f64012835c1bc2f075a8c8b",
"versionType": "git"
},
{
"lessThan": "5.15.203",
"status": "affected",
"version": "5.15.38",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.114",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/ext4.h",
"fs/ext4/super.c",
"fs/ext4/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -\u003e sysfs_notify() which\naccesses the kobject\u0027s kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n update_super_work ext4_put_super\n ----------------- --------------\n ext4_unregister_sysfs(sb)\n kobject_del(\u0026sbi-\u003es_kobj)\n __kobject_del()\n sysfs_remove_dir()\n kobj-\u003esd = NULL\n sysfs_put(sd)\n kernfs_put() // RCU free\n ext4_notify_error_sysfs(sbi)\n sysfs_notify(\u0026sbi-\u003es_kobj)\n kn = kobj-\u003esd // stale pointer\n kernfs_get(kn) // UAF on freed kernfs_node\n ext4_journal_destroy()\n flush_work(\u0026sbi-\u003es_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:05:05.795Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8fe17a1b308c3d8c703ebfb049b325f844342c3"
},
{
"url": "https://git.kernel.org/stable/c/c4d829737329f2290dd41e290b7d75effdb2a7ff"
},
{
"url": "https://git.kernel.org/stable/c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d"
},
{
"url": "https://git.kernel.org/stable/c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e"
},
{
"url": "https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe"
},
{
"url": "https://git.kernel.org/stable/c/08b10e6f37fc533a759e9833af0692242e8b3f93"
},
{
"url": "https://git.kernel.org/stable/c/d15e4b0a418537aafa56b2cb80d44add83e83697"
}
],
"title": "ext4: fix use-after-free in update_super_work when racing with umount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31446",
"datePublished": "2026-04-22T13:53:42.751Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-05-23T16:05:05.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43013 (GCVE-0-2026-43013)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16
VLAI?
EPSS
Title
net/mlx5: lag: Check for LAG device before creating debugfs
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: lag: Check for LAG device before creating debugfs
__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error
occurs that is handled gracefully. Consequently, the initialization
flow proceeds to call mlx5_ldev_add_debugfs() even when there is no
valid LAG context.
mlx5_ldev_add_debugfs() blindly created the debugfs directory and
attributes. This exposed interfaces (like the members file) that rely on
a valid ldev pointer, leading to potential NULL pointer dereferences if
accessed when ldev is NULL.
Add a check to verify that mlx5_lag_dev(dev) returns a valid pointer
before attempting to create the debugfs entries.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7f46a0b7327ae261f9981888708dbca22c283900 , < a3db46d5f4df92630a96f7bc77b60e75c2353e06
(git)
Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < 7129632cab3e4d23510b21930aa73b8d97a859f5 (git) Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < cfa774e6c920c81e700327bf10db8cb50d5db456 (git) Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < c53cf44588a93000f71817a6bb87a66353c48dee (git) Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < 89c65f2fcd8801365b410f40a427cbcd7f4c28e9 (git) Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < bf16bca6653679d8a514d6c1c5a2c67065033f14 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3db46d5f4df92630a96f7bc77b60e75c2353e06",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "7129632cab3e4d23510b21930aa73b8d97a859f5",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "cfa774e6c920c81e700327bf10db8cb50d5db456",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "c53cf44588a93000f71817a6bb87a66353c48dee",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "89c65f2fcd8801365b410f40a427cbcd7f4c28e9",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "bf16bca6653679d8a514d6c1c5a2c67065033f14",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: lag: Check for LAG device before creating debugfs\n\n__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error\noccurs that is handled gracefully. Consequently, the initialization\nflow proceeds to call mlx5_ldev_add_debugfs() even when there is no\nvalid LAG context.\n\nmlx5_ldev_add_debugfs() blindly created the debugfs directory and\nattributes. This exposed interfaces (like the members file) that rely on\na valid ldev pointer, leading to potential NULL pointer dereferences if\naccessed when ldev is NULL.\n\nAdd a check to verify that mlx5_lag_dev(dev) returns a valid pointer\nbefore attempting to create the debugfs entries."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:00.983Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3db46d5f4df92630a96f7bc77b60e75c2353e06"
},
{
"url": "https://git.kernel.org/stable/c/7129632cab3e4d23510b21930aa73b8d97a859f5"
},
{
"url": "https://git.kernel.org/stable/c/cfa774e6c920c81e700327bf10db8cb50d5db456"
},
{
"url": "https://git.kernel.org/stable/c/c53cf44588a93000f71817a6bb87a66353c48dee"
},
{
"url": "https://git.kernel.org/stable/c/89c65f2fcd8801365b410f40a427cbcd7f4c28e9"
},
{
"url": "https://git.kernel.org/stable/c/bf16bca6653679d8a514d6c1c5a2c67065033f14"
}
],
"title": "net/mlx5: lag: Check for LAG device before creating debugfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43013",
"datePublished": "2026-05-01T14:15:18.907Z",
"dateReserved": "2026-05-01T14:12:55.974Z",
"dateUpdated": "2026-05-11T22:16:00.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23303 (GCVE-0-2026-23303)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-05-11 22:04
VLAI?
EPSS
Title
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
When debug logging is enabled, cifs_set_cifscreds() logs the key
payload and exposes the plaintext username and password. Remove the
debug log to avoid exposing credentials.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < e5a3b11e07b335006371915b2da47b6056c9e3bc
(git)
Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 54c570de9a35860dfa85fe668f23ddfda8cc7e26 (git) Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < ff0ece8ed04180c52167c003362284b23cf54e8d (git) Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 3990f352bb0adc8688d0949a9c13e3110570eb61 (git) Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < b746a357abfb8fdb0a171d51ec5091e786d34be1 (git) Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1 (git) Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 3e182701db612ddd794ccd5ed822e6cc1db2b972 (git) Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5a3b11e07b335006371915b2da47b6056c9e3bc",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "54c570de9a35860dfa85fe668f23ddfda8cc7e26",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "ff0ece8ed04180c52167c003362284b23cf54e8d",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "3990f352bb0adc8688d0949a9c13e3110570eb61",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "b746a357abfb8fdb0a171d51ec5091e786d34be1",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "3e182701db612ddd794ccd5ed822e6cc1db2b972",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Don\u0027t log plaintext credentials in cifs_set_cifscreds\n\nWhen debug logging is enabled, cifs_set_cifscreds() logs the key\npayload and exposes the plaintext username and password. Remove the\ndebug log to avoid exposing credentials."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:04:16.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5a3b11e07b335006371915b2da47b6056c9e3bc"
},
{
"url": "https://git.kernel.org/stable/c/54c570de9a35860dfa85fe668f23ddfda8cc7e26"
},
{
"url": "https://git.kernel.org/stable/c/ff0ece8ed04180c52167c003362284b23cf54e8d"
},
{
"url": "https://git.kernel.org/stable/c/3990f352bb0adc8688d0949a9c13e3110570eb61"
},
{
"url": "https://git.kernel.org/stable/c/b746a357abfb8fdb0a171d51ec5091e786d34be1"
},
{
"url": "https://git.kernel.org/stable/c/2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1"
},
{
"url": "https://git.kernel.org/stable/c/3e182701db612ddd794ccd5ed822e6cc1db2b972"
},
{
"url": "https://git.kernel.org/stable/c/2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d"
}
],
"title": "smb: client: Don\u0027t log plaintext credentials in cifs_set_cifscreds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23303",
"datePublished": "2026-03-25T10:26:58.166Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-05-11T22:04:16.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46273 (GCVE-0-2026-46273)
Vulnerability from cvelistv5 – Published: 2026-06-03 16:19 – Updated: 2026-06-14 18:05
VLAI?
EPSS
Title
ibmveth: Disable GSO for packets with small MSS
Summary
In the Linux kernel, the following vulnerability has been resolved:
ibmveth: Disable GSO for packets with small MSS
Some physical adapters on Power systems do not support segmentation
offload when the MSS is less than 224 bytes. Attempting to send such
packets causes the adapter to freeze, stopping all traffic until
manually reset.
Implement ndo_features_check to disable GSO for packets with small MSS
values. The network stack will perform software segmentation instead.
The 224-byte minimum matches ibmvnic
commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks
on GSO packets")
which uses the same physical adapters in SEA configurations.
The issue occurs specifically when the hardware attempts to perform
segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets
(gso_segs == 1) do not trigger the problematic LSO code path and are
transmitted normally without segmentation.
Add an ndo_features_check callback to disable GSO when MSS < 224 bytes.
Also call vlan_features_check() to ensure proper handling of VLAN packets,
particularly QinQ (802.1ad) configurations where the hardware parser may
not support certain offload features.
Validated using iptables to force small MSS values. Without the fix,
the adapter freezes. With the fix, packets are segmented in software
and transmission succeeds. Comprehensive regression testing completedd
(MSS tests, performance, stability).
Severity ?
8.6 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 86fc64584811d43c9ccd74447de58620189d8b77
(git)
Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 9a5e984d7af910e46dcbed3ce77873e000a4f77d (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 1cdf5dbcec988d06f5f720bdf89e91073f77fa10 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 82bc89fbb82d9396fb4eaee8720ea85e2e787957 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < db8012c631cb845e9ae2b4b531e17d86c9519755 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < c1f261863e65b508f37416dfbc5c5d911c9b9233 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 3af24f0c4c31f18a4a2d927990759194832bb6e9 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmveth.c",
"drivers/net/ethernet/ibm/ibmveth.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86fc64584811d43c9ccd74447de58620189d8b77",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "9a5e984d7af910e46dcbed3ce77873e000a4f77d",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "1cdf5dbcec988d06f5f720bdf89e91073f77fa10",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "82bc89fbb82d9396fb4eaee8720ea85e2e787957",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "db8012c631cb845e9ae2b4b531e17d86c9519755",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "c1f261863e65b508f37416dfbc5c5d911c9b9233",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "3af24f0c4c31f18a4a2d927990759194832bb6e9",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "cc427d24ac6442ffdeafd157a63c7c5b73ed4de4",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmveth.c",
"drivers/net/ethernet/ibm/ibmveth.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmveth: Disable GSO for packets with small MSS\n\nSome physical adapters on Power systems do not support segmentation\noffload when the MSS is less than 224 bytes. Attempting to send such\npackets causes the adapter to freeze, stopping all traffic until\nmanually reset.\n\nImplement ndo_features_check to disable GSO for packets with small MSS\nvalues. The network stack will perform software segmentation instead.\n\nThe 224-byte minimum matches ibmvnic\ncommit \u003cf10b09ef687f\u003e (\"ibmvnic: Enforce stronger sanity checks\non GSO packets\")\nwhich uses the same physical adapters in SEA configurations.\n\nThe issue occurs specifically when the hardware attempts to perform\nsegmentation (gso_segs \u003e 1) with a small MSS. Single-segment GSO packets\n(gso_segs == 1) do not trigger the problematic LSO code path and are\ntransmitted normally without segmentation.\n\nAdd an ndo_features_check callback to disable GSO when MSS \u003c 224 bytes.\nAlso call vlan_features_check() to ensure proper handling of VLAN packets,\nparticularly QinQ (802.1ad) configurations where the hardware parser may\nnot support certain offload features.\n\nValidated using iptables to force small MSS values. Without the fix,\nthe adapter freezes. With the fix, packets are segmented in software\nand transmission succeeds. Comprehensive regression testing completedd\n(MSS tests, performance, stability)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:05:30.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86fc64584811d43c9ccd74447de58620189d8b77"
},
{
"url": "https://git.kernel.org/stable/c/9a5e984d7af910e46dcbed3ce77873e000a4f77d"
},
{
"url": "https://git.kernel.org/stable/c/1cdf5dbcec988d06f5f720bdf89e91073f77fa10"
},
{
"url": "https://git.kernel.org/stable/c/82bc89fbb82d9396fb4eaee8720ea85e2e787957"
},
{
"url": "https://git.kernel.org/stable/c/db8012c631cb845e9ae2b4b531e17d86c9519755"
},
{
"url": "https://git.kernel.org/stable/c/c1f261863e65b508f37416dfbc5c5d911c9b9233"
},
{
"url": "https://git.kernel.org/stable/c/3af24f0c4c31f18a4a2d927990759194832bb6e9"
},
{
"url": "https://git.kernel.org/stable/c/cc427d24ac6442ffdeafd157a63c7c5b73ed4de4"
}
],
"title": "ibmveth: Disable GSO for packets with small MSS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46273",
"datePublished": "2026-06-03T16:19:18.056Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-14T18:05:30.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31405 (GCVE-0-2026-31405)
Vulnerability from cvelistv5 – Published: 2026-04-06 07:33 – Updated: 2026-05-11 22:08
VLAI?
EPSS
Title
media: dvb-net: fix OOB access in ULE extension header tables
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-net: fix OOB access in ULE extension header tables
The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.
Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e51238718217c4abdb3ccc3b0c0cde265c7ec629
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b2bd2ee73b697c177157bba534e1b1064c2e66a0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 29ef43ceb121d67b87f4cbb08439e4e9e732eff8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a6da3dbb9985d00743073a1cc1f96e59f5abc30 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 145e50c2c700fa52b840df7bab206043997dd18e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2b65dcb78c8990e4c68a906627433be1fe38a92 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 24d87712727a5017ad142d63940589a36cd25647 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvb_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e51238718217c4abdb3ccc3b0c0cde265c7ec629",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b2bd2ee73b697c177157bba534e1b1064c2e66a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29ef43ceb121d67b87f4cbb08439e4e9e732eff8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a6da3dbb9985d00743073a1cc1f96e59f5abc30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "145e50c2c700fa52b840df7bab206043997dd18e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2b65dcb78c8990e4c68a906627433be1fe38a92",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "24d87712727a5017ad142d63940589a36cd25647",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvb_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-net: fix OOB access in ULE extension header tables\n\nThe ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables\nin handle_one_ule_extension() are declared with 255 elements (valid\nindices 0-254), but the index htype is derived from network-controlled\ndata as (ule_sndu_type \u0026 0x00FF), giving a range of 0-255. When\nhtype equals 255, an out-of-bounds read occurs on the function pointer\ntable, and the OOB value may be called as a function pointer.\n\nAdd a bounds check on htype against the array size before either table\nis accessed. Out-of-range values now cause the SNDU to be discarded."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:04.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e51238718217c4abdb3ccc3b0c0cde265c7ec629"
},
{
"url": "https://git.kernel.org/stable/c/b2bd2ee73b697c177157bba534e1b1064c2e66a0"
},
{
"url": "https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8"
},
{
"url": "https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30"
},
{
"url": "https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e"
},
{
"url": "https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe"
},
{
"url": "https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92"
},
{
"url": "https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647"
}
],
"title": "media: dvb-net: fix OOB access in ULE extension header tables",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31405",
"datePublished": "2026-04-06T07:33:00.544Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:04.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43066 (GCVE-0-2026-43066)
Vulnerability from cvelistv5 – Published: 2026-05-05 15:23 – Updated: 2026-05-11 22:17
VLAI?
EPSS
Title
ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
During code review, Joseph found that ext4_fc_replay_inode() calls
ext4_get_fc_inode_loc() to get the inode location, which holds a
reference to iloc.bh that must be released via brelse().
However, several error paths jump to the 'out' label without
releasing iloc.bh:
- ext4_handle_dirty_metadata() failure
- sync_dirty_buffer() failure
- ext4_mark_inode_used() failure
- ext4_iget() failure
Fix this by introducing an 'out_brelse' label placed just before
the existing 'out' label to ensure iloc.bh is always released.
Additionally, make ext4_fc_replay_inode() propagate errors
properly instead of always returning 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < 0892f12cd49fde5d5db68137923db107f894f3a3
(git)
Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < 5a63033696e60b5d70816f1d119645ac5b0b0a03 (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < 9c90449a9ac2cd1ba540ad2561b8b70c1bfb0a25 (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < ca99cbcc316cdfd2040cc2b13d1426ccb3b3b50b (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < 19782b4c793b49a6aa4abbb307ddff3610009d21 (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < f7817ad399d604e8639005d87d148b5ec626ad26 (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < c426231e3d51916e83b6d1ab7ed8a65e83bca5b4 (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < ec0a7500d8eace5b4f305fa0c594dd148f0e8d29 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0892f12cd49fde5d5db68137923db107f894f3a3",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "5a63033696e60b5d70816f1d119645ac5b0b0a03",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "9c90449a9ac2cd1ba540ad2561b8b70c1bfb0a25",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "ca99cbcc316cdfd2040cc2b13d1426ccb3b3b50b",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "19782b4c793b49a6aa4abbb307ddff3610009d21",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "f7817ad399d604e8639005d87d148b5ec626ad26",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "c426231e3d51916e83b6d1ab7ed8a65e83bca5b4",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "ec0a7500d8eace5b4f305fa0c594dd148f0e8d29",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix iloc.bh leak in ext4_fc_replay_inode() error paths\n\nDuring code review, Joseph found that ext4_fc_replay_inode() calls\next4_get_fc_inode_loc() to get the inode location, which holds a\nreference to iloc.bh that must be released via brelse().\n\nHowever, several error paths jump to the \u0027out\u0027 label without\nreleasing iloc.bh:\n\n - ext4_handle_dirty_metadata() failure\n - sync_dirty_buffer() failure\n - ext4_mark_inode_used() failure\n - ext4_iget() failure\n\nFix this by introducing an \u0027out_brelse\u0027 label placed just before\nthe existing \u0027out\u0027 label to ensure iloc.bh is always released.\n\nAdditionally, make ext4_fc_replay_inode() propagate errors\nproperly instead of always returning 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:17:03.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0892f12cd49fde5d5db68137923db107f894f3a3"
},
{
"url": "https://git.kernel.org/stable/c/5a63033696e60b5d70816f1d119645ac5b0b0a03"
},
{
"url": "https://git.kernel.org/stable/c/9c90449a9ac2cd1ba540ad2561b8b70c1bfb0a25"
},
{
"url": "https://git.kernel.org/stable/c/ca99cbcc316cdfd2040cc2b13d1426ccb3b3b50b"
},
{
"url": "https://git.kernel.org/stable/c/19782b4c793b49a6aa4abbb307ddff3610009d21"
},
{
"url": "https://git.kernel.org/stable/c/f7817ad399d604e8639005d87d148b5ec626ad26"
},
{
"url": "https://git.kernel.org/stable/c/c426231e3d51916e83b6d1ab7ed8a65e83bca5b4"
},
{
"url": "https://git.kernel.org/stable/c/ec0a7500d8eace5b4f305fa0c594dd148f0e8d29"
}
],
"title": "ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43066",
"datePublished": "2026-05-05T15:23:25.984Z",
"dateReserved": "2026-05-01T14:12:55.981Z",
"dateUpdated": "2026-05-11T22:17:03.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46150 (GCVE-0-2026-46150)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-14 17:58
VLAI?
EPSS
Title
fanotify: fix false positive on permission events
Summary
In the Linux kernel, the following vulnerability has been resolved:
fanotify: fix false positive on permission events
fsnotify_get_mark_safe() may return false for a mark on an unrelated group,
which results in bypassing the permission check.
Fix by skipping over detached marks that are not in the current group.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
abc77577a669f424c5d0c185b9994f2621c52aa4 , < a24765332e129c1916d5a6615418b75599b8fcdc
(git)
Affected: abc77577a669f424c5d0c185b9994f2621c52aa4 , < 4a7611ad653785fcdea5ff5f4441e2b7d05b7f11 (git) Affected: abc77577a669f424c5d0c185b9994f2621c52aa4 , < 04bb66be92f48ed13c3faf1139d892df228789bc (git) Affected: abc77577a669f424c5d0c185b9994f2621c52aa4 , < 895ebbedf88318607c24acc0f591c74b165e1d0a (git) Affected: abc77577a669f424c5d0c185b9994f2621c52aa4 , < f130790f1acc8399f32652846c875a251efd040f (git) Affected: abc77577a669f424c5d0c185b9994f2621c52aa4 , < 7baa02b0ae9d17ec5f08836d8ea88ce1927d0678 (git) Affected: abc77577a669f424c5d0c185b9994f2621c52aa4 , < b7b24b28c8cd55844cab908f4f39dded638d5538 (git) Affected: abc77577a669f424c5d0c185b9994f2621c52aa4 , < 7746e3bd4cc19b5092e00d32d676e329bfcb6900 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c",
"fs/notify/mark.c",
"include/linux/fsnotify_backend.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a24765332e129c1916d5a6615418b75599b8fcdc",
"status": "affected",
"version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
"versionType": "git"
},
{
"lessThan": "4a7611ad653785fcdea5ff5f4441e2b7d05b7f11",
"status": "affected",
"version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
"versionType": "git"
},
{
"lessThan": "04bb66be92f48ed13c3faf1139d892df228789bc",
"status": "affected",
"version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
"versionType": "git"
},
{
"lessThan": "895ebbedf88318607c24acc0f591c74b165e1d0a",
"status": "affected",
"version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
"versionType": "git"
},
{
"lessThan": "f130790f1acc8399f32652846c875a251efd040f",
"status": "affected",
"version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
"versionType": "git"
},
{
"lessThan": "7baa02b0ae9d17ec5f08836d8ea88ce1927d0678",
"status": "affected",
"version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
"versionType": "git"
},
{
"lessThan": "b7b24b28c8cd55844cab908f4f39dded638d5538",
"status": "affected",
"version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
"versionType": "git"
},
{
"lessThan": "7746e3bd4cc19b5092e00d32d676e329bfcb6900",
"status": "affected",
"version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c",
"fs/notify/mark.c",
"include/linux/fsnotify_backend.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfanotify: fix false positive on permission events\n\nfsnotify_get_mark_safe() may return false for a mark on an unrelated group,\nwhich results in bypassing the permission check.\n\nFix by skipping over detached marks that are not in the current group."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:58:15.548Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a24765332e129c1916d5a6615418b75599b8fcdc"
},
{
"url": "https://git.kernel.org/stable/c/4a7611ad653785fcdea5ff5f4441e2b7d05b7f11"
},
{
"url": "https://git.kernel.org/stable/c/04bb66be92f48ed13c3faf1139d892df228789bc"
},
{
"url": "https://git.kernel.org/stable/c/895ebbedf88318607c24acc0f591c74b165e1d0a"
},
{
"url": "https://git.kernel.org/stable/c/f130790f1acc8399f32652846c875a251efd040f"
},
{
"url": "https://git.kernel.org/stable/c/7baa02b0ae9d17ec5f08836d8ea88ce1927d0678"
},
{
"url": "https://git.kernel.org/stable/c/b7b24b28c8cd55844cab908f4f39dded638d5538"
},
{
"url": "https://git.kernel.org/stable/c/7746e3bd4cc19b5092e00d32d676e329bfcb6900"
}
],
"title": "fanotify: fix false positive on permission events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46150",
"datePublished": "2026-05-28T09:36:06.494Z",
"dateReserved": "2026-05-13T15:03:33.101Z",
"dateUpdated": "2026-06-14T17:58:15.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31396 (GCVE-0-2026-31396)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-05-11 22:07
VLAI?
EPSS
Title
net: macb: fix use-after-free access to PTP clock
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix use-after-free access to PTP clock
PTP clock is registered on every opening of the interface and destroyed on
every closing. However it may be accessed via get_ts_info ethtool call
which is possible while the interface is just present in the kernel.
BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426
Read of size 4 at addr ffff8880194345cc by task syz.0.6/948
CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x17f/0x496 mm/kasan/report.c:420
kasan_report+0xd9/0x180 mm/kasan/report.c:524
ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426
gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349
macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371
__ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558
ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]
__dev_ethtool net/ethtool/ioctl.c:3017 [inline]
dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095
dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
sock_ioctl+0x577/0x6d0 net/socket.c:1320
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
</TASK>
Allocated by task 457:
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:699 [inline]
ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235
gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375
macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920
__dev_open+0x2ce/0x500 net/core/dev.c:1501
__dev_change_flags+0x56a/0x740 net/core/dev.c:8651
dev_change_flags+0x92/0x170 net/core/dev.c:8722
do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833
__rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608
rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655
rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150
netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x14b/0x180 net/socket.c:730
__sys_sendto+0x320/0x3b0 net/socket.c:2152
__do_sys_sendto net/socket.c:2164 [inline]
__se_sys_sendto net/socket.c:2160 [inline]
__x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 938:
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1729 [inline]
slab_free_freelist_hook mm/slub.c:1755 [inline]
slab_free mm/slub.c:3687 [inline]
__kmem_cache_free+0xbc/0x320 mm/slub.c:3700
device_release+0xa0/0x240 drivers/base/core.c:2507
kobject_cleanup lib/kobject.c:681 [inline]
kobject_release lib/kobject.c:712 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1cd/0x350 lib/kobject.c:729
put_device+0x1b/0x30 drivers/base/core.c:3805
ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391
gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404
macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966
__dev_close_many+0x1b9/0x310 net/core/dev.c:1585
__dev_close net/core/dev.c:1597 [inline]
__dev_change_flags+0x2bb/0x740 net/core/dev.c:8649
dev_change_fl
---truncated---
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c2594d804d5c8033861d44840673d852d98508c1 , < 8820ffe0975fd2efbe50453e9179c8e1c33a13d3
(git)
Affected: c2594d804d5c8033861d44840673d852d98508c1 , < 6b757f345eeea87ed5d8afd6de35b927a1a57a2f (git) Affected: c2594d804d5c8033861d44840673d852d98508c1 , < 341d01087f821aa0f165fb1ffc8bfe4e50776da7 (git) Affected: c2594d804d5c8033861d44840673d852d98508c1 , < 5653af416a48f6c18f9626ae9df96f814f45ff34 (git) Affected: c2594d804d5c8033861d44840673d852d98508c1 , < 0bb848d8c64938024e45780f8032f1f67d3a3607 (git) Affected: c2594d804d5c8033861d44840673d852d98508c1 , < 1f4714065b2bcbb0a4013fd355b84b848e6cc345 (git) Affected: c2594d804d5c8033861d44840673d852d98508c1 , < eb652535e9ec795ef5c1078f7578eaaed755268b (git) Affected: c2594d804d5c8033861d44840673d852d98508c1 , < 8da13e6d63c1a97f7302d342c89c4a56a55c7015 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8820ffe0975fd2efbe50453e9179c8e1c33a13d3",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "6b757f345eeea87ed5d8afd6de35b927a1a57a2f",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "341d01087f821aa0f165fb1ffc8bfe4e50776da7",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "5653af416a48f6c18f9626ae9df96f814f45ff34",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "0bb848d8c64938024e45780f8032f1f67d3a3607",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "1f4714065b2bcbb0a4013fd355b84b848e6cc345",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "eb652535e9ec795ef5c1078f7578eaaed755268b",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "8da13e6d63c1a97f7302d342c89c4a56a55c7015",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix use-after-free access to PTP clock\n\nPTP clock is registered on every opening of the interface and destroyed on\nevery closing. However it may be accessed via get_ts_info ethtool call\nwhich is possible while the interface is just present in the kernel.\n\nBUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\nRead of size 4 at addr ffff8880194345cc by task syz.0.6/948\n\nCPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:316 [inline]\n print_report+0x17f/0x496 mm/kasan/report.c:420\n kasan_report+0xd9/0x180 mm/kasan/report.c:524\n ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\n gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349\n macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371\n __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558\n ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]\n __dev_ethtool net/ethtool/ioctl.c:3017 [inline]\n dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095\n dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510\n sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215\n sock_ioctl+0x577/0x6d0 net/socket.c:1320\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n \u003c/TASK\u003e\n\nAllocated by task 457:\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:699 [inline]\n ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235\n gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375\n macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920\n __dev_open+0x2ce/0x500 net/core/dev.c:1501\n __dev_change_flags+0x56a/0x740 net/core/dev.c:8651\n dev_change_flags+0x92/0x170 net/core/dev.c:8722\n do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833\n __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608\n rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655\n rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150\n netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0x14b/0x180 net/socket.c:730\n __sys_sendto+0x320/0x3b0 net/socket.c:2152\n __do_sys_sendto net/socket.c:2164 [inline]\n __se_sys_sendto net/socket.c:2160 [inline]\n __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 938:\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1729 [inline]\n slab_free_freelist_hook mm/slub.c:1755 [inline]\n slab_free mm/slub.c:3687 [inline]\n __kmem_cache_free+0xbc/0x320 mm/slub.c:3700\n device_release+0xa0/0x240 drivers/base/core.c:2507\n kobject_cleanup lib/kobject.c:681 [inline]\n kobject_release lib/kobject.c:712 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1cd/0x350 lib/kobject.c:729\n put_device+0x1b/0x30 drivers/base/core.c:3805\n ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391\n gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404\n macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966\n __dev_close_many+0x1b9/0x310 net/core/dev.c:1585\n __dev_close net/core/dev.c:1597 [inline]\n __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649\n dev_change_fl\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:53.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8820ffe0975fd2efbe50453e9179c8e1c33a13d3"
},
{
"url": "https://git.kernel.org/stable/c/6b757f345eeea87ed5d8afd6de35b927a1a57a2f"
},
{
"url": "https://git.kernel.org/stable/c/341d01087f821aa0f165fb1ffc8bfe4e50776da7"
},
{
"url": "https://git.kernel.org/stable/c/5653af416a48f6c18f9626ae9df96f814f45ff34"
},
{
"url": "https://git.kernel.org/stable/c/0bb848d8c64938024e45780f8032f1f67d3a3607"
},
{
"url": "https://git.kernel.org/stable/c/1f4714065b2bcbb0a4013fd355b84b848e6cc345"
},
{
"url": "https://git.kernel.org/stable/c/eb652535e9ec795ef5c1078f7578eaaed755268b"
},
{
"url": "https://git.kernel.org/stable/c/8da13e6d63c1a97f7302d342c89c4a56a55c7015"
}
],
"title": "net: macb: fix use-after-free access to PTP clock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31396",
"datePublished": "2026-04-03T15:16:00.579Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-05-11T22:07:53.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45842 (GCVE-0-2026-45842)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI?
EPSS
Title
slip: reject VJ receive packets on instances with no rstate array
Summary
In the Linux kernel, the following vulnerability has been resolved:
slip: reject VJ receive packets on instances with no rstate array
slhc_init() accepts rslots == 0 as a valid configuration, with the
documented meaning of 'no receive compression'. In that case the
allocation loop in slhc_init() is skipped, so comp->rstate stays
NULL and comp->rslot_limit stays 0 (from the kzalloc of struct
slcompress).
The receive helpers do not defend against that configuration.
slhc_uncompress() dereferences comp->rstate[x] when the VJ header
carries an explicit connection ID, and slhc_remember() later assigns
cs = &comp->rstate[...] after only comparing the packet's slot number
to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the
range check, and the code dereferences a NULL rstate.
The configuration is reachable in-tree through PPP. PPPIOCSMAXCID
stores its argument in a signed int, and (val >> 16) uses arithmetic
shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1
is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because
/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path
is reachable from an unprivileged user namespace. Once the malformed
VJ state is installed, any inbound VJ-compressed or VJ-uncompressed
frame that selects slot 0 crashes the kernel in softirq context:
Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)
Call Trace:
<TASK>
ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)
ppp_input (drivers/net/ppp/ppp_generic.c:2359)
ppp_async_process (drivers/net/ppp/ppp_async.c:492)
tasklet_action_common (kernel/softirq.c:926)
handle_softirqs (kernel/softirq.c:623)
run_ksoftirqd (kernel/softirq.c:1055)
smpboot_thread_fn (kernel/smpboot.c:160)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:164)
</TASK>
Reject the receive side on such instances instead of touching rstate.
slhc_uncompress() falls through to its existing 'bad' label, which
bumps sls_i_error and enters the toss state. slhc_remember() mirrors
that with an explicit sls_i_error increment followed by slhc_toss();
the sls_i_runt counter is not used here because a missing rstate is
an internal configuration state, not a runt packet.
The transmit path is unaffected: the only in-tree caller that picks
rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and
slip.c always calls slhc_init(16, 16), so comp->tstate remains valid
and slhc_compress() continues to work.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 3d71c961febddd855d3ae9a519eeb96c8023f430
(git)
Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 72304fec672e8aac9ee7b9c475db96b37cca8d8d (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 4aa9eca6fda2919027dfd7a7cc69334982d89586 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < c6980e8b1a86288167f34966fa5219031999b6f1 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < de42f86e2cf5028a97e74c25869d1a962b13c301 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 9e1ff0eead073c4f46d874ad2526b7dda5465faf (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 7b0d9e878ec2b21d99ae8051b3dda59cdb66c152 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < e76607442d5b73e1ba6768f501ef815bb58c2c0e (git) Affected: 42fc512469e78939c1e419d3310c47de55bdcbb8 (git) Affected: df085f1cb3acd3d75408ff94f366983873bce7d2 (git) Affected: a1c3860d3c5fc62bd35f089bcb03f18a37242de9 (git) Affected: f82699de104eaf8a7ffc2849a566a94818dd8a3c (git) Affected: 354b254af5c1350de9586af75fe5a821b35bfb33 (git) Affected: 5148857f5d4c812cc918cf4627f7880521e987eb (git) Affected: 82185755d90c8047c6f4b589c39998ff3d4ca3ad (git) Affected: a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d (git) Affected: 6b4fa561e26526c62636414d267342c945084f44 (git) Affected: 2.6.32.70 , < 2.6.33 (semver) Affected: 3.2.75 , < 3.3 (semver) Affected: 3.4.111 , < 3.5 (semver) Affected: 3.10.96 , < 3.11 (semver) Affected: 3.12.53 , < 3.13 (semver) Affected: 3.14.60 , < 3.15 (semver) Affected: 3.18.27 , < 3.19 (semver) Affected: 4.1.17 , < 4.2 (semver) Affected: 4.3.5 , < 4.4 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d71c961febddd855d3ae9a519eeb96c8023f430",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "72304fec672e8aac9ee7b9c475db96b37cca8d8d",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "4aa9eca6fda2919027dfd7a7cc69334982d89586",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "c6980e8b1a86288167f34966fa5219031999b6f1",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "de42f86e2cf5028a97e74c25869d1a962b13c301",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "9e1ff0eead073c4f46d874ad2526b7dda5465faf",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "7b0d9e878ec2b21d99ae8051b3dda59cdb66c152",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "e76607442d5b73e1ba6768f501ef815bb58c2c0e",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"status": "affected",
"version": "42fc512469e78939c1e419d3310c47de55bdcbb8",
"versionType": "git"
},
{
"status": "affected",
"version": "df085f1cb3acd3d75408ff94f366983873bce7d2",
"versionType": "git"
},
{
"status": "affected",
"version": "a1c3860d3c5fc62bd35f089bcb03f18a37242de9",
"versionType": "git"
},
{
"status": "affected",
"version": "f82699de104eaf8a7ffc2849a566a94818dd8a3c",
"versionType": "git"
},
{
"status": "affected",
"version": "354b254af5c1350de9586af75fe5a821b35bfb33",
"versionType": "git"
},
{
"status": "affected",
"version": "5148857f5d4c812cc918cf4627f7880521e987eb",
"versionType": "git"
},
{
"status": "affected",
"version": "82185755d90c8047c6f4b589c39998ff3d4ca3ad",
"versionType": "git"
},
{
"status": "affected",
"version": "a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d",
"versionType": "git"
},
{
"status": "affected",
"version": "6b4fa561e26526c62636414d267342c945084f44",
"versionType": "git"
},
{
"lessThan": "2.6.33",
"status": "affected",
"version": "2.6.32.70",
"versionType": "semver"
},
{
"lessThan": "3.3",
"status": "affected",
"version": "3.2.75",
"versionType": "semver"
},
{
"lessThan": "3.5",
"status": "affected",
"version": "3.4.111",
"versionType": "semver"
},
{
"lessThan": "3.11",
"status": "affected",
"version": "3.10.96",
"versionType": "semver"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.53",
"versionType": "semver"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.60",
"versionType": "semver"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.27",
"versionType": "semver"
},
{
"lessThan": "4.2",
"status": "affected",
"version": "4.1.17",
"versionType": "semver"
},
{
"lessThan": "4.4",
"status": "affected",
"version": "4.3.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of \u0027no receive compression\u0027. In that case the\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n \u003cTASK\u003e\n ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n tasklet_action_common (kernel/softirq.c:926)\n handle_softirqs (kernel/softirq.c:623)\n run_ksoftirqd (kernel/softirq.c:1055)\n smpboot_thread_fn (kernel/smpboot.c:160)\n kthread (kernel/kthread.c:436)\n ret_from_fork (arch/x86/kernel/process.c:164)\n \u003c/TASK\u003e\n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\nand slhc_compress() continues to work."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:17.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d71c961febddd855d3ae9a519eeb96c8023f430"
},
{
"url": "https://git.kernel.org/stable/c/72304fec672e8aac9ee7b9c475db96b37cca8d8d"
},
{
"url": "https://git.kernel.org/stable/c/4aa9eca6fda2919027dfd7a7cc69334982d89586"
},
{
"url": "https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1"
},
{
"url": "https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301"
},
{
"url": "https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf"
},
{
"url": "https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152"
},
{
"url": "https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e"
}
],
"title": "slip: reject VJ receive packets on instances with no rstate array",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45842",
"datePublished": "2026-05-27T09:24:42.637Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:17.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31698 (GCVE-0-2026-31698)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:55 – Updated: 2026-06-14 17:43
VLAI?
EPSS
Title
crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
When retrieving the PDH cert, don't attempt to copy the blobs to userspace
if the firmware command failed. If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033
CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347
sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firwmware error.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < af67d35da744b6b678c7a0296d9c679658779829
(git)
Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < 854d7846e1d29f32f1bbeb2e869e794df12067f6 (git) Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < 25d9b3446001185484209cf57951f3368462b631 (git) Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < b5c14bd4da1f376f385722fe1da993f1edab6472 (git) Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < 78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf (git) Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < 051e51aa55fd4cdc3e8283cf4476aeeb5f563274 (git) Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < 50808c13452dae43a2c90b1bbbf9daa16501ce70 (git) Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < e76239fed3cffd6d304d8ca3ce23984fd24f57d3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af67d35da744b6b678c7a0296d9c679658779829",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "854d7846e1d29f32f1bbeb2e869e794df12067f6",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "25d9b3446001185484209cf57951f3368462b631",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "b5c14bd4da1f376f385722fe1da993f1edab6472",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "051e51aa55fd4cdc3e8283cf4476aeeb5f563274",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "50808c13452dae43a2c90b1bbbf9daa16501ce70",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "e76239fed3cffd6d304d8ca3ce23984fd24f57d3",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don\u0027t attempt to copy PDH cert to userspace if PSP command failed\n\nWhen retrieving the PDH cert, don\u0027t attempt to copy the blobs to userspace\nif the firmware command failed. If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033\n\n CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347\n sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:43:32.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af67d35da744b6b678c7a0296d9c679658779829"
},
{
"url": "https://git.kernel.org/stable/c/854d7846e1d29f32f1bbeb2e869e794df12067f6"
},
{
"url": "https://git.kernel.org/stable/c/25d9b3446001185484209cf57951f3368462b631"
},
{
"url": "https://git.kernel.org/stable/c/b5c14bd4da1f376f385722fe1da993f1edab6472"
},
{
"url": "https://git.kernel.org/stable/c/78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf"
},
{
"url": "https://git.kernel.org/stable/c/051e51aa55fd4cdc3e8283cf4476aeeb5f563274"
},
{
"url": "https://git.kernel.org/stable/c/50808c13452dae43a2c90b1bbbf9daa16501ce70"
},
{
"url": "https://git.kernel.org/stable/c/e76239fed3cffd6d304d8ca3ce23984fd24f57d3"
}
],
"title": "crypto: ccp: Don\u0027t attempt to copy PDH cert to userspace if PSP command failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31698",
"datePublished": "2026-05-01T13:55:58.854Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-06-14T17:43:32.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31774 (GCVE-0-2026-31774)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:15
VLAI?
