CERTFR-2026-AVI-0809
Vulnerability from certfr_avis - Published: 2026-06-26 - Updated: 2026-06-26
Multiple vulnerabilities have been discovered in the Debian Linux kernel. Some of them allow an attacker to cause privilege escalation, a breach of data confidentiality and a denial of service.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-45842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45842"
},
{
"name": "CVE-2026-45845",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45845"
},
{
"name": "CVE-2025-22069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22069"
},
{
"name": "CVE-2026-46319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46319"
},
{
"name": "CVE-2026-31486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31486"
},
{
"name": "CVE-2026-23346",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23346"
},
{
"name": "CVE-2026-23247",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23247"
},
{
"name": "CVE-2026-46170",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46170"
},
{
"name": "CVE-2026-46117",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46117"
},
{
"name": "CVE-2025-71289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71289"
},
{
"name": "CVE-2026-31613",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31613"
},
{
"name": "CVE-2026-43331",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43331"
},
{
"name": "CVE-2026-46158",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46158"
},
{
"name": "CVE-2026-46320",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46320"
},
{
"name": "CVE-2026-46137",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46137"
},
{
"name": "CVE-2026-45841",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45841"
},
{
"name": "CVE-2026-46331",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46331"
},
{
"name": "CVE-2026-23469",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23469"
},
{
"name": "CVE-2026-31420",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31420"
},
{
"name": "CVE-2026-46203",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46203"
},
{
"name": "CVE-2026-31663",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31663"
},
{
"name": "CVE-2026-45846",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45846"
},
{
"name": "CVE-2026-46323",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46323"
},
{
"name": "CVE-2025-68768",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68768"
},
{
"name": "CVE-2026-46315",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46315"
},
{
"name": "CVE-2025-68251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68251"
},
{
"name": "CVE-2026-46321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46321"
},
{
"name": "CVE-2026-52908",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52908"
},
{
"name": "CVE-2026-45840",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45840"
},
{
"name": "CVE-2026-45844",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45844"
},
{
"name": "CVE-2026-52910",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52910"
},
{
"name": "CVE-2026-45930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45930"
},
{
"name": "CVE-2026-46274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46274"
},
{
"name": "CVE-2026-46244",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46244"
},
{
"name": "CVE-2026-31717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31717"
},
{
"name": "CVE-2026-52911",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52911"
},
{
"name": "CVE-2026-45843",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45843"
},
{
"name": "CVE-2026-46316",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46316"
},
{
"name": "CVE-2026-46160",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46160"
},
{
"name": "CVE-2026-43303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43303"
},
{
"name": "CVE-2026-43245",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43245"
},
{
"name": "CVE-2026-52909",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52909"
},
{
"name": "CVE-2026-23394",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23394"
},
{
"name": "CVE-2026-45838",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45838"
},
{
"name": "CVE-2026-23272",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23272"
},
{
"name": "CVE-2026-31560",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31560"
},
{
"name": "CVE-2026-46216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46216"
},
{
"name": "CVE-2026-46275",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46275"
},
{
"name": "CVE-2026-45850",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45850"
},
{
"name": "CVE-2026-43116",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43116"
},
{
"name": "CVE-2026-46322",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46322"
},
{
"name": "CVE-2026-45839",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45839"
},
{
"name": "CVE-2026-43219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43219"
}
],
"initial_release_date": "2026-06-26T00:00:00",
"last_revision_date": "2026-06-26T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0809",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-26T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian",
"vendor_advisories": [
{
"published_at": "2026-06-21",
"title": "Bulletin de s\u00e9curit\u00e9 Debian msg00266",
"url": "https://lists.debian.org/debian-security-announce/2026/msg00266.html"
}
]
}
CVE-2025-71289 (GCVE-0-2025-71289)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:32 – Updated: 2026-06-01 16:05
Title
fs/ntfs3: handle attr_set_size() errors when truncating files
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: handle attr_set_size() errors when truncating files
If attr_set_size() fails while truncating down, the error is silently
ignored and the inode may be left in an inconsistent state.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 3a718675d6af4992e34ffe86b8f36d471a5afe0e (git) |
| Linux | Linux | Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < d73dcd1520d65a34420761641a36b951b14c8c53 (git) |
| Linux | Linux | Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 6dfea43d11513b7f2892529de55e8f0855108a2c (git) |
| Linux | Linux | Affected: 4342306f0f0d5ff4315a204d315c1b51b914fca5 , < 576248a34b927e93b2fd3fff7df735ba73ad7d01 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a718675d6af4992e34ffe86b8f36d471a5afe0e",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "d73dcd1520d65a34420761641a36b951b14c8c53",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "6dfea43d11513b7f2892529de55e8f0855108a2c",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "576248a34b927e93b2fd3fff7df735ba73ad7d01",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: handle attr_set_size() errors when truncating files\n\nIf attr_set_size() fails while truncating down, the error is silently\nignored and the inode may be left in an inconsistent state."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:05:50.615Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a718675d6af4992e34ffe86b8f36d471a5afe0e"
},
{
"url": "https://git.kernel.org/stable/c/d73dcd1520d65a34420761641a36b951b14c8c53"
},
{
"url": "https://git.kernel.org/stable/c/6dfea43d11513b7f2892529de55e8f0855108a2c"
},
{
"url": "https://git.kernel.org/stable/c/576248a34b927e93b2fd3fff7df735ba73ad7d01"
}
],
"title": "fs/ntfs3: handle attr_set_size() errors when truncating files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71289",
"datePublished": "2026-05-06T11:32:21.715Z",
"dateReserved": "2026-05-06T11:31:45.509Z",
"dateUpdated": "2026-06-01T16:05:50.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46319 (GCVE-0-2026-46319)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-14 18:08
Title
net/sched: act_ct: Only release RCU read lock after ct_ft
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: Only release RCU read lock after ct_ft
When looking up a flow table in act_ct in tcf_ct_flow_table_get(),
rhashtable_lookup_fast() internally opens and closes an RCU read critical
section before returning ct_ft.
The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()
is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft
object. This vulnerability can lead to privilege escalation.