EPSS
Title
io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
sqe->len is __u32 but gets stored into sr->len which is int. When
userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF),
sr->len overflows to a negative value. This negative value propagates
through the bundle recv/send path:
1. io_recv(): sel.val = sr->len (ssize_t gets -1)
2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets
0xFFFFFFFFFFFFFFFF)
3. io_ring_buffers_peek(): buf->len is not clamped because max_len
is astronomically large
4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()
5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,
causing ret to increase instead of decrease, creating an
infinite loop that reads past the allocated iov[] array
This results in a slab-out-of-bounds read in io_bundle_nbufs() from
the kmalloc-64 slab, as nbufs increments past the allocated iovec
entries.
BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160
Read of size 8 at addr ffff888100ae05c8 by task exp/145
Call Trace:
io_bundle_nbufs+0x128/0x160
io_recv_finish+0x117/0xe20
io_recv+0x2db/0x1160
Fix this by rejecting negative sr->len values early in both
io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32,
any value > INT_MAX indicates overflow and is not a valid length.
Severity ?
7.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a05d1f625c7aa681d8816bc0f10089289ad07aad , < 90ced24c500ad4e129e9e34b7e56fd7849e350b6
(git)
Affected: a05d1f625c7aa681d8816bc0f10089289ad07aad , < c314b405dcc4d8b9041124f928f81715d6328bec (git) Affected: a05d1f625c7aa681d8816bc0f10089289ad07aad , < 1b655cd311344117d3052f6552cb20d9901c9d7c (git) Affected: a05d1f625c7aa681d8816bc0f10089289ad07aad , < b948f9d5d3057b01188e36664e7c7604d1c8ecb5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90ced24c500ad4e129e9e34b7e56fd7849e350b6",
"status": "affected",
"version": "a05d1f625c7aa681d8816bc0f10089289ad07aad",
"versionType": "git"
},
{
"lessThan": "c314b405dcc4d8b9041124f928f81715d6328bec",
"status": "affected",
"version": "a05d1f625c7aa681d8816bc0f10089289ad07aad",
"versionType": "git"
},
{
"lessThan": "1b655cd311344117d3052f6552cb20d9901c9d7c",
"status": "affected",
"version": "a05d1f625c7aa681d8816bc0f10089289ad07aad",
"versionType": "git"
},
{
"lessThan": "b948f9d5d3057b01188e36664e7c7604d1c8ecb5",
"status": "affected",
"version": "a05d1f625c7aa681d8816bc0f10089289ad07aad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()\n\nsqe-\u003elen is __u32 but gets stored into sr-\u003elen which is int. When\nuserspace passes sqe-\u003elen values exceeding INT_MAX (e.g. 0xFFFFFFFF),\nsr-\u003elen overflows to a negative value. This negative value propagates\nthrough the bundle recv/send path:\n\n 1. io_recv(): sel.val = sr-\u003elen (ssize_t gets -1)\n 2. io_recv_buf_select(): arg.max_len = sel-\u003eval (size_t gets\n 0xFFFFFFFFFFFFFFFF)\n 3. io_ring_buffers_peek(): buf-\u003elen is not clamped because max_len\n is astronomically large\n 4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()\n 5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,\n causing ret to increase instead of decrease, creating an\n infinite loop that reads past the allocated iov[] array\n\nThis results in a slab-out-of-bounds read in io_bundle_nbufs() from\nthe kmalloc-64 slab, as nbufs increments past the allocated iovec\nentries.\n\n BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160\n Read of size 8 at addr ffff888100ae05c8 by task exp/145\n Call Trace:\n io_bundle_nbufs+0x128/0x160\n io_recv_finish+0x117/0xe20\n io_recv+0x2db/0x1160\n\nFix this by rejecting negative sr-\u003elen values early in both\nio_sendmsg_prep() and io_recvmsg_prep(). Since sqe-\u003elen is __u32,\nany value \u003e INT_MAX indicates overflow and is not a valid length."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:15:33.122Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90ced24c500ad4e129e9e34b7e56fd7849e350b6"
},
{
"url": "https://git.kernel.org/stable/c/c314b405dcc4d8b9041124f928f81715d6328bec"
},
{
"url": "https://git.kernel.org/stable/c/1b655cd311344117d3052f6552cb20d9901c9d7c"
},
{
"url": "https://git.kernel.org/stable/c/b948f9d5d3057b01188e36664e7c7604d1c8ecb5"
}
],
"title": "io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31774",
"datePublished": "2026-05-01T14:15:02.903Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-11T22:15:33.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46157 (GCVE-0-2026-46157)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-14 17:58
VLAI?
EPSS
Title
ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
Currently the runtime.oss.trigger field may be accessed concurrently
without protection, which may lead to the data race. And, in this
case, it may lead to more severe problem because it's a bit field; as
writing the data, it may overwrite other bit fields as well, which
confuses the operation completely, as spotted by fuzzing.
Fix it by covering runtime.oss.trigger bit fled also with the existing
params_lock mutex in both snd_pcm_oss_get_trigger() and
snd_pcm_oss_poll().
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 49f9d048845be874df7997e4b1ce662de450c4b6
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ac3e9b55b7da6f0be51720bd330a0edc1a8b61f1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6b01c1bc9a4748ab37548a700a8aaff910e298e6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 901ac0ff15edf9503162e2cf6579bd11a30f1ed4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/oss/pcm_oss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49f9d048845be874df7997e4b1ce662de450c4b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ac3e9b55b7da6f0be51720bd330a0edc1a8b61f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6b01c1bc9a4748ab37548a700a8aaff910e298e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "901ac0ff15edf9503162e2cf6579bd11a30f1ed4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/oss/pcm_oss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger\n\nCurrently the runtime.oss.trigger field may be accessed concurrently\nwithout protection, which may lead to the data race. And, in this\ncase, it may lead to more severe problem because it\u0027s a bit field; as\nwriting the data, it may overwrite other bit fields as well, which\nconfuses the operation completely, as spotted by fuzzing.\n\nFix it by covering runtime.oss.trigger bit fled also with the existing\nparams_lock mutex in both snd_pcm_oss_get_trigger() and\nsnd_pcm_oss_poll()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:58:48.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49f9d048845be874df7997e4b1ce662de450c4b6"
},
{
"url": "https://git.kernel.org/stable/c/ac3e9b55b7da6f0be51720bd330a0edc1a8b61f1"
},
{
"url": "https://git.kernel.org/stable/c/6b01c1bc9a4748ab37548a700a8aaff910e298e6"
},
{
"url": "https://git.kernel.org/stable/c/901ac0ff15edf9503162e2cf6579bd11a30f1ed4"
}
],
"title": "ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46157",
"datePublished": "2026-05-28T09:36:12.895Z",
"dateReserved": "2026-05-13T15:03:33.102Z",
"dateUpdated": "2026-06-14T17:58:48.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31703 (GCVE-0-2026-31703)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-06-30 12:07
VLAI?
EPSS
Title
writeback: Fix use after free in inode_switch_wbs_work_fn()
Summary
In the Linux kernel, the following vulnerability has been resolved:
writeback: Fix use after free in inode_switch_wbs_work_fn()
inode_switch_wbs_work_fn() has a loop like:
wb_get(new_wb);
while (1) {
list = llist_del_all(&new_wb->switch_wbs_ctxs);
/* Nothing to do? */
if (!list)
break;
... process the items ...
}
Now adding of items to the list looks like:
wb_queue_isw()
if (llist_add(&isw->list, &wb->switch_wbs_ctxs))
queue_work(isw_wq, &wb->switch_work);
Because inode_switch_wbs_work_fn() loops when processing isw items, it
can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is
empty. This is a problem because in that case wb can get freed (no isw
items -> no wb reference) while the work is still pending causing
use-after-free issues.
We cannot just fix this by cancelling work when freeing wb because that
could still trigger problematic 0 -> 1 transitions on wb refcount due to
wb_get() in inode_switch_wbs_work_fn(). It could be all handled with
more careful code but that seems unnecessarily complex so let's avoid
that until it is proven that the looping actually brings practical
benefit. Just remove the loop from inode_switch_wbs_work_fn() instead.
That way when wb_queue_isw() queues work, we are guaranteed we have
added the first item to wb->switch_wbs_ctxs and nobody is going to
remove it (and drop the wb reference it holds) until the queued work
runs.
Severity ?
7.8 (High)
CWE
- CWE-825 - Expired Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fabfc1fcddc5d8185722d4fde5f0968c4760b71e , < 156cc63691c1f20905510b1007896e090355e6c2
(git)
Affected: e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b , < 028103656b84273c73e9e271cf95c9f3421f4b8a (git) Affected: e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b , < 9223e5f30403a9b506d6d0bff4f2e29a2d7d46af (git) Affected: e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b , < 6689f01d6740cf358932b3e97ee968c6099800d9 (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel. A use-after-free vulnerability exists in the `inode_switch_wbs_work_fn()` function, part of the kernel\u0027s writeback subsystem. This issue arises when a work item remains active after its associated memory object (`wb`) has been released, leading to system instability. An attacker could potentially exploit this vulnerability to cause a denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:48.790Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-31703"
},
{
"name": "RHBZ#2464385",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464385"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31703.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: writeback: Fix use after free in inode_switch_wbs_work_fn()",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fs-writeback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "156cc63691c1f20905510b1007896e090355e6c2",
"status": "affected",
"version": "fabfc1fcddc5d8185722d4fde5f0968c4760b71e",
"versionType": "git"
},
{
"lessThan": "028103656b84273c73e9e271cf95c9f3421f4b8a",
"status": "affected",
"version": "e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b",
"versionType": "git"
},
{
"lessThan": "9223e5f30403a9b506d6d0bff4f2e29a2d7d46af",
"status": "affected",
"version": "e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b",
"versionType": "git"
},
{
"lessThan": "6689f01d6740cf358932b3e97ee968c6099800d9",
"status": "affected",
"version": "e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fs-writeback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: Fix use after free in inode_switch_wbs_work_fn()\n\ninode_switch_wbs_work_fn() has a loop like:\n\n wb_get(new_wb);\n while (1) {\n list = llist_del_all(\u0026new_wb-\u003eswitch_wbs_ctxs);\n /* Nothing to do? */\n if (!list)\n break;\n ... process the items ...\n }\n\nNow adding of items to the list looks like:\n\nwb_queue_isw()\n if (llist_add(\u0026isw-\u003elist, \u0026wb-\u003eswitch_wbs_ctxs))\n queue_work(isw_wq, \u0026wb-\u003eswitch_work);\n\nBecause inode_switch_wbs_work_fn() loops when processing isw items, it\ncan happen that wb-\u003eswitch_work is pending while wb-\u003eswitch_wbs_ctxs is\nempty. This is a problem because in that case wb can get freed (no isw\nitems -\u003e no wb reference) while the work is still pending causing\nuse-after-free issues.\n\nWe cannot just fix this by cancelling work when freeing wb because that\ncould still trigger problematic 0 -\u003e 1 transitions on wb refcount due to\nwb_get() in inode_switch_wbs_work_fn(). It could be all handled with\nmore careful code but that seems unnecessarily complex so let\u0027s avoid\nthat until it is proven that the looping actually brings practical\nbenefit. Just remove the loop from inode_switch_wbs_work_fn() instead.\nThat way when wb_queue_isw() queues work, we are guaranteed we have\nadded the first item to wb-\u003eswitch_wbs_ctxs and nobody is going to\nremove it (and drop the wb reference it holds) until the queued work\nruns."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:53.371Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/156cc63691c1f20905510b1007896e090355e6c2"
},
{
"url": "https://git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a"
},
{
"url": "https://git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af"
},
{
"url": "https://git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9"
}
],
"title": "writeback: Fix use after free in inode_switch_wbs_work_fn()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31703",
"datePublished": "2026-05-01T13:56:02.415Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-06-30T12:07:48.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31591 (GCVE-0-2026-31591)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-06-14 17:42
VLAI?
EPSS
Title
KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish
Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as
allowing userspace to manipulate and/or run a vCPU while its state is being
synchronized would at best corrupt vCPU state, and at worst crash the host
kernel.
Opportunistically assert that vcpu->mutex is held when synchronizing its
VMSA (the SEV-ES path already locks vCPUs).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ad27ce155566f2b4400fa865859834592bd18777 , < 30fd9d8c82087742168db779929d8be0459b0716
(git)
Affected: ad27ce155566f2b4400fa865859834592bd18777 , < 4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5 (git) Affected: ad27ce155566f2b4400fa865859834592bd18777 , < c87938fc7d99a06a7e5477c45b4e5a4148f85d66 (git) Affected: ad27ce155566f2b4400fa865859834592bd18777 , < cb923ee6a80f4e604e6242a4702b59251e61a380 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30fd9d8c82087742168db779929d8be0459b0716",
"status": "affected",
"version": "ad27ce155566f2b4400fa865859834592bd18777",
"versionType": "git"
},
{
"lessThan": "4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5",
"status": "affected",
"version": "ad27ce155566f2b4400fa865859834592bd18777",
"versionType": "git"
},
{
"lessThan": "c87938fc7d99a06a7e5477c45b4e5a4148f85d66",
"status": "affected",
"version": "ad27ce155566f2b4400fa865859834592bd18777",
"versionType": "git"
},
{
"lessThan": "cb923ee6a80f4e604e6242a4702b59251e61a380",
"status": "affected",
"version": "ad27ce155566f2b4400fa865859834592bd18777",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish\n\nLock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as\nallowing userspace to manipulate and/or run a vCPU while its state is being\nsynchronized would at best corrupt vCPU state, and at worst crash the host\nkernel.\n\nOpportunistically assert that vcpu-\u003emutex is held when synchronizing its\nVMSA (the SEV-ES path already locks vCPUs)."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:42:31.923Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30fd9d8c82087742168db779929d8be0459b0716"
},
{
"url": "https://git.kernel.org/stable/c/4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5"
},
{
"url": "https://git.kernel.org/stable/c/c87938fc7d99a06a7e5477c45b4e5a4148f85d66"
},
{
"url": "https://git.kernel.org/stable/c/cb923ee6a80f4e604e6242a4702b59251e61a380"
}
],
"title": "KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31591",
"datePublished": "2026-04-24T14:42:18.276Z",
"dateReserved": "2026-03-09T15:48:24.120Z",
"dateUpdated": "2026-06-14T17:42:31.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46079 (GCVE-0-2026-46079)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:58 – Updated: 2026-06-14 17:52
VLAI?
EPSS
Title
rbd: fix null-ptr-deref when device_add_disk() fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
rbd: fix null-ptr-deref when device_add_disk() fails
do_rbd_add() publishes the device with device_add() before calling
device_add_disk(). If device_add_disk() fails after device_add()
succeeds, the error path calls rbd_free_disk() directly and then later
falls through to rbd_dev_device_release(), which calls rbd_free_disk()
again. This double teardown can leave blk-mq cleanup operating on
invalid state and trigger a null-ptr-deref in
__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().
Fix this by following the normal remove ordering: call device_del()
before rbd_dev_device_release() when device_add_disk() fails after
device_add(). That keeps the teardown sequence consistent and avoids
re-entering disk cleanup through the wrong path.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available.
We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64
guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer
confines failslab injections to the __add_disk() range and injects
fail-nth while mapping an RBD image through
/sys/bus/rbd/add_single_major.
On the unpatched kernel, fail-nth=4 reliably triggered the fault:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240
Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00
RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4
RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b
R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000
R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004
FS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0
PKRU: 55555554
Call Trace:
<TASK>
blk_mq_free_tag_set+0x77/0x460
do_rbd_add+0x1446/0x2b80
? __pfx_do_rbd_add+0x10/0x10
? lock_acquire+0x18c/0x300
? find_held_lock+0x2b/0x80
? sysfs_file_kobj+0xb6/0x1b0
? __pfx_sysfs_kf_write+0x10/0x10
kernfs_fop_write_iter+0x2f4/0x4a0
vfs_write+0x98e/0x1000
? expand_files+0x51f/0x850
? __pfx_vfs_write+0x10/0x10
ksys_write+0xf2/0x1d0
? __pfx_ksys_write+0x10/0x10
do_syscall_64+0x115/0x690
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0fbea15907
Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907
RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001
RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141
R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058
R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004
</TASK>
With this fix applied, rerunning the reproducer over fail-nth=1..256
yields no KASAN reports.
[ idryomov: rename err_out_device_del -> err_out_device ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
27c97abc30e2b9ad2288977c0ecbef4d50553f57 , < 78bd0c143dea4b7a4c23c13356987ca0eafb442e
(git)
Affected: 27c97abc30e2b9ad2288977c0ecbef4d50553f57 , < 2f4809a879f0750c7790bbeeae86c9505797a06f (git) Affected: 27c97abc30e2b9ad2288977c0ecbef4d50553f57 , < 564cd8f4aeb9a938e470c5c91922fd02e4d41acc (git) Affected: 27c97abc30e2b9ad2288977c0ecbef4d50553f57 , < ad0126ffcba8777109852979eaaa6dca6703abdb (git) Affected: 27c97abc30e2b9ad2288977c0ecbef4d50553f57 , < 059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e (git) Affected: 27c97abc30e2b9ad2288977c0ecbef4d50553f57 , < d1fef92e414433ca7b89abf85cb0df42b8d475eb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/rbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78bd0c143dea4b7a4c23c13356987ca0eafb442e",
"status": "affected",
"version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
"versionType": "git"
},
{
"lessThan": "2f4809a879f0750c7790bbeeae86c9505797a06f",
"status": "affected",
"version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
"versionType": "git"
},
{
"lessThan": "564cd8f4aeb9a938e470c5c91922fd02e4d41acc",
"status": "affected",
"version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
"versionType": "git"
},
{
"lessThan": "ad0126ffcba8777109852979eaaa6dca6703abdb",
"status": "affected",
"version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
"versionType": "git"
},
{
"lessThan": "059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e",
"status": "affected",
"version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
"versionType": "git"
},
{
"lessThan": "d1fef92e414433ca7b89abf85cb0df42b8d475eb",
"status": "affected",
"version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/rbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrbd: fix null-ptr-deref when device_add_disk() fails\n\ndo_rbd_add() publishes the device with device_add() before calling\ndevice_add_disk(). If device_add_disk() fails after device_add()\nsucceeds, the error path calls rbd_free_disk() directly and then later\nfalls through to rbd_dev_device_release(), which calls rbd_free_disk()\nagain. This double teardown can leave blk-mq cleanup operating on\ninvalid state and trigger a null-ptr-deref in\n__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().\n\nFix this by following the normal remove ordering: call device_del()\nbefore rbd_dev_device_release() when device_add_disk() fails after\ndevice_add(). That keeps the teardown sequence consistent and avoids\nre-entering disk cleanup through the wrong path.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable.\n\nWe reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64\nguest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer\nconfines failslab injections to the __add_disk() range and injects\nfail-nth while mapping an RBD image through\n/sys/bus/rbd/add_single_major.\n\nOn the unpatched kernel, fail-nth=4 reliably triggered the fault:\n\n\tOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n\tKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\tCPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tRIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240\n\tCode: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 \u003c80\u003e 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00\n\tRSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246\n\tRAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000\n\tRDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4\n\tRBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b\n\tR10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000\n\tR13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004\n\tFS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000\n\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0\n\tPKRU: 55555554\n\tCall Trace:\n\t \u003cTASK\u003e\n\t blk_mq_free_tag_set+0x77/0x460\n\t do_rbd_add+0x1446/0x2b80\n\t ? __pfx_do_rbd_add+0x10/0x10\n\t ? lock_acquire+0x18c/0x300\n\t ? find_held_lock+0x2b/0x80\n\t ? sysfs_file_kobj+0xb6/0x1b0\n\t ? __pfx_sysfs_kf_write+0x10/0x10\n\t kernfs_fop_write_iter+0x2f4/0x4a0\n\t vfs_write+0x98e/0x1000\n\t ? expand_files+0x51f/0x850\n\t ? __pfx_vfs_write+0x10/0x10\n\t ksys_write+0xf2/0x1d0\n\t ? __pfx_ksys_write+0x10/0x10\n\t do_syscall_64+0x115/0x690\n\t entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7f0fbea15907\n\tCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\n\tRSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n\tRAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907\n\tRDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001\n\tRBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141\n\tR10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058\n\tR13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004\n\t \u003c/TASK\u003e\n\nWith this fix applied, rerunning the reproducer over fail-nth=1..256\nyields no KASAN reports.\n\n[ idryomov: rename err_out_device_del -\u003e err_out_device ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:52:46.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78bd0c143dea4b7a4c23c13356987ca0eafb442e"
},
{
"url": "https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f"
},
{
"url": "https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc"
},
{
"url": "https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb"
},
{
"url": "https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e"
},
{
"url": "https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb"
}
],
"title": "rbd: fix null-ptr-deref when device_add_disk() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46079",
"datePublished": "2026-05-27T12:58:13.903Z",
"dateReserved": "2026-05-13T15:03:33.096Z",
"dateUpdated": "2026-06-14T17:52:46.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43054 (GCVE-0-2026-43054)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16
VLAI?
EPSS
Title
scsi: target: tcm_loop: Drain commands in target_reset handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcm_loop: Drain commands in target_reset handler
tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS
without draining any in-flight commands. The SCSI EH documentation
(scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver
has made lower layers "forget about timed out scmds" and is ready for new
commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug,
mpi3mr) enforces this by draining or completing outstanding commands before
returning SUCCESS.
Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight
scsi_cmnd structures for recovery commands (e.g. TUR) while the target core
still has async completion work queued for the old se_cmd. The memset in
queuecommand zeroes se_lun and lun_ref_active, causing
transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN
reference prevents transport_clear_lun_ref() from completing, hanging
configfs LUN unlink forever in D-state:
INFO: task rm:264 blocked for more than 122 seconds.
rm D 0 264 258 0x00004000
Call Trace:
__schedule+0x3d0/0x8e0
schedule+0x36/0xf0
transport_clear_lun_ref+0x78/0x90 [target_core_mod]
core_tpg_remove_lun+0x28/0xb0 [target_core_mod]
target_fabric_port_unlink+0x50/0x60 [target_core_mod]
configfs_unlink+0x156/0x1f0 [configfs]
vfs_unlink+0x109/0x290
do_unlinkat+0x1d5/0x2d0
Fix this by making tcm_loop_target_reset() actually drain commands:
1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that
the target core knows about (those not yet CMD_T_COMPLETE).
2. Use blk_mq_tagset_busy_iter() to iterate all started requests and
flush_work() on each se_cmd — this drains any deferred completion work
for commands that already had CMD_T_COMPLETE set before the TMR (which
the TMR skips via __target_check_io_state()). This is the same pattern
used by mpi3mr, scsi_debug, and libsas to drain outstanding commands
during reset.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 757c43c692294cdfad31390accc0e90429b2ef8a
(git)
Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 103f79e4949513247d763c6e7f3cbbf62017afdf (git) Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 15f5241d5a52364a7e7867b49128b0442dbcad9d (git) Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 7cbd69aaa507b1245240a28022bf5da0f07c68d9 (git) Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < a836054ea81014117ec6b73529a21626a9e1f829 (git) Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 05ac3754467363558a0a54ae4bb7c89b2c9574cf (git) Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "757c43c692294cdfad31390accc0e90429b2ef8a",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "103f79e4949513247d763c6e7f3cbbf62017afdf",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "15f5241d5a52364a7e7867b49128b0442dbcad9d",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "7cbd69aaa507b1245240a28022bf5da0f07c68d9",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "a836054ea81014117ec6b73529a21626a9e1f829",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "05ac3754467363558a0a54ae4bb7c89b2c9574cf",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "1333eee56cdf3f0cf67c6ab4114c2c9e0a952026",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Drain commands in target_reset handler\n\ntcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS\nwithout draining any in-flight commands. The SCSI EH documentation\n(scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver\nhas made lower layers \"forget about timed out scmds\" and is ready for new\ncommands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug,\nmpi3mr) enforces this by draining or completing outstanding commands before\nreturning SUCCESS.\n\nBecause tcm_loop_target_reset() doesn\u0027t drain, the SCSI EH reuses in-flight\nscsi_cmnd structures for recovery commands (e.g. TUR) while the target core\nstill has async completion work queued for the old se_cmd. The memset in\nqueuecommand zeroes se_lun and lun_ref_active, causing\ntransport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN\nreference prevents transport_clear_lun_ref() from completing, hanging\nconfigfs LUN unlink forever in D-state:\n\n INFO: task rm:264 blocked for more than 122 seconds.\n rm D 0 264 258 0x00004000\n Call Trace:\n __schedule+0x3d0/0x8e0\n schedule+0x36/0xf0\n transport_clear_lun_ref+0x78/0x90 [target_core_mod]\n core_tpg_remove_lun+0x28/0xb0 [target_core_mod]\n target_fabric_port_unlink+0x50/0x60 [target_core_mod]\n configfs_unlink+0x156/0x1f0 [configfs]\n vfs_unlink+0x109/0x290\n do_unlinkat+0x1d5/0x2d0\n\nFix this by making tcm_loop_target_reset() actually drain commands:\n\n 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that\n the target core knows about (those not yet CMD_T_COMPLETE).\n\n 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and\n flush_work() on each se_cmd \u2014 this drains any deferred completion work\n for commands that already had CMD_T_COMPLETE set before the TMR (which\n the TMR skips via __target_check_io_state()). This is the same pattern\n used by mpi3mr, scsi_debug, and libsas to drain outstanding commands\n during reset."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:49.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/757c43c692294cdfad31390accc0e90429b2ef8a"
},
{
"url": "https://git.kernel.org/stable/c/103f79e4949513247d763c6e7f3cbbf62017afdf"
},
{
"url": "https://git.kernel.org/stable/c/15f5241d5a52364a7e7867b49128b0442dbcad9d"
},
{
"url": "https://git.kernel.org/stable/c/7cbd69aaa507b1245240a28022bf5da0f07c68d9"
},
{
"url": "https://git.kernel.org/stable/c/a836054ea81014117ec6b73529a21626a9e1f829"
},
{
"url": "https://git.kernel.org/stable/c/05ac3754467363558a0a54ae4bb7c89b2c9574cf"
},
{
"url": "https://git.kernel.org/stable/c/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026"
}
],
"title": "scsi: target: tcm_loop: Drain commands in target_reset handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43054",
"datePublished": "2026-05-01T14:15:47.396Z",
"dateReserved": "2026-05-01T14:12:55.980Z",
"dateUpdated": "2026-05-11T22:16:49.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46159 (GCVE-0-2026-46159)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-19 11:59
VLAI?
EPSS
Title
btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
block group RAID type lists. The first pass counts entries to determine
the allocation size, then the second pass fills the buffer. The
groups_sem rwlock is released between passes, allowing concurrent block
group removal to reduce the entry count.
When the second pass fills fewer entries than the first pass counted,
copy_to_user() copies the full alloc_size bytes including trailing
uninitialized kmalloc bytes to userspace.
Fix by copying only total_spaces entries (the actually-filled count from
the second pass) instead of alloc_size bytes, and switch to kzalloc so
any future copy size mismatch cannot leak heap data.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7fde62bffb576d384ea49a3aed3403d5609ee5bc , < f407aad350bdea4db300c47433573b7a41630d33
(git)
Affected: 7fde62bffb576d384ea49a3aed3403d5609ee5bc , < d8224b1be6627c6c3b204bfb264508d27c65ac44 (git) Affected: 7fde62bffb576d384ea49a3aed3403d5609ee5bc , < d69a4a6813fdba7c4cc3695a7e843842b240790d (git) Affected: 7fde62bffb576d384ea49a3aed3403d5609ee5bc , < f5ee467b56764964027c361641f64953fc0f8f9a (git) Affected: 7fde62bffb576d384ea49a3aed3403d5609ee5bc , < 4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3 (git) Affected: 7fde62bffb576d384ea49a3aed3403d5609ee5bc , < 5d12e0ab009ade48c1bff9324fd9bea2c773d088 (git) Affected: 7fde62bffb576d384ea49a3aed3403d5609ee5bc , < d09d67d5de577cedae3de9497dff217e0ac8b641 (git) Affected: 7fde62bffb576d384ea49a3aed3403d5609ee5bc , < 973e57c726c1f8e77259d1c8e519519f1e9aea77 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f407aad350bdea4db300c47433573b7a41630d33",
"status": "affected",
"version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
"versionType": "git"
},
{
"lessThan": "d8224b1be6627c6c3b204bfb264508d27c65ac44",
"status": "affected",
"version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
"versionType": "git"
},
{
"lessThan": "d69a4a6813fdba7c4cc3695a7e843842b240790d",
"status": "affected",
"version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
"versionType": "git"
},
{
"lessThan": "f5ee467b56764964027c361641f64953fc0f8f9a",
"status": "affected",
"version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
"versionType": "git"
},
{
"lessThan": "4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3",
"status": "affected",
"version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
"versionType": "git"
},
{
"lessThan": "5d12e0ab009ade48c1bff9324fd9bea2c773d088",
"status": "affected",
"version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
"versionType": "git"
},
{
"lessThan": "d09d67d5de577cedae3de9497dff217e0ac8b641",
"status": "affected",
"version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
"versionType": "git"
},
{
"lessThan": "973e57c726c1f8e77259d1c8e519519f1e9aea77",
"status": "affected",
"version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak\n\nbtrfs_ioctl_space_info() has a TOCTOU race between two passes over the\nblock group RAID type lists. The first pass counts entries to determine\nthe allocation size, then the second pass fills the buffer. The\ngroups_sem rwlock is released between passes, allowing concurrent block\ngroup removal to reduce the entry count.\n\nWhen the second pass fills fewer entries than the first pass counted,\ncopy_to_user() copies the full alloc_size bytes including trailing\nuninitialized kmalloc bytes to userspace.\n\nFix by copying only total_spaces entries (the actually-filled count from\nthe second pass) instead of alloc_size bytes, and switch to kzalloc so\nany future copy size mismatch cannot leak heap data."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:41.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f407aad350bdea4db300c47433573b7a41630d33"
},
{
"url": "https://git.kernel.org/stable/c/d8224b1be6627c6c3b204bfb264508d27c65ac44"
},
{
"url": "https://git.kernel.org/stable/c/d69a4a6813fdba7c4cc3695a7e843842b240790d"
},
{
"url": "https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a"
},
{
"url": "https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3"
},
{
"url": "https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088"
},
{
"url": "https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641"
},
{
"url": "https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77"
}
],
"title": "btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46159",
"datePublished": "2026-05-28T09:36:14.676Z",
"dateReserved": "2026-05-13T15:03:33.102Z",
"dateUpdated": "2026-06-19T11:59:41.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31671 (GCVE-0-2026-31671)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-05-11 22:13
VLAI?
EPSS
Title
xfrm_user: fix info leak in build_report()
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm_user: fix info leak in build_report()
struct xfrm_user_report is a __u8 proto field followed by a struct
xfrm_selector which means there is three "empty" bytes of padding, but
the padding is never zeroed before copying to userspace. Fix that up by
zeroing the structure before setting individual member variables.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < d27c02eec529f78055a46a5c9e6c62684382b2d8
(git)
Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < 716c546e88cfe49d841658240e10cb57bc50a2cc (git) Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < 0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9 (git) Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < e0c8542c3d097ed4205ded51868195d5d6ddac62 (git) Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < ff5ee507302303b15859753c3e0d67d38fd12c88 (git) Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < 6c55714c931051cd7f4839c19ce0867179fd22fe (git) Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < 0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72 (git) Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d27c02eec529f78055a46a5c9e6c62684382b2d8",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "716c546e88cfe49d841658240e10cb57bc50a2cc",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "e0c8542c3d097ed4205ded51868195d5d6ddac62",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "ff5ee507302303b15859753c3e0d67d38fd12c88",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "6c55714c931051cd7f4839c19ce0867179fd22fe",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "d10119968d0e1f2b669604baf2a8b5fdb72fa6b4",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_report()\n\nstruct xfrm_user_report is a __u8 proto field followed by a struct\nxfrm_selector which means there is three \"empty\" bytes of padding, but\nthe padding is never zeroed before copying to userspace. Fix that up by\nzeroing the structure before setting individual member variables."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:13:23.374Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d27c02eec529f78055a46a5c9e6c62684382b2d8"
},
{
"url": "https://git.kernel.org/stable/c/716c546e88cfe49d841658240e10cb57bc50a2cc"
},
{
"url": "https://git.kernel.org/stable/c/0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9"
},
{
"url": "https://git.kernel.org/stable/c/e0c8542c3d097ed4205ded51868195d5d6ddac62"
},
{
"url": "https://git.kernel.org/stable/c/ff5ee507302303b15859753c3e0d67d38fd12c88"
},
{
"url": "https://git.kernel.org/stable/c/6c55714c931051cd7f4839c19ce0867179fd22fe"
},
{
"url": "https://git.kernel.org/stable/c/0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72"
},
{
"url": "https://git.kernel.org/stable/c/d10119968d0e1f2b669604baf2a8b5fdb72fa6b4"
}
],
"title": "xfrm_user: fix info leak in build_report()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31671",
"datePublished": "2026-04-24T14:45:18.669Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-05-11T22:13:23.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43325 (GCVE-0-2026-43325)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-05-11 22:22
VLAI?
EPSS
Title
wifi: iwlwifi: mvm: don't send a 6E related command when not supported
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: don't send a 6E related command when not supported
MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the
device doesn't support 6E.
Apparently, the firmware is mistakenly advertising support for this
command even on AX201 which does not support 6E and then the firmware
crashes.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0d2fc8821a7d667180ce27732697105db843a1b9 , < c0b3fa5e0eaecd38e6a9f8f78e86f468fbde719a
(git)
Affected: 0d2fc8821a7d667180ce27732697105db843a1b9 , < 6607d0e58ceca997816122568ce54db9e134edab (git) Affected: 0d2fc8821a7d667180ce27732697105db843a1b9 , < 323156c3541e23da7e582008a7ac30cd51b60acd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0b3fa5e0eaecd38e6a9f8f78e86f468fbde719a",
"status": "affected",
"version": "0d2fc8821a7d667180ce27732697105db843a1b9",
"versionType": "git"
},
{
"lessThan": "6607d0e58ceca997816122568ce54db9e134edab",
"status": "affected",
"version": "0d2fc8821a7d667180ce27732697105db843a1b9",
"versionType": "git"
},
{
"lessThan": "323156c3541e23da7e582008a7ac30cd51b60acd",
"status": "affected",
"version": "0d2fc8821a7d667180ce27732697105db843a1b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don\u0027t send a 6E related command when not supported\n\nMCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the\ndevice doesn\u0027t support 6E.\nApparently, the firmware is mistakenly advertising support for this\ncommand even on AX201 which does not support 6E and then the firmware\ncrashes."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:22.986Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0b3fa5e0eaecd38e6a9f8f78e86f468fbde719a"
},
{
"url": "https://git.kernel.org/stable/c/6607d0e58ceca997816122568ce54db9e134edab"
},
{
"url": "https://git.kernel.org/stable/c/323156c3541e23da7e582008a7ac30cd51b60acd"
}
],
"title": "wifi: iwlwifi: mvm: don\u0027t send a 6E related command when not supported",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43325",
"datePublished": "2026-05-08T13:31:09.536Z",
"dateReserved": "2026-05-01T14:12:56.002Z",
"dateUpdated": "2026-05-11T22:22:22.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45843 (GCVE-0-2026-45843)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI?
EPSS
Title
slip: bound decode() reads against the compressed packet length
Summary
In the Linux kernel, the following vulnerability has been resolved:
slip: bound decode() reads against the compressed packet length
slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.
A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.
Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Severity ?
8.2 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6268f01ae989013671b526c883e92655342c6f6f
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9aafba2f49e1fcccc2018816f5836a609c925879 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 335957df4ed60f02a2ec0432fbedbf0cc7241d8b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 37537e42e6df387398bee85cb85070cc80bb1e10 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4cefe32639933d652614b0bd50f818f9af4af78f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d42bec6e4f6d6d658be365539400b3314b76b2a7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6268f01ae989013671b526c883e92655342c6f6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9aafba2f49e1fcccc2018816f5836a609c925879",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "335957df4ed60f02a2ec0432fbedbf0cc7241d8b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37537e42e6df387398bee85cb85070cc80bb1e10",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4cefe32639933d652614b0bd50f818f9af4af78f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d42bec6e4f6d6d658be365539400b3314b76b2a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: bound decode() reads against the compressed packet length\n\nslhc_uncompress() parses a VJ-compressed TCP header by advancing a\npointer through the packet via decode() and pull16(). Neither helper\nbounds-checks against isize, and decode() masks its return with\n\u0026 0xffff so it can never return the -1 that callers test for -- those\nerror paths are dead code.\n\nA short compressed frame whose change byte requests optional fields\nlets decode() read past the end of the packet. The over-read bytes\nare folded into the cached cstate and reflected into subsequent\nreconstructed packets.\n\nMake decode() and pull16() take the packet end pointer and return -1\nwhen exhausted. Add a bounds check before the TCP-checksum read.\nThe existing == -1 tests now do what they were always meant to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:20.617Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6268f01ae989013671b526c883e92655342c6f6f"
},
{
"url": "https://git.kernel.org/stable/c/9aafba2f49e1fcccc2018816f5836a609c925879"
},
{
"url": "https://git.kernel.org/stable/c/335957df4ed60f02a2ec0432fbedbf0cc7241d8b"
},
{
"url": "https://git.kernel.org/stable/c/37537e42e6df387398bee85cb85070cc80bb1e10"
},
{
"url": "https://git.kernel.org/stable/c/4cefe32639933d652614b0bd50f818f9af4af78f"
},
{
"url": "https://git.kernel.org/stable/c/0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d"
},
{
"url": "https://git.kernel.org/stable/c/d42bec6e4f6d6d658be365539400b3314b76b2a7"
},
{
"url": "https://git.kernel.org/stable/c/4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7"
}
],
"title": "slip: bound decode() reads against the compressed packet length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45843",
"datePublished": "2026-05-27T09:24:45.516Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:20.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31655 (GCVE-0-2026-31655)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-05-11 22:13
VLAI?
EPSS
Title
pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
Keep the NOC_HDCP clock always enabled to fix the potential hang
caused by the NoC ADB400 port power down handshake.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
77b0ddb42add47748c661f714e6f4b116a6e8759 , < 80fd0de89805a3f92dc320f5ab5a18007c260374
(git)
Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < 3086374e8bc7fd65f2cc62ef52351c6d662f1543 (git) Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < e44919669f07b8f113ad49a248b44ca4f119bc94 (git) Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < d1ef779d02b5df4e8bff4083b20bfea587b43c4b (git) Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < e91d5f94acf68618ea3ad9c92ac28614e791ae7d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8mp-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80fd0de89805a3f92dc320f5ab5a18007c260374",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
},
{
"lessThan": "3086374e8bc7fd65f2cc62ef52351c6d662f1543",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
},
{
"lessThan": "e44919669f07b8f113ad49a248b44ca4f119bc94",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
},
{
"lessThan": "d1ef779d02b5df4e8bff4083b20bfea587b43c4b",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
},
{
"lessThan": "e91d5f94acf68618ea3ad9c92ac28614e791ae7d",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8mp-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled\n\nKeep the NOC_HDCP clock always enabled to fix the potential hang\ncaused by the NoC ADB400 port power down handshake."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:13:00.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80fd0de89805a3f92dc320f5ab5a18007c260374"
},
{
"url": "https://git.kernel.org/stable/c/3086374e8bc7fd65f2cc62ef52351c6d662f1543"
},
{
"url": "https://git.kernel.org/stable/c/e44919669f07b8f113ad49a248b44ca4f119bc94"
},
{
"url": "https://git.kernel.org/stable/c/d1ef779d02b5df4e8bff4083b20bfea587b43c4b"
},
{
"url": "https://git.kernel.org/stable/c/e91d5f94acf68618ea3ad9c92ac28614e791ae7d"
}
],
"title": "pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31655",
"datePublished": "2026-04-24T14:45:07.085Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-05-11T22:13:00.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31480 (GCVE-0-2026-31480)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:09
VLAI?
EPSS
Title
tracing: Fix potential deadlock in cpu hotplug with osnoise
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix potential deadlock in cpu hotplug with osnoise
The following sequence may leads deadlock in cpu hotplug:
task1 task2 task3
----- ----- -----
mutex_lock(&interface_lock)
[CPU GOING OFFLINE]
cpus_write_lock();
osnoise_cpu_die();
kthread_stop(task3);
wait_for_completion();
osnoise_sleep();
mutex_lock(&interface_lock);
cpus_read_lock();
[DEAD LOCK]
Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < cf929c21eeed5bd39873fb14bfdfff963fa6f1da
(git)
Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 7aa095ce7d224308cb6979956f0de8607df93d4f (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < ef41a85a55022e27cdaebf22a6676910b66f65aa (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 03474a01c199de17a8e2d39b51df6beb9c76e831 (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7 (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 1f9885732248d22f788e4992c739a98c88ab8a55 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf929c21eeed5bd39873fb14bfdfff963fa6f1da",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "7aa095ce7d224308cb6979956f0de8607df93d4f",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "ef41a85a55022e27cdaebf22a6676910b66f65aa",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "03474a01c199de17a8e2d39b51df6beb9c76e831",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "1f9885732248d22f788e4992c739a98c88ab8a55",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix potential deadlock in cpu hotplug with osnoise\n\nThe following sequence may leads deadlock in cpu hotplug:\n\n task1 task2 task3\n ----- ----- -----\n\n mutex_lock(\u0026interface_lock)\n\n [CPU GOING OFFLINE]\n\n cpus_write_lock();\n osnoise_cpu_die();\n kthread_stop(task3);\n wait_for_completion();\n\n osnoise_sleep();\n mutex_lock(\u0026interface_lock);\n\n cpus_read_lock();\n\n [DEAD LOCK]\n\nFix by swap the order of cpus_read_lock() and mutex_lock(\u0026interface_lock)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:32.978Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf929c21eeed5bd39873fb14bfdfff963fa6f1da"
},
{
"url": "https://git.kernel.org/stable/c/7aa095ce7d224308cb6979956f0de8607df93d4f"
},
{
"url": "https://git.kernel.org/stable/c/ef41a85a55022e27cdaebf22a6676910b66f65aa"
},
{
"url": "https://git.kernel.org/stable/c/03474a01c199de17a8e2d39b51df6beb9c76e831"
},
{
"url": "https://git.kernel.org/stable/c/f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7"
},
{
"url": "https://git.kernel.org/stable/c/7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f"
},
{
"url": "https://git.kernel.org/stable/c/1f9885732248d22f788e4992c739a98c88ab8a55"
}
],
"title": "tracing: Fix potential deadlock in cpu hotplug with osnoise",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31480",
"datePublished": "2026-04-22T13:54:07.566Z",
"dateReserved": "2026-03-09T15:48:24.100Z",
"dateUpdated": "2026-05-11T22:09:32.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45910 (GCVE-0-2026-45910)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-30 10:45
VLAI?
EPSS
Title
RDMA/rxe: Fix race condition in QP timer handlers
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix race condition in QP timer handlers
I encontered the following warning:
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0
...
libsha1 [last unloaded: ip6_udp_tunnel]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT
Tainted: [C]=CRAP
Hardware name: Raspberry Pi 4 Model B Rev 1.2
Call trace:
rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P)
retransmit_timer+0x130/0x188 [rdma_rxe]
call_timer_fn+0x68/0x4d0
__run_timers+0x630/0x888
...
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0
...
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400
...
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400
The issue is caused by a race condition between retransmit_timer() and
rxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping
to zero during timer handler execution.
It seems this warning is harmless because rxe_qp_do_cleanup() will flush
all pending timers and requests.
Example of flow causing the issue:
CPU0 CPU1
retransmit_timer() {
spin_lock_irqsave
rxe_destroy_qp()
__rxe_cleanup()
__rxe_put() // qp->ref_count decrease to 0
rxe_qp_do_cleanup() {
if (qp->valid) {
rxe_sched_task() {
WARN_ON(rxe_read(task->qp) <= 0);
}
}
spin_unlock_irqrestore
}
spin_lock_irqsave
qp->valid = 0
spin_unlock_irqrestore
}
Ensure the QP's reference count is maintained and its validity is checked
within the timer callbacks by adding calls to rxe_get(qp) and corresponding
rxe_put(qp) after use.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d94671632572813e90bcf475bb4c7d51fbf20173 , < 756c93d6df7c3bc599f6590b8e5afead6a41de1c
(git)
Affected: d94671632572813e90bcf475bb4c7d51fbf20173 , < 3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2 (git) Affected: d94671632572813e90bcf475bb4c7d51fbf20173 , < 5ae9da022ee3c97e6469eabcddce9271501ddbad (git) Affected: d94671632572813e90bcf475bb4c7d51fbf20173 , < da379ca16af3722f159860d91a99cb6976a7500f (git) Affected: d94671632572813e90bcf475bb4c7d51fbf20173 , < 87bf646921430e303176edc4eb07c30160361b73 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_comp.c",
"drivers/infiniband/sw/rxe/rxe_req.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "756c93d6df7c3bc599f6590b8e5afead6a41de1c",
"status": "affected",
"version": "d94671632572813e90bcf475bb4c7d51fbf20173",
"versionType": "git"
},
{
"lessThan": "3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2",
"status": "affected",
"version": "d94671632572813e90bcf475bb4c7d51fbf20173",
"versionType": "git"
},
{
"lessThan": "5ae9da022ee3c97e6469eabcddce9271501ddbad",
"status": "affected",
"version": "d94671632572813e90bcf475bb4c7d51fbf20173",
"versionType": "git"
},
{
"lessThan": "da379ca16af3722f159860d91a99cb6976a7500f",
"status": "affected",
"version": "d94671632572813e90bcf475bb4c7d51fbf20173",
"versionType": "git"
},
{
"lessThan": "87bf646921430e303176edc4eb07c30160361b73",
"status": "affected",
"version": "d94671632572813e90bcf475bb4c7d51fbf20173",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_comp.c",
"drivers/infiniband/sw/rxe/rxe_req.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix race condition in QP timer handlers\n\nI encontered the following warning:\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0\n...\n libsha1 [last unloaded: ip6_udp_tunnel]\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT\n Tainted: [C]=CRAP\n Hardware name: Raspberry Pi 4 Model B Rev 1.2\n Call trace:\n rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P)\n retransmit_timer+0x130/0x188 [rdma_rxe]\n call_timer_fn+0x68/0x4d0\n __run_timers+0x630/0x888\n...\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0\n...\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400\n...\n refcount_t: underflow; use-after-free.\n WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400\n\nThe issue is caused by a race condition between retransmit_timer() and\nrxe_destroy_qp, leading to the Queue Pair\u0027s (QP) reference count dropping\nto zero during timer handler execution.\n\nIt seems this warning is harmless because rxe_qp_do_cleanup() will flush\nall pending timers and requests.\n\nExample of flow causing the issue:\n\nCPU0 CPU1\nretransmit_timer() {\n spin_lock_irqsave\n rxe_destroy_qp()\n __rxe_cleanup()\n __rxe_put() // qp-\u003eref_count decrease to 0\n rxe_qp_do_cleanup() {\n if (qp-\u003evalid) {\n rxe_sched_task() {\n WARN_ON(rxe_read(task-\u003eqp) \u003c= 0);\n }\n }\n spin_unlock_irqrestore\n}\n spin_lock_irqsave\n qp-\u003evalid = 0\n spin_unlock_irqrestore\n }\n\nEnsure the QP\u0027s reference count is maintained and its validity is checked\nwithin the timer callbacks by adding calls to rxe_get(qp) and corresponding\nrxe_put(qp) after use."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T10:45:53.742Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/756c93d6df7c3bc599f6590b8e5afead6a41de1c"
},
{
"url": "https://git.kernel.org/stable/c/3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2"
},
{
"url": "https://git.kernel.org/stable/c/5ae9da022ee3c97e6469eabcddce9271501ddbad"
},
{
"url": "https://git.kernel.org/stable/c/da379ca16af3722f159860d91a99cb6976a7500f"
},
{
"url": "https://git.kernel.org/stable/c/87bf646921430e303176edc4eb07c30160361b73"
}
],
"title": "RDMA/rxe: Fix race condition in QP timer handlers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45910",
"datePublished": "2026-05-27T12:17:24.619Z",
"dateReserved": "2026-05-13T15:03:33.084Z",
"dateUpdated": "2026-05-30T10:45:53.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31614 (GCVE-0-2026-31614)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-06-14 17:42
VLAI?
EPSS
Title
smb: client: fix off-by-8 bounds check in check_wsl_eas()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix off-by-8 bounds check in check_wsl_eas()
The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA
name and value, but ea_data sits at offset sizeof(struct
smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp()
later reads ea->ea_data[0..nlen-1] and the value bytes follow at
ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1
+ vlen. Isn't pointer math fun?
The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the
8-byte header is in bounds, but since the last EA is placed within 8
bytes of the end of the response, the name and value bytes are read past
the end of iov.
Fix this mess all up by using ea->ea_data as the base for the bounds
check.
An "untrusted" server can use this to leak up to 8 bytes of kernel heap
into the EA name comparison and influence which WSL xattr the data is
interpreted as.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7449d736bbbd160c76b01b8fcdf72f58a8757d4b , < bfbc74df8bbe095b3ed68f6d4487b368af087890
(git)
Affected: ea41367b2a602f602ea6594fc4a310520dcc64f4 , < 5cc0574c84aa73946ade587c41e81757b8b01cb5 (git) Affected: ea41367b2a602f602ea6594fc4a310520dcc64f4 , < b2b76d09a64c538c57006180103fc1841e8cfa66 (git) Affected: ea41367b2a602f602ea6594fc4a310520dcc64f4 , < ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18 (git) Affected: ea41367b2a602f602ea6594fc4a310520dcc64f4 , < a893f1757d9a4009e4a8d7ceb2312142fe29cea4 (git) Affected: ea41367b2a602f602ea6594fc4a310520dcc64f4 , < 3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b (git) Affected: 6.6.32 , < 6.6.136 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bfbc74df8bbe095b3ed68f6d4487b368af087890",
"status": "affected",
"version": "7449d736bbbd160c76b01b8fcdf72f58a8757d4b",
"versionType": "git"
},
{
"lessThan": "5cc0574c84aa73946ade587c41e81757b8b01cb5",
"status": "affected",
"version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
"versionType": "git"
},
{
"lessThan": "b2b76d09a64c538c57006180103fc1841e8cfa66",
"status": "affected",
"version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
"versionType": "git"
},
{
"lessThan": "ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18",
"status": "affected",
"version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
"versionType": "git"
},
{
"lessThan": "a893f1757d9a4009e4a8d7ceb2312142fe29cea4",
"status": "affected",
"version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
"versionType": "git"
},
{
"lessThan": "3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b",
"status": "affected",
"version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
"versionType": "git"
},
{
"lessThan": "6.6.136",
"status": "affected",
"version": "6.6.32",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix off-by-8 bounds check in check_wsl_eas()\n\nThe bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA\nname and value, but ea_data sits at offset sizeof(struct\nsmb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp()\nlater reads ea-\u003eea_data[0..nlen-1] and the value bytes follow at\nea_data[nlen+1..nlen+vlen], so the actual end is ea-\u003eea_data + nlen + 1\n+ vlen. Isn\u0027t pointer math fun?\n\nThe earlier check (u8 *)ea \u003e end - sizeof(*ea) only guarantees the\n8-byte header is in bounds, but since the last EA is placed within 8\nbytes of the end of the response, the name and value bytes are read past\nthe end of iov.\n\nFix this mess all up by using ea-\u003eea_data as the base for the bounds\ncheck.\n\nAn \"untrusted\" server can use this to leak up to 8 bytes of kernel heap\ninto the EA name comparison and influence which WSL xattr the data is\ninterpreted as."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:42:58.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bfbc74df8bbe095b3ed68f6d4487b368af087890"
},
{
"url": "https://git.kernel.org/stable/c/5cc0574c84aa73946ade587c41e81757b8b01cb5"
},
{
"url": "https://git.kernel.org/stable/c/b2b76d09a64c538c57006180103fc1841e8cfa66"
},
{
"url": "https://git.kernel.org/stable/c/ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18"
},
{
"url": "https://git.kernel.org/stable/c/a893f1757d9a4009e4a8d7ceb2312142fe29cea4"
},
{
"url": "https://git.kernel.org/stable/c/3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b"
}
],
"title": "smb: client: fix off-by-8 bounds check in check_wsl_eas()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31614",
"datePublished": "2026-04-24T14:42:34.153Z",
"dateReserved": "2026-03-09T15:48:24.123Z",
"dateUpdated": "2026-06-14T17:42:58.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43068 (GCVE-0-2026-43068)
Vulnerability from cvelistv5 – Published: 2026-05-05 15:23 – Updated: 2026-05-11 22:17
VLAI?
EPSS
Title
ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
There's issue as follows:
...
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): error count since last fsck: 1
EXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760
EXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760
...
According to the log analysis, blocks are always requested from the
corrupted block group. This may happen as follows:
ext4_mb_find_by_goal
ext4_mb_load_buddy
ext4_mb_load_buddy_gfp
ext4_mb_init_cache
ext4_read_block_bitmap_nowait
ext4_wait_block_bitmap
ext4_validate_block_bitmap
if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
return -EFSCORRUPTED; // There's no logs.
if (err)
return err; // Will return error
ext4_lock_group(ac->ac_sb, group);
if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable
goto out;
After commit 9008a58e5dce ("ext4: make the bitmap read routines return
real error codes") merged, Commit 163a203ddb36 ("ext4: mark block group
as corrupt on block bitmap error") is no real solution for allocating
blocks from corrupted block groups. This is because if
'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then
'ext4_mb_load_buddy()' may return an error. This means that the block
allocation will fail.
Therefore, check block group if corrupted when ext4_mb_load_buddy()
returns error.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
163a203ddb36c36d4a1c942aececda0cc8d06aa7 , < fea6b2e250ff48f10d166011b57a8516ae5438c9
(git)
Affected: 163a203ddb36c36d4a1c942aececda0cc8d06aa7 , < 0b84571c886719823d537f05f4f07cad6357c4b7 (git) Affected: 163a203ddb36c36d4a1c942aececda0cc8d06aa7 , < ffc0a282462d45fee5957621be5afa29752f3b6d (git) Affected: 163a203ddb36c36d4a1c942aececda0cc8d06aa7 , < 2d31a5073f86a177edf44015e0dedb0c47cfd6d8 (git) Affected: 163a203ddb36c36d4a1c942aececda0cc8d06aa7 , < 9370207b36d26e45a8c8ef0500706d37036edd6b (git) Affected: 163a203ddb36c36d4a1c942aececda0cc8d06aa7 , < 1895f7904be71c48f1e6f338b28f24dabd6b8aeb (git) Affected: 163a203ddb36c36d4a1c942aececda0cc8d06aa7 , < 1c0d7c4cde38a887c6d74e0c89ddb25226943c78 (git) Affected: 163a203ddb36c36d4a1c942aececda0cc8d06aa7 , < 46066e3a06647c5b186cc6334409722622d05c44 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fea6b2e250ff48f10d166011b57a8516ae5438c9",
"status": "affected",
"version": "163a203ddb36c36d4a1c942aececda0cc8d06aa7",
"versionType": "git"
},
{
"lessThan": "0b84571c886719823d537f05f4f07cad6357c4b7",
"status": "affected",
"version": "163a203ddb36c36d4a1c942aececda0cc8d06aa7",
"versionType": "git"
},
{
"lessThan": "ffc0a282462d45fee5957621be5afa29752f3b6d",
"status": "affected",
"version": "163a203ddb36c36d4a1c942aececda0cc8d06aa7",
"versionType": "git"
},
{
"lessThan": "2d31a5073f86a177edf44015e0dedb0c47cfd6d8",
"status": "affected",
"version": "163a203ddb36c36d4a1c942aececda0cc8d06aa7",
"versionType": "git"
},
{
"lessThan": "9370207b36d26e45a8c8ef0500706d37036edd6b",
"status": "affected",
"version": "163a203ddb36c36d4a1c942aececda0cc8d06aa7",
"versionType": "git"
},
{
"lessThan": "1895f7904be71c48f1e6f338b28f24dabd6b8aeb",
"status": "affected",
"version": "163a203ddb36c36d4a1c942aececda0cc8d06aa7",
"versionType": "git"
},
{
"lessThan": "1c0d7c4cde38a887c6d74e0c89ddb25226943c78",
"status": "affected",
"version": "163a203ddb36c36d4a1c942aececda0cc8d06aa7",
"versionType": "git"
},
{
"lessThan": "46066e3a06647c5b186cc6334409722622d05c44",
"status": "affected",
"version": "163a203ddb36c36d4a1c942aececda0cc8d06aa7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()\n\nThere\u0027s issue as follows:\n...\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): error count since last fsck: 1\nEXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760\nEXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760\n...\n\nAccording to the log analysis, blocks are always requested from the\ncorrupted block group. This may happen as follows:\next4_mb_find_by_goal\n ext4_mb_load_buddy\n ext4_mb_load_buddy_gfp\n ext4_mb_init_cache\n ext4_read_block_bitmap_nowait\n ext4_wait_block_bitmap\n ext4_validate_block_bitmap\n if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))\n return -EFSCORRUPTED; // There\u0027s no logs.\n if (err)\n return err; // Will return error\next4_lock_group(ac-\u003eac_sb, group);\n if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b-\u003ebd_info))) // Unreachable\n goto out;\n\nAfter commit 9008a58e5dce (\"ext4: make the bitmap read routines return\nreal error codes\") merged, Commit 163a203ddb36 (\"ext4: mark block group\nas corrupt on block bitmap error\") is no real solution for allocating\nblocks from corrupted block groups. This is because if\n\u0027EXT4_MB_GRP_BBITMAP_CORRUPT(e4b-\u003ebd_info)\u0027 is true, then\n\u0027ext4_mb_load_buddy()\u0027 may return an error. This means that the block\nallocation will fail.\nTherefore, check block group if corrupted when ext4_mb_load_buddy()\nreturns error."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:17:05.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fea6b2e250ff48f10d166011b57a8516ae5438c9"
},
{
"url": "https://git.kernel.org/stable/c/0b84571c886719823d537f05f4f07cad6357c4b7"
},
{
"url": "https://git.kernel.org/stable/c/ffc0a282462d45fee5957621be5afa29752f3b6d"
},
{
"url": "https://git.kernel.org/stable/c/2d31a5073f86a177edf44015e0dedb0c47cfd6d8"
},
{
"url": "https://git.kernel.org/stable/c/9370207b36d26e45a8c8ef0500706d37036edd6b"
},
{
"url": "https://git.kernel.org/stable/c/1895f7904be71c48f1e6f338b28f24dabd6b8aeb"
},
{
"url": "https://git.kernel.org/stable/c/1c0d7c4cde38a887c6d74e0c89ddb25226943c78"
},
{
"url": "https://git.kernel.org/stable/c/46066e3a06647c5b186cc6334409722622d05c44"
}
],
"title": "ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43068",
"datePublished": "2026-05-05T15:23:27.371Z",
"dateReserved": "2026-05-01T14:12:55.982Z",
"dateUpdated": "2026-05-11T22:17:05.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43338 (GCVE-0-2026-43338)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-05-11 22:22
VLAI?
EPSS
Title
btrfs: reserve enough transaction items for qgroup ioctls
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reserve enough transaction items for qgroup ioctls
Currently our qgroup ioctls don't reserve any space, they just do a
transaction join, which does not reserve any space, neither for the quota
tree updates nor for the delayed refs generated when updating the quota
tree. The quota root uses the global block reserve, which is fine most of
the time since we don't expect a lot of updates to the quota root, or to
be too close to -ENOSPC such that other critical metadata updates need to
resort to the global reserve.
However this is not optimal, as not reserving proper space may result in a
transaction abort due to not reserving space for delayed refs and then
abusing the use of the global block reserve.
For example, the following reproducer (which is unlikely to model any
real world use case, but just to illustrate the problem), triggers such a
transaction abort due to -ENOSPC when running delayed refs:
$ cat test.sh
#!/bin/bash
DEV=/dev/nullb0
MNT=/mnt/nullb0
umount $DEV &> /dev/null
# Limit device to 1G so that it's much faster to reproduce the issue.
mkfs.btrfs -f -b 1G $DEV
mount -o commit=600 $DEV $MNT
fallocate -l 800M $MNT/filler
btrfs quota enable $MNT
for ((i = 1; i <= 400000; i++)); do
btrfs qgroup create 1/$i $MNT
done
umount $MNT
When running this, we can see in dmesg/syslog that a transaction abort
happened:
[436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28
[436.493] ------------[ cut here ]------------
[436.494] BTRFS: Transaction aborted (error -28)
[436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372
[436.497] Modules linked in: btrfs loop (...)
[436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[436.510] Tainted: [W]=WARN
[436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs]
[436.514] Code: 0f 82 ea (...)
[436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292
[436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001
[436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80
[436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867
[436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400
[436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000
[436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000
[436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0
[436.530] Call Trace:
[436.530] <TASK>
[436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs]
[436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs]
[436.532] sync_filesystem+0x7a/0x90
[436.533] generic_shutdown_super+0x28/0x180
[436.533] kill_anon_super+0x12/0x40
[436.534] btrfs_kill_super+0x12/0x20 [btrfs]
[436.534] deactivate_locked_super+0x2f/0xb0
[436.534] cleanup_mnt+0xea/0x180
[436.535] task_work_run+0x58/0xa0
[436.535] exit_to_user_mode_loop+0xed/0x480
[436.536] ? __x64_sys_umount+0x68/0x80
[436.536] do_syscall_64+0x2a5/0xf20
[436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[436.537] RIP: 0033:0x7fe5906b6217
[436.538] Code: 0d 00 f7 (...)
[436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217
[436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100
[436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff
[436.544] R10: 0000000000000103 R11:
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5d13a37bd5327220e13329943d1228acfbe5934a , < bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8
(git)
Affected: 5d13a37bd5327220e13329943d1228acfbe5934a , < cf930a651eef6f8d915bf0ccd60c2045974f870c (git) Affected: 5d13a37bd5327220e13329943d1228acfbe5934a , < 386f5e16a383101a68e195c806b4eedb233cd1d3 (git) Affected: 5d13a37bd5327220e13329943d1228acfbe5934a , < f9a4e3015db1aeafbef407650eb8555445ca943e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8",
"status": "affected",
"version": "5d13a37bd5327220e13329943d1228acfbe5934a",
"versionType": "git"
},
{
"lessThan": "cf930a651eef6f8d915bf0ccd60c2045974f870c",
"status": "affected",
"version": "5d13a37bd5327220e13329943d1228acfbe5934a",
"versionType": "git"
},
{
"lessThan": "386f5e16a383101a68e195c806b4eedb233cd1d3",
"status": "affected",
"version": "5d13a37bd5327220e13329943d1228acfbe5934a",
"versionType": "git"
},
{
"lessThan": "f9a4e3015db1aeafbef407650eb8555445ca943e",
"status": "affected",
"version": "5d13a37bd5327220e13329943d1228acfbe5934a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reserve enough transaction items for qgroup ioctls\n\nCurrently our qgroup ioctls don\u0027t reserve any space, they just do a\ntransaction join, which does not reserve any space, neither for the quota\ntree updates nor for the delayed refs generated when updating the quota\ntree. The quota root uses the global block reserve, which is fine most of\nthe time since we don\u0027t expect a lot of updates to the quota root, or to\nbe too close to -ENOSPC such that other critical metadata updates need to\nresort to the global reserve.\n\nHowever this is not optimal, as not reserving proper space may result in a\ntransaction abort due to not reserving space for delayed refs and then\nabusing the use of the global block reserve.\n\nFor example, the following reproducer (which is unlikely to model any\nreal world use case, but just to illustrate the problem), triggers such a\ntransaction abort due to -ENOSPC when running delayed refs:\n\n $ cat test.sh\n #!/bin/bash\n\n DEV=/dev/nullb0\n MNT=/mnt/nullb0\n\n umount $DEV \u0026\u003e /dev/null\n # Limit device to 1G so that it\u0027s much faster to reproduce the issue.\n mkfs.btrfs -f -b 1G $DEV\n mount -o commit=600 $DEV $MNT\n\n fallocate -l 800M $MNT/filler\n btrfs quota enable $MNT\n\n for ((i = 1; i \u003c= 400000; i++)); do\n btrfs qgroup create 1/$i $MNT\n done\n\n umount $MNT\n\nWhen running this, we can see in dmesg/syslog that a transaction abort\nhappened:\n\n [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28\n [436.493] ------------[ cut here ]------------\n [436.494] BTRFS: Transaction aborted (error -28)\n [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372\n [436.497] Modules linked in: btrfs loop (...)\n [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n [436.510] Tainted: [W]=WARN\n [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs]\n [436.514] Code: 0f 82 ea (...)\n [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292\n [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001\n [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80\n [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867\n [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400\n [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000\n [436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000\n [436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0\n [436.530] Call Trace:\n [436.530] \u003cTASK\u003e\n [436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs]\n [436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs]\n [436.532] sync_filesystem+0x7a/0x90\n [436.533] generic_shutdown_super+0x28/0x180\n [436.533] kill_anon_super+0x12/0x40\n [436.534] btrfs_kill_super+0x12/0x20 [btrfs]\n [436.534] deactivate_locked_super+0x2f/0xb0\n [436.534] cleanup_mnt+0xea/0x180\n [436.535] task_work_run+0x58/0xa0\n [436.535] exit_to_user_mode_loop+0xed/0x480\n [436.536] ? __x64_sys_umount+0x68/0x80\n [436.536] do_syscall_64+0x2a5/0xf20\n [436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [436.537] RIP: 0033:0x7fe5906b6217\n [436.538] Code: 0d 00 f7 (...)\n [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217\n [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100\n [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff\n [436.544] R10: 0000000000000103 R11: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:38.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8"
},
{
"url": "https://git.kernel.org/stable/c/cf930a651eef6f8d915bf0ccd60c2045974f870c"
},
{
"url": "https://git.kernel.org/stable/c/386f5e16a383101a68e195c806b4eedb233cd1d3"
},
{
"url": "https://git.kernel.org/stable/c/f9a4e3015db1aeafbef407650eb8555445ca943e"
}
],
"title": "btrfs: reserve enough transaction items for qgroup ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43338",
"datePublished": "2026-05-08T13:31:23.623Z",
"dateReserved": "2026-05-01T14:12:56.003Z",
"dateUpdated": "2026-05-11T22:22:38.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46120 (GCVE-0-2026-46120)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-14 17:55
VLAI?
EPSS
Title
ip6_gre: Use cached t->net in ip6erspan_changelink().
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_gre: Use cached t->net in ip6erspan_changelink().
After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_changelink() was not converted in
that series and still uses dev_net(dev), which diverges from the
device's creation netns after IFLA_NET_NS_FD migration.
This re-inserts the tunnel into the wrong per-netns hash. The
original netns keeps a stale entry. When that netns is later
destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
slab-use-after-free reported by KASAN, followed by a kernel BUG at
net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().
Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net).
ip6gre_changelink() earlier in the same file already uses the cached
t->net; only ip6erspan_changelink() has the wrong shape.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d665034f239412927b1e71329f20f001c92da09 , < 7bd0f2b162b426b343a114e1b329f0d8d14fdc6e
(git)
Affected: 2d665034f239412927b1e71329f20f001c92da09 , < 01b71ff2857d3598337de11e7840a8e3ff21553c (git) Affected: 2d665034f239412927b1e71329f20f001c92da09 , < 0fcf6731706f73494245a9c0d64f93bebf95bb51 (git) Affected: 2d665034f239412927b1e71329f20f001c92da09 , < eca62bb0569de4d43a4dac06a2092a9d4ca1d702 (git) Affected: 2d665034f239412927b1e71329f20f001c92da09 , < 311fdd26eb4443d43b909cc67a10f3a5fd1b21b2 (git) Affected: 2d665034f239412927b1e71329f20f001c92da09 , < e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82 (git) Affected: 2d665034f239412927b1e71329f20f001c92da09 , < cf7fc624329e76c6394653d12353e1d033adea91 (git) Affected: 2d665034f239412927b1e71329f20f001c92da09 , < 1d324c2f43f70c965f25c58cc3611c779adbe47e (git) Affected: c6d72628352c949629af619b77b042e0fb5245e7 (git) Affected: 4.16.12 , < 4.17 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bd0f2b162b426b343a114e1b329f0d8d14fdc6e",
"status": "affected",
"version": "2d665034f239412927b1e71329f20f001c92da09",
"versionType": "git"
},
{
"lessThan": "01b71ff2857d3598337de11e7840a8e3ff21553c",
"status": "affected",
"version": "2d665034f239412927b1e71329f20f001c92da09",
"versionType": "git"
},
{
"lessThan": "0fcf6731706f73494245a9c0d64f93bebf95bb51",
"status": "affected",
"version": "2d665034f239412927b1e71329f20f001c92da09",
"versionType": "git"
},
{
"lessThan": "eca62bb0569de4d43a4dac06a2092a9d4ca1d702",
"status": "affected",
"version": "2d665034f239412927b1e71329f20f001c92da09",
"versionType": "git"
},
{
"lessThan": "311fdd26eb4443d43b909cc67a10f3a5fd1b21b2",
"status": "affected",
"version": "2d665034f239412927b1e71329f20f001c92da09",
"versionType": "git"
},
{
"lessThan": "e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82",
"status": "affected",
"version": "2d665034f239412927b1e71329f20f001c92da09",
"versionType": "git"
},
{
"lessThan": "cf7fc624329e76c6394653d12353e1d033adea91",
"status": "affected",
"version": "2d665034f239412927b1e71329f20f001c92da09",
"versionType": "git"
},
{
"lessThan": "1d324c2f43f70c965f25c58cc3611c779adbe47e",
"status": "affected",
"version": "2d665034f239412927b1e71329f20f001c92da09",
"versionType": "git"
},
{
"status": "affected",
"version": "c6d72628352c949629af619b77b042e0fb5245e7",
"versionType": "git"
},
{
"lessThan": "4.17",
"status": "affected",
"version": "4.16.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: Use cached t-\u003enet in ip6erspan_changelink().\n\nAfter commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of\nrtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns\nip6gre hash via link_net. ip6erspan_changelink() was not converted in\nthat series and still uses dev_net(dev), which diverges from the\ndevice\u0027s creation netns after IFLA_NET_NS_FD migration.\n\nThis re-inserts the tunnel into the wrong per-netns hash. The\noriginal netns keeps a stale entry. When that netns is later\ndestroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a\nslab-use-after-free reported by KASAN, followed by a kernel BUG at\nnet/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().\n\nReachable from an unprivileged user namespace (unshare --user\n--map-root-user --net).\n\nip6gre_changelink() earlier in the same file already uses the cached\nt-\u003enet; only ip6erspan_changelink() has the wrong shape."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:55:54.746Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bd0f2b162b426b343a114e1b329f0d8d14fdc6e"
},
{
"url": "https://git.kernel.org/stable/c/01b71ff2857d3598337de11e7840a8e3ff21553c"
},
{
"url": "https://git.kernel.org/stable/c/0fcf6731706f73494245a9c0d64f93bebf95bb51"
},
{
"url": "https://git.kernel.org/stable/c/eca62bb0569de4d43a4dac06a2092a9d4ca1d702"
},
{
"url": "https://git.kernel.org/stable/c/311fdd26eb4443d43b909cc67a10f3a5fd1b21b2"
},
{
"url": "https://git.kernel.org/stable/c/e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82"
},
{
"url": "https://git.kernel.org/stable/c/cf7fc624329e76c6394653d12353e1d033adea91"
},
{
"url": "https://git.kernel.org/stable/c/1d324c2f43f70c965f25c58cc3611c779adbe47e"
}
],
"title": "ip6_gre: Use cached t-\u003enet in ip6erspan_changelink().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46120",
"datePublished": "2026-05-28T09:35:35.385Z",
"dateReserved": "2026-05-13T15:03:33.098Z",
"dateUpdated": "2026-06-14T17:55:54.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31758 (GCVE-0-2026-31758)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-11 22:15
VLAI?
EPSS
Title
usb: usbtmc: Flush anchored URBs in usbtmc_release
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: usbtmc: Flush anchored URBs in usbtmc_release
When calling usbtmc_release, pending anchored URBs must be flushed or
killed to prevent use-after-free errors (e.g. in the HCD giveback
path). Call usbtmc_draw_down() to allow anchored URBs to be completed.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4f3c8d6eddc272b386464524235440a418ed2029 , < 959ef329071136e4335b54822fe2f607659b4569
(git)
Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < e189d443767f7cd390c52f2e122e1fc41c7562d6 (git) Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f (git) Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 95e09b07e50290254b28b8395509473104518f8c (git) Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < d13318dec0c1e0e2ac16f8ecbd522db14cea4bb1 (git) Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 977b632db51d231dec0bc571089a5c2402674139 (git) Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < d40198de50232e04c14c6e2092e896766c95ea48 (git) Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 8a768552f7a8276fb9e01d49773d2094ace7c8f1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/usbtmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "959ef329071136e4335b54822fe2f607659b4569",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "e189d443767f7cd390c52f2e122e1fc41c7562d6",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "95e09b07e50290254b28b8395509473104518f8c",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "d13318dec0c1e0e2ac16f8ecbd522db14cea4bb1",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "977b632db51d231dec0bc571089a5c2402674139",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "d40198de50232e04c14c6e2092e896766c95ea48",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "8a768552f7a8276fb9e01d49773d2094ace7c8f1",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/usbtmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Flush anchored URBs in usbtmc_release\n\nWhen calling usbtmc_release, pending anchored URBs must be flushed or\nkilled to prevent use-after-free errors (e.g. in the HCD giveback\npath). Call usbtmc_draw_down() to allow anchored URBs to be completed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:15:14.753Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/959ef329071136e4335b54822fe2f607659b4569"
},
{
"url": "https://git.kernel.org/stable/c/e189d443767f7cd390c52f2e122e1fc41c7562d6"
},
{
"url": "https://git.kernel.org/stable/c/7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f"
},
{
"url": "https://git.kernel.org/stable/c/95e09b07e50290254b28b8395509473104518f8c"
},
{
"url": "https://git.kernel.org/stable/c/d13318dec0c1e0e2ac16f8ecbd522db14cea4bb1"
},
{
"url": "https://git.kernel.org/stable/c/977b632db51d231dec0bc571089a5c2402674139"
},
{
"url": "https://git.kernel.org/stable/c/d40198de50232e04c14c6e2092e896766c95ea48"
},
{
"url": "https://git.kernel.org/stable/c/8a768552f7a8276fb9e01d49773d2094ace7c8f1"
}
],
"title": "usb: usbtmc: Flush anchored URBs in usbtmc_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31758",
"datePublished": "2026-05-01T14:14:48.390Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-11T22:15:14.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43411 (GCVE-0-2026-43411)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:24
VLAI?
EPSS
Title
tipc: fix divide-by-zero in tipc_sk_filter_connect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix divide-by-zero in tipc_sk_filter_connect()
A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:
delay %= (tsk->conn_timeout / 4);
If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.
Fix this by clamping conn_timeout to a minimum of 4 at the point of use
in tipc_sk_filter_connect().
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
Call Trace:
tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
__release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
release_sock (net/core/sock.c:3797)
tipc_connect (net/tipc/socket.c:2570)
__sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6787927475e52f6933e3affce365dabb2aa2fadf , < 600feb0a66a98c6b7f6f02b5f3612e75f9b8540f
(git)
Affected: 6787927475e52f6933e3affce365dabb2aa2fadf , < 3bc9998041076ee05d3f312a22cee6b2ca35527f (git) Affected: 6787927475e52f6933e3affce365dabb2aa2fadf , < 579956f9f297eb1b6a5d24de313f3acccee1f9d5 (git) Affected: 6787927475e52f6933e3affce365dabb2aa2fadf , < a360d3815aae1f00dd71b7714a846482e85cc1f7 (git) Affected: 6787927475e52f6933e3affce365dabb2aa2fadf , < c2ebfbe63deb7bfd4dc2532bae62a7ed67713272 (git) Affected: 6787927475e52f6933e3affce365dabb2aa2fadf , < 2754e7b3d64748643df867d1ea6fec522914b635 (git) Affected: 6787927475e52f6933e3affce365dabb2aa2fadf , < 338c5edeb6ae3f12a4b84dff9d71f6f7f8c202c3 (git) Affected: 6787927475e52f6933e3affce365dabb2aa2fadf , < 6c5a9baa15de240e747263aba435a0951da8d8d2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "600feb0a66a98c6b7f6f02b5f3612e75f9b8540f",
"status": "affected",
"version": "6787927475e52f6933e3affce365dabb2aa2fadf",
"versionType": "git"
},
{
"lessThan": "3bc9998041076ee05d3f312a22cee6b2ca35527f",
"status": "affected",
"version": "6787927475e52f6933e3affce365dabb2aa2fadf",
"versionType": "git"
},
{
"lessThan": "579956f9f297eb1b6a5d24de313f3acccee1f9d5",
"status": "affected",
"version": "6787927475e52f6933e3affce365dabb2aa2fadf",
"versionType": "git"
},
{
"lessThan": "a360d3815aae1f00dd71b7714a846482e85cc1f7",
"status": "affected",
"version": "6787927475e52f6933e3affce365dabb2aa2fadf",
"versionType": "git"
},
{
"lessThan": "c2ebfbe63deb7bfd4dc2532bae62a7ed67713272",
"status": "affected",
"version": "6787927475e52f6933e3affce365dabb2aa2fadf",
"versionType": "git"
},
{
"lessThan": "2754e7b3d64748643df867d1ea6fec522914b635",
"status": "affected",
"version": "6787927475e52f6933e3affce365dabb2aa2fadf",
"versionType": "git"
},
{
"lessThan": "338c5edeb6ae3f12a4b84dff9d71f6f7f8c202c3",
"status": "affected",
"version": "6787927475e52f6933e3affce365dabb2aa2fadf",
"versionType": "git"
},
{
"lessThan": "6c5a9baa15de240e747263aba435a0951da8d8d2",
"status": "affected",
"version": "6787927475e52f6933e3affce365dabb2aa2fadf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix divide-by-zero in tipc_sk_filter_connect()\n\nA user can set conn_timeout to any value via\nsetsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a\nSYN is rejected with TIPC_ERR_OVERLOAD and the retry path in\ntipc_sk_filter_connect() executes:\n\n delay %= (tsk-\u003econn_timeout / 4);\n\nIf conn_timeout is in the range [0, 3], the integer division yields 0,\nand the modulo operation triggers a divide-by-zero exception, causing a\nkernel oops/panic.\n\nFix this by clamping conn_timeout to a minimum of 4 at the point of use\nin tipc_sk_filter_connect().\n\nOops: divide error: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+\nRIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)\nCall Trace:\n tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)\n __release_sock (include/net/sock.h:1185 net/core/sock.c:3213)\n release_sock (net/core/sock.c:3797)\n tipc_connect (net/tipc/socket.c:2570)\n __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:04.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/600feb0a66a98c6b7f6f02b5f3612e75f9b8540f"
},
{
"url": "https://git.kernel.org/stable/c/3bc9998041076ee05d3f312a22cee6b2ca35527f"
},
{
"url": "https://git.kernel.org/stable/c/579956f9f297eb1b6a5d24de313f3acccee1f9d5"
},
{
"url": "https://git.kernel.org/stable/c/a360d3815aae1f00dd71b7714a846482e85cc1f7"
},
{
"url": "https://git.kernel.org/stable/c/c2ebfbe63deb7bfd4dc2532bae62a7ed67713272"
},
{
"url": "https://git.kernel.org/stable/c/2754e7b3d64748643df867d1ea6fec522914b635"
},
{
"url": "https://git.kernel.org/stable/c/338c5edeb6ae3f12a4b84dff9d71f6f7f8c202c3"
},
{
"url": "https://git.kernel.org/stable/c/6c5a9baa15de240e747263aba435a0951da8d8d2"
}
],
"title": "tipc: fix divide-by-zero in tipc_sk_filter_connect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43411",
"datePublished": "2026-05-08T14:21:49.543Z",
"dateReserved": "2026-05-01T14:12:56.008Z",
"dateUpdated": "2026-05-11T22:24:04.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46043 (GCVE-0-2026-46043)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-06-14 17:50
VLAI?
EPSS
Title
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
rxe_rcv() currently checks only that the incoming packet is at least
header_size(pkt) bytes long before payload_size() is used.
However, payload_size() subtracts both the attacker-controlled BTH pad
field and RXE_ICRC_SIZE from pkt->paylen:
payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
- RXE_ICRC_SIZE
This means a short packet can still make payload_size() underflow even
if it includes enough bytes for the fixed headers. Simply requiring
header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
packet with a forged non-zero BTH pad can still leave payload_size()
negative and pass an underflowed value to later receive-path users.
Fix this by validating pkt->paylen against the full minimum length
required by payload_size(): header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE.
Severity ?
9.1 (Critical)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < c4376c672c3648d5bdc31dfffc329d07164f93c4
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 5fedefec757192dcaad29a664ac332c7601be144 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 2c0d71ef12f46c57d37bc571f3f2797db7eb50cc (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 2fd4f8b749309a61c3f3f88ee8891d94f79e1240 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f83519a4c122c9c7a850a2197648a9ff4c67c520 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 9b924f3a26b21330a837cfe72e819b6393bbeeaa (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < e8ee0e792d475b1067c199ef0af1b6221fa6f43d (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 7244491dab347f648e661da96dc0febadd9daec3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_recv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4376c672c3648d5bdc31dfffc329d07164f93c4",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "5fedefec757192dcaad29a664ac332c7601be144",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "2c0d71ef12f46c57d37bc571f3f2797db7eb50cc",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "2fd4f8b749309a61c3f3f88ee8891d94f79e1240",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "f83519a4c122c9c7a850a2197648a9ff4c67c520",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "9b924f3a26b21330a837cfe72e819b6393bbeeaa",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "e8ee0e792d475b1067c199ef0af1b6221fa6f43d",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "7244491dab347f648e661da96dc0febadd9daec3",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_recv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\n\nrxe_rcv() currently checks only that the incoming packet is at least\nheader_size(pkt) bytes long before payload_size() is used.\n\nHowever, payload_size() subtracts both the attacker-controlled BTH pad\nfield and RXE_ICRC_SIZE from pkt-\u003epaylen:\n\n payload_size = pkt-\u003epaylen - offset[RXE_PAYLOAD] - bth_pad(pkt)\n - RXE_ICRC_SIZE\n\nThis means a short packet can still make payload_size() underflow even\nif it includes enough bytes for the fixed headers. Simply requiring\nheader_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a\npacket with a forged non-zero BTH pad can still leave payload_size()\nnegative and pass an underflowed value to later receive-path users.\n\nFix this by validating pkt-\u003epaylen against the full minimum length\nrequired by payload_size(): header_size(pkt) + bth_pad(pkt) +\nRXE_ICRC_SIZE."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:50:11.647Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4376c672c3648d5bdc31dfffc329d07164f93c4"
},
{
"url": "https://git.kernel.org/stable/c/5fedefec757192dcaad29a664ac332c7601be144"
},
{
"url": "https://git.kernel.org/stable/c/2c0d71ef12f46c57d37bc571f3f2797db7eb50cc"
},
{
"url": "https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240"
},
{
"url": "https://git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520"
},
{
"url": "https://git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa"
},
{
"url": "https://git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d"
},
{
"url": "https://git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3"
}
],
"title": "RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46043",
"datePublished": "2026-05-27T12:56:57.987Z",
"dateReserved": "2026-05-13T15:03:33.094Z",
"dateUpdated": "2026-06-14T17:50:11.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43366 (GCVE-0-2026-43366)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
io_uring/kbuf: check if target buffer list is still legacy on recycle
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/kbuf: check if target buffer list is still legacy on recycle
There's a gap between when the buffer was grabbed and when it
potentially gets recycled, where if the list is empty, someone could've
upgraded it to a ring provided type. This can happen if the request
is forced via io-wq. The legacy recycling is missing checking if the
buffer_list still exists, and if it's of the correct type. Add those
checks.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < a7b33671e418fca507feebd1d56e7f4952a4b25c
(git)
Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < 439a6728ec4641ffad1ca796622c19bc525e570f (git) Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa (git) Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < 50ad880db3013c6fee0ef13781762a39e2e7ef83 (git) Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < 97b57f69fee1b61b41acbf37e7720cac9d389fa4 (git) Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < c2c185be5c85d37215397c8e8781abf0a69bec1f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7b33671e418fca507feebd1d56e7f4952a4b25c",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "439a6728ec4641ffad1ca796622c19bc525e570f",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "50ad880db3013c6fee0ef13781762a39e2e7ef83",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "97b57f69fee1b61b41acbf37e7720cac9d389fa4",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "c2c185be5c85d37215397c8e8781abf0a69bec1f",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: check if target buffer list is still legacy on recycle\n\nThere\u0027s a gap between when the buffer was grabbed and when it\npotentially gets recycled, where if the list is empty, someone could\u0027ve\nupgraded it to a ring provided type. This can happen if the request\nis forced via io-wq. The legacy recycling is missing checking if the\nbuffer_list still exists, and if it\u0027s of the correct type. Add those\nchecks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:11.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7b33671e418fca507feebd1d56e7f4952a4b25c"
},
{
"url": "https://git.kernel.org/stable/c/439a6728ec4641ffad1ca796622c19bc525e570f"
},
{
"url": "https://git.kernel.org/stable/c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa"
},
{
"url": "https://git.kernel.org/stable/c/50ad880db3013c6fee0ef13781762a39e2e7ef83"
},
{
"url": "https://git.kernel.org/stable/c/97b57f69fee1b61b41acbf37e7720cac9d389fa4"
},
{
"url": "https://git.kernel.org/stable/c/c2c185be5c85d37215397c8e8781abf0a69bec1f"
}
],
"title": "io_uring/kbuf: check if target buffer list is still legacy on recycle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43366",
"datePublished": "2026-05-08T14:21:19.191Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:11.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31516 (GCVE-0-2026-31516)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:10
VLAI?
EPSS
Title
xfrm: prevent policy_hthresh.work from racing with netns teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: prevent policy_hthresh.work from racing with netns teardown
A XFRM_MSG_NEWSPDINFO request can queue the per-net work item
policy_hthresh.work onto the system workqueue.
The queued callback, xfrm_hash_rebuild(), retrieves the enclosing
struct net via container_of(). If the net namespace is torn down
before that work runs, the associated struct net may already have
been freed, and xfrm_hash_rebuild() may then dereference stale memory.
xfrm_policy_fini() already flushes policy_hash_work during teardown,
but it does not synchronize policy_hthresh.work.
Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the
queued work cannot outlive the net namespace teardown and access a
freed struct net.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
880a6fab8f6ba5b5abe59ea68533202ddea1012c , < 56ea2257b83ee29a543f158159e3d1abc1e3e4fe
(git)
Affected: 880a6fab8f6ba5b5abe59ea68533202ddea1012c , < 8854e9367465d784046362698731c1111e3b39b8 (git) Affected: 880a6fab8f6ba5b5abe59ea68533202ddea1012c , < 4e2e77843fef473ef47e322d52436d8308582a96 (git) Affected: 880a6fab8f6ba5b5abe59ea68533202ddea1012c , < 29fe3a61bcdce398ee3955101c39f89c01a8a77e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56ea2257b83ee29a543f158159e3d1abc1e3e4fe",
"status": "affected",
"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c",
"versionType": "git"
},
{
"lessThan": "8854e9367465d784046362698731c1111e3b39b8",
"status": "affected",
"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c",
"versionType": "git"
},
{
"lessThan": "4e2e77843fef473ef47e322d52436d8308582a96",
"status": "affected",
"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c",
"versionType": "git"
},
{
"lessThan": "29fe3a61bcdce398ee3955101c39f89c01a8a77e",
"status": "affected",
"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: prevent policy_hthresh.work from racing with netns teardown\n\nA XFRM_MSG_NEWSPDINFO request can queue the per-net work item\npolicy_hthresh.work onto the system workqueue.\n\nThe queued callback, xfrm_hash_rebuild(), retrieves the enclosing\nstruct net via container_of(). If the net namespace is torn down\nbefore that work runs, the associated struct net may already have\nbeen freed, and xfrm_hash_rebuild() may then dereference stale memory.\n\nxfrm_policy_fini() already flushes policy_hash_work during teardown,\nbut it does not synchronize policy_hthresh.work.\n\nSynchronize policy_hthresh.work in xfrm_policy_fini() as well, so the\nqueued work cannot outlive the net namespace teardown and access a\nfreed struct net."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:18.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56ea2257b83ee29a543f158159e3d1abc1e3e4fe"
},
{
"url": "https://git.kernel.org/stable/c/8854e9367465d784046362698731c1111e3b39b8"
},
{
"url": "https://git.kernel.org/stable/c/4e2e77843fef473ef47e322d52436d8308582a96"
},
{
"url": "https://git.kernel.org/stable/c/29fe3a61bcdce398ee3955101c39f89c01a8a77e"
}
],
"title": "xfrm: prevent policy_hthresh.work from racing with netns teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31516",
"datePublished": "2026-04-22T13:54:32.851Z",
"dateReserved": "2026-03-09T15:48:24.107Z",
"dateUpdated": "2026-05-11T22:10:18.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23438 (GCVE-0-2026-23438)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:06
VLAI?
EPSS
Title
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
mvpp2_bm_switch_buffers() unconditionally calls
mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
shared buffer pool modes. This function programs CM3 flow control
registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
priv->cm3_base without any NULL check.
When the CM3 SRAM resource is not present in the device tree (the
third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
NULL and priv->global_tx_fc is false. Any operation that triggers
mvpp2_bm_switch_buffers(), for example an MTU change that crosses
the jumbo frame threshold, will crash:
Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
pc : readl+0x0/0x18
lr : mvpp2_cm3_read.isra.0+0x14/0x20
Call trace:
readl+0x0/0x18
mvpp2_bm_pool_update_fc+0x40/0x12c
mvpp2_bm_pool_update_priv_fc+0x94/0xd8
mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
mvpp2_change_mtu+0x140/0x380
__dev_set_mtu+0x1c/0x38
dev_set_mtu_ext+0x78/0x118
dev_set_mtu+0x48/0xa8
dev_ifsioc+0x21c/0x43c
dev_ioctl+0x2d8/0x42c
sock_ioctl+0x314/0x378
Every other flow control call site in the driver already guards
hardware access with either priv->global_tx_fc or port->tx_fc.
mvpp2_bm_switch_buffers() is the only place that omits this check.
Add the missing priv->global_tx_fc guard to both the disable and
re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
rest of the driver.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3a616b92a9d17448d96a33bf58e69f01457fd43a , < 0cfcd31f98fc608dc9406bff3fee3a9dd364d014
(git)
Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < da089f74a993f846685067b14158cb41b879ff29 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < ff0c54f088f7ab91dbbf47cf8244460f99122750 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 8baced53a35fc9710f80d6ca016a2c418dc3231f (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 8a63baadf08453f66eb582fdb6dd234f72024723 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cfcd31f98fc608dc9406bff3fee3a9dd364d014",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "da089f74a993f846685067b14158cb41b879ff29",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "ff0c54f088f7ab91dbbf47cf8244460f99122750",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "8baced53a35fc9710f80d6ca016a2c418dc3231f",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "8a63baadf08453f66eb582fdb6dd234f72024723",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv-\u003ecm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv-\u003ecm3_base remains\nNULL and priv-\u003eglobal_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n Unable to handle kernel NULL pointer dereference at\n virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n pc : readl+0x0/0x18\n lr : mvpp2_cm3_read.isra.0+0x14/0x20\n Call trace:\n readl+0x0/0x18\n mvpp2_bm_pool_update_fc+0x40/0x12c\n mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n mvpp2_change_mtu+0x140/0x380\n __dev_set_mtu+0x1c/0x38\n dev_set_mtu_ext+0x78/0x118\n dev_set_mtu+0x48/0xa8\n dev_ifsioc+0x21c/0x43c\n dev_ioctl+0x2d8/0x42c\n sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv-\u003eglobal_tx_fc or port-\u003etx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv-\u003eglobal_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:54.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cfcd31f98fc608dc9406bff3fee3a9dd364d014"
},
{
"url": "https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29"
},
{
"url": "https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750"
},
{
"url": "https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f"
},
{
"url": "https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9"
},
{
"url": "https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f"
},
{
"url": "https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723"
}
],
"title": "net: mvpp2: guard flow control update with global_tx_fc in buffer switching",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23438",
"datePublished": "2026-04-03T15:15:22.701Z",
"dateReserved": "2026-01-13T15:37:46.017Z",
"dateUpdated": "2026-05-11T22:06:54.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43065 (GCVE-0-2026-43065)
Vulnerability from cvelistv5 – Published: 2026-05-05 15:23 – Updated: 2026-05-11 22:17
VLAI?
EPSS
Title
ext4: always drain queued discard work in ext4_mb_release()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: always drain queued discard work in ext4_mb_release()
While reviewing recent ext4 patch[1], Sashiko raised the following
concern[2]:
> If the filesystem is initially mounted with the discard option,
> deleting files will populate sbi->s_discard_list and queue
> s_discard_work. If it is then remounted with nodiscard, the
> EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is
> neither cancelled nor flushed.
[1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/
[2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.dev
The concern was valid, but it had nothing to do with the patch[1].
One of the problems with Sashiko in its current (early) form is that
it will detect pre-existing issues and report it as a problem with the
patch that it is reviewing.
In practice, it would be hard to hit deliberately (unless you are a
malicious syzkaller fuzzer), since it would involve mounting the file
system with -o discard, and then deleting a large number of files,
remounting the file system with -o nodiscard, and then immediately
unmounting the file system before the queued discard work has a change
to drain on its own.
Fix it because it's a real bug, and to avoid Sashiko from raising this
concern when analyzing future patches to mballoc.c.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
55cdd0af2bc5ffc92a2deb745627755aecd5db33 , < e96c2354b170aaa53300c8e8fd59e41b133160f7
(git)
Affected: 55cdd0af2bc5ffc92a2deb745627755aecd5db33 , < c360e9d0def4f4ae03254a67c683103908555b75 (git) Affected: 55cdd0af2bc5ffc92a2deb745627755aecd5db33 , < 1c82f863f090ab899085bdfade073313384b514b (git) Affected: 55cdd0af2bc5ffc92a2deb745627755aecd5db33 , < 9b4d9dda6a71ad3425c8109d27c4c6bfb9da97b8 (git) Affected: 55cdd0af2bc5ffc92a2deb745627755aecd5db33 , < 812b6a7cd3e7f3a3e8a24db85bc6313c26cb1098 (git) Affected: 55cdd0af2bc5ffc92a2deb745627755aecd5db33 , < b4737e26d4688b8aea88ad6ea4dbfeb6e78b0327 (git) Affected: 55cdd0af2bc5ffc92a2deb745627755aecd5db33 , < 9ee29d20aab228adfb02ca93f87fb53c56c2f3af (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e96c2354b170aaa53300c8e8fd59e41b133160f7",
"status": "affected",
"version": "55cdd0af2bc5ffc92a2deb745627755aecd5db33",
"versionType": "git"
},
{
"lessThan": "c360e9d0def4f4ae03254a67c683103908555b75",
"status": "affected",
"version": "55cdd0af2bc5ffc92a2deb745627755aecd5db33",
"versionType": "git"
},
{
"lessThan": "1c82f863f090ab899085bdfade073313384b514b",
"status": "affected",
"version": "55cdd0af2bc5ffc92a2deb745627755aecd5db33",
"versionType": "git"
},
{
"lessThan": "9b4d9dda6a71ad3425c8109d27c4c6bfb9da97b8",
"status": "affected",
"version": "55cdd0af2bc5ffc92a2deb745627755aecd5db33",
"versionType": "git"
},
{
"lessThan": "812b6a7cd3e7f3a3e8a24db85bc6313c26cb1098",
"status": "affected",
"version": "55cdd0af2bc5ffc92a2deb745627755aecd5db33",
"versionType": "git"
},
{
"lessThan": "b4737e26d4688b8aea88ad6ea4dbfeb6e78b0327",
"status": "affected",
"version": "55cdd0af2bc5ffc92a2deb745627755aecd5db33",
"versionType": "git"
},
{
"lessThan": "9ee29d20aab228adfb02ca93f87fb53c56c2f3af",
"status": "affected",
"version": "55cdd0af2bc5ffc92a2deb745627755aecd5db33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: always drain queued discard work in ext4_mb_release()\n\nWhile reviewing recent ext4 patch[1], Sashiko raised the following\nconcern[2]:\n\n\u003e If the filesystem is initially mounted with the discard option,\n\u003e deleting files will populate sbi-\u003es_discard_list and queue\n\u003e s_discard_work. If it is then remounted with nodiscard, the\n\u003e EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is\n\u003e neither cancelled nor flushed.\n\n[1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/\n[2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.dev\n\nThe concern was valid, but it had nothing to do with the patch[1].\nOne of the problems with Sashiko in its current (early) form is that\nit will detect pre-existing issues and report it as a problem with the\npatch that it is reviewing.\n\nIn practice, it would be hard to hit deliberately (unless you are a\nmalicious syzkaller fuzzer), since it would involve mounting the file\nsystem with -o discard, and then deleting a large number of files,\nremounting the file system with -o nodiscard, and then immediately\nunmounting the file system before the queued discard work has a change\nto drain on its own.\n\nFix it because it\u0027s a real bug, and to avoid Sashiko from raising this\nconcern when analyzing future patches to mballoc.c."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:17:02.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e96c2354b170aaa53300c8e8fd59e41b133160f7"
},
{
"url": "https://git.kernel.org/stable/c/c360e9d0def4f4ae03254a67c683103908555b75"
},
{
"url": "https://git.kernel.org/stable/c/1c82f863f090ab899085bdfade073313384b514b"
},
{
"url": "https://git.kernel.org/stable/c/9b4d9dda6a71ad3425c8109d27c4c6bfb9da97b8"
},
{
"url": "https://git.kernel.org/stable/c/812b6a7cd3e7f3a3e8a24db85bc6313c26cb1098"
},
{
"url": "https://git.kernel.org/stable/c/b4737e26d4688b8aea88ad6ea4dbfeb6e78b0327"
},
{
"url": "https://git.kernel.org/stable/c/9ee29d20aab228adfb02ca93f87fb53c56c2f3af"
}
],
"title": "ext4: always drain queued discard work in ext4_mb_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43065",
"datePublished": "2026-05-05T15:23:25.326Z",
"dateReserved": "2026-05-01T14:12:55.981Z",
"dateUpdated": "2026-05-11T22:17:02.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43023 (GCVE-0-2026-43023)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
Bluetooth: SCO: fix race conditions in sco_sock_connect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: fix race conditions in sco_sock_connect()
sco_sock_connect() checks sk_state and sk_type without holding
the socket lock. Two concurrent connect() syscalls on the same
socket can both pass the check and enter sco_connect(), leading
to use-after-free.
The buggy scenario involves three participants and was confirmed
with additional logging instrumentation:
Thread A (connect): HCI disconnect: Thread B (connect):
sco_sock_connect(sk) sco_sock_connect(sk)
sk_state==BT_OPEN sk_state==BT_OPEN
(pass, no lock) (pass, no lock)
sco_connect(sk): sco_connect(sk):
hci_dev_lock hci_dev_lock
hci_connect_sco <- blocked
-> hcon1
sco_conn_add->conn1
lock_sock(sk)
sco_chan_add:
conn1->sk = sk
sk->conn = conn1
sk_state=BT_CONNECT
release_sock
hci_dev_unlock
hci_dev_lock
sco_conn_del:
lock_sock(sk)
sco_chan_del:
sk->conn=NULL
conn1->sk=NULL
sk_state=
BT_CLOSED
SOCK_ZAPPED
release_sock
hci_dev_unlock
(unblocked)
hci_connect_sco
-> hcon2
sco_conn_add
-> conn2
lock_sock(sk)
sco_chan_add:
sk->conn=conn2
sk_state=
BT_CONNECT
// zombie sk!
release_sock
hci_dev_unlock
Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to
BT_CONNECT. Subsequent cleanup triggers double sock_put() and
use-after-free. Meanwhile conn1 is leaked as it was orphaned
when sco_conn_del() cleared the association.
Fix this by:
- Moving lock_sock() before the sk_state/sk_type checks in
sco_sock_connect() to serialize concurrent connect attempts
- Fixing the sk_type != SOCK_SEQPACKET check to actually
return the error instead of just assigning it
- Adding a state re-check in sco_connect() after lock_sock()
to catch state changes during the window between the locks
- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent
double-attach of a socket to multiple connections
- Adding hci_conn_drop() on sco_chan_add failure to prevent
HCI connection leaks
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
70a13b1e25fef37c87c8a1228ddb8900efbca7cf , < dabf22269242e2f2bf44c43fcdc2fa763df7f9cc
(git)
Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0 (git) Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < 7e296ffdab5bdab718dff7c14288fdcb9154fa27 (git) Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < 98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d (git) Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < d002bd11024bd231bcb606877e33951ffb7bed14 (git) Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < 8a5b0135d4a5d9683203a3d9a12a711ccec5936b (git) Affected: 6.1.109 , < 6.1.168 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dabf22269242e2f2bf44c43fcdc2fa763df7f9cc",
"status": "affected",
"version": "70a13b1e25fef37c87c8a1228ddb8900efbca7cf",
"versionType": "git"
},
{
"lessThan": "adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "7e296ffdab5bdab718dff7c14288fdcb9154fa27",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "d002bd11024bd231bcb606877e33951ffb7bed14",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "8a5b0135d4a5d9683203a3d9a12a711ccec5936b",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "6.1.168",
"status": "affected",
"version": "6.1.109",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n Thread A (connect): HCI disconnect: Thread B (connect):\n\n sco_sock_connect(sk) sco_sock_connect(sk)\n sk_state==BT_OPEN sk_state==BT_OPEN\n (pass, no lock) (pass, no lock)\n sco_connect(sk): sco_connect(sk):\n hci_dev_lock hci_dev_lock\n hci_connect_sco \u003c- blocked\n -\u003e hcon1\n sco_conn_add-\u003econn1\n lock_sock(sk)\n sco_chan_add:\n conn1-\u003esk = sk\n sk-\u003econn = conn1\n sk_state=BT_CONNECT\n release_sock\n hci_dev_unlock\n hci_dev_lock\n sco_conn_del:\n lock_sock(sk)\n sco_chan_del:\n sk-\u003econn=NULL\n conn1-\u003esk=NULL\n sk_state=\n BT_CLOSED\n SOCK_ZAPPED\n release_sock\n hci_dev_unlock\n (unblocked)\n hci_connect_sco\n -\u003e hcon2\n sco_conn_add\n -\u003e conn2\n lock_sock(sk)\n sco_chan_add:\n sk-\u003econn=conn2\n sk_state=\n BT_CONNECT\n // zombie sk!\n release_sock\n hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n to catch state changes during the window between the locks\n- Adding sco_pi(sk)-\u003econn check in sco_chan_add() to prevent\n double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n HCI connection leaks"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:01.644Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"
},
{
"url": "https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0"
},
{
"url": "https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27"
},
{
"url": "https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d"
},
{
"url": "https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14"
},
{
"url": "https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b"
}
],
"title": "Bluetooth: SCO: fix race conditions in sco_sock_connect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43023",
"datePublished": "2026-05-01T14:15:25.736Z",
"dateReserved": "2026-05-01T14:12:55.975Z",
"dateUpdated": "2026-05-23T16:06:01.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46123 (GCVE-0-2026-46123)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-14 17:56
VLAI?
EPSS
Title
Bluetooth: virtio_bt: clamp rx length before skb_put
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: virtio_bt: clamp rx length before skb_put
virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().
Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.
The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.
Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().
Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.
Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.
Severity ?
7.7 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cf2719a21fdb9d4c8e9c834d279163609bef575d , < 4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a
(git)
Affected: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be , < fd91fa2678ab603dfb285416c1cf3843d7be1e41 (git) Affected: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be , < ed41c81d30b211a671667259c3b5feeba0e062d5 (git) Affected: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be , < 6c1730099a6fc18b183bd6c1adad3b54adcaeda9 (git) Affected: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be , < b40cdd1b1370d76e9e760af4490cb4a351cceead (git) Affected: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be , < e6b4296f170d949ebba937cf6a3f247ec9550d2c (git) Affected: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be , < 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 (git) Affected: 9b67438e315b925a699f0178f4a48baf3d2d6ef4 (git) Affected: 5.15.78 , < 5.15.209 (semver) Affected: 6.0.8 , < 6.1 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/virtio_bt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a",
"status": "affected",
"version": "cf2719a21fdb9d4c8e9c834d279163609bef575d",
"versionType": "git"
},
{
"lessThan": "fd91fa2678ab603dfb285416c1cf3843d7be1e41",
"status": "affected",
"version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
"versionType": "git"
},
{
"lessThan": "ed41c81d30b211a671667259c3b5feeba0e062d5",
"status": "affected",
"version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
"versionType": "git"
},
{
"lessThan": "6c1730099a6fc18b183bd6c1adad3b54adcaeda9",
"status": "affected",
"version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
"versionType": "git"
},
{
"lessThan": "b40cdd1b1370d76e9e760af4490cb4a351cceead",
"status": "affected",
"version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
"versionType": "git"
},
{
"lessThan": "e6b4296f170d949ebba937cf6a3f247ec9550d2c",
"status": "affected",
"version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
"versionType": "git"
},
{
"lessThan": "21bd244b6de5d2fe1063c23acc93fbdd2b20d112",
"status": "affected",
"version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
"versionType": "git"
},
{
"status": "affected",
"version": "9b67438e315b925a699f0178f4a48baf3d2d6ef4",
"versionType": "git"
},
{
"lessThan": "5.15.209",
"status": "affected",
"version": "5.15.78",
"versionType": "semver"
},
{
"lessThan": "6.1",
"status": "affected",
"version": "6.0.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/virtio_bt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.15.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: virtio_bt: clamp rx length before skb_put\n\nvirtbt_rx_work() calls skb_put(skb, len) where len comes directly\nfrom virtqueue_get_buf() with no validation against the buffer we\nposted to the device. The RX skb is allocated in virtbt_add_inbuf()\nand exposed to virtio as exactly 1000 bytes via sg_init_one().\n\nChecking len against skb_tailroom(skb) is not sufficient because\nalloc_skb() can leave more tailroom than the 1000 bytes actually\nhanded to the device. A malicious or buggy backend can therefore\nreport used.len between 1001 and skb_tailroom(skb), causing skb_put()\nto include uninitialized kernel heap bytes that were never written by\nthe device.\n\nThe same path also accepts len == 0, in which case skb_put(skb, 0)\nleaves the skb empty but virtbt_rx_handle() still reads the pkt_type\nbyte from skb-\u003edata, consuming uninitialized memory.\n\nDefine VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and\nsg_init_one(), and gate virtbt_rx_work() on that same constant so\nthe bound checked matches the buffer actually exposed to the device.\nReject used.len == 0 in the same gate so an empty completion can\nno longer reach virtbt_rx_handle().\n\nUse bt_dev_err_ratelimited() because the length value comes from an\nuntrusted backend that can otherwise flood the kernel log.\n\nSame class of bug as commit c04db81cd028 (\"net/9p: Fix buffer\noverflow in USB transport layer\"), which hardened the USB 9p\ntransport against unchecked device-reported length."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:56:08.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a"
},
{
"url": "https://git.kernel.org/stable/c/fd91fa2678ab603dfb285416c1cf3843d7be1e41"
},
{
"url": "https://git.kernel.org/stable/c/ed41c81d30b211a671667259c3b5feeba0e062d5"
},
{
"url": "https://git.kernel.org/stable/c/6c1730099a6fc18b183bd6c1adad3b54adcaeda9"
},
{
"url": "https://git.kernel.org/stable/c/b40cdd1b1370d76e9e760af4490cb4a351cceead"
},
{
"url": "https://git.kernel.org/stable/c/e6b4296f170d949ebba937cf6a3f247ec9550d2c"
},
{
"url": "https://git.kernel.org/stable/c/21bd244b6de5d2fe1063c23acc93fbdd2b20d112"
}
],
"title": "Bluetooth: virtio_bt: clamp rx length before skb_put",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46123",
"datePublished": "2026-05-28T09:35:38.003Z",
"dateReserved": "2026-05-13T15:03:33.098Z",
"dateUpdated": "2026-06-14T17:56:08.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43470 (GCVE-0-2026-43470)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
VLAI?
EPSS
Title
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
If we found an alias through nfs3_do_create/nfs_add_or_obtain
/d_splice_alias which happens to be a dir dentry, we don't return
any error, and simply forget about this alias, but the original
dentry we were adding and passed as parameter remains negative.
This later causes an oops on nfs_atomic_open_v23/finish_open since we
supply a negative dentry to do_dentry_open.
This has been observed running lustre-racer, where dirs and files are
created/removed concurrently with the same name and O_EXCL is not
used to open files (frequent file redirection).
While d_splice_alias typically returns a directory alias or NULL, we
explicitly check d_is_dir() to ensure that we don't attempt to perform
file operations (like finish_open) on a directory inode, which triggers
the observed oops.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7c6c5249f061b64fc6b5b90bc147169a048691bf , < 7e2963773760a664684435201960dd2fb712f1b5
(git)
Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 203c792cb4315360d49973ae2e57feeb6d3dcf7e (git) Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 9ee1770fcb2f1b48354622b926e7dc10222805f5 (git) Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 410666a298c34ebd57256fde6b24c96bd23059a2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs3proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e2963773760a664684435201960dd2fb712f1b5",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "203c792cb4315360d49973ae2e57feeb6d3dcf7e",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "9ee1770fcb2f1b48354622b926e7dc10222805f5",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "410666a298c34ebd57256fde6b24c96bd23059a2",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs3proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: return EISDIR on nfs3_proc_create if d_alias is a dir\n\nIf we found an alias through nfs3_do_create/nfs_add_or_obtain\n/d_splice_alias which happens to be a dir dentry, we don\u0027t return\nany error, and simply forget about this alias, but the original\ndentry we were adding and passed as parameter remains negative.\n\nThis later causes an oops on nfs_atomic_open_v23/finish_open since we\nsupply a negative dentry to do_dentry_open.\n\nThis has been observed running lustre-racer, where dirs and files are\ncreated/removed concurrently with the same name and O_EXCL is not\nused to open files (frequent file redirection).\n\nWhile d_splice_alias typically returns a directory alias or NULL, we\nexplicitly check d_is_dir() to ensure that we don\u0027t attempt to perform\nfile operations (like finish_open) on a directory inode, which triggers\nthe observed oops."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:13.820Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5"
},
{
"url": "https://git.kernel.org/stable/c/203c792cb4315360d49973ae2e57feeb6d3dcf7e"
},
{
"url": "https://git.kernel.org/stable/c/9ee1770fcb2f1b48354622b926e7dc10222805f5"
},
{
"url": "https://git.kernel.org/stable/c/410666a298c34ebd57256fde6b24c96bd23059a2"
}
],
"title": "nfs: return EISDIR on nfs3_proc_create if d_alias is a dir",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43470",
"datePublished": "2026-05-08T14:22:30.218Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:13.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46021 (GCVE-0-2026-46021)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-06-19 11:59
VLAI?
EPSS
Title
thermal: core: Fix thermal zone governor cleanup issues
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: core: Fix thermal zone governor cleanup issues
If thermal_zone_device_register_with_trips() fails after adding
a thermal governor to the thermal zone being registered, the
governor is not removed from it as appropriate which may lead to
a memory leak.
In turn, thermal_zone_device_unregister() calls thermal_set_governor()
without acquiring the thermal zone lock beforehand which may race with
a governor update via sysfs and may lead to a use-after-free in that
case.
Address these issues by adding two thermal_set_governor() calls, one to
thermal_release() to remove the governor from the given thermal zone,
and one to the thermal zone registration error path to cover failures
preceding the thermal zone device registration.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8 , < a172fa18bc370b776ac1510abb0dcb50a7a35fac
(git)
Affected: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8 , < 8e563d8db50f303171aceb79eec0807e7ba06951 (git) Affected: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8 , < d4eb861adde5ce22e459fbd29366f47bb2167977 (git) Affected: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8 , < 37a430a2d4e66ec8238da6c7f7e48809bf265e13 (git) Affected: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8 , < f412e541d25a3dfaf3d53e012ade6ff03cae8a45 (git) Affected: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8 , < 75f8f3c3e09122270986de9d7aa347d701676761 (git) Affected: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8 , < 64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06 (git) Affected: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8 , < 41ff66baf81c6541f4f985dd7eac4494d03d9440 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a172fa18bc370b776ac1510abb0dcb50a7a35fac",
"status": "affected",
"version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
"versionType": "git"
},
{
"lessThan": "8e563d8db50f303171aceb79eec0807e7ba06951",
"status": "affected",
"version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
"versionType": "git"
},
{
"lessThan": "d4eb861adde5ce22e459fbd29366f47bb2167977",
"status": "affected",
"version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
"versionType": "git"
},
{
"lessThan": "37a430a2d4e66ec8238da6c7f7e48809bf265e13",
"status": "affected",
"version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
"versionType": "git"
},
{
"lessThan": "f412e541d25a3dfaf3d53e012ade6ff03cae8a45",
"status": "affected",
"version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
"versionType": "git"
},
{
"lessThan": "75f8f3c3e09122270986de9d7aa347d701676761",
"status": "affected",
"version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
"versionType": "git"
},
{
"lessThan": "64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06",
"status": "affected",
"version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
"versionType": "git"
},
{
"lessThan": "41ff66baf81c6541f4f985dd7eac4494d03d9440",
"status": "affected",
"version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix thermal zone governor cleanup issues\n\nIf thermal_zone_device_register_with_trips() fails after adding\na thermal governor to the thermal zone being registered, the\ngovernor is not removed from it as appropriate which may lead to\na memory leak.\n\nIn turn, thermal_zone_device_unregister() calls thermal_set_governor()\nwithout acquiring the thermal zone lock beforehand which may race with\na governor update via sysfs and may lead to a use-after-free in that\ncase.\n\nAddress these issues by adding two thermal_set_governor() calls, one to\nthermal_release() to remove the governor from the given thermal zone,\nand one to the thermal zone registration error path to cover failures\npreceding the thermal zone device registration."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:02.097Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a172fa18bc370b776ac1510abb0dcb50a7a35fac"
},
{
"url": "https://git.kernel.org/stable/c/8e563d8db50f303171aceb79eec0807e7ba06951"
},
{
"url": "https://git.kernel.org/stable/c/d4eb861adde5ce22e459fbd29366f47bb2167977"
},
{
"url": "https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13"
},
{
"url": "https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45"
},
{
"url": "https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761"
},
{
"url": "https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06"
},
{
"url": "https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440"
}
],
"title": "thermal: core: Fix thermal zone governor cleanup issues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46021",
"datePublished": "2026-05-27T12:56:23.515Z",
"dateReserved": "2026-05-13T15:03:33.092Z",
"dateUpdated": "2026-06-19T11:59:02.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3150 (GCVE-0-2026-3150)
Vulnerability from cvelistv5 – Published: 2026-02-25 04:32 – Updated: 2026-02-25 14:49 X_Freeware
VLAI?
EPSS
Title
itsourcecode College Management System display-teacher.php sql injection
Summary
A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| itsourcecode | College Management System |
Affected:
1.0
|
Credits
Zhangchao404 (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3150",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T14:48:59.060111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:49:09.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "College Management System",
"vendor": "itsourcecode",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Zhangchao404 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T04:32:08.455Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347658 | itsourcecode College Management System display-teacher.php sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347658"
},
{
"name": "VDB-347658 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347658"
},
{
"name": "Submit #758829 | itsourcecode College Management System V1.0 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.758829"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Zhangchao404/cve/issues/2"
},
{
"tags": [
"product"
],
"url": "https://itsourcecode.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-02-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-24T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-24T21:13:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "itsourcecode College Management System display-teacher.php sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3150",
"datePublished": "2026-02-25T04:32:08.455Z",
"dateReserved": "2026-02-24T20:08:09.987Z",
"dateUpdated": "2026-02-25T14:49:09.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46004 (GCVE-0-2026-46004)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-06-14 17:47
VLAI?
EPSS
Title
ALSA: caiaq: Handle probe errors properly
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: Handle probe errors properly
The probe procedure of setup_card() in caiaq driver doesn't treat the
error cases gracefully, e.g. the error from snd_card_register() calls
snd_card_free() but continues. This would lead to a UAF for the
further calls like snd_usb_caiaq_control_init(), as Berk suggested in
another patch in the link below.
However, the problem is not only that; in general, this function drops
the all error handlings (as it's a void function) although its caller
can propagate an error to snd_probe(), which eventually calls
snd_card_free() as a proper error path. That said, we should treat
each error case in setup_card(), and just return the error code
promptly, which is then handled later as a fatal error in snd_probe().
This patch achieves it by changing the setup_card() to return an error
code. Also, the superfluous snd_card_free() call is removed, too.
Note that card->private_free can be set still safely at returning an
error. All called functions in card_free() have checks of the
unassigned resources or NULL checks.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8e3cd08ed8e590952aa9a656758cb24d4ba898f8 , < da938aa9fc7826901921dcea225948ab21a97e45
(git)
Affected: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8 , < 09616e25f502080ba684fc7fcf959d1376ab756d (git) Affected: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8 , < b956e48371f2ff72b76be9a829800ecec963bd45 (git) Affected: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8 , < f537e3ad69609f6924a4db6b4a7f6561f5288bdd (git) Affected: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8 , < 6251e3e256337a30160ef59ab1580dde4d1acd28 (git) Affected: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8 , < e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056 (git) Affected: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8 , < 096dd8519cf2f768e9e14f224b627f7aaee1a9c5 (git) Affected: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8 , < 28abd224db4a49560b452115bca3672a20e45b2f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/caiaq/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da938aa9fc7826901921dcea225948ab21a97e45",
"status": "affected",
"version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
"versionType": "git"
},
{
"lessThan": "09616e25f502080ba684fc7fcf959d1376ab756d",
"status": "affected",
"version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
"versionType": "git"
},
{
"lessThan": "b956e48371f2ff72b76be9a829800ecec963bd45",
"status": "affected",
"version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
"versionType": "git"
},
{
"lessThan": "f537e3ad69609f6924a4db6b4a7f6561f5288bdd",
"status": "affected",
"version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
"versionType": "git"
},
{
"lessThan": "6251e3e256337a30160ef59ab1580dde4d1acd28",
"status": "affected",
"version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
"versionType": "git"
},
{
"lessThan": "e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056",
"status": "affected",
"version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
"versionType": "git"
},
{
"lessThan": "096dd8519cf2f768e9e14f224b627f7aaee1a9c5",
"status": "affected",
"version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
"versionType": "git"
},
{
"lessThan": "28abd224db4a49560b452115bca3672a20e45b2f",
"status": "affected",
"version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/caiaq/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: Handle probe errors properly\n\nThe probe procedure of setup_card() in caiaq driver doesn\u0027t treat the\nerror cases gracefully, e.g. the error from snd_card_register() calls\nsnd_card_free() but continues. This would lead to a UAF for the\nfurther calls like snd_usb_caiaq_control_init(), as Berk suggested in\nanother patch in the link below.\n\nHowever, the problem is not only that; in general, this function drops\nthe all error handlings (as it\u0027s a void function) although its caller\ncan propagate an error to snd_probe(), which eventually calls\nsnd_card_free() as a proper error path. That said, we should treat\neach error case in setup_card(), and just return the error code\npromptly, which is then handled later as a fatal error in snd_probe().\n\nThis patch achieves it by changing the setup_card() to return an error\ncode. Also, the superfluous snd_card_free() call is removed, too.\n\nNote that card-\u003eprivate_free can be set still safely at returning an\nerror. All called functions in card_free() have checks of the\nunassigned resources or NULL checks."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:47:26.278Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da938aa9fc7826901921dcea225948ab21a97e45"
},
{
"url": "https://git.kernel.org/stable/c/09616e25f502080ba684fc7fcf959d1376ab756d"
},
{
"url": "https://git.kernel.org/stable/c/b956e48371f2ff72b76be9a829800ecec963bd45"
},
{
"url": "https://git.kernel.org/stable/c/f537e3ad69609f6924a4db6b4a7f6561f5288bdd"
},
{
"url": "https://git.kernel.org/stable/c/6251e3e256337a30160ef59ab1580dde4d1acd28"
},
{
"url": "https://git.kernel.org/stable/c/e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056"
},
{
"url": "https://git.kernel.org/stable/c/096dd8519cf2f768e9e14f224b627f7aaee1a9c5"
},
{
"url": "https://git.kernel.org/stable/c/28abd224db4a49560b452115bca3672a20e45b2f"
}
],
"title": "ALSA: caiaq: Handle probe errors properly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46004",
"datePublished": "2026-05-27T12:56:01.851Z",
"dateReserved": "2026-05-13T15:03:33.091Z",
"dateUpdated": "2026-06-14T17:47:26.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43052 (GCVE-0-2026-43052)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-06-19 11:58
VLAI?
EPSS
Title
wifi: mac80211: check tdls flag in ieee80211_tdls_oper
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: check tdls flag in ieee80211_tdls_oper
When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
station exists but not whether it is actually a TDLS station. This
allows the operation to proceed for non-TDLS stations, causing
unintended side effects like modifying channel context and HT
protection before failing.
Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
any side effects occur, to ensure the operation is only allowed for
actual TDLS peers.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
941c93cd039852b7ab02c74f4698c99d82bd6cfe , < e602246235fc2ef06c39b2e9cf147d84d0896b73
(git)
Affected: 941c93cd039852b7ab02c74f4698c99d82bd6cfe , < 6813a8b1b240756dad4375f3e020ce10e4e3871b (git) Affected: 941c93cd039852b7ab02c74f4698c99d82bd6cfe , < 44839ea7e96b3659a1606f3d5267063135479b7c (git) Affected: 941c93cd039852b7ab02c74f4698c99d82bd6cfe , < ba5b43db126a5e7378553869e3f7954d9187349f (git) Affected: 941c93cd039852b7ab02c74f4698c99d82bd6cfe , < 8148c2fda4ebb17104a573649c9b699208ad10ee (git) Affected: 941c93cd039852b7ab02c74f4698c99d82bd6cfe , < be81f17151fcb8546a95f35ca8f4231b065985de (git) Affected: 941c93cd039852b7ab02c74f4698c99d82bd6cfe , < e77b2937aaa20264e4bd699d3244bdb50e7e3343 (git) Affected: 941c93cd039852b7ab02c74f4698c99d82bd6cfe , < 7d73872d949c488a1d7c308031d6a9d89b5e0a8b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/tdls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e602246235fc2ef06c39b2e9cf147d84d0896b73",
"status": "affected",
"version": "941c93cd039852b7ab02c74f4698c99d82bd6cfe",
"versionType": "git"
},
{
"lessThan": "6813a8b1b240756dad4375f3e020ce10e4e3871b",
"status": "affected",
"version": "941c93cd039852b7ab02c74f4698c99d82bd6cfe",
"versionType": "git"
},
{
"lessThan": "44839ea7e96b3659a1606f3d5267063135479b7c",
"status": "affected",
"version": "941c93cd039852b7ab02c74f4698c99d82bd6cfe",
"versionType": "git"
},
{
"lessThan": "ba5b43db126a5e7378553869e3f7954d9187349f",
"status": "affected",
"version": "941c93cd039852b7ab02c74f4698c99d82bd6cfe",
"versionType": "git"
},
{
"lessThan": "8148c2fda4ebb17104a573649c9b699208ad10ee",
"status": "affected",
"version": "941c93cd039852b7ab02c74f4698c99d82bd6cfe",
"versionType": "git"
},
{
"lessThan": "be81f17151fcb8546a95f35ca8f4231b065985de",
"status": "affected",
"version": "941c93cd039852b7ab02c74f4698c99d82bd6cfe",
"versionType": "git"
},
{
"lessThan": "e77b2937aaa20264e4bd699d3244bdb50e7e3343",
"status": "affected",
"version": "941c93cd039852b7ab02c74f4698c99d82bd6cfe",
"versionType": "git"
},
{
"lessThan": "7d73872d949c488a1d7c308031d6a9d89b5e0a8b",
"status": "affected",
"version": "941c93cd039852b7ab02c74f4698c99d82bd6cfe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/tdls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check tdls flag in ieee80211_tdls_oper\n\nWhen NL80211_TDLS_ENABLE_LINK is called, the code only checks if the\nstation exists but not whether it is actually a TDLS station. This\nallows the operation to proceed for non-TDLS stations, causing\nunintended side effects like modifying channel context and HT\nprotection before failing.\n\nAdd a check for sta-\u003esta.tdls early in the ENABLE_LINK case, before\nany side effects occur, to ensure the operation is only allowed for\nactual TDLS peers."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:09.466Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e602246235fc2ef06c39b2e9cf147d84d0896b73"
},
{
"url": "https://git.kernel.org/stable/c/6813a8b1b240756dad4375f3e020ce10e4e3871b"
},
{
"url": "https://git.kernel.org/stable/c/44839ea7e96b3659a1606f3d5267063135479b7c"
},
{
"url": "https://git.kernel.org/stable/c/ba5b43db126a5e7378553869e3f7954d9187349f"
},
{
"url": "https://git.kernel.org/stable/c/8148c2fda4ebb17104a573649c9b699208ad10ee"
},
{
"url": "https://git.kernel.org/stable/c/be81f17151fcb8546a95f35ca8f4231b065985de"
},
{
"url": "https://git.kernel.org/stable/c/e77b2937aaa20264e4bd699d3244bdb50e7e3343"
},
{
"url": "https://git.kernel.org/stable/c/7d73872d949c488a1d7c308031d6a9d89b5e0a8b"
}
],
"title": "wifi: mac80211: check tdls flag in ieee80211_tdls_oper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43052",
"datePublished": "2026-05-01T14:15:46.029Z",
"dateReserved": "2026-05-01T14:12:55.980Z",
"dateUpdated": "2026-06-19T11:58:09.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31464 (GCVE-0-2026-31464)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-05-11 22:09
VLAI?
EPSS
Title
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
A malicious or compromised VIO server can return a num_written value in the
discover targets MAD response that exceeds max_targets. This value is
stored directly in vhost->num_targets without validation, and is then used
as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which
is only allocated for max_targets entries. Indices at or beyond max_targets
access kernel memory outside the DMA-coherent allocation. The
out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI
MADs that are sent back to the VIO server, leaking kernel memory.
Fix by clamping num_written to max_targets before storing it.
Severity ?
8.1 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < d842348f8a00d5b1d7358f207eb34ffcf5b16df3
(git)
Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < a007246cb6c9ebdc93dafbf63cc2d43d98f402cc (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < 394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89 (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < 4ed727e35b0ab17d3eeeb1e8023768396e2be161 (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < d1466bf991b2343cf2ba8336e440c8faf3cbb780 (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < 786f10b1966e485046839f992e89f2c18cbd1983 (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < bae4df0a643fa7f84663473aa3082a9c2ed139db (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < 61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d842348f8a00d5b1d7358f207eb34ffcf5b16df3",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "a007246cb6c9ebdc93dafbf63cc2d43d98f402cc",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "4ed727e35b0ab17d3eeeb1e8023768396e2be161",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "d1466bf991b2343cf2ba8336e440c8faf3cbb780",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "786f10b1966e485046839f992e89f2c18cbd1983",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "bae4df0a643fa7f84663473aa3082a9c2ed139db",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()\n\nA malicious or compromised VIO server can return a num_written value in the\ndiscover targets MAD response that exceeds max_targets. This value is\nstored directly in vhost-\u003enum_targets without validation, and is then used\nas the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which\nis only allocated for max_targets entries. Indices at or beyond max_targets\naccess kernel memory outside the DMA-coherent allocation. The\nout-of-bounds data is subsequently embedded in Implicit Logout and PLOGI\nMADs that are sent back to the VIO server, leaking kernel memory.\n\nFix by clamping num_written to max_targets before storing it."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:14.078Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d842348f8a00d5b1d7358f207eb34ffcf5b16df3"
},
{
"url": "https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc"
},
{
"url": "https://git.kernel.org/stable/c/394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89"
},
{
"url": "https://git.kernel.org/stable/c/4ed727e35b0ab17d3eeeb1e8023768396e2be161"
},
{
"url": "https://git.kernel.org/stable/c/d1466bf991b2343cf2ba8336e440c8faf3cbb780"
},
{
"url": "https://git.kernel.org/stable/c/786f10b1966e485046839f992e89f2c18cbd1983"
},
{
"url": "https://git.kernel.org/stable/c/bae4df0a643fa7f84663473aa3082a9c2ed139db"
},
{
"url": "https://git.kernel.org/stable/c/61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f"
}
],
"title": "scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31464",
"datePublished": "2026-04-22T13:53:54.970Z",
"dateReserved": "2026-03-09T15:48:24.097Z",
"dateUpdated": "2026-05-11T22:09:14.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31546 (GCVE-0-2026-31546)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-05-11 22:10
VLAI?
EPSS
Title
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
rlb_clear_slave intentionally keeps RLB hash-table entries on
the rx_hashtbl_used_head list with slave set to NULL when no
replacement slave is available. However, bond_debug_rlb_hash_show
visites client_info->slave without checking if it's NULL.
Other used-list iterators in bond_alb.c already handle this NULL-slave
state safely:
- rlb_update_client returns early on !client_info->slave
- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
compare slave values before visiting
- lb_req_update_subnet_clients continues if slave is NULL
The following NULL deref crash can be trigger in
bond_debug_rlb_hash_show:
[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
[ 1.295897] Call Trace:
[ 1.296134] seq_read_iter (fs/seq_file.c:231)
[ 1.296341] seq_read (fs/seq_file.c:164)
[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
[ 1.296658] vfs_read (fs/read_write.c:572)
[ 1.296981] ksys_read (fs/read_write.c:717)
[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Add a NULL check and print "(none)" for entries with no assigned slave.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 19f0fd87df0e5746b24f5caa465a66a8c6e6e241
(git)
Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < edacf1613f7b26423ebfa8b2892e7453c4235354 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 2ec2c777f357a83c3d503d8d9370c90b60f0ae63 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 0a3f8cd3f370247ded14d38d216b49dd30eade76 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 017d674cf6930e9586a29ee808c7ca09d1396d07 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < ec9762f0df2f9fbe3f40a3bfa8aab8b2f721466c (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 605b52497bf89b3b154674deb135da98f916e390 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19f0fd87df0e5746b24f5caa465a66a8c6e6e241",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "edacf1613f7b26423ebfa8b2892e7453c4235354",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "2ec2c777f357a83c3d503d8d9370c90b60f0ae63",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "0a3f8cd3f370247ded14d38d216b49dd30eade76",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "017d674cf6930e9586a29ee808c7ca09d1396d07",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "ec9762f0df2f9fbe3f40a3bfa8aab8b2f721466c",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "605b52497bf89b3b154674deb135da98f916e390",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL deref in bond_debug_rlb_hash_show\n\nrlb_clear_slave intentionally keeps RLB hash-table entries on\nthe rx_hashtbl_used_head list with slave set to NULL when no\nreplacement slave is available. However, bond_debug_rlb_hash_show\nvisites client_info-\u003eslave without checking if it\u0027s NULL.\n\nOther used-list iterators in bond_alb.c already handle this NULL-slave\nstate safely:\n\n- rlb_update_client returns early on !client_info-\u003eslave\n- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance\ncompare slave values before visiting\n- lb_req_update_subnet_clients continues if slave is NULL\n\nThe following NULL deref crash can be trigger in\nbond_debug_rlb_hash_show:\n\n[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)\n[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286\n[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204\n[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078\n[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000\n[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0\n[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8\n[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000\n[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0\n[ 1.295897] Call Trace:\n[ 1.296134] seq_read_iter (fs/seq_file.c:231)\n[ 1.296341] seq_read (fs/seq_file.c:164)\n[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))\n[ 1.296658] vfs_read (fs/read_write.c:572)\n[ 1.296981] ksys_read (fs/read_write.c:717)\n[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nAdd a NULL check and print \"(none)\" for entries with no assigned slave."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:52.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19f0fd87df0e5746b24f5caa465a66a8c6e6e241"
},
{
"url": "https://git.kernel.org/stable/c/edacf1613f7b26423ebfa8b2892e7453c4235354"
},
{
"url": "https://git.kernel.org/stable/c/2ec2c777f357a83c3d503d8d9370c90b60f0ae63"
},
{
"url": "https://git.kernel.org/stable/c/0a3f8cd3f370247ded14d38d216b49dd30eade76"
},
{
"url": "https://git.kernel.org/stable/c/6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4"
},
{
"url": "https://git.kernel.org/stable/c/017d674cf6930e9586a29ee808c7ca09d1396d07"
},
{
"url": "https://git.kernel.org/stable/c/ec9762f0df2f9fbe3f40a3bfa8aab8b2f721466c"
},
{
"url": "https://git.kernel.org/stable/c/605b52497bf89b3b154674deb135da98f916e390"
}
],
"title": "net: bonding: fix NULL deref in bond_debug_rlb_hash_show",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31546",
"datePublished": "2026-04-24T14:33:14.572Z",
"dateReserved": "2026-03-09T15:48:24.114Z",
"dateUpdated": "2026-05-11T22:10:52.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45886 (GCVE-0-2026-45886)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:16 – Updated: 2026-05-27 12:16
VLAI?
EPSS
Title
bpf: Fix bpf_xdp_store_bytes proto for read-only arg
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix bpf_xdp_store_bytes proto for read-only arg
While making some maps in Cilium read-only from the BPF side, we noticed
that the bpf_xdp_store_bytes proto is incorrect. In particular, the
verifier was throwing the following error:
; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr),
&nat->address, 4, 0);
635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx()
636: (b4) w2 = 26 ; R2=26
637: (b4) w4 = 4 ; R4=4
638: (b4) w5 = 0 ; R5=0
639: (85) call bpf_xdp_store_bytes#190
write into map forbidden, value_size=6 off=0 size=4
nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE.
The verifier checks the helper's memory access to R3 in
check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third
argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the
MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3.
Given R3 points to a read-only map, the check fails.
Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading
from uninitialized memory.
This patch simply fixes the expected argument type to match that of
bpf_skb_store_bytes.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3f364222d032eea6b245780e845ad213dab28cdd , < ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e
(git)
Affected: 3f364222d032eea6b245780e845ad213dab28cdd , < ddc34a1b85505c919026ddc82fafdada9a160b15 (git) Affected: 3f364222d032eea6b245780e845ad213dab28cdd , < 0db169a91381a473b7974021d1c02f8da72c5775 (git) Affected: 3f364222d032eea6b245780e845ad213dab28cdd , < d7b87adeb0eb539b9b824b101bb14fb01e41240b (git) Affected: 3f364222d032eea6b245780e845ad213dab28cdd , < 57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52 (git) Affected: 3f364222d032eea6b245780e845ad213dab28cdd , < 6557f1565d779851c4db9c488c49c05a47a6e72f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e",
"status": "affected",
"version": "3f364222d032eea6b245780e845ad213dab28cdd",
"versionType": "git"
},
{
"lessThan": "ddc34a1b85505c919026ddc82fafdada9a160b15",
"status": "affected",
"version": "3f364222d032eea6b245780e845ad213dab28cdd",
"versionType": "git"
},
{
"lessThan": "0db169a91381a473b7974021d1c02f8da72c5775",
"status": "affected",
"version": "3f364222d032eea6b245780e845ad213dab28cdd",
"versionType": "git"
},
{
"lessThan": "d7b87adeb0eb539b9b824b101bb14fb01e41240b",
"status": "affected",
"version": "3f364222d032eea6b245780e845ad213dab28cdd",
"versionType": "git"
},
{
"lessThan": "57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52",
"status": "affected",
"version": "3f364222d032eea6b245780e845ad213dab28cdd",
"versionType": "git"
},
{
"lessThan": "6557f1565d779851c4db9c488c49c05a47a6e72f",
"status": "affected",
"version": "3f364222d032eea6b245780e845ad213dab28cdd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix bpf_xdp_store_bytes proto for read-only arg\n\nWhile making some maps in Cilium read-only from the BPF side, we noticed\nthat the bpf_xdp_store_bytes proto is incorrect. In particular, the\nverifier was throwing the following error:\n\n ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr),\n \u0026nat-\u003eaddress, 4, 0);\n 635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx()\n 636: (b4) w2 = 26 ; R2=26\n 637: (b4) w4 = 4 ; R4=4\n 638: (b4) w5 = 0 ; R5=0\n 639: (85) call bpf_xdp_store_bytes#190\n write into map forbidden, value_size=6 off=0 size=4\n\nnat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE.\nThe verifier checks the helper\u0027s memory access to R3 in\ncheck_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third\nargument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the\nMEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3.\nGiven R3 points to a read-only map, the check fails.\n\nConversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading\nfrom uninitialized memory.\n\nThis patch simply fixes the expected argument type to match that of\nbpf_skb_store_bytes."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:16:58.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e"
},
{
"url": "https://git.kernel.org/stable/c/ddc34a1b85505c919026ddc82fafdada9a160b15"
},
{
"url": "https://git.kernel.org/stable/c/0db169a91381a473b7974021d1c02f8da72c5775"
},
{
"url": "https://git.kernel.org/stable/c/d7b87adeb0eb539b9b824b101bb14fb01e41240b"
},
{
"url": "https://git.kernel.org/stable/c/57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52"
},
{
"url": "https://git.kernel.org/stable/c/6557f1565d779851c4db9c488c49c05a47a6e72f"
}
],
"title": "bpf: Fix bpf_xdp_store_bytes proto for read-only arg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45886",
"datePublished": "2026-05-27T12:16:58.000Z",
"dateReserved": "2026-05-13T15:03:33.082Z",
"dateUpdated": "2026-05-27T12:16:58.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43483 (GCVE-0-2026-43483)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
VLAI?
EPSS
Title
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Explicitly set/clear CR8 write interception when AVIC is (de)activated to
fix a bug where KVM leaves the interception enabled after AVIC is
activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8
will remain intercepted in perpetuity.
On its own, the dangling CR8 intercept is "just" a performance issue, but
combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM:
Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the danging
intercept is fatal to Windows guests as the TPR seen by hardware gets
wildly out of sync with reality.
Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored
when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in
KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this
is firmly an SVM implementation flaw/detail.
WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should
never enter the guest with AVIC enabled and CR8 writes intercepted.
[Squash fix to avic_deactivate_vmcb. - Paolo]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3bbf3565f48ce3999b5a12cde946f81bd4475312 , < a4123fe5d9122eef9852e4921f7cc463420f30d4
(git)
Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < 816fa1dfae4532e851b1fe6b2434c753ecbd86c7 (git) Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < 01651e7751edbbc0fb4598f8367a3dabcfc8c182 (git) Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < ba3bca40f9f25c053f69413e5f4a41dd0fd762bf (git) Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < 737410b32bd615b321da4fbeda490351b9af5e8b (git) Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < 87d0f901a9bd8ae6be57249c737f20ac0cace93d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c",
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4123fe5d9122eef9852e4921f7cc463420f30d4",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "816fa1dfae4532e851b1fe6b2434c753ecbd86c7",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "01651e7751edbbc0fb4598f8367a3dabcfc8c182",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "ba3bca40f9f25c053f69413e5f4a41dd0fd762bf",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "737410b32bd615b321da4fbeda490351b9af5e8b",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "87d0f901a9bd8ae6be57249c737f20ac0cace93d",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c",
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated\n\nExplicitly set/clear CR8 write interception when AVIC is (de)activated to\nfix a bug where KVM leaves the interception enabled after AVIC is\nactivated. E.g. if KVM emulates INIT=\u003eWFS while AVIC is deactivated, CR8\nwill remain intercepted in perpetuity.\n\nOn its own, the dangling CR8 intercept is \"just\" a performance issue, but\ncombined with the TPR sync bug fixed by commit d02e48830e3f (\"KVM: SVM:\nSync TPR from LAPIC into VMCB::V_TPR even if AVIC is active\"), the danging\nintercept is fatal to Windows guests as the TPR seen by hardware gets\nwildly out of sync with reality.\n\nNote, VMX isn\u0027t affected by the bug as TPR_THRESHOLD is explicitly ignored\nwhen Virtual Interrupt Delivery is enabled, i.e. when APICv is active in\nKVM\u0027s world. I.e. there\u0027s no need to trigger update_cr8_intercept(), this\nis firmly an SVM implementation flaw/detail.\n\nWARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should\nnever enter the guest with AVIC enabled and CR8 writes intercepted.\n\n[Squash fix to avic_deactivate_vmcb. - Paolo]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:30.319Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4123fe5d9122eef9852e4921f7cc463420f30d4"
},
{
"url": "https://git.kernel.org/stable/c/816fa1dfae4532e851b1fe6b2434c753ecbd86c7"
},
{
"url": "https://git.kernel.org/stable/c/01651e7751edbbc0fb4598f8367a3dabcfc8c182"
},
{
"url": "https://git.kernel.org/stable/c/ba3bca40f9f25c053f69413e5f4a41dd0fd762bf"
},
{
"url": "https://git.kernel.org/stable/c/737410b32bd615b321da4fbeda490351b9af5e8b"
},
{
"url": "https://git.kernel.org/stable/c/87d0f901a9bd8ae6be57249c737f20ac0cace93d"
}
],
"title": "KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43483",
"datePublished": "2026-05-13T15:08:30.319Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:30.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45983 (GCVE-0-2026-45983)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:18 – Updated: 2026-05-27 12:18
VLAI?
EPSS
Title
nfsd: never defer requests during idmap lookup
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: never defer requests during idmap lookup
During v4 request compound arg decoding, some ops (e.g. SETATTR)
can trigger idmap lookup upcalls. When those upcall responses get
delayed beyond the allowed time limit, cache_check() will mark the
request for deferral and cause it to be dropped.
This prevents nfs4svc_encode_compoundres from being executed, and
thus the session slot flag NFSD4_SLOT_INUSE never gets cleared.
Subsequent client requests will fail with NFSERR_JUKEBOX, given
that the slot will be marked as in-use, making the SEQUENCE op
fail.
Fix this by making sure that the RQ_USEDEFERRAL flag is always
clear during nfs4svc_decode_compoundargs(), since no v4 request
should ever be deferred.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2f425878b6a71571341dcd3f9e9d1a6f6355da9c , < b9abb760db20504240a7147f27934d900cd80b23
(git)
Affected: 2f425878b6a71571341dcd3f9e9d1a6f6355da9c , < 3a72c7dedc99b321e0f267e4e999e5baf07c4593 (git) Affected: 2f425878b6a71571341dcd3f9e9d1a6f6355da9c , < 99e17b20fddac19a228d213e00f6b9e1c10daff9 (git) Affected: 2f425878b6a71571341dcd3f9e9d1a6f6355da9c , < 243f71ed873ff3feeb6f9b5cb145d63f7188b4c4 (git) Affected: 2f425878b6a71571341dcd3f9e9d1a6f6355da9c , < 063a6f22478ef929625000a2caf54667725c1dfd (git) Affected: 2f425878b6a71571341dcd3f9e9d1a6f6355da9c , < d75ec4504a4340b033b15cad0303988b3089dd93 (git) Affected: 2f425878b6a71571341dcd3f9e9d1a6f6355da9c , < 8dff54fe88c0dcd4c55bff9fc2fa6ca968290826 (git) Affected: 2f425878b6a71571341dcd3f9e9d1a6f6355da9c , < f9c206cdc4266caad6a9a7f46341420a10f03ccb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4idmap.c",
"fs/nfsd/nfs4proc.c",
"fs/nfsd/nfs4xdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9abb760db20504240a7147f27934d900cd80b23",
"status": "affected",
"version": "2f425878b6a71571341dcd3f9e9d1a6f6355da9c",
"versionType": "git"
},
{
"lessThan": "3a72c7dedc99b321e0f267e4e999e5baf07c4593",
"status": "affected",
"version": "2f425878b6a71571341dcd3f9e9d1a6f6355da9c",
"versionType": "git"
},
{
"lessThan": "99e17b20fddac19a228d213e00f6b9e1c10daff9",
"status": "affected",
"version": "2f425878b6a71571341dcd3f9e9d1a6f6355da9c",
"versionType": "git"
},
{
"lessThan": "243f71ed873ff3feeb6f9b5cb145d63f7188b4c4",
"status": "affected",
"version": "2f425878b6a71571341dcd3f9e9d1a6f6355da9c",
"versionType": "git"
},
{
"lessThan": "063a6f22478ef929625000a2caf54667725c1dfd",
"status": "affected",
"version": "2f425878b6a71571341dcd3f9e9d1a6f6355da9c",
"versionType": "git"
},
{
"lessThan": "d75ec4504a4340b033b15cad0303988b3089dd93",
"status": "affected",
"version": "2f425878b6a71571341dcd3f9e9d1a6f6355da9c",
"versionType": "git"
},
{
"lessThan": "8dff54fe88c0dcd4c55bff9fc2fa6ca968290826",
"status": "affected",
"version": "2f425878b6a71571341dcd3f9e9d1a6f6355da9c",
"versionType": "git"
},
{
"lessThan": "f9c206cdc4266caad6a9a7f46341420a10f03ccb",
"status": "affected",
"version": "2f425878b6a71571341dcd3f9e9d1a6f6355da9c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4idmap.c",
"fs/nfsd/nfs4proc.c",
"fs/nfsd/nfs4xdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: never defer requests during idmap lookup\n\nDuring v4 request compound arg decoding, some ops (e.g. SETATTR)\ncan trigger idmap lookup upcalls. When those upcall responses get\ndelayed beyond the allowed time limit, cache_check() will mark the\nrequest for deferral and cause it to be dropped.\n\nThis prevents nfs4svc_encode_compoundres from being executed, and\nthus the session slot flag NFSD4_SLOT_INUSE never gets cleared.\nSubsequent client requests will fail with NFSERR_JUKEBOX, given\nthat the slot will be marked as in-use, making the SEQUENCE op\nfail.\n\nFix this by making sure that the RQ_USEDEFERRAL flag is always\nclear during nfs4svc_decode_compoundargs(), since no v4 request\nshould ever be deferred."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:18:41.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9abb760db20504240a7147f27934d900cd80b23"
},
{
"url": "https://git.kernel.org/stable/c/3a72c7dedc99b321e0f267e4e999e5baf07c4593"
},
{
"url": "https://git.kernel.org/stable/c/99e17b20fddac19a228d213e00f6b9e1c10daff9"
},
{
"url": "https://git.kernel.org/stable/c/243f71ed873ff3feeb6f9b5cb145d63f7188b4c4"
},
{
"url": "https://git.kernel.org/stable/c/063a6f22478ef929625000a2caf54667725c1dfd"
},
{
"url": "https://git.kernel.org/stable/c/d75ec4504a4340b033b15cad0303988b3089dd93"
},
{
"url": "https://git.kernel.org/stable/c/8dff54fe88c0dcd4c55bff9fc2fa6ca968290826"
},
{
"url": "https://git.kernel.org/stable/c/f9c206cdc4266caad6a9a7f46341420a10f03ccb"
}
],
"title": "nfsd: never defer requests during idmap lookup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45983",
"datePublished": "2026-05-27T12:18:41.619Z",
"dateReserved": "2026-05-13T15:03:33.090Z",
"dateUpdated": "2026-05-27T12:18:41.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43261 (GCVE-0-2026-43261)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
arm64: Add support for TSV110 Spectre-BHB mitigation
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: Add support for TSV110 Spectre-BHB mitigation
The TSV110 processor is vulnerable to the Spectre-BHB (Branch History
Buffer) attack, which can be exploited to leak information through
branch prediction side channels. This commit adds the MIDR of TSV110
to the list for software mitigation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e192c8baa69ac8a5585d61ac535aa1e5eb795e80 , < 598c11dd4f4a9de31d854fcb9702f54c1c70f0d0
(git)
Affected: 4bbfd0c280254b273c564767021bb9b0f945148e , < a8d0ad5d990b050a6db74218a34b5529085e16b8 (git) Affected: 558c303c9734af5a813739cd284879227f7297d2 , < cccf96c49f61e47d9332d6a4d1c7fe9a2df44440 (git) Affected: 558c303c9734af5a813739cd284879227f7297d2 , < fd7e360845d331f542854d552469544182e61134 (git) Affected: 558c303c9734af5a813739cd284879227f7297d2 , < 5dbe1f14359735fa50ba0dd4a496125b5bc7f422 (git) Affected: 558c303c9734af5a813739cd284879227f7297d2 , < fd51d47fcacec3ca027eb65d8c44853d3b6cea95 (git) Affected: 558c303c9734af5a813739cd284879227f7297d2 , < ad0c356cae164ed5dbd1f4cfd438e46faa5292cb (git) Affected: 558c303c9734af5a813739cd284879227f7297d2 , < e3baa5d4b361276efeb87b20d8beced451a7dbd5 (git) Affected: 4dd8aae585a51a1d276911fe19096ad90144e9fe (git) Affected: 3e3904125fccd042fda24294624e8f66699fd06d (git) Affected: c20d551744797000c4af993f7d59ef8c69732949 (git) Affected: 9013fd4bc958b33c3b4d5a2eaf4ded9857600395 (git) Affected: 0b2bf1b37b5ebd90e69e30d8c2d6e1cd0c1f37b4 (git) Affected: 5.10.105 , < 5.10.252 (semver) Affected: 5.15.28 , < 5.15.202 (semver) Affected: 4.9.310 , < 4.10 (semver) Affected: 4.14.275 , < 4.15 (semver) Affected: 4.19.236 , < 4.20 (semver) Affected: 5.4.186 , < 5.5 (semver) Affected: 5.16.14 , < 5.17 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/proton-pack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "598c11dd4f4a9de31d854fcb9702f54c1c70f0d0",
"status": "affected",
"version": "e192c8baa69ac8a5585d61ac535aa1e5eb795e80",
"versionType": "git"
},
{
"lessThan": "a8d0ad5d990b050a6db74218a34b5529085e16b8",
"status": "affected",
"version": "4bbfd0c280254b273c564767021bb9b0f945148e",
"versionType": "git"
},
{
"lessThan": "cccf96c49f61e47d9332d6a4d1c7fe9a2df44440",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "fd7e360845d331f542854d552469544182e61134",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "5dbe1f14359735fa50ba0dd4a496125b5bc7f422",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "fd51d47fcacec3ca027eb65d8c44853d3b6cea95",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "ad0c356cae164ed5dbd1f4cfd438e46faa5292cb",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "e3baa5d4b361276efeb87b20d8beced451a7dbd5",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"status": "affected",
"version": "4dd8aae585a51a1d276911fe19096ad90144e9fe",
"versionType": "git"
},
{
"status": "affected",
"version": "3e3904125fccd042fda24294624e8f66699fd06d",
"versionType": "git"
},
{
"status": "affected",
"version": "c20d551744797000c4af993f7d59ef8c69732949",
"versionType": "git"
},
{
"status": "affected",
"version": "9013fd4bc958b33c3b4d5a2eaf4ded9857600395",
"versionType": "git"
},
{
"status": "affected",
"version": "0b2bf1b37b5ebd90e69e30d8c2d6e1cd0c1f37b4",
"versionType": "git"
},
{
"lessThan": "5.10.252",
"status": "affected",
"version": "5.10.105",
"versionType": "semver"
},
{
"lessThan": "5.15.202",
"status": "affected",
"version": "5.15.28",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.310",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.275",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.236",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.186",
"versionType": "semver"
},
{
"lessThan": "5.17",
"status": "affected",
"version": "5.16.14",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/proton-pack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.10.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.310",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.275",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.236",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Add support for TSV110 Spectre-BHB mitigation\n\nThe TSV110 processor is vulnerable to the Spectre-BHB (Branch History\nBuffer) attack, which can be exploited to leak information through\nbranch prediction side channels. This commit adds the MIDR of TSV110\nto the list for software mitigation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:36.101Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/598c11dd4f4a9de31d854fcb9702f54c1c70f0d0"
},
{
"url": "https://git.kernel.org/stable/c/a8d0ad5d990b050a6db74218a34b5529085e16b8"
},
{
"url": "https://git.kernel.org/stable/c/cccf96c49f61e47d9332d6a4d1c7fe9a2df44440"
},
{
"url": "https://git.kernel.org/stable/c/fd7e360845d331f542854d552469544182e61134"
},
{
"url": "https://git.kernel.org/stable/c/5dbe1f14359735fa50ba0dd4a496125b5bc7f422"
},
{
"url": "https://git.kernel.org/stable/c/fd51d47fcacec3ca027eb65d8c44853d3b6cea95"
},
{
"url": "https://git.kernel.org/stable/c/ad0c356cae164ed5dbd1f4cfd438e46faa5292cb"
},
{
"url": "https://git.kernel.org/stable/c/e3baa5d4b361276efeb87b20d8beced451a7dbd5"
}
],
"title": "arm64: Add support for TSV110 Spectre-BHB mitigation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43261",
"datePublished": "2026-05-06T11:28:48.823Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-23T16:06:36.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23444 (GCVE-0-2026-23444)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-06-01 16:11
VLAI?
EPSS
Title
wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
ieee80211_tx_prepare_skb() has three error paths, but only two of them
free the skb. The first error path (ieee80211_tx_prepare() returning
TX_DROP) does not free it, while invoke_tx_handlers() failure and the
fragmentation check both do.
Add kfree_skb() to the first error path so all three are consistent,
and remove the now-redundant frees in callers (ath9k, mt76,
mac80211_hwsim) to avoid double-free.
Document the skb ownership guarantee in the function's kdoc.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
06be6b149f7e406bcf16098567f5a6c9f042bced , < 905ef207d5ed99ca64adfe39fba9ac46e434327a
(git)
Affected: 06be6b149f7e406bcf16098567f5a6c9f042bced , < 5ef8ca1c164786da24169af155c1ca1ff1353cf8 (git) Affected: 06be6b149f7e406bcf16098567f5a6c9f042bced , < 9a779d1f480e83720b5384adf165604e7ee226bd (git) Affected: 06be6b149f7e406bcf16098567f5a6c9f042bced , < f77b51bcee7be2bb686b5f7a2d4a1921e4bdb9f4 (git) Affected: 06be6b149f7e406bcf16098567f5a6c9f042bced , < 3b4d27acafaeab478fd24f79ad6e593a892828b9 (git) Affected: 06be6b149f7e406bcf16098567f5a6c9f042bced , < 06e769dddcbeb3baf2ce346273b53dd61fdbecf4 (git) Affected: 06be6b149f7e406bcf16098567f5a6c9f042bced , < 50f1b690b4868923fbd242298def2fb88662f108 (git) Affected: 06be6b149f7e406bcf16098567f5a6c9f042bced , < d5ad6ab61cbd89afdb60881f6274f74328af3ee9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/channel.c",
"drivers/net/wireless/mediatek/mt76/scan.c",
"drivers/net/wireless/virtual/mac80211_hwsim.c",
"include/net/mac80211.h",
"net/mac80211/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "905ef207d5ed99ca64adfe39fba9ac46e434327a",
"status": "affected",
"version": "06be6b149f7e406bcf16098567f5a6c9f042bced",
"versionType": "git"
},
{
"lessThan": "5ef8ca1c164786da24169af155c1ca1ff1353cf8",
"status": "affected",
"version": "06be6b149f7e406bcf16098567f5a6c9f042bced",
"versionType": "git"
},
{
"lessThan": "9a779d1f480e83720b5384adf165604e7ee226bd",
"status": "affected",
"version": "06be6b149f7e406bcf16098567f5a6c9f042bced",
"versionType": "git"
},
{
"lessThan": "f77b51bcee7be2bb686b5f7a2d4a1921e4bdb9f4",
"status": "affected",
"version": "06be6b149f7e406bcf16098567f5a6c9f042bced",
"versionType": "git"
},
{
"lessThan": "3b4d27acafaeab478fd24f79ad6e593a892828b9",
"status": "affected",
"version": "06be6b149f7e406bcf16098567f5a6c9f042bced",
"versionType": "git"
},
{
"lessThan": "06e769dddcbeb3baf2ce346273b53dd61fdbecf4",
"status": "affected",
"version": "06be6b149f7e406bcf16098567f5a6c9f042bced",
"versionType": "git"
},
{
"lessThan": "50f1b690b4868923fbd242298def2fb88662f108",
"status": "affected",
"version": "06be6b149f7e406bcf16098567f5a6c9f042bced",
"versionType": "git"
},
{
"lessThan": "d5ad6ab61cbd89afdb60881f6274f74328af3ee9",
"status": "affected",
"version": "06be6b149f7e406bcf16098567f5a6c9f042bced",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/channel.c",
"drivers/net/wireless/mediatek/mt76/scan.c",
"drivers/net/wireless/virtual/mac80211_hwsim.c",
"include/net/mac80211.h",
"net/mac80211/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure\n\nieee80211_tx_prepare_skb() has three error paths, but only two of them\nfree the skb. The first error path (ieee80211_tx_prepare() returning\nTX_DROP) does not free it, while invoke_tx_handlers() failure and the\nfragmentation check both do.\n\nAdd kfree_skb() to the first error path so all three are consistent,\nand remove the now-redundant frees in callers (ath9k, mt76,\nmac80211_hwsim) to avoid double-free.\n\nDocument the skb ownership guarantee in the function\u0027s kdoc."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:13.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/905ef207d5ed99ca64adfe39fba9ac46e434327a"
},
{
"url": "https://git.kernel.org/stable/c/5ef8ca1c164786da24169af155c1ca1ff1353cf8"
},
{
"url": "https://git.kernel.org/stable/c/9a779d1f480e83720b5384adf165604e7ee226bd"
},
{
"url": "https://git.kernel.org/stable/c/f77b51bcee7be2bb686b5f7a2d4a1921e4bdb9f4"
},
{
"url": "https://git.kernel.org/stable/c/3b4d27acafaeab478fd24f79ad6e593a892828b9"
},
{
"url": "https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4"
},
{
"url": "https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108"
},
{
"url": "https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9"
}
],
"title": "wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23444",
"datePublished": "2026-04-03T15:15:28.464Z",
"dateReserved": "2026-01-13T15:37:46.019Z",
"dateUpdated": "2026-06-01T16:11:13.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46323 (GCVE-0-2026-46323)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-30 12:10
VLAI?
EPSS
Title
net: gro: don't merge zcopy skbs
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gro: don't merge zcopy skbs
skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.
When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.
When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.
Severity ?
7.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d
(git)
Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 1f9c828556416fbe3f49386708ce999fc4d4da06 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 479084ae0e1d9cb7929cb4298d35623de189f80a (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < e334cbf3388fd9334503a778a82d9e9f14dd2f71 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 44bea2032af0425e4ce6d26a8af0ede79db49ec1 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 4db79a322db8c97f7b73b8a347395ef4d685eb40 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux for NVIDIA 26",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Generic Receive Offload (GRO) networking subsystem. This vulnerability occurs when `skb_gro_receive()` attempts to merge zerocopy socket buffers (skbs) without properly managing page reference counts, specifically when the `SKBFL_MANAGED_FRAG_REFS` flag is set. An attacker could potentially exploit this to trigger a Use-After-Free (UAF) condition, which is a memory corruption vulnerability that can lead to system instability or potentially arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:06.631Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46323"
},
{
"name": "RHBZ#2479832",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479832"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46323.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T11:49:44.372Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-19T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "1f9c828556416fbe3f49386708ce999fc4d4da06",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "479084ae0e1d9cb7929cb4298d35623de189f80a",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "e334cbf3388fd9334503a778a82d9e9f14dd2f71",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "44bea2032af0425e4ce6d26a8af0ede79db49ec1",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "4db79a322db8c97f7b73b8a347395ef4d685eb40",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: don\u0027t merge zcopy skbs\n\nskb_gro_receive() can currently copy frags between the source and GRO\nskb, without checking the zerocopy status, and in particular the\nSKBFL_MANAGED_FRAG_REFS flag.\n\nWhen SKBFL_MANAGED_FRAG_REFS is set, the skb doesn\u0027t hold a reference\non the pages in shinfo-\u003efrags. Appending those frags to another skb\u0027s\nfrags without fixing up the page refcount can lead to UAF.\n\nWhen either the last skb in the GRO chain (the one we would append\nfrags to) or the source skb is zerocopy, don\u0027t merge the skbs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:26.362Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d"
},
{
"url": "https://git.kernel.org/stable/c/1f9c828556416fbe3f49386708ce999fc4d4da06"
},
{
"url": "https://git.kernel.org/stable/c/479084ae0e1d9cb7929cb4298d35623de189f80a"
},
{
"url": "https://git.kernel.org/stable/c/e334cbf3388fd9334503a778a82d9e9f14dd2f71"
},
{
"url": "https://git.kernel.org/stable/c/44bea2032af0425e4ce6d26a8af0ede79db49ec1"
},
{
"url": "https://git.kernel.org/stable/c/4db79a322db8c97f7b73b8a347395ef4d685eb40"
}
],
"title": "net: gro: don\u0027t merge zcopy skbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46323",
"datePublished": "2026-06-09T12:11:15.562Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-30T12:10:06.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43501 (GCVE-0-2026-43501)
Vulnerability from cvelistv5 – Published: 2026-05-21 12:17 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps
the next segment into ipv6_hdr->daddr, recompresses, then pulls the old
header and pushes the new one plus the IPv6 header back. The
recompressed header can be larger than the received one when the swap
reduces the common-prefix length the segments share with daddr (CmprI=0,
CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).
pskb_expand_head() was gated on segments_left == 0, so on earlier
segments the push consumed unchecked headroom. Once skb_push() leaves
fewer than skb->mac_len bytes in front of data,
skb_mac_header_rebuild()'s call to:
skb_set_mac_header(skb, -skb->mac_len);
will store (data - head) - mac_len into the u16 mac_header field, which
wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB
past skb->head.
A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two
segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one
pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.
Fix this by expanding the head whenever the remaining room is less than
the push size plus mac_len, and request that much extra so the rebuilt
MAC header fits afterwards.
Severity ?
9.8 (Critical)
CWE
- CWE-131 - Incorrect Calculation of Buffer Size
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < bde199c72d319a4e207f88daabc888317504e2fb
(git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < be1fa0aa9b4fdd5a8b7a61ba520a690a68391e6e (git) Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 0a9e8053f1f8a8e1bfc1dd61ffe67be6c1180402 (git) Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 8e8be63465a5e80394c70324603dfea1bfdad48f (git) Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 4babc2d9fda2df43823b85d08a0180b68f1b0854 (git) Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < c261d07a80576dc8ccf394ef8f074f8c67a06b37 (git) Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 7398ebefbfd4f8a31d4f665a4213302fa995494b (git) Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 9e6bf146b55999a095bb14f73a843942456d1adc (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel. A local attacker can exploit an out-of-bounds write vulnerability when the kernel recomputes an IPv6 Source Routing Header (SRH). This issue occurs because insufficient headroom is reserved during the recompression process, leading to memory corruption. Successful exploitation could result in a denial of service or potentially arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:28.257Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43501"
},
{
"name": "RHBZ#2480457",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480457"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43501.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25191"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34095"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27713"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25217"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33900"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:25191: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:34095: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:27713: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:25217: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:33900: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-21T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, disable IPv6 Source Routing by setting the `accept_source_route` sysctl parameter to 0 for all IPv6 interfaces. This can prevent the kernel from processing IPv6 Source Routing Headers, thereby avoiding the vulnerable code path.\n\nTo disable IPv6 Source Routing:\n`sysctl -w net.ipv6.conf.all.accept_source_route=0`\n`sysctl -w net.ipv6.conf.default.accept_source_route=0`\n\nTo make this change persistent across reboots, add the following lines to `/etc/sysctl.d/99-disable-ipv6-srh.conf`:\n`net.ipv6.conf.all.accept_source_route = 0`\n`net.ipv6.conf.default.accept_source_route = 0`\n\nThen, apply the changes with:\n`sysctl --system`\n\nDisabling IPv6 Source Routing may impact network configurations that rely on this feature."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/exthdrs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bde199c72d319a4e207f88daabc888317504e2fb",
"status": "affected",
"version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
"versionType": "git"
},
{
"lessThan": "be1fa0aa9b4fdd5a8b7a61ba520a690a68391e6e",
"status": "affected",
"version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
"versionType": "git"
},
{
"lessThan": "0a9e8053f1f8a8e1bfc1dd61ffe67be6c1180402",
"status": "affected",
"version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
"versionType": "git"
},
{
"lessThan": "8e8be63465a5e80394c70324603dfea1bfdad48f",
"status": "affected",
"version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
"versionType": "git"
},
{
"lessThan": "4babc2d9fda2df43823b85d08a0180b68f1b0854",
"status": "affected",
"version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
"versionType": "git"
},
{
"lessThan": "c261d07a80576dc8ccf394ef8f074f8c67a06b37",
"status": "affected",
"version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
"versionType": "git"
},
{
"lessThan": "7398ebefbfd4f8a31d4f665a4213302fa995494b",
"status": "affected",
"version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
"versionType": "git"
},
{
"lessThan": "9e6bf146b55999a095bb14f73a843942456d1adc",
"status": "affected",
"version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/exthdrs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: rpl: reserve mac_len headroom when recompressed SRH grows\n\nipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps\nthe next segment into ipv6_hdr-\u003edaddr, recompresses, then pulls the old\nheader and pushes the new one plus the IPv6 header back. The\nrecompressed header can be larger than the received one when the swap\nreduces the common-prefix length the segments share with daddr (CmprI=0,\nCmprE\u003e0, seg[0][0] != daddr[0] gives the maximum +8 bytes).\n\npskb_expand_head() was gated on segments_left == 0, so on earlier\nsegments the push consumed unchecked headroom. Once skb_push() leaves\nfewer than skb-\u003emac_len bytes in front of data,\nskb_mac_header_rebuild()\u0027s call to:\n\n\tskb_set_mac_header(skb, -skb-\u003emac_len);\n\nwill store (data - head) - mac_len into the u16 mac_header field, which\nwraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB\npast skb-\u003ehead.\n\nA single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two\nsegment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one\npass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.\n\nFix this by expanding the head whenever the remaining room is less than\nthe push size plus mac_len, and request that much extra so the rebuilt\nMAC header fits afterwards."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:45:41.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bde199c72d319a4e207f88daabc888317504e2fb"
},
{
"url": "https://git.kernel.org/stable/c/be1fa0aa9b4fdd5a8b7a61ba520a690a68391e6e"
},
{
"url": "https://git.kernel.org/stable/c/0a9e8053f1f8a8e1bfc1dd61ffe67be6c1180402"
},
{
"url": "https://git.kernel.org/stable/c/8e8be63465a5e80394c70324603dfea1bfdad48f"
},
{
"url": "https://git.kernel.org/stable/c/4babc2d9fda2df43823b85d08a0180b68f1b0854"
},
{
"url": "https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37"
},
{
"url": "https://git.kernel.org/stable/c/7398ebefbfd4f8a31d4f665a4213302fa995494b"
},
{
"url": "https://git.kernel.org/stable/c/9e6bf146b55999a095bb14f73a843942456d1adc"
}
],
"title": "ipv6: rpl: reserve mac_len headroom when recompressed SRH grows",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43501",
"datePublished": "2026-05-21T12:17:49.885Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-07-02T12:05:28.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43030 (GCVE-0-2026-43030)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
bpf: Fix regsafe() for pointers to packet
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix regsafe() for pointers to packet
In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N
regsafe() may return true which may lead to current state with
valid packet range not being explored. Fix the bug.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
95b6ec733752b31bfd166c4609d2c1b5cdde9b47 , < b52f6d0ef7b308f9d05bbddb78749852f28e8e40
(git)
Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < 37db6b9726d0bcf91cbdf9d63b558c50da49f968 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < 015a74476dc1ab6923d89f1ee009aaf43faa7185 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < b99d82706bd1511bb875e3de7154698fd9215c99 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < 7241da033fdc507b920e092dab1f97b945cb0370 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < 8aebe18069394f4a79d2d82080a0f806da449996 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < ca995b1462ec6db1e869100ba1fb7356bd3f22f0 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < a8502a79e832b861e99218cbd2d8f4312d62e225 (git) Affected: 5.10.155 , < 5.10.253 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b52f6d0ef7b308f9d05bbddb78749852f28e8e40",
"status": "affected",
"version": "95b6ec733752b31bfd166c4609d2c1b5cdde9b47",
"versionType": "git"
},
{
"lessThan": "37db6b9726d0bcf91cbdf9d63b558c50da49f968",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "015a74476dc1ab6923d89f1ee009aaf43faa7185",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "b99d82706bd1511bb875e3de7154698fd9215c99",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "7241da033fdc507b920e092dab1f97b945cb0370",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "8aebe18069394f4a79d2d82080a0f806da449996",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "ca995b1462ec6db1e869100ba1fb7356bd3f22f0",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "a8502a79e832b861e99218cbd2d8f4312d62e225",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "5.10.253",
"status": "affected",
"version": "5.10.155",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix regsafe() for pointers to packet\n\nIn case rold-\u003ereg-\u003erange == BEYOND_PKT_END \u0026\u0026 rcur-\u003ereg-\u003erange == N\nregsafe() may return true which may lead to current state with\nvalid packet range not being explored. Fix the bug."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:05.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b52f6d0ef7b308f9d05bbddb78749852f28e8e40"
},
{
"url": "https://git.kernel.org/stable/c/37db6b9726d0bcf91cbdf9d63b558c50da49f968"
},
{
"url": "https://git.kernel.org/stable/c/015a74476dc1ab6923d89f1ee009aaf43faa7185"
},
{
"url": "https://git.kernel.org/stable/c/b99d82706bd1511bb875e3de7154698fd9215c99"
},
{
"url": "https://git.kernel.org/stable/c/7241da033fdc507b920e092dab1f97b945cb0370"
},
{
"url": "https://git.kernel.org/stable/c/8aebe18069394f4a79d2d82080a0f806da449996"
},
{
"url": "https://git.kernel.org/stable/c/ca995b1462ec6db1e869100ba1fb7356bd3f22f0"
},
{
"url": "https://git.kernel.org/stable/c/a8502a79e832b861e99218cbd2d8f4312d62e225"
}
],
"title": "bpf: Fix regsafe() for pointers to packet",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43030",
"datePublished": "2026-05-01T14:15:30.564Z",
"dateReserved": "2026-05-01T14:12:55.977Z",
"dateUpdated": "2026-05-23T16:06:05.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45932 (GCVE-0-2026-45932)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-30 10:45
VLAI?
EPSS
Title
bpf: Fix tcx/netkit detach permissions when prog fd isn't given
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix tcx/netkit detach permissions when prog fd isn't given
This commit fixes a security issue where BPF_PROG_DETACH on tcx or
netkit devices could be executed by any user when no program fd was
provided, bypassing permission checks. The fix adds a capability
check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.
Severity ?
7.3 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e420bed025071a623d2720a92bc2245c84757ecb , < 4e0772cded109c238411f2fac36ac39302758b81
(git)
Affected: e420bed025071a623d2720a92bc2245c84757ecb , < 3f04cc1e5374da4c5e791ae010a06cfea7bacbe6 (git) Affected: e420bed025071a623d2720a92bc2245c84757ecb , < ae23bc81ddf7c17b663c4ed1b21e35527b0a7131 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"include/linux/bpf_mprog.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e0772cded109c238411f2fac36ac39302758b81",
"status": "affected",
"version": "e420bed025071a623d2720a92bc2245c84757ecb",
"versionType": "git"
},
{
"lessThan": "3f04cc1e5374da4c5e791ae010a06cfea7bacbe6",
"status": "affected",
"version": "e420bed025071a623d2720a92bc2245c84757ecb",
"versionType": "git"
},
{
"lessThan": "ae23bc81ddf7c17b663c4ed1b21e35527b0a7131",
"status": "affected",
"version": "e420bed025071a623d2720a92bc2245c84757ecb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"include/linux/bpf_mprog.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix tcx/netkit detach permissions when prog fd isn\u0027t given\n\nThis commit fixes a security issue where BPF_PROG_DETACH on tcx or\nnetkit devices could be executed by any user when no program fd was\nprovided, bypassing permission checks. The fix adds a capability\ncheck for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T10:45:59.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e0772cded109c238411f2fac36ac39302758b81"
},
{
"url": "https://git.kernel.org/stable/c/3f04cc1e5374da4c5e791ae010a06cfea7bacbe6"
},
{
"url": "https://git.kernel.org/stable/c/ae23bc81ddf7c17b663c4ed1b21e35527b0a7131"
}
],
"title": "bpf: Fix tcx/netkit detach permissions when prog fd isn\u0027t given",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45932",
"datePublished": "2026-05-27T12:17:50.353Z",
"dateReserved": "2026-05-13T15:03:33.086Z",
"dateUpdated": "2026-05-30T10:45:59.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31504 (GCVE-0-2026-31504)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:10
VLAI?
EPSS
Title
net: fix fanout UAF in packet_release() via NETDEV_UP race
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix fanout UAF in packet_release() via NETDEV_UP race
`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.
`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.
For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.
The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.
This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < ee642b1962caa9aa231c01abbd58bc453ae6b66e
(git)
Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 42cfd7898eeed290c9fb73f732af1f7d6b0a703e (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 1b4c03f8892d955385c202009af7485364731bb9 (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 654386baef228c2992dbf604c819e4c7c35fc71b (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 75fe6db23705a1d55160081f7b37db9665b1880b (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6 (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < ceccbfc6de720ad633519a226715989cfb065af1 (git) Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 42156f93d123436f2a27c468f18c966b7e5db796 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee642b1962caa9aa231c01abbd58bc453ae6b66e",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "42cfd7898eeed290c9fb73f732af1f7d6b0a703e",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "1b4c03f8892d955385c202009af7485364731bb9",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "654386baef228c2992dbf604c819e4c7c35fc71b",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "75fe6db23705a1d55160081f7b37db9665b1880b",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "ceccbfc6de720ad633519a226715989cfb065af1",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "42156f93d123436f2a27c468f18c966b7e5db796",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group\u0027s `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po-\u003enum` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po-\u003enum` is still non-zero and `po-\u003eifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f-\u003earr[]` and increments `f-\u003enum_members`,\nbut does NOT increment `f-\u003esk_ref`.\n\nThe fix sets `po-\u003enum` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:01.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"
},
{
"url": "https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"
},
{
"url": "https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"
},
{
"url": "https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"
},
{
"url": "https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"
},
{
"url": "https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"
},
{
"url": "https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"
},
{
"url": "https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"
}
],
"title": "net: fix fanout UAF in packet_release() via NETDEV_UP race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31504",
"datePublished": "2026-04-22T13:54:23.862Z",
"dateReserved": "2026-03-09T15:48:24.105Z",
"dateUpdated": "2026-05-11T22:10:01.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45898 (GCVE-0-2026-45898)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-06-30 12:10
VLAI?
EPSS
Title
RDMA/iwcm: Fix workqueue list corruption by removing work_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix workqueue list corruption by removing work_list
The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()")
changed the work submission logic to unconditionally call
queue_work() with the expectation that queue_work() would
have no effect if work was already pending. The problem is
that a free list of struct iwcm_work is used (for which
struct work_struct is embedded), so each call to queue_work()
is basically unique and therefore does indeed queue the work.
This causes a problem in the work handler which walks the work_list
until it's empty to process entries. This means that a single
run of the work handler could process item N+1 and release it
back to the free list while the actual workqueue entry is still
queued. It could then get reused (INIT_WORK...) and lead to
list corruption in the workqueue logic.
Fix this by just removing the work_list. The workqueue already
does this for us.
This fixes the following error that was observed when stress
testing with ucmatose on an Intel E830 in iWARP mode:
[ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)
[ 151.466639] ------------[ cut here ]------------
[ 151.466986] kernel BUG at lib/list_debug.c:67!
[ 151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)
[ 151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 151.469192] Workqueue: 0x0 (iw_cm_wq)
[ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100
[ 151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90
[ 151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046
[ 151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027
[ 151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600
[ 151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff
[ 151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68
[ 151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000
[ 151.474344] FS: 0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000
[ 151.474934] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0
[ 151.475895] PKRU: 55555554
[ 151.476118] Call Trace:
[ 151.476331] <TASK>
[ 151.476497] move_linked_works+0x49/0xa0
[ 151.476792] __pwq_activate_work.isra.46+0x2f/0xa0
[ 151.477151] pwq_dec_nr_in_flight+0x1e0/0x2f0
[ 151.477479] process_scheduled_works+0x1c8/0x410
[ 151.477823] worker_thread+0x125/0x260
[ 151.478108] ? __pfx_worker_thread+0x10/0x10
[ 151.478430] kthread+0xfe/0x240
[ 151.478671] ? __pfx_kthread+0x10/0x10
[ 151.478955] ? __pfx_kthread+0x10/0x10
[ 151.479240] ret_from_fork+0x208/0x270
[ 151.479523] ? __pfx_kthread+0x10/0x10
[ 151.479806] ret_from_fork_asm+0x1a/0x30
[ 151.480103] </TASK>
Severity ?
9.8 (Critical)
CWE
- CWE-1341 - Multiple Releases of Same Resource or Handle
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e1168f09b3314992f1c5251f3793102035da7237 , < 38c5b49fffa1b760959af74f11806eeb3ef4706d
(git)
Affected: e1168f09b3314992f1c5251f3793102035da7237 , < eb715133e0ae12514bba4d2d5ce1dee774476056 (git) Affected: e1168f09b3314992f1c5251f3793102035da7237 , < a6b9e793e74e372daa266fd0d58b751305877897 (git) Affected: e1168f09b3314992f1c5251f3793102035da7237 , < 7874eeacfa42177565c01d5198726671acf7adf2 (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Remote Direct Memory Access (RDMA) Internet Wide Area RDMA Protocol (iWARP) subsystem. Incorrect work submission logic in the `iwcm` component can lead to multiple queueing of work items. This allows a work item to be processed and freed while still present in the workqueue, causing list corruption. A successful exploitation of this vulnerability can result in a kernel bug and system crash, leading to a Denial of Service (DoS)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1341",
"description": "Multiple Releases of Same Resource or Handle",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:16.525Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-45898"
},
{
"name": "RHBZ#2482031",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482031"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45898.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30129"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30848"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:30129: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:30848: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: RDMA/iwcm: Fix workqueue list corruption by removing work_list",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/iwcm.c",
"drivers/infiniband/core/iwcm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38c5b49fffa1b760959af74f11806eeb3ef4706d",
"status": "affected",
"version": "e1168f09b3314992f1c5251f3793102035da7237",
"versionType": "git"
},
{
"lessThan": "eb715133e0ae12514bba4d2d5ce1dee774476056",
"status": "affected",
"version": "e1168f09b3314992f1c5251f3793102035da7237",
"versionType": "git"
},
{
"lessThan": "a6b9e793e74e372daa266fd0d58b751305877897",
"status": "affected",
"version": "e1168f09b3314992f1c5251f3793102035da7237",
"versionType": "git"
},
{
"lessThan": "7874eeacfa42177565c01d5198726671acf7adf2",
"status": "affected",
"version": "e1168f09b3314992f1c5251f3793102035da7237",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/iwcm.c",
"drivers/infiniband/core/iwcm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix workqueue list corruption by removing work_list\n\nThe commit e1168f0 (\"RDMA/iwcm: Simplify cm_event_handler()\")\nchanged the work submission logic to unconditionally call\nqueue_work() with the expectation that queue_work() would\nhave no effect if work was already pending. The problem is\nthat a free list of struct iwcm_work is used (for which\nstruct work_struct is embedded), so each call to queue_work()\nis basically unique and therefore does indeed queue the work.\n\nThis causes a problem in the work handler which walks the work_list\nuntil it\u0027s empty to process entries. This means that a single\nrun of the work handler could process item N+1 and release it\nback to the free list while the actual workqueue entry is still\nqueued. It could then get reused (INIT_WORK...) and lead to\nlist corruption in the workqueue logic.\n\nFix this by just removing the work_list. The workqueue already\ndoes this for us.\n\nThis fixes the following error that was observed when stress\ntesting with ucmatose on an Intel E830 in iWARP mode:\n\n[ 151.465780] list_del corruption. next-\u003eprev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)\n[ 151.466639] ------------[ cut here ]------------\n[ 151.466986] kernel BUG at lib/list_debug.c:67!\n[ 151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)\n[ 151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 151.469192] Workqueue: 0x0 (iw_cm_wq)\n[ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100\n[ 151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff \u003c0f\u003e 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90\n[ 151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046\n[ 151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027\n[ 151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600\n[ 151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff\n[ 151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68\n[ 151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000\n[ 151.474344] FS: 0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000\n[ 151.474934] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0\n[ 151.475895] PKRU: 55555554\n[ 151.476118] Call Trace:\n[ 151.476331] \u003cTASK\u003e\n[ 151.476497] move_linked_works+0x49/0xa0\n[ 151.476792] __pwq_activate_work.isra.46+0x2f/0xa0\n[ 151.477151] pwq_dec_nr_in_flight+0x1e0/0x2f0\n[ 151.477479] process_scheduled_works+0x1c8/0x410\n[ 151.477823] worker_thread+0x125/0x260\n[ 151.478108] ? __pfx_worker_thread+0x10/0x10\n[ 151.478430] kthread+0xfe/0x240\n[ 151.478671] ? __pfx_kthread+0x10/0x10\n[ 151.478955] ? __pfx_kthread+0x10/0x10\n[ 151.479240] ret_from_fork+0x208/0x270\n[ 151.479523] ? __pfx_kthread+0x10/0x10\n[ 151.479806] ret_from_fork_asm+0x1a/0x30\n[ 151.480103] \u003c/TASK\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T10:45:49.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38c5b49fffa1b760959af74f11806eeb3ef4706d"
},
{
"url": "https://git.kernel.org/stable/c/eb715133e0ae12514bba4d2d5ce1dee774476056"
},
{
"url": "https://git.kernel.org/stable/c/a6b9e793e74e372daa266fd0d58b751305877897"
},
{
"url": "https://git.kernel.org/stable/c/7874eeacfa42177565c01d5198726671acf7adf2"
}
],
"title": "RDMA/iwcm: Fix workqueue list corruption by removing work_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45898",
"datePublished": "2026-05-27T12:17:07.737Z",
"dateReserved": "2026-05-13T15:03:33.083Z",
"dateUpdated": "2026-06-30T12:10:16.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43040 (GCVE-0-2026-43040)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16
VLAI?
EPSS
Title
net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
When processing Router Advertisements with user options the kernel
builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct
has three padding fields that are never zeroed and can leak kernel data
The fix is simple, just zeroes the padding fields.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
31910575a9de61e78065e93846e8e7a4894a18bf , < 1da9023f6b071a38e5430ffbce4b70b2b1ac4f9c
(git)
Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 2fe4d0ba690a69ad6ae9f7ab9bdc96e02610b648 (git) Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 11d7fe97421cfc81549940c20ed5ac9472d6db05 (git) Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 7f56d87e527bb5a13c3e8b0d5840cb6332822f6d (git) Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 4f810c686fde509d1cdaa706322d9d2531f8f1a4 (git) Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < b485eef3d97b7aae55ce669b6de555ec81f3d21c (git) Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < ef3645606e4a635d5062a492f22b7f490852ee67 (git) Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < ae05340ccaa9d347fe85415609e075545bec589f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1da9023f6b071a38e5430ffbce4b70b2b1ac4f9c",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "2fe4d0ba690a69ad6ae9f7ab9bdc96e02610b648",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "11d7fe97421cfc81549940c20ed5ac9472d6db05",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "7f56d87e527bb5a13c3e8b0d5840cb6332822f6d",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "4f810c686fde509d1cdaa706322d9d2531f8f1a4",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "b485eef3d97b7aae55ce669b6de555ec81f3d21c",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "ef3645606e4a635d5062a492f22b7f490852ee67",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "ae05340ccaa9d347fe85415609e075545bec589f",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak\n\nWhen processing Router Advertisements with user options the kernel\nbuilds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct\nhas three padding fields that are never zeroed and can leak kernel data\n\nThe fix is simple, just zeroes the padding fields."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:33.369Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1da9023f6b071a38e5430ffbce4b70b2b1ac4f9c"
},
{
"url": "https://git.kernel.org/stable/c/2fe4d0ba690a69ad6ae9f7ab9bdc96e02610b648"
},
{
"url": "https://git.kernel.org/stable/c/11d7fe97421cfc81549940c20ed5ac9472d6db05"
},
{
"url": "https://git.kernel.org/stable/c/7f56d87e527bb5a13c3e8b0d5840cb6332822f6d"
},
{
"url": "https://git.kernel.org/stable/c/4f810c686fde509d1cdaa706322d9d2531f8f1a4"
},
{
"url": "https://git.kernel.org/stable/c/b485eef3d97b7aae55ce669b6de555ec81f3d21c"
},
{
"url": "https://git.kernel.org/stable/c/ef3645606e4a635d5062a492f22b7f490852ee67"
},
{
"url": "https://git.kernel.org/stable/c/ae05340ccaa9d347fe85415609e075545bec589f"
}
],
"title": "net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43040",
"datePublished": "2026-05-01T14:15:37.364Z",
"dateReserved": "2026-05-01T14:12:55.978Z",
"dateUpdated": "2026-05-11T22:16:33.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43059 (GCVE-0-2026-43059)
Vulnerability from cvelistv5 – Published: 2026-05-05 15:17 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced
mgmt_pending_valid(), which not only validates the pending command but
also unlinks it from the pending list if it is valid. This change in
semantics requires updates to several completion handlers to avoid list
corruption and memory safety issues.
This patch addresses two left-over issues from the aforementioned rework:
1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()
is replaced with mgmt_pending_free() in the success path. Since
mgmt_pending_valid() already unlinks the command at the beginning of
the function, calling mgmt_pending_remove() leads to a double list_del()
and subsequent list corruption/kernel panic.
2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error
path is removed. Since the current command is already unlinked by
mgmt_pending_valid(), this foreach loop would incorrectly target other
pending mesh commands, potentially freeing them while they are still being
processed concurrently (leading to UAFs). The redundant mgmt_cmd_status()
is also simplified to use cmd->opcode directly.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d71b98f253b079cbadc83266383f26fe7e9e103b , < 695b45b2262fcb5e71bed1175aad59c72f92aa78
(git)
Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77 (git) Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 02023ff760cc104a5d86a82ef5b8dd89098ad78d (git) Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef (git) Affected: 0b60eb04b8524e1b4b3f07fea0d16fda9a677d9a (git) Affected: 87a1f16f07c6c43771754075e08f45b41d237421 (git) Affected: 6.12.59 , < 6.12.78 (semver) Affected: 6.6.140 , < 6.7 (semver) Affected: 6.16.10 , < 6.17 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "695b45b2262fcb5e71bed1175aad59c72f92aa78",
"status": "affected",
"version": "d71b98f253b079cbadc83266383f26fe7e9e103b",
"versionType": "git"
},
{
"lessThan": "b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"lessThan": "02023ff760cc104a5d86a82ef5b8dd89098ad78d",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"lessThan": "17f89341cb4281d1da0e2fb0de5406ab7c4e25ef",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"status": "affected",
"version": "0b60eb04b8524e1b4b3f07fea0d16fda9a677d9a",
"versionType": "git"
},
{
"status": "affected",
"version": "87a1f16f07c6c43771754075e08f45b41d237421",
"versionType": "git"
},
{
"lessThan": "6.12.78",
"status": "affected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThan": "6.7",
"status": "affected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThan": "6.17",
"status": "affected",
"version": "6.16.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd-\u003eopcode directly."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:09.898Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78"
},
{
"url": "https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77"
},
{
"url": "https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d"
},
{
"url": "https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef"
}
],
"title": "Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43059",
"datePublished": "2026-05-05T15:17:25.727Z",
"dateReserved": "2026-05-01T14:12:55.981Z",
"dateUpdated": "2026-05-23T16:06:09.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31455 (GCVE-0-2026-31455)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-05-11 22:09
VLAI?
EPSS
Title
xfs: stop reclaim before pushing AIL during unmount
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: stop reclaim before pushing AIL during unmount
The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while
background reclaim and inodegc are still running. This is broken
independently of any use-after-free issues - background reclaim and
inodegc should not be running while the AIL is being pushed during
unmount, as inodegc can dirty and insert inodes into the AIL during the
flush, and background reclaim can race to abort and free dirty inodes.
Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background
reclaim before pushing the AIL. Stop inodegc before cancelling
m_reclaim_work because the inodegc worker can re-queue m_reclaim_work
via xfs_inodegc_set_reclaimable.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
90c60e16401248a4900f3f9387f563d0178dcf34 , < e6cc490048f78b009259a5f032acead9f789c34c
(git)
Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 239d734c00644072862fa833805c4471573b1445 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < bda27fc0b4eb3a425d9a18475c4cb94fbe862c60 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < d38135af04a3ad8a585c899d176efc8e97853115 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < a89434a6188d8430ea31120da96e3e4cefb58686 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 8147e304d7d32fd5c3e943babc296ce2873dc279 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 558e3275d8a3b101be18a7fe7d1634053e9d9b07 (git) Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 4f24a767e3d64a5f58c595b5c29b6063a201f1e3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_mount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6cc490048f78b009259a5f032acead9f789c34c",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "239d734c00644072862fa833805c4471573b1445",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "bda27fc0b4eb3a425d9a18475c4cb94fbe862c60",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "d38135af04a3ad8a585c899d176efc8e97853115",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "a89434a6188d8430ea31120da96e3e4cefb58686",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "8147e304d7d32fd5c3e943babc296ce2873dc279",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "558e3275d8a3b101be18a7fe7d1634053e9d9b07",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "4f24a767e3d64a5f58c595b5c29b6063a201f1e3",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_mount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: stop reclaim before pushing AIL during unmount\n\nThe unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while\nbackground reclaim and inodegc are still running. This is broken\nindependently of any use-after-free issues - background reclaim and\ninodegc should not be running while the AIL is being pushed during\nunmount, as inodegc can dirty and insert inodes into the AIL during the\nflush, and background reclaim can race to abort and free dirty inodes.\n\nReorder xfs_unmount_flush_inodes() to stop inodegc and cancel background\nreclaim before pushing the AIL. Stop inodegc before cancelling\nm_reclaim_work because the inodegc worker can re-queue m_reclaim_work\nvia xfs_inodegc_set_reclaimable."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:03.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6cc490048f78b009259a5f032acead9f789c34c"
},
{
"url": "https://git.kernel.org/stable/c/239d734c00644072862fa833805c4471573b1445"
},
{
"url": "https://git.kernel.org/stable/c/bda27fc0b4eb3a425d9a18475c4cb94fbe862c60"
},
{
"url": "https://git.kernel.org/stable/c/d38135af04a3ad8a585c899d176efc8e97853115"
},
{
"url": "https://git.kernel.org/stable/c/a89434a6188d8430ea31120da96e3e4cefb58686"
},
{
"url": "https://git.kernel.org/stable/c/8147e304d7d32fd5c3e943babc296ce2873dc279"
},
{
"url": "https://git.kernel.org/stable/c/558e3275d8a3b101be18a7fe7d1634053e9d9b07"
},
{
"url": "https://git.kernel.org/stable/c/4f24a767e3d64a5f58c595b5c29b6063a201f1e3"
}
],
"title": "xfs: stop reclaim before pushing AIL during unmount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31455",
"datePublished": "2026-04-22T13:53:48.914Z",
"dateReserved": "2026-03-09T15:48:24.092Z",
"dateUpdated": "2026-05-11T22:09:03.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31596 (GCVE-0-2026-31596)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-06-14 17:42
VLAI?
EPSS
Title
ocfs2: handle invalid dinode in ocfs2_group_extend
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: handle invalid dinode in ocfs2_group_extend
[BUG]
kernel BUG at fs/ocfs2/resize.c:308!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
Call Trace:
...
ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
[CAUSE]
ocfs2_group_extend() assumes that the global bitmap inode block
returned from ocfs2_inode_lock() has already been validated and
BUG_ONs when the signature is not a dinode. That assumption is too
strong for crafted filesystems because the JBD2-managed buffer path
can bypass structural validation and return an invalid dinode to the
resize ioctl.
[FIX]
Validate the dinode explicitly in ocfs2_group_extend(). If the global
bitmap buffer does not contain a valid dinode, report filesystem
corruption with ocfs2_error() and fail the resize operation instead of
crashing the kernel.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
10995aa2451afa20b721cc7de856cae1a13dba57 , < 7eafcf507fbd68f3276c00f6c02ef155ad69f79b
(git)
Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < fabfa6b81bd386154d7e59f8cd8f760f9e68b48c (git) Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < b328d8e7c437d0f026ba2c13788af6eae77700f1 (git) Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 6575f9fbf084502b7118a628425bf7866666498d (git) Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 911b557dd7817460881fd51a03069b539c674d0e (git) Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < e384a850a3370d89a7a446cdeccd964bfba2a302 (git) Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 10fb72c47aac446f12a4ccd962c7daa60cc890a1 (git) Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 41c6e9bc3a09539deab43957a3211d902a4818f0 (git) Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/resize.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7eafcf507fbd68f3276c00f6c02ef155ad69f79b",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "fabfa6b81bd386154d7e59f8cd8f760f9e68b48c",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "b328d8e7c437d0f026ba2c13788af6eae77700f1",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "6575f9fbf084502b7118a628425bf7866666498d",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "911b557dd7817460881fd51a03069b539c674d0e",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "e384a850a3370d89a7a446cdeccd964bfba2a302",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "10fb72c47aac446f12a4ccd962c7daa60cc890a1",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "41c6e9bc3a09539deab43957a3211d902a4818f0",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/resize.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: handle invalid dinode in ocfs2_group_extend\n\n[BUG]\nkernel BUG at fs/ocfs2/resize.c:308!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308\nCode: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe\nCall Trace:\n ...\n ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583\n x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n\n[CAUSE]\nocfs2_group_extend() assumes that the global bitmap inode block\nreturned from ocfs2_inode_lock() has already been validated and\nBUG_ONs when the signature is not a dinode. That assumption is too\nstrong for crafted filesystems because the JBD2-managed buffer path\ncan bypass structural validation and return an invalid dinode to the\nresize ioctl.\n\n[FIX]\nValidate the dinode explicitly in ocfs2_group_extend(). If the global\nbitmap buffer does not contain a valid dinode, report filesystem\ncorruption with ocfs2_error() and fail the resize operation instead of\ncrashing the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:42:37.033Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7eafcf507fbd68f3276c00f6c02ef155ad69f79b"
},
{
"url": "https://git.kernel.org/stable/c/fabfa6b81bd386154d7e59f8cd8f760f9e68b48c"
},
{
"url": "https://git.kernel.org/stable/c/b328d8e7c437d0f026ba2c13788af6eae77700f1"
},
{
"url": "https://git.kernel.org/stable/c/6575f9fbf084502b7118a628425bf7866666498d"
},
{
"url": "https://git.kernel.org/stable/c/911b557dd7817460881fd51a03069b539c674d0e"
},
{
"url": "https://git.kernel.org/stable/c/e384a850a3370d89a7a446cdeccd964bfba2a302"
},
{
"url": "https://git.kernel.org/stable/c/10fb72c47aac446f12a4ccd962c7daa60cc890a1"
},
{
"url": "https://git.kernel.org/stable/c/41c6e9bc3a09539deab43957a3211d902a4818f0"
},
{
"url": "https://git.kernel.org/stable/c/4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f"
}
],
"title": "ocfs2: handle invalid dinode in ocfs2_group_extend",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31596",
"datePublished": "2026-04-24T14:42:22.003Z",
"dateReserved": "2026-03-09T15:48:24.121Z",
"dateUpdated": "2026-06-14T17:42:37.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31771 (GCVE-0-2026-31771)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-11 22:15
VLAI?
EPSS
Title
Bluetooth: hci_event: move wake reason storage into validated event handlers
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: move wake reason storage into validated event handlers
hci_store_wake_reason() is called from hci_event_packet() immediately
after stripping the HCI event header but before hci_event_func()
enforces the per-event minimum payload length from hci_ev_table.
This means a short HCI event frame can reach bacpy() before any bounds
check runs.
Rather than duplicating skb parsing and per-event length checks inside
hci_store_wake_reason(), move wake-address storage into the individual
event handlers after their existing event-length validation has
succeeded. Convert hci_store_wake_reason() into a small helper that only
stores an already-validated bdaddr while the caller holds hci_dev_lock().
Use the same helper after hci_event_func() with a NULL address to
preserve the existing unexpected-wake fallback semantics when no
validated event handler records a wake address.
Annotate the helper with __must_hold(&hdev->lock) and add
lockdep_assert_held(&hdev->lock) so future call paths keep the lock
contract explicit.
Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(),
hci_sync_conn_complete_evt(), le_conn_complete_evt(),
hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(),
hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and
hci_le_past_received_evt().
Severity ?
8.1 (High)
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86c8d07a64d553c41e213b52650020010f9ef23e",
"status": "affected",
"version": "2f20216c1d6fe17c1a224f658be0dc6fab2269c7",
"versionType": "git"
},
{
"lessThan": "2b2bf47cd75518c36fa2d41380e4a40641cc89cd",
"status": "affected",
"version": "2f20216c1d6fe17c1a224f658be0dc6fab2269c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: move wake reason storage into validated event handlers\n\nhci_store_wake_reason() is called from hci_event_packet() immediately\nafter stripping the HCI event header but before hci_event_func()\nenforces the per-event minimum payload length from hci_ev_table.\nThis means a short HCI event frame can reach bacpy() before any bounds\ncheck runs.\n\nRather than duplicating skb parsing and per-event length checks inside\nhci_store_wake_reason(), move wake-address storage into the individual\nevent handlers after their existing event-length validation has\nsucceeded. Convert hci_store_wake_reason() into a small helper that only\nstores an already-validated bdaddr while the caller holds hci_dev_lock().\nUse the same helper after hci_event_func() with a NULL address to\npreserve the existing unexpected-wake fallback semantics when no\nvalidated event handler records a wake address.\n\nAnnotate the helper with __must_hold(\u0026hdev-\u003elock) and add\nlockdep_assert_held(\u0026hdev-\u003elock) so future call paths keep the lock\ncontract explicit.\n\nCall the helper from hci_conn_request_evt(), hci_conn_complete_evt(),\nhci_sync_conn_complete_evt(), le_conn_complete_evt(),\nhci_le_adv_report_evt(), hci_le_ext_adv_report_evt(),\nhci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and\nhci_le_past_received_evt()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:15:29.721Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86c8d07a64d553c41e213b52650020010f9ef23e"
},
{
"url": "https://git.kernel.org/stable/c/2b2bf47cd75518c36fa2d41380e4a40641cc89cd"
}
],
"title": "Bluetooth: hci_event: move wake reason storage into validated event handlers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31771",
"datePublished": "2026-05-01T14:14:59.918Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-11T22:15:29.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46110 (GCVE-0-2026-46110)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-19 11:59
VLAI?
EPSS
Title
net: stmmac: Prevent NULL deref when RX memory exhausted
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Prevent NULL deref when RX memory exhausted
The CPU receives frames from the MAC through conventional DMA: the CPU
allocates buffers for the MAC, then the MAC fills them and returns
ownership to the CPU. For each hardware RX queue, the CPU and MAC
coordinate through a shared ring array of DMA descriptors: one
descriptor per DMA buffer. Each descriptor includes the buffer's
physical address and a status flag ("OWN") indicating which side owns
the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set
the flag and the MAC is only allowed to clear it, and both must move
through the ring in sequence: thus the ring is used for both
"submissions" and "completions."
In the stmmac driver, stmmac_rx() bookmarks its position in the ring
with the `cur_rx` index. The main receive loop in that function checks
for rx_descs[cur_rx].own=0, gives the corresponding buffer to the
network stack (NULLing the pointer), and increments `cur_rx` modulo the
ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its
position with `dirty_rx`, allocates fresh buffers and rearms the
descriptors (setting OWN=1). If it fails any allocation, it simply stops
early (leaving OWN=0) and will retry where it left off when next called.
This means descriptors have a three-stage lifecycle (terms my own):
- `empty` (OWN=1, buffer valid)
- `full` (OWN=0, buffer valid and populated)
- `dirty` (OWN=0, buffer NULL)
But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In
the past (see 'Fixes:'), there was a bug where the loop could cycle
`cur_rx` all the way back to the first descriptor it dirtied, resulting
in a NULL dereference when mistaken for `full`. The aforementioned
commit resolved that *specific* failure by capping the loop's iteration
limit at `dma_rx_size - 1`, but this is only a partial fix: if the
previous stmmac_rx_refill() didn't complete, then there are leftover
`dirty` descriptors that the loop might encounter without needing to
cycle fully around. The current code therefore panics (see 'Closes:')
when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to
catch up to `dirty_rx`.
Fix this by explicitly checking, before advancing `cur_rx`, if the next
entry is dirty; exit the loop if so. This prevents processing of the
final, used descriptor until stmmac_rx_refill() succeeds, but
fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix
intended: so remove the clamp as well. Since stmmac_rx_zc() is a
copy-paste-and-tweak of stmmac_rx() and the code structure is identical,
any fix to stmmac_rx() will also need a corresponding fix for
stmmac_rx_zc(). Therefore, apply the same check there.
In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the
MAC sets OWN=0 on the final descriptor, it will be unable to send any
further DMA-complete IRQs until it's given more `empty` descriptors.
Currently, the driver simply *hopes* that the next stmmac_rx_refill()
succeeds, risking an indefinite stall of the receive process if not. But
this is not a regression, so it can be addressed in a future change.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7414a28de1b3b028714859078c00a874f9feff52 , < fdeb95b1fc7de25c9362990efb9996a8d761055c
(git)
Affected: 779334e59850f863bf34665e0ff0b6faf126873b , < e1c50b273298c7cd9b08b113e7a7598b531a02f5 (git) Affected: b6cb4541853c7ee512111b0e7ddf3cb66c99c137 , < 5c910f7708e3c507b037ca91ca5b09f8cfe71e65 (git) Affected: b6cb4541853c7ee512111b0e7ddf3cb66c99c137 , < 4af2e62cbcda575a174acd230c3f3a208135e16d (git) Affected: b6cb4541853c7ee512111b0e7ddf3cb66c99c137 , < 950cb436165aad0f8f2cd49da3cd07677465bcde (git) Affected: b6cb4541853c7ee512111b0e7ddf3cb66c99c137 , < 0bb05e6adfa99a2ea1fee1125cc0953409f83ed8 (git) Affected: b435b4573240b5530830a1a60e005c6fcfd928a0 (git) Affected: 6.1.64 , < 6.1.176 (semver) Affected: 6.6.3 , < 6.6.140 (semver) Affected: 6.5.13 , < 6.6 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fdeb95b1fc7de25c9362990efb9996a8d761055c",
"status": "affected",
"version": "7414a28de1b3b028714859078c00a874f9feff52",
"versionType": "git"
},
{
"lessThan": "e1c50b273298c7cd9b08b113e7a7598b531a02f5",
"status": "affected",
"version": "779334e59850f863bf34665e0ff0b6faf126873b",
"versionType": "git"
},
{
"lessThan": "5c910f7708e3c507b037ca91ca5b09f8cfe71e65",
"status": "affected",
"version": "b6cb4541853c7ee512111b0e7ddf3cb66c99c137",
"versionType": "git"
},
{
"lessThan": "4af2e62cbcda575a174acd230c3f3a208135e16d",
"status": "affected",
"version": "b6cb4541853c7ee512111b0e7ddf3cb66c99c137",
"versionType": "git"
},
{
"lessThan": "950cb436165aad0f8f2cd49da3cd07677465bcde",
"status": "affected",
"version": "b6cb4541853c7ee512111b0e7ddf3cb66c99c137",
"versionType": "git"
},
{
"lessThan": "0bb05e6adfa99a2ea1fee1125cc0953409f83ed8",
"status": "affected",
"version": "b6cb4541853c7ee512111b0e7ddf3cb66c99c137",
"versionType": "git"
},
{
"status": "affected",
"version": "b435b4573240b5530830a1a60e005c6fcfd928a0",
"versionType": "git"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.64",
"versionType": "semver"
},
{
"lessThan": "6.6.140",
"status": "affected",
"version": "6.6.3",
"versionType": "semver"
},
{
"lessThan": "6.6",
"status": "affected",
"version": "6.5.13",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Prevent NULL deref when RX memory exhausted\n\nThe CPU receives frames from the MAC through conventional DMA: the CPU\nallocates buffers for the MAC, then the MAC fills them and returns\nownership to the CPU. For each hardware RX queue, the CPU and MAC\ncoordinate through a shared ring array of DMA descriptors: one\ndescriptor per DMA buffer. Each descriptor includes the buffer\u0027s\nphysical address and a status flag (\"OWN\") indicating which side owns\nthe buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set\nthe flag and the MAC is only allowed to clear it, and both must move\nthrough the ring in sequence: thus the ring is used for both\n\"submissions\" and \"completions.\"\n\nIn the stmmac driver, stmmac_rx() bookmarks its position in the ring\nwith the `cur_rx` index. The main receive loop in that function checks\nfor rx_descs[cur_rx].own=0, gives the corresponding buffer to the\nnetwork stack (NULLing the pointer), and increments `cur_rx` modulo the\nring size. After the loop exits, stmmac_rx_refill(), which bookmarks its\nposition with `dirty_rx`, allocates fresh buffers and rearms the\ndescriptors (setting OWN=1). If it fails any allocation, it simply stops\nearly (leaving OWN=0) and will retry where it left off when next called.\n\nThis means descriptors have a three-stage lifecycle (terms my own):\n- `empty` (OWN=1, buffer valid)\n- `full` (OWN=0, buffer valid and populated)\n- `dirty` (OWN=0, buffer NULL)\n\nBut because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In\nthe past (see \u0027Fixes:\u0027), there was a bug where the loop could cycle\n`cur_rx` all the way back to the first descriptor it dirtied, resulting\nin a NULL dereference when mistaken for `full`. The aforementioned\ncommit resolved that *specific* failure by capping the loop\u0027s iteration\nlimit at `dma_rx_size - 1`, but this is only a partial fix: if the\nprevious stmmac_rx_refill() didn\u0027t complete, then there are leftover\n`dirty` descriptors that the loop might encounter without needing to\ncycle fully around. The current code therefore panics (see \u0027Closes:\u0027)\nwhen stmmac_rx_refill() is memory-starved long enough for `cur_rx` to\ncatch up to `dirty_rx`.\n\nFix this by explicitly checking, before advancing `cur_rx`, if the next\nentry is dirty; exit the loop if so. This prevents processing of the\nfinal, used descriptor until stmmac_rx_refill() succeeds, but\nfully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix\nintended: so remove the clamp as well. Since stmmac_rx_zc() is a\ncopy-paste-and-tweak of stmmac_rx() and the code structure is identical,\nany fix to stmmac_rx() will also need a corresponding fix for\nstmmac_rx_zc(). Therefore, apply the same check there.\n\nIn stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the\nMAC sets OWN=0 on the final descriptor, it will be unable to send any\nfurther DMA-complete IRQs until it\u0027s given more `empty` descriptors.\nCurrently, the driver simply *hopes* that the next stmmac_rx_refill()\nsucceeds, risking an indefinite stall of the receive process if not. But\nthis is not a regression, so it can be addressed in a future change."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:33.692Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fdeb95b1fc7de25c9362990efb9996a8d761055c"
},
{
"url": "https://git.kernel.org/stable/c/e1c50b273298c7cd9b08b113e7a7598b531a02f5"
},
{
"url": "https://git.kernel.org/stable/c/5c910f7708e3c507b037ca91ca5b09f8cfe71e65"
},
{
"url": "https://git.kernel.org/stable/c/4af2e62cbcda575a174acd230c3f3a208135e16d"
},
{
"url": "https://git.kernel.org/stable/c/950cb436165aad0f8f2cd49da3cd07677465bcde"
},
{
"url": "https://git.kernel.org/stable/c/0bb05e6adfa99a2ea1fee1125cc0953409f83ed8"
}
],
"title": "net: stmmac: Prevent NULL deref when RX memory exhausted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46110",
"datePublished": "2026-05-28T09:35:18.359Z",
"dateReserved": "2026-05-13T15:03:33.098Z",
"dateUpdated": "2026-06-19T11:59:33.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31694 (GCVE-0-2026-31694)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:53 – Updated: 2026-07-02 13:44
VLAI?
EPSS
Title
fuse: reject oversized dirents in page cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: reject oversized dirents in page cache
fuse_add_dirent_to_cache() computes a serialized dirent size from the
server-controlled namelen field and copies the dirent into a single
page-cache page. The existing logic only checks whether the dirent fits
in the remaining space of the current page and advances to a fresh page
if not. It never checks whether the dirent itself exceeds PAGE_SIZE.
As a result, a malicious FUSE server can return a dirent with
namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB
page systems this causes memcpy() to overflow the cache page by 24 bytes
into the following kernel page.
Reject dirents that cannot fit in a single page before copying them into
the readdir cache.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
27992ef80770d61a57f6c3a551735b08cefdffa3 , < 7de93abfaae1b2dc94da8a07a36421bd073f1d8f
(git)
Affected: 27992ef80770d61a57f6c3a551735b08cefdffa3 , < 474ce83c96a55f2eeb14dee2be375eeadfdacdf5 (git) Affected: 27992ef80770d61a57f6c3a551735b08cefdffa3 , < 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/readdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7de93abfaae1b2dc94da8a07a36421bd073f1d8f",
"status": "affected",
"version": "27992ef80770d61a57f6c3a551735b08cefdffa3",
"versionType": "git"
},
{
"lessThan": "474ce83c96a55f2eeb14dee2be375eeadfdacdf5",
"status": "affected",
"version": "27992ef80770d61a57f6c3a551735b08cefdffa3",
"versionType": "git"
},
{
"lessThan": "51a8de6c50bf947c8f534cd73da4c8f0a13e7bed",
"status": "affected",
"version": "27992ef80770d61a57f6c3a551735b08cefdffa3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/readdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: reject oversized dirents in page cache\n\nfuse_add_dirent_to_cache() computes a serialized dirent size from the\nserver-controlled namelen field and copies the dirent into a single\npage-cache page. The existing logic only checks whether the dirent fits\nin the remaining space of the current page and advances to a fresh page\nif not. It never checks whether the dirent itself exceeds PAGE_SIZE.\n\nAs a result, a malicious FUSE server can return a dirent with\nnamelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB\npage systems this causes memcpy() to overflow the cache page by 24 bytes\ninto the following kernel page.\n\nReject dirents that cannot fit in a single page before copying them into\nthe readdir cache."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T13:44:23.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f"
},
{
"url": "https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5"
},
{
"url": "https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed"
}
],
"title": "fuse: reject oversized dirents in page cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31694",
"datePublished": "2026-05-01T13:53:36.048Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-07-02T13:44:23.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46227 (GCVE-0-2026-46227)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().
While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu(). The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.
sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp. After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).
Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.
Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns. @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.
The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb027307 ("sctp: walk the list of asoc
safely") was added for.
Severity ?
7.8 (High)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4910280503f3af2857d5aa77e35b22d93a8960a8 , < f3a3f0b406b4b7eb3cea35a23fa2bf170848b104
(git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 0dbc8cde64280fc37cdd678cced34eaf96cfb197 (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 0c7b55974f97b78d1109025eadf084e74cbf330f (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078 (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 6187a172d6ed57d6b2c327836e4407c6456e639d (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < c9dadb31f36045a8cb65df4bd75e7237ef21a4b5 (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < bf0f40d8107e2ce827521968dc6926f3e13728ae (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < abb5f36771cc4c05899b34000829a787572a8817 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Stream Control Transmission Protocol (SCTP) implementation. A race condition exists in the `SCTP_SENDALL` path where a cached list entry is not properly revalidated after the socket lock is temporarily released. This allows a local attacker or a remote attacker (via a network abort) to trigger a use-after-free or type confusion vulnerability. Successful exploitation can lead to a controlled indirect call, potentially resulting in arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:27.645Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46227"
},
{
"name": "RHBZ#2482564",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482564"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46227.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33899"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:26515: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26535: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:33899: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26563: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:26462: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3a3f0b406b4b7eb3cea35a23fa2bf170848b104",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "0dbc8cde64280fc37cdd678cced34eaf96cfb197",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "0c7b55974f97b78d1109025eadf084e74cbf330f",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "6187a172d6ed57d6b2c327836e4407c6456e639d",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "c9dadb31f36045a8cb65df4bd75e7237ef21a4b5",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "bf0f40d8107e2ce827521968dc6926f3e13728ae",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "abb5f36771cc4c05899b34000829a787572a8817",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs. The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu(). The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp. After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns. @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:04:07.453Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3a3f0b406b4b7eb3cea35a23fa2bf170848b104"
},
{
"url": "https://git.kernel.org/stable/c/0dbc8cde64280fc37cdd678cced34eaf96cfb197"
},
{
"url": "https://git.kernel.org/stable/c/0c7b55974f97b78d1109025eadf084e74cbf330f"
},
{
"url": "https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078"
},
{
"url": "https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d"
},
{
"url": "https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5"
},
{
"url": "https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae"
},
{
"url": "https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817"
}
],
"title": "sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46227",
"datePublished": "2026-05-28T09:40:47.518Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-07-02T12:05:27.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43362 (GCVE-0-2026-43362)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
smb: client: fix in-place encryption corruption in SMB2_write()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix in-place encryption corruption in SMB2_write()
SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.
The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.
This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.
Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 438e77435aee2894d5edf90be5c87004a57f6258
(git)
Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 52327268224fb9ccc7ecfbbdfdfff54b6e93c518 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 92e64f1852f455f57d0850989e57c30d7fac7d95 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < aea5e37388a080361110ab5790f57ae0af383650 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < d78840a6a38d312dc1a51a65317bb67e46f0b929 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "438e77435aee2894d5edf90be5c87004a57f6258",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "52327268224fb9ccc7ecfbbdfdfff54b6e93c518",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "92e64f1852f455f57d0850989e57c30d7fac7d95",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "aea5e37388a080361110ab5790f57ae0af383650",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "d78840a6a38d312dc1a51a65317bb67e46f0b929",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix in-place encryption corruption in SMB2_write()\n\nSMB2_write() places write payload in iov[1..n] as part of rq_iov.\nsmb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()\nencrypts iov[1] in-place, replacing the original plaintext with\nciphertext. On a replayable error, the retry sends the same iov[1]\nwhich now contains ciphertext instead of the original data,\nresulting in corruption.\n\nThe corruption is most likely to be observed when connections are\nunstable, as reconnects trigger write retries that re-send the\nalready-encrypted data.\n\nThis affects SFU mknod, MF symlinks, etc. On kernels before\n6.10 (prior to the netfs conversion), sync writes also used\nthis path and were similarly affected. The async write path\nwasn\u0027t unaffected as it uses rq_iter which gets deep-copied.\n\nFix by moving the write payload into rq_iter via iov_iter_kvec(),\nso smb3_init_transform_rq() deep-copies it before encryption."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:07.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258"
},
{
"url": "https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518"
},
{
"url": "https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95"
},
{
"url": "https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650"
},
{
"url": "https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929"
}
],
"title": "smb: client: fix in-place encryption corruption in SMB2_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43362",
"datePublished": "2026-05-08T14:21:16.358Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:07.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43361 (GCVE-0-2026-43361)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
btrfs: fix transaction abort when snapshotting received subvolumes
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort when snapshotting received subvolumes
Currently a user can trigger a transaction abort by snapshotting a
previously received snapshot a bunch of times until we reach a
BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we
can store in a leaf). This is very likely not common in practice, but
if it happens, it turns the filesystem into RO mode. The snapshot, send
and set_received_subvol and subvol_setflags (used by receive) don't
require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user
could use this to turn a filesystem into RO mode and disrupt a system.
Reproducer script:
$ cat test.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
# Use smallest node size to make the test faster.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT
# Create a subvolume and set it to RO so that it can be used for send.
btrfs subvolume create $MNT/sv
touch $MNT/sv/foo
btrfs property set $MNT/sv ro true
# Send and receive the subvolume into snaps/sv.
mkdir $MNT/snaps
btrfs send $MNT/sv | btrfs receive $MNT/snaps
# Now snapshot the received subvolume, which has a received_uuid, a
# lot of times to trigger the leaf overflow.
total=500
for ((i = 1; i <= $total; i++)); do
echo -ne "\rCreating snapshot $i/$total"
btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
done
echo
umount $MNT
When running the test:
$ ./test.sh
(...)
Create subvolume '/mnt/sdi/sv'
At subvol /mnt/sdi/sv
At subvol sv
Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
And in dmesg/syslog:
$ dmesg
(...)
[251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
[251067.629212] ------------[ cut here ]------------
[251067.630033] BTRFS: Transaction aborted (error -75)
[251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
[251067.632851] Modules linked in: btrfs dm_zero (...)
[251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[251067.646165] Tainted: [W]=WARN
[251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
[251067.649984] Code: f0 48 0f (...)
[251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
[251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
[251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
[251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
[251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
[251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
[251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
[251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
[251067.661972] Call Trace:
[251067.662292] <TASK>
[251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]
[251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]
[251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
[251067.665238] ? _raw_spin_unlock+0x15/0x30
[251067.665837] ? record_root_
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 9a9227b488ffb7cdbb5d930a01fc6956c05ba61a
(git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 6bce705b699cba9afccb996c77d194fe003dfa2a (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < e3d8efc157bc590457d3e31da403af1a221643d6 (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < bac55dde8efa457e769c934fd88a63f2141ba238 (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 770af8e465c2c3de528f85e840eab462dd41542b (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < e1b18b959025e6b5dbad668f391f65d34b39595a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a9227b488ffb7cdbb5d930a01fc6956c05ba61a",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "6bce705b699cba9afccb996c77d194fe003dfa2a",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "e3d8efc157bc590457d3e31da403af1a221643d6",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "bac55dde8efa457e769c934fd88a63f2141ba238",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "770af8e465c2c3de528f85e840eab462dd41542b",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "e1b18b959025e6b5dbad668f391f65d34b39595a",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort when snapshotting received subvolumes\n\nCurrently a user can trigger a transaction abort by snapshotting a\npreviously received snapshot a bunch of times until we reach a\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\ncan store in a leaf). This is very likely not common in practice, but\nif it happens, it turns the filesystem into RO mode. The snapshot, send\nand set_received_subvol and subvol_setflags (used by receive) don\u0027t\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\ncould use this to turn a filesystem into RO mode and disrupt a system.\n\nReproducer script:\n\n $ cat test.sh\n #!/bin/bash\n\n DEV=/dev/sdi\n MNT=/mnt/sdi\n\n # Use smallest node size to make the test faster.\n mkfs.btrfs -f --nodesize 4K $DEV\n mount $DEV $MNT\n\n # Create a subvolume and set it to RO so that it can be used for send.\n btrfs subvolume create $MNT/sv\n touch $MNT/sv/foo\n btrfs property set $MNT/sv ro true\n\n # Send and receive the subvolume into snaps/sv.\n mkdir $MNT/snaps\n btrfs send $MNT/sv | btrfs receive $MNT/snaps\n\n # Now snapshot the received subvolume, which has a received_uuid, a\n # lot of times to trigger the leaf overflow.\n total=500\n for ((i = 1; i \u003c= $total; i++)); do\n echo -ne \"\\rCreating snapshot $i/$total\"\n btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i \u003e /dev/null\n done\n echo\n\n umount $MNT\n\nWhen running the test:\n\n $ ./test.sh\n (...)\n Create subvolume \u0027/mnt/sdi/sv\u0027\n At subvol /mnt/sdi/sv\n At subvol sv\n Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\n Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\n\nAnd in dmesg/syslog:\n\n $ dmesg\n (...)\n [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\n [251067.629212] ------------[ cut here ]------------\n [251067.630033] BTRFS: Transaction aborted (error -75)\n [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\n [251067.632851] Modules linked in: btrfs dm_zero (...)\n [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n [251067.646165] Tainted: [W]=WARN\n [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\n [251067.649984] Code: f0 48 0f (...)\n [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\n [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\n [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\n [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\n [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\n [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\n [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\n [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\n [251067.661972] Call Trace:\n [251067.662292] \u003cTASK\u003e\n [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]\n [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]\n [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\n [251067.665238] ? _raw_spin_unlock+0x15/0x30\n [251067.665837] ? record_root_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:05.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a"
},
{
"url": "https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a"
},
{
"url": "https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6"
},
{
"url": "https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238"
},
{
"url": "https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b"
},
{
"url": "https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a"
}
],
"title": "btrfs: fix transaction abort when snapshotting received subvolumes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43361",
"datePublished": "2026-05-08T14:21:15.683Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:05.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43252 (GCVE-0-2026-43252)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
mptcp: pm: in-kernel: always set ID as avail when rm endp
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: in-kernel: always set ID as avail when rm endp
Syzkaller managed to find a combination of actions that was generating
this warning:
WARNING: net/mptcp/pm_kernel.c:1074 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538, CPU#1: syz.7.48/2535
Modules linked in:
CPU: 1 UID: 0 PID: 2535 Comm: syz.7.48 Not tainted 6.18.0-03987-gea5f5e676cf5 #17 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline]
RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline]
RIP: 0010:mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline]
RIP: 0010:mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538
Code: 89 c7 e8 c5 8c 73 fe e9 f7 fd ff ff 49 83 ef 80 e8 b7 8c 73 fe 4c 89 ff be 03 00 00 00 e8 4a 29 e3 fe eb ac e8 a3 8c 73 fe 90 <0f> 0b 90 e9 3d ff ff ff e8 95 8c 73 fe b8 a1 ff ff ff eb 1a e8 89
RSP: 0018:ffffc9001535b820 EFLAGS: 00010287
netdevsim0: tun_chr_ioctl cmd 1074025677
RAX: ffffffff82da294d RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc900096d0000 RSI: 00000000000006d6 RDI: 00000000000006d7
netdevsim0: linktype set to 823
RBP: ffff88802cdb2240 R08: 00000000000104ae R09: ffffffffffffffff
R10: ffffffff82da27d4 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88801246d8c0 R14: ffffc9001535b8b8 R15: ffff88802cdb1800
FS: 00007fc6ac5a76c0(0000) GS:ffff8880f90c8000(0000) knlGS:0000000000000000
netlink: 'syz.3.50': attribute type 5 has an invalid length.
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
netlink: 1232 bytes leftover after parsing attributes in process `syz.3.50'.
CR2: 0000200000010000 CR3: 0000000025b1a000 CR4: 0000000000350ef0
Call Trace:
<TASK>
mptcp_pm_set_flags net/mptcp/pm_netlink.c:277 [inline]
mptcp_pm_nl_set_flags_doit+0x1d7/0x210 net/mptcp/pm_netlink.c:282
genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x4ab/0x5b0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0xc9/0xf0 net/socket.c:733
____sys_sendmsg+0x272/0x3b0 net/socket.c:2608
___sys_sendmsg+0x2de/0x320 net/socket.c:2662
__sys_sendmsg net/socket.c:2694 [inline]
__do_sys_sendmsg net/socket.c:2699 [inline]
__se_sys_sendmsg net/socket.c:2697 [inline]
__x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2697
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xed/0x360 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc6adb66f6d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc6ac5a6ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc6addf5fa0 RCX: 00007fc6adb66f6d
RDX: 0000000000048084 RSI: 00002000000002c0 RDI: 000000000000000e
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
027cca7029bee685a5ca5c4849be5a2c446ce046 , < d90d73ad183566c81320d453a223f610a280f210
(git)
Affected: cb24bdcdecba1c60169efb74d88900888df59907 , < 1b3ff4d88b508b73e2bbddb59356311efb7ba192 (git) Affected: e255683c06df572ead96db5efb5d21be30c0efaa , < 7c1d221e475e3d8eb8ed4702392d43f8c5134d1f (git) Affected: e255683c06df572ead96db5efb5d21be30c0efaa , < 7e4d88e36e5d0b8ffda637999cbca64c81701a81 (git) Affected: e255683c06df572ead96db5efb5d21be30c0efaa , < 4d480efd98e290c445f4ba476e4dcda5624b1aab (git) Affected: e255683c06df572ead96db5efb5d21be30c0efaa , < d191101dee25567c2af3b28565f45346c33d65f5 (git) Affected: 47a049b38f567a2fbec76bc211ad7ad735519607 (git) Affected: 6.1.107 , < 6.1.167 (semver) Affected: 6.6.48 , < 6.6.130 (semver) Affected: 6.10.7 , < 6.11 (semver) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_kernel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d90d73ad183566c81320d453a223f610a280f210",
"status": "affected",
"version": "027cca7029bee685a5ca5c4849be5a2c446ce046",
"versionType": "git"
},
{
"lessThan": "1b3ff4d88b508b73e2bbddb59356311efb7ba192",
"status": "affected",
"version": "cb24bdcdecba1c60169efb74d88900888df59907",
"versionType": "git"
},
{
"lessThan": "7c1d221e475e3d8eb8ed4702392d43f8c5134d1f",
"status": "affected",
"version": "e255683c06df572ead96db5efb5d21be30c0efaa",
"versionType": "git"
},
{
"lessThan": "7e4d88e36e5d0b8ffda637999cbca64c81701a81",
"status": "affected",
"version": "e255683c06df572ead96db5efb5d21be30c0efaa",
"versionType": "git"
},
{
"lessThan": "4d480efd98e290c445f4ba476e4dcda5624b1aab",
"status": "affected",
"version": "e255683c06df572ead96db5efb5d21be30c0efaa",
"versionType": "git"
},
{
"lessThan": "d191101dee25567c2af3b28565f45346c33d65f5",
"status": "affected",
"version": "e255683c06df572ead96db5efb5d21be30c0efaa",
"versionType": "git"
},
{
"status": "affected",
"version": "47a049b38f567a2fbec76bc211ad7ad735519607",
"versionType": "git"
},
{
"lessThan": "6.1.167",
"status": "affected",
"version": "6.1.107",
"versionType": "semver"
},
{
"lessThan": "6.6.130",
"status": "affected",
"version": "6.6.48",
"versionType": "semver"
},
{
"lessThan": "6.11",
"status": "affected",
"version": "6.10.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_kernel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always set ID as avail when rm endp\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n WARNING: net/mptcp/pm_kernel.c:1074 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline], CPU#1: syz.7.48/2535\n WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline], CPU#1: syz.7.48/2535\n WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline], CPU#1: syz.7.48/2535\n WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538, CPU#1: syz.7.48/2535\n Modules linked in:\n CPU: 1 UID: 0 PID: 2535 Comm: syz.7.48 Not tainted 6.18.0-03987-gea5f5e676cf5 #17 PREEMPT(voluntary)\n Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline]\n RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline]\n RIP: 0010:mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline]\n RIP: 0010:mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538\n Code: 89 c7 e8 c5 8c 73 fe e9 f7 fd ff ff 49 83 ef 80 e8 b7 8c 73 fe 4c 89 ff be 03 00 00 00 e8 4a 29 e3 fe eb ac e8 a3 8c 73 fe 90 \u003c0f\u003e 0b 90 e9 3d ff ff ff e8 95 8c 73 fe b8 a1 ff ff ff eb 1a e8 89\n RSP: 0018:ffffc9001535b820 EFLAGS: 00010287\n netdevsim0: tun_chr_ioctl cmd 1074025677\n RAX: ffffffff82da294d RBX: 0000000000000001 RCX: 0000000000080000\n RDX: ffffc900096d0000 RSI: 00000000000006d6 RDI: 00000000000006d7\n netdevsim0: linktype set to 823\n RBP: ffff88802cdb2240 R08: 00000000000104ae R09: ffffffffffffffff\n R10: ffffffff82da27d4 R11: 0000000000000000 R12: 0000000000000000\n R13: ffff88801246d8c0 R14: ffffc9001535b8b8 R15: ffff88802cdb1800\n FS: 00007fc6ac5a76c0(0000) GS:ffff8880f90c8000(0000) knlGS:0000000000000000\n netlink: \u0027syz.3.50\u0027: attribute type 5 has an invalid length.\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n netlink: 1232 bytes leftover after parsing attributes in process `syz.3.50\u0027.\n CR2: 0000200000010000 CR3: 0000000025b1a000 CR4: 0000000000350ef0\n Call Trace:\n \u003cTASK\u003e\n mptcp_pm_set_flags net/mptcp/pm_netlink.c:277 [inline]\n mptcp_pm_nl_set_flags_doit+0x1d7/0x210 net/mptcp/pm_netlink.c:282\n genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x4ab/0x5b0 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0xc9/0xf0 net/socket.c:733\n ____sys_sendmsg+0x272/0x3b0 net/socket.c:2608\n ___sys_sendmsg+0x2de/0x320 net/socket.c:2662\n __sys_sendmsg net/socket.c:2694 [inline]\n __do_sys_sendmsg net/socket.c:2699 [inline]\n __se_sys_sendmsg net/socket.c:2697 [inline]\n __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2697\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xed/0x360 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fc6adb66f6d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007fc6ac5a6ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007fc6addf5fa0 RCX: 00007fc6adb66f6d\n RDX: 0000000000048084 RSI: 00002000000002c0 RDI: 000000000000000e\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:35.049Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d90d73ad183566c81320d453a223f610a280f210"
},
{
"url": "https://git.kernel.org/stable/c/1b3ff4d88b508b73e2bbddb59356311efb7ba192"
},
{
"url": "https://git.kernel.org/stable/c/7c1d221e475e3d8eb8ed4702392d43f8c5134d1f"
},
{
"url": "https://git.kernel.org/stable/c/7e4d88e36e5d0b8ffda637999cbca64c81701a81"
},
{
"url": "https://git.kernel.org/stable/c/4d480efd98e290c445f4ba476e4dcda5624b1aab"
},
{
"url": "https://git.kernel.org/stable/c/d191101dee25567c2af3b28565f45346c33d65f5"
}
],
"title": "mptcp: pm: in-kernel: always set ID as avail when rm endp",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43252",
"datePublished": "2026-05-06T11:28:42.512Z",
"dateReserved": "2026-05-01T14:12:55.996Z",
"dateUpdated": "2026-05-23T16:06:35.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45878 (GCVE-0-2026-45878)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:16 – Updated: 2026-05-30 10:45
VLAI?
EPSS
Title
drm/amdkfd: Fix watch_id bounds checking in debug address watch v2
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix watch_id bounds checking in debug address watch v2
The address watch clear code receives watch_id as an unsigned value
(u32), but some helper functions were using a signed int and checked
bits by shifting with watch_id.
If a very large watch_id is passed from userspace, it can be converted
to a negative value. This can cause invalid shifts and may access
memory outside the watch_points array.
drm/amdkfd: Fix watch_id bounds checking in debug address watch v2
Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before
using it. Also use BIT(watch_id) to test and clear bits safely.
This keeps the behavior unchanged for valid watch IDs and avoids
undefined behavior for invalid ones.
Fixes the below:
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448
kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow
'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c
433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,
434 uint32_t watch_id)
435 {
436 int r;
437
438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))
kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if
watch_id is larger than INT_MAX it leads to a buffer overflow.
(Negative shifts are undefined).
439 return -EINVAL;
440
441 if (!pdd->dev->kfd->shared_resources.enable_mes) {
442 r = debug_lock_and_unmap(pdd->dev->dqm);
443 if (r)
444 return r;
445 }
446
447 amdgpu_gfx_off_ctrl(pdd->dev->adev, false);
--> 448 pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch(
449 pdd->dev->adev,
450 watch_id);
v2: (as per, Jonathan Kim)
- Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to
match the clear path.
- Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e0f85f4690d089cc1a60337decafb1acf7eec45e , < 971bf8e61e9b4abaacf9b35eaf76ec222758f9d6
(git)
Affected: e0f85f4690d089cc1a60337decafb1acf7eec45e , < a0d367e13db63a6ed76ee0d0a8c3a58c1fa98488 (git) Affected: e0f85f4690d089cc1a60337decafb1acf7eec45e , < 2b36c0c1bcbbe15f6cfa9652084b3124c835a150 (git) Affected: e0f85f4690d089cc1a60337decafb1acf7eec45e , < 3c38a0f07aa2bfef2b219b1f045534ad93f85afd (git) Affected: e0f85f4690d089cc1a60337decafb1acf7eec45e , < 5a19302cab5cec7ae7f1a60c619951e6c17d8742 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "971bf8e61e9b4abaacf9b35eaf76ec222758f9d6",
"status": "affected",
"version": "e0f85f4690d089cc1a60337decafb1acf7eec45e",
"versionType": "git"
},
{
"lessThan": "a0d367e13db63a6ed76ee0d0a8c3a58c1fa98488",
"status": "affected",
"version": "e0f85f4690d089cc1a60337decafb1acf7eec45e",
"versionType": "git"
},
{
"lessThan": "2b36c0c1bcbbe15f6cfa9652084b3124c835a150",
"status": "affected",
"version": "e0f85f4690d089cc1a60337decafb1acf7eec45e",
"versionType": "git"
},
{
"lessThan": "3c38a0f07aa2bfef2b219b1f045534ad93f85afd",
"status": "affected",
"version": "e0f85f4690d089cc1a60337decafb1acf7eec45e",
"versionType": "git"
},
{
"lessThan": "5a19302cab5cec7ae7f1a60c619951e6c17d8742",
"status": "affected",
"version": "e0f85f4690d089cc1a60337decafb1acf7eec45e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix watch_id bounds checking in debug address watch v2\n\nThe address watch clear code receives watch_id as an unsigned value\n(u32), but some helper functions were using a signed int and checked\nbits by shifting with watch_id.\n\nIf a very large watch_id is passed from userspace, it can be converted\nto a negative value. This can cause invalid shifts and may access\nmemory outside the watch_points array.\n\ndrm/amdkfd: Fix watch_id bounds checking in debug address watch v2\n\nFix this by checking that watch_id is within MAX_WATCH_ADDRESSES before\nusing it. Also use BIT(watch_id) to test and clear bits safely.\n\nThis keeps the behavior unchanged for valid watch IDs and avoids\nundefined behavior for invalid ones.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448\nkfd_dbg_trap_clear_dev_address_watch() error: buffer overflow\n\u0027pdd-\u003ewatch_points\u0027 4 \u003c= u32max user_rl=\u00270-3,2147483648-u32max\u0027 uncapped\n\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c\n 433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,\n 434 uint32_t watch_id)\n 435 {\n 436 int r;\n 437\n 438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))\n\nkfd_dbg_owns_dev_watch_id() doesn\u0027t check for negative values so if\nwatch_id is larger than INT_MAX it leads to a buffer overflow.\n(Negative shifts are undefined).\n\n 439 return -EINVAL;\n 440\n 441 if (!pdd-\u003edev-\u003ekfd-\u003eshared_resources.enable_mes) {\n 442 r = debug_lock_and_unmap(pdd-\u003edev-\u003edqm);\n 443 if (r)\n 444 return r;\n 445 }\n 446\n 447 amdgpu_gfx_off_ctrl(pdd-\u003edev-\u003eadev, false);\n--\u003e 448 pdd-\u003ewatch_points[watch_id] = pdd-\u003edev-\u003ekfd2kgd-\u003eclear_address_watch(\n 449 pdd-\u003edev-\u003eadev,\n 450 watch_id);\n\nv2: (as per, Jonathan Kim)\n - Add early watch_id \u003e= MAX_WATCH_ADDRESSES validation in the set path to\n match the clear path.\n - Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T10:45:44.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/971bf8e61e9b4abaacf9b35eaf76ec222758f9d6"
},
{
"url": "https://git.kernel.org/stable/c/a0d367e13db63a6ed76ee0d0a8c3a58c1fa98488"
},
{
"url": "https://git.kernel.org/stable/c/2b36c0c1bcbbe15f6cfa9652084b3124c835a150"
},
{
"url": "https://git.kernel.org/stable/c/3c38a0f07aa2bfef2b219b1f045534ad93f85afd"
},
{
"url": "https://git.kernel.org/stable/c/5a19302cab5cec7ae7f1a60c619951e6c17d8742"
}
],
"title": "drm/amdkfd: Fix watch_id bounds checking in debug address watch v2",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45878",
"datePublished": "2026-05-27T12:16:49.108Z",
"dateReserved": "2026-05-13T15:03:33.081Z",
"dateUpdated": "2026-05-30T10:45:44.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43249 (GCVE-0-2026-43249)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-23 16:06
VLAI?
EPSS
Title
9p/xen: protect xen_9pfs_front_free against concurrent calls
Summary
In the Linux kernel, the following vulnerability has been resolved:
9p/xen: protect xen_9pfs_front_free against concurrent calls
The xenwatch thread can race with other back-end change notifications
and call xen_9pfs_front_free() twice, hitting the observed general
protection fault due to a double-free. Guard the teardown path so only
one caller can release the front-end state at a time, preventing the
crash.
This is a fix for the following double-free:
[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)
[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150
[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42
[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246
[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000
[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000
[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000
[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68
[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040
[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000
[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660
[ 27.052418] Call Trace:
[ 27.052420] <TASK>
[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720
[ 27.052426] ? xenbus_otherend_changed+0x72/0x140
[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10
[ 27.052434] xenwatch_thread+0x94/0x1c0
[ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10
[ 27.052442] kthread+0xf8/0x240
[ 27.052445] ? __pfx_kthread+0x10/0x10
[ 27.052449] ? __pfx_kthread+0x10/0x10
[ 27.052452] ret_from_fork+0x16b/0x1a0
[ 27.052456] ? __pfx_kthread+0x10/0x10
[ 27.052459] ret_from_fork_asm+0x1a/0x30
[ 27.052463] </TASK>
[ 27.052465] Modules linked in:
[ 27.052471] ---[ end trace 0000000000000000 ]---
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c15fe55d14b3b4ded5af2a3260877460a6ffb8ad , < a5d00dff97118a32fcf5fec7a4c3f864c4620c4e
(git)
Affected: c15fe55d14b3b4ded5af2a3260877460a6ffb8ad , < 59e7707492576bdbfa8c1dbe7d90791df31e4773 (git) Affected: c15fe55d14b3b4ded5af2a3260877460a6ffb8ad , < bf841d43f7a33d75675ba7f4e214ac1c67913065 (git) Affected: c15fe55d14b3b4ded5af2a3260877460a6ffb8ad , < ce8ded2e61f47747e31eeefb44dc24a2160a7e32 (git) Affected: be03c4fe72384366fd4077a70966bd3b8fc49013 (git) Affected: 1ab4de11232e83b875b071aa44d1155634ca8a1e (git) Affected: 7cc9dbae8a5f73bd555130384ea256018d28f283 (git) Affected: 3e0359f151ac151abe3fa71040e450ed69cb824b (git) Affected: 8d3fc907d060c4fb33203e616a395a22083b6566 (git) Affected: 4f0e9244770f5b75a16d8c0929063cd336926764 (git) Affected: 5f6a8974e9ef317fe63f88bab1f33070195dd147 (git) Affected: 4.14.308 , < 4.15 (semver) Affected: 4.19.276 , < 4.20 (semver) Affected: 5.4.235 , < 5.5 (semver) Affected: 5.10.173 , < 5.11 (semver) Affected: 5.15.100 , < 5.16 (semver) Affected: 6.1.18 , < 6.2 (semver) Affected: 6.2.5 , < 6.3 (semver) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/9p/trans_xen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5d00dff97118a32fcf5fec7a4c3f864c4620c4e",
"status": "affected",
"version": "c15fe55d14b3b4ded5af2a3260877460a6ffb8ad",
"versionType": "git"
},
{
"lessThan": "59e7707492576bdbfa8c1dbe7d90791df31e4773",
"status": "affected",
"version": "c15fe55d14b3b4ded5af2a3260877460a6ffb8ad",
"versionType": "git"
},
{
"lessThan": "bf841d43f7a33d75675ba7f4e214ac1c67913065",
"status": "affected",
"version": "c15fe55d14b3b4ded5af2a3260877460a6ffb8ad",
"versionType": "git"
},
{
"lessThan": "ce8ded2e61f47747e31eeefb44dc24a2160a7e32",
"status": "affected",
"version": "c15fe55d14b3b4ded5af2a3260877460a6ffb8ad",
"versionType": "git"
},
{
"status": "affected",
"version": "be03c4fe72384366fd4077a70966bd3b8fc49013",
"versionType": "git"
},
{
"status": "affected",
"version": "1ab4de11232e83b875b071aa44d1155634ca8a1e",
"versionType": "git"
},
{
"status": "affected",
"version": "7cc9dbae8a5f73bd555130384ea256018d28f283",
"versionType": "git"
},
{
"status": "affected",
"version": "3e0359f151ac151abe3fa71040e450ed69cb824b",
"versionType": "git"
},
{
"status": "affected",
"version": "8d3fc907d060c4fb33203e616a395a22083b6566",
"versionType": "git"
},
{
"status": "affected",
"version": "4f0e9244770f5b75a16d8c0929063cd336926764",
"versionType": "git"
},
{
"status": "affected",
"version": "5f6a8974e9ef317fe63f88bab1f33070195dd147",
"versionType": "git"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThan": "6.3",
"status": "affected",
"version": "6.2.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/9p/trans_xen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.100",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/xen: protect xen_9pfs_front_free against concurrent calls\n\nThe xenwatch thread can race with other back-end change notifications\nand call xen_9pfs_front_free() twice, hitting the observed general\nprotection fault due to a double-free. Guard the teardown path so only\none caller can release the front-end state at a time, preventing the\ncrash.\n\nThis is a fix for the following double-free:\n\n[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)\n[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150\n[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 \u003c48\u003e 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42\n[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246\n[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000\n[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000\n[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000\n[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68\n[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040\n[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000\n[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660\n[ 27.052418] Call Trace:\n[ 27.052420] \u003cTASK\u003e\n[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720\n[ 27.052426] ? xenbus_otherend_changed+0x72/0x140\n[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10\n[ 27.052434] xenwatch_thread+0x94/0x1c0\n[ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10\n[ 27.052442] kthread+0xf8/0x240\n[ 27.052445] ? __pfx_kthread+0x10/0x10\n[ 27.052449] ? __pfx_kthread+0x10/0x10\n[ 27.052452] ret_from_fork+0x16b/0x1a0\n[ 27.052456] ? __pfx_kthread+0x10/0x10\n[ 27.052459] ret_from_fork_asm+0x1a/0x30\n[ 27.052463] \u003c/TASK\u003e\n[ 27.052465] Modules linked in:\n[ 27.052471] ---[ end trace 0000000000000000 ]---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:33.972Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e"
},
{
"url": "https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773"
},
{
"url": "https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065"
},
{
"url": "https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32"
}
],
"title": "9p/xen: protect xen_9pfs_front_free against concurrent calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43249",
"datePublished": "2026-05-06T11:28:40.290Z",
"dateReserved": "2026-05-01T14:12:55.996Z",
"dateUpdated": "2026-05-23T16:06:33.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46181 (GCVE-0-2026-46181)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
Sashiko points out the radix_tree itself is RCU safe, but nothing ever
frees the mlx4_srq struct with RCU, and it isn't even accessed within the
RCU critical section. It also will crash if an event is delivered before
the srq object is finished initializing.
Use the spinlock since it isn't easy to make RCU work, use
refcount_inc_not_zero() to protect against partially initialized objects,
and order the refcount_set() to be after the srq is fully initialized.
Severity ?
7.8 (High)
CWE
- CWE-366 - Race Condition within a Thread
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
30353bfc43a1602c020f31d95cf27182ffd23824 , < 1e2a44875b6afb4add1115f7f3351dcbeb6f273d
(git)
Affected: 30353bfc43a1602c020f31d95cf27182ffd23824 , < 8b7833f3bce35cb0d01c1503781523c099c675f0 (git) Affected: 30353bfc43a1602c020f31d95cf27182ffd23824 , < c9341307ea16b9395c2e4c9c94d8499d91fe31d0 (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s RDMA/mlx4 component. This vulnerability arises from the incorrect use of Read-Copy Update (RCU) in the `mlx4_srq_event()` function. An attacker could potentially trigger an event before the `srq` object is fully initialized, leading to a system crash. This could result in a Denial of Service (DoS) for the affected system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-366",
"description": "Race Condition within a Thread",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:03.421Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46181"
},
{
"name": "RHBZ#2482532",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482532"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46181.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34095"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34443"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25217"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25121"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33900"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34095: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:34443: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:25217: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25121: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:25120: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33900: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx4/srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e2a44875b6afb4add1115f7f3351dcbeb6f273d",
"status": "affected",
"version": "30353bfc43a1602c020f31d95cf27182ffd23824",
"versionType": "git"
},
{
"lessThan": "8b7833f3bce35cb0d01c1503781523c099c675f0",
"status": "affected",
"version": "30353bfc43a1602c020f31d95cf27182ffd23824",
"versionType": "git"
},
{
"lessThan": "c9341307ea16b9395c2e4c9c94d8499d91fe31d0",
"status": "affected",
"version": "30353bfc43a1602c020f31d95cf27182ffd23824",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx4/srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()\n\nSashiko points out the radix_tree itself is RCU safe, but nothing ever\nfrees the mlx4_srq struct with RCU, and it isn\u0027t even accessed within the\nRCU critical section. It also will crash if an event is delivered before\nthe srq object is finished initializing.\n\nUse the spinlock since it isn\u0027t easy to make RCU work, use\nrefcount_inc_not_zero() to protect against partially initialized objects,\nand order the refcount_set() to be after the srq is fully initialized."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:00:45.599Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e2a44875b6afb4add1115f7f3351dcbeb6f273d"
},
{
"url": "https://git.kernel.org/stable/c/8b7833f3bce35cb0d01c1503781523c099c675f0"
},
{
"url": "https://git.kernel.org/stable/c/c9341307ea16b9395c2e4c9c94d8499d91fe31d0"
}
],
"title": "RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46181",
"datePublished": "2026-05-28T09:36:34.706Z",
"dateReserved": "2026-05-13T15:03:33.103Z",
"dateUpdated": "2026-07-02T12:05:03.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43413 (GCVE-0-2026-43413)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:24
VLAI?
EPSS
Title
scsi: hisi_sas: Fix NULL pointer exception during user_scan()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: hisi_sas: Fix NULL pointer exception during user_scan()
user_scan() invokes updated sas_user_scan() for channel 0, and if
successful, iteratively scans remaining channels (1 to shost->max_channel)
via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix
sas_user_scan() to handle wildcard and multi-channel scans"). However,
hisi_sas supports only one channel, and the current value of max_channel is
1. sas_user_scan() for channel 1 will trigger the following NULL pointer
exception:
[ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
[ 441.554699] Mem abort info:
[ 441.554710] ESR = 0x0000000096000004
[ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits
[ 441.554723] SET = 0, FnV = 0
[ 441.554726] EA = 0, S1PTW = 0
[ 441.554730] FSC = 0x04: level 0 translation fault
[ 441.554735] Data abort info:
[ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000
[ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000
[ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP
[ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod
[ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT
[ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
[ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
[ 441.707502] sp : ffff80009abbba40
[ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08
[ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00
[ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000
[ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020
[ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff
[ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a
[ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4
[ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030
[ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000
[ 441.782053] Call trace:
[ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)
[ 441.789095] sas_target_alloc+0x24/0xb0
[ 441.792920] scsi_alloc_target+0x290/0x330
[ 441.797010] __scsi_scan_target+0x88/0x258
[ 441.801096] scsi_scan_channel+0x74/0xb8
[ 441.805008] scsi_scan_host_selected+0x170/0x188
[ 441.809615] sas_user_scan+0xfc/0x148
[ 441.813267] store_scan+0x10c/0x180
[ 441.816743] dev_attr_store+0x20/0x40
[ 441.820398] sysfs_kf_write+0x84/0xa8
[ 441.824054] kernfs_fop_write_iter+0x130/0x1c8
[ 441.828487] vfs_write+0x2c0/0x370
[ 441.831880] ksys_write+0x74/0x118
[ 441.835271] __arm64_sys_write+0x24/0x38
[ 441.839182] invoke_syscall+0x50/0x120
[ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0
[ 441.847611] do_el0_svc+0x24/0x38
[ 441.850913] el0_svc+0x38/0x158
[ 441.854043] el0t_64_sync_handler+0xa0/0xe8
[ 441.858214] el0t_64_sync+0x1ac/0x1b0
[ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
[ 441.867946] ---[ end trace 0000000000000000 ]---
Therefore
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e21fe3a52692f554efd67957c772c702de627a3a , < 70c78429ef383e35f9c58848994aeeac8083ae35
(git)
Affected: e21fe3a52692f554efd67957c772c702de627a3a , < 40119a21d9769bf8fdab5c93c6c878296e628abf (git) Affected: e21fe3a52692f554efd67957c772c702de627a3a , < 21a13db8d449b9c7eda4471da7f12417602dbbc7 (git) Affected: e21fe3a52692f554efd67957c772c702de627a3a , < beadac156610a4f3bb15cb7bb4b07b6ac06f6567 (git) Affected: e21fe3a52692f554efd67957c772c702de627a3a , < 8ddc0c26916574395447ebf4cff684314f6873a9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hisi_sas/hisi_sas_main.c",
"drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70c78429ef383e35f9c58848994aeeac8083ae35",
"status": "affected",
"version": "e21fe3a52692f554efd67957c772c702de627a3a",
"versionType": "git"
},
{
"lessThan": "40119a21d9769bf8fdab5c93c6c878296e628abf",
"status": "affected",
"version": "e21fe3a52692f554efd67957c772c702de627a3a",
"versionType": "git"
},
{
"lessThan": "21a13db8d449b9c7eda4471da7f12417602dbbc7",
"status": "affected",
"version": "e21fe3a52692f554efd67957c772c702de627a3a",
"versionType": "git"
},
{
"lessThan": "beadac156610a4f3bb15cb7bb4b07b6ac06f6567",
"status": "affected",
"version": "e21fe3a52692f554efd67957c772c702de627a3a",
"versionType": "git"
},
{
"lessThan": "8ddc0c26916574395447ebf4cff684314f6873a9",
"status": "affected",
"version": "e21fe3a52692f554efd67957c772c702de627a3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hisi_sas/hisi_sas_main.c",
"drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Fix NULL pointer exception during user_scan()\n\nuser_scan() invokes updated sas_user_scan() for channel 0, and if\nsuccessful, iteratively scans remaining channels (1 to shost-\u003emax_channel)\nvia scsi_scan_host_selected() in commit 37c4e72b0651 (\"scsi: Fix\nsas_user_scan() to handle wildcard and multi-channel scans\"). However,\nhisi_sas supports only one channel, and the current value of max_channel is\n1. sas_user_scan() for channel 1 will trigger the following NULL pointer\nexception:\n\n[ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0\n[ 441.554699] Mem abort info:\n[ 441.554710] ESR = 0x0000000096000004\n[ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 441.554723] SET = 0, FnV = 0\n[ 441.554726] EA = 0, S1PTW = 0\n[ 441.554730] FSC = 0x04: level 0 translation fault\n[ 441.554735] Data abort info:\n[ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000\n[ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000\n[ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod\n[ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT\n[ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118\n[ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118\n[ 441.707502] sp : ffff80009abbba40\n[ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08\n[ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00\n[ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000\n[ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020\n[ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff\n[ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a\n[ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4\n[ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030\n[ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000\n[ 441.782053] Call trace:\n[ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)\n[ 441.789095] sas_target_alloc+0x24/0xb0\n[ 441.792920] scsi_alloc_target+0x290/0x330\n[ 441.797010] __scsi_scan_target+0x88/0x258\n[ 441.801096] scsi_scan_channel+0x74/0xb8\n[ 441.805008] scsi_scan_host_selected+0x170/0x188\n[ 441.809615] sas_user_scan+0xfc/0x148\n[ 441.813267] store_scan+0x10c/0x180\n[ 441.816743] dev_attr_store+0x20/0x40\n[ 441.820398] sysfs_kf_write+0x84/0xa8\n[ 441.824054] kernfs_fop_write_iter+0x130/0x1c8\n[ 441.828487] vfs_write+0x2c0/0x370\n[ 441.831880] ksys_write+0x74/0x118\n[ 441.835271] __arm64_sys_write+0x24/0x38\n[ 441.839182] invoke_syscall+0x50/0x120\n[ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0\n[ 441.847611] do_el0_svc+0x24/0x38\n[ 441.850913] el0_svc+0x38/0x158\n[ 441.854043] el0t_64_sync_handler+0xa0/0xe8\n[ 441.858214] el0t_64_sync+0x1ac/0x1b0\n[ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)\n[ 441.867946] ---[ end trace 0000000000000000 ]---\n\nTherefore\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:06.649Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70c78429ef383e35f9c58848994aeeac8083ae35"
},
{
"url": "https://git.kernel.org/stable/c/40119a21d9769bf8fdab5c93c6c878296e628abf"
},
{
"url": "https://git.kernel.org/stable/c/21a13db8d449b9c7eda4471da7f12417602dbbc7"
},
{
"url": "https://git.kernel.org/stable/c/beadac156610a4f3bb15cb7bb4b07b6ac06f6567"
},
{
"url": "https://git.kernel.org/stable/c/8ddc0c26916574395447ebf4cff684314f6873a9"
}
],
"title": "scsi: hisi_sas: Fix NULL pointer exception during user_scan()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43413",
"datePublished": "2026-05-08T14:21:50.923Z",
"dateReserved": "2026-05-01T14:12:56.008Z",
"dateUpdated": "2026-05-11T22:24:06.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46090 (GCVE-0-2026-46090)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:58 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
ALSA: aloop: Fix peer runtime UAF during format-change stop
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix peer runtime UAF during format-change stop
loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.
A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.
Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.
Severity ?
7.8 (High)
CWE
- CWE-364 - Signal Handler Race Condition
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
597603d615d2b19a9e451d8cfac24372856a522d , < 83bd62fa9620ac98d5d694bde14c50f98c8e7189
(git)
Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < 345c24b2bcf0923dfae1ab41497351c68214ff76 (git) Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < 03f52a9c170431e8f10e156b9dc0dae80b3e9198 (git) Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c (git) Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < 5d45e34bf001344e2966dabca1897561bbc9e913 (git) Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s ALSA (Advanced Linux Sound Architecture) aloop driver. This Use-After-Free (UAF) vulnerability occurs when loopback_check_format() stops the capture side during a format change, while a concurrent close operation detaches or frees the runtime. An attacker could potentially exploit this to cause a system crash or achieve arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-364",
"description": "Signal Handler Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:03.741Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46090"
},
{
"name": "RHBZ#2481980",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481980"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46090.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33215"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33685"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34095"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34443"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30848"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27353"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33899"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27354"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33900"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:33215: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:33685: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:34095: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:34443: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:30848: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:27353: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33899: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:27354: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33900: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: ALSA: aloop: Fix peer runtime UAF during format-change stop",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83bd62fa9620ac98d5d694bde14c50f98c8e7189",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "345c24b2bcf0923dfae1ab41497351c68214ff76",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "03f52a9c170431e8f10e156b9dc0dae80b3e9198",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "5d45e34bf001344e2966dabca1897561bbc9e913",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix peer runtime UAF during format-change stop\n\nloopback_check_format() may stop the capture side when playback starts\nwith parameters that no longer match a running capture stream. Commit\n826af7fa62e3 (\"ALSA: aloop: Fix racy access at PCM trigger\") moved\nthe peer lookup under cable-\u003elock, but the actual snd_pcm_stop() still\nruns after dropping that lock.\n\nA concurrent close can clear the capture entry from cable-\u003estreams[] and\ndetach or free its runtime while the playback trigger path still holds a\nstale peer substream pointer.\n\nKeep a per-cable count of in-flight peer stops before dropping\ncable-\u003elock, and make free_cable() wait for those stops before\ndetaching the runtime. This preserves the existing behavior while\nmaking the peer runtime lifetime explicit."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:25.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83bd62fa9620ac98d5d694bde14c50f98c8e7189"
},
{
"url": "https://git.kernel.org/stable/c/345c24b2bcf0923dfae1ab41497351c68214ff76"
},
{
"url": "https://git.kernel.org/stable/c/03f52a9c170431e8f10e156b9dc0dae80b3e9198"
},
{
"url": "https://git.kernel.org/stable/c/bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c"
},
{
"url": "https://git.kernel.org/stable/c/5d45e34bf001344e2966dabca1897561bbc9e913"
},
{
"url": "https://git.kernel.org/stable/c/e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff"
}
],
"title": "ALSA: aloop: Fix peer runtime UAF during format-change stop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46090",
"datePublished": "2026-05-27T12:58:34.428Z",
"dateReserved": "2026-05-13T15:03:33.097Z",
"dateUpdated": "2026-07-02T12:05:03.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43407 (GCVE-0-2026-43407)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
This patch fixes an out-of-bounds access in ceph_handle_auth_reply()
that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In
ceph_handle_auth_reply(), the value of the payload_len field of such a
message is stored in a variable of type int. A value greater than
INT_MAX leads to an integer overflow and is interpreted as a negative
value. This leads to decrementing the pointer address by this value and
subsequently accessing it because ceph_decode_need() only checks that
the memory access does not exceed the end address of the allocation.
This patch fixes the issue by changing the data type of payload_len to
u32. Additionally, the data type of result_msg_len is changed to u32,
as it is also a variable holding a non-negative length.
Also, an additional layer of sanity checks is introduced, ensuring that
directly after reading it from the message, payload_len and
result_msg_len are not greater than the overall segment length.
BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262
CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
print_report+0xd1/0x620
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? kasan_complete_mode_report_info+0x72/0x210
kasan_report+0xe7/0x130
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
__asan_report_load_n_noabort+0xf/0x20
ceph_handle_auth_reply+0x642/0x7a0 [libceph]
mon_dispatch+0x973/0x23d0 [libceph]
? apparmor_socket_recvmsg+0x6b/0xa0
? __pfx_mon_dispatch+0x10/0x10 [libceph]
? __kasan_check_write+0x14/0x30i
? mutex_unlock+0x7f/0xd0
? __pfx_mutex_unlock+0x10/0x10
? __pfx_do_recvmsg+0x10/0x10 [libceph]
ceph_con_process_message+0x1f1/0x650 [libceph]
process_message+0x1e/0x450 [libceph]
ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
? save_fpregs_to_fpstate+0xb0/0x230
? raw_spin_rq_unlock+0x17/0xa0
? finish_task_switch.isra.0+0x13b/0x760
? __switch_to+0x385/0xda0
? __kasan_check_write+0x14/0x30
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
ceph_con_workfn+0x248/0x10c0 [libceph]
process_one_work+0x629/0xf80
? __kasan_check_write+0x14/0x30
worker_thread+0x87f/0x1570
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? __pfx_try_to_wake_up+0x10/0x10
? kasan_print_address_stack_frame+0x1f7/0x280
? __pfx_worker_thread+0x10/0x10
kthread+0x396/0x830
? __pfx__raw_spin_lock_irq+0x10/0x10
? __pfx_kthread+0x10/0x10
? __kasan_check_write+0x14/0x30
? recalc_sigpending+0x180/0x210
? __pfx_kthread+0x10/0x10
ret_from_fork+0x3f7/0x610
? __pfx_ret_from_fork+0x10/0x10
? __switch_to+0x385/0xda0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
[ idryomov: replace if statements with ceph_decode_need() for
payload_len and result_msg_len ]
Severity ?
9.1 (Critical)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < ea080b21092590122c3f971cf588932cdbf47847
(git)
Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < edc678e5cd11730a2834b43071d8923f05bc334d (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 6cee34d6669fe176b4259131adb1a145c939b472 (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 8bb87547e92dcf0928ed763c60e0ac8d733c3656 (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < ed024d2f4c79c0eb2464df0fb640610ac301f9a0 (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < f9da5c1bbac5c8e33259fe00ed7347438fffa969 (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < 9f9e2297f45fc2d2524eb104c289d69ddef95665 (git) Affected: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc , < b282c43ed156ae15ea76748fc15cd5c39dc9ab72 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/auth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea080b21092590122c3f971cf588932cdbf47847",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "edc678e5cd11730a2834b43071d8923f05bc334d",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "6cee34d6669fe176b4259131adb1a145c939b472",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "8bb87547e92dcf0928ed763c60e0ac8d733c3656",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "ed024d2f4c79c0eb2464df0fb640610ac301f9a0",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "f9da5c1bbac5c8e33259fe00ed7347438fffa969",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "9f9e2297f45fc2d2524eb104c289d69ddef95665",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
},
{
"lessThan": "b282c43ed156ae15ea76748fc15cd5c39dc9ab72",
"status": "affected",
"version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/auth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()\n\nThis patch fixes an out-of-bounds access in ceph_handle_auth_reply()\nthat can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In\nceph_handle_auth_reply(), the value of the payload_len field of such a\nmessage is stored in a variable of type int. A value greater than\nINT_MAX leads to an integer overflow and is interpreted as a negative\nvalue. This leads to decrementing the pointer address by this value and\nsubsequently accessing it because ceph_decode_need() only checks that\nthe memory access does not exceed the end address of the allocation.\n\nThis patch fixes the issue by changing the data type of payload_len to\nu32. Additionally, the data type of result_msg_len is changed to u32,\nas it is also a variable holding a non-negative length.\n\nAlso, an additional layer of sanity checks is introduced, ensuring that\ndirectly after reading it from the message, payload_len and\nresult_msg_len are not greater than the overall segment length.\n\nBUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]\nRead of size 4 at addr ffff88811404df14 by task kworker/20:1/262\n\nCPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nWorkqueue: ceph-msgr ceph_con_workfn [libceph]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x76/0xa0\n print_report+0xd1/0x620\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? kasan_complete_mode_report_info+0x72/0x210\n kasan_report+0xe7/0x130\n ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]\n ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]\n __asan_report_load_n_noabort+0xf/0x20\n ceph_handle_auth_reply+0x642/0x7a0 [libceph]\n mon_dispatch+0x973/0x23d0 [libceph]\n ? apparmor_socket_recvmsg+0x6b/0xa0\n ? __pfx_mon_dispatch+0x10/0x10 [libceph]\n ? __kasan_check_write+0x14/0x30i\n ? mutex_unlock+0x7f/0xd0\n ? __pfx_mutex_unlock+0x10/0x10\n ? __pfx_do_recvmsg+0x10/0x10 [libceph]\n ceph_con_process_message+0x1f1/0x650 [libceph]\n process_message+0x1e/0x450 [libceph]\n ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]\n ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]\n ? save_fpregs_to_fpstate+0xb0/0x230\n ? raw_spin_rq_unlock+0x17/0xa0\n ? finish_task_switch.isra.0+0x13b/0x760\n ? __switch_to+0x385/0xda0\n ? __kasan_check_write+0x14/0x30\n ? mutex_lock+0x8d/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n ceph_con_workfn+0x248/0x10c0 [libceph]\n process_one_work+0x629/0xf80\n ? __kasan_check_write+0x14/0x30\n worker_thread+0x87f/0x1570\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? __pfx_try_to_wake_up+0x10/0x10\n ? kasan_print_address_stack_frame+0x1f7/0x280\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x396/0x830\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ? __kasan_check_write+0x14/0x30\n ? recalc_sigpending+0x180/0x210\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x3f7/0x610\n ? __pfx_ret_from_fork+0x10/0x10\n ? __switch_to+0x385/0xda0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\n[ idryomov: replace if statements with ceph_decode_need() for\n payload_len and result_msg_len ]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:59.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea080b21092590122c3f971cf588932cdbf47847"
},
{
"url": "https://git.kernel.org/stable/c/edc678e5cd11730a2834b43071d8923f05bc334d"
},
{
"url": "https://git.kernel.org/stable/c/6cee34d6669fe176b4259131adb1a145c939b472"
},
{
"url": "https://git.kernel.org/stable/c/8bb87547e92dcf0928ed763c60e0ac8d733c3656"
},
{
"url": "https://git.kernel.org/stable/c/ed024d2f4c79c0eb2464df0fb640610ac301f9a0"
},
{
"url": "https://git.kernel.org/stable/c/f9da5c1bbac5c8e33259fe00ed7347438fffa969"
},
{
"url": "https://git.kernel.org/stable/c/9f9e2297f45fc2d2524eb104c289d69ddef95665"
},
{
"url": "https://git.kernel.org/stable/c/b282c43ed156ae15ea76748fc15cd5c39dc9ab72"
}
],
"title": "libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43407",
"datePublished": "2026-05-08T14:21:46.927Z",
"dateReserved": "2026-05-01T14:12:56.008Z",
"dateUpdated": "2026-05-11T22:23:59.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43455 (GCVE-0-2026-43455)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
VLAI?
EPSS
Title
mctp: route: hold key->lock in mctp_flow_prepare_output()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mctp: route: hold key->lock in mctp_flow_prepare_output()
mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.
mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.
Example interleaving:
CPU0 CPU1
---- ----
mctp_flow_prepare_output(key, devA)
if (!key->dev) // sees NULL
mctp_flow_prepare_output(
key, devB)
if (!key->dev) // still NULL
mctp_dev_set_key(devB, key)
mctp_dev_hold(devB)
key->dev = devB
mctp_dev_set_key(devA, key)
mctp_dev_hold(devA)
key->dev = devA // overwrites devB
Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.
Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 47893166bc5611ee9a20de6b8d2933b2320fb772
(git)
Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 86f5334fcb48a5b611c33364ab52ca684d0f6d91 (git) Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 0695712f3a6f1a48915f95767cfb42077683dcdc (git) Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f (git) Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 8d27d9b260dd19c1b519e1a13de6448f9984e30e (git) Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mctp/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47893166bc5611ee9a20de6b8d2933b2320fb772",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "86f5334fcb48a5b611c33364ab52ca684d0f6d91",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "0695712f3a6f1a48915f95767cfb42077683dcdc",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "8d27d9b260dd19c1b519e1a13de6448f9984e30e",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "7d86aa41c073c4e7eb75fd2e674f1fd8f289728a",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mctp/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: route: hold key-\u003elock in mctp_flow_prepare_output()\n\nmctp_flow_prepare_output() checks key-\u003edev and may call\nmctp_dev_set_key(), but it does not hold key-\u003elock while doing so.\n\nmctp_dev_set_key() and mctp_dev_release_key() are annotated with\n__must_hold(\u0026key-\u003elock), so key-\u003edev access is intended to be\nserialized by key-\u003elock. The mctp_sendmsg() transmit path reaches\nmctp_flow_prepare_output() via mctp_local_output() -\u003e mctp_dst_output()\nwithout holding key-\u003elock, so the check-and-set sequence is racy.\n\nExample interleaving:\n\n CPU0 CPU1\n ---- ----\n mctp_flow_prepare_output(key, devA)\n if (!key-\u003edev) // sees NULL\n mctp_flow_prepare_output(\n key, devB)\n if (!key-\u003edev) // still NULL\n mctp_dev_set_key(devB, key)\n mctp_dev_hold(devB)\n key-\u003edev = devB\n mctp_dev_set_key(devA, key)\n mctp_dev_hold(devA)\n key-\u003edev = devA // overwrites devB\n\nNow both devA and devB references were acquired, but only the final\nkey-\u003edev value is tracked for release. One reference can be lost,\ncausing a resource leak as mctp_dev_release_key() would only decrease\nthe reference on one dev.\n\nFix by taking key-\u003elock around the key-\u003edev check and\nmctp_dev_set_key() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:55.256Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47893166bc5611ee9a20de6b8d2933b2320fb772"
},
{
"url": "https://git.kernel.org/stable/c/86f5334fcb48a5b611c33364ab52ca684d0f6d91"
},
{
"url": "https://git.kernel.org/stable/c/0695712f3a6f1a48915f95767cfb42077683dcdc"
},
{
"url": "https://git.kernel.org/stable/c/925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f"
},
{
"url": "https://git.kernel.org/stable/c/8d27d9b260dd19c1b519e1a13de6448f9984e30e"
},
{
"url": "https://git.kernel.org/stable/c/7d86aa41c073c4e7eb75fd2e674f1fd8f289728a"
}
],
"title": "mctp: route: hold key-\u003elock in mctp_flow_prepare_output()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43455",
"datePublished": "2026-05-08T14:22:19.375Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:55.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…