Analysis from zdi-disclosures@trendmicro.com:
When initializing act_ct, tcf_ct_init() is called, which internally triggers
tcf_ct_flow_table_get().

    static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
    {
        struct zones_ht_key key = { .net = net, .zone = params->zone };
        struct tcf_ct_flow_table *ct_ft;
        int err = -ENOMEM;

        mutex_lock(&zones_mutex);
        ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
        if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
            goto out_unlock;
        ...
    }

    static __always_inline void *rhashtable_lookup_fast(
        struct rhashtable *ht, const void *key,
        const struct rhashtable_params params)
    {
        void *obj;

        rcu_read_lock();
        obj = rhashtable_lookup(ht, key, params);
        rcu_read_unlock();

        return obj;
    }

At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft
from zones_ht. The lookup is performed within an RCU read critical section
through rcu_read_lock() / rcu_read_unlock(), which prevents the object from
being freed. However, at the point of function return, rcu_read_unlock() has
already been called, and there is nothing preventing ct_ft from being freed
before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes
the race window, during which ct_ft can be freed.

Free Process:

tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()
tcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().

    static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
    {
        if (refcount_dec_and_test(&ct_ft->ref)) {
            rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
            INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
            queue_rcu_work(act_ct_wq, &ct_ft->rwork);
        }
    }

At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work

    static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
    {
        struct tcf_ct_flow_table *ct_ft;
        struct flow_block *block;

        ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
                             rwork);
        nf_flow_table_free(&ct_ft->nf_ft);
        block = &ct_ft->nf_ft.flow_block;
        down_write(&ct_ft->nf_ft.flow_block_lock);
        WARN_ON(!list_empty(&block->cb_list));
        up_write(&ct_ft->nf_ft.flow_block_lock);
        kfree(ct_ft); // [4]

        module_put(THIS_MODULE);
    }

tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes
between [1] and [2], UAF occurs.

This race condition has a very short race window, making it generally
difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was
inserted after [1]
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < ece578ca61e572df96cfc80456357ebfae0b4b9e (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < a2e0c045c87aa252eb61412e67dd91f2c2b19f81 (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 67c9ecc9f2575273ed1323e312881fc98ac83d6d (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < f23424a0ddadb494d4bd57056a7ca703312d3a7b (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 17dfb67cb399b660105d9a8c6100851c0d0cdc70 (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 4c727c6967a41b37efe0f26332ca9ec5b74785a3 (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 3e20e1b3058e0b94638e7b931c138e840e266724 (git) |
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < f462dca0c8415bf0058d0ffa476354c4476d0f09 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ece578ca61e572df96cfc80456357ebfae0b4b9e",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "a2e0c045c87aa252eb61412e67dd91f2c2b19f81",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "67c9ecc9f2575273ed1323e312881fc98ac83d6d",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f23424a0ddadb494d4bd57056a7ca703312d3a7b",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "17dfb67cb399b660105d9a8c6100851c0d0cdc70",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "4c727c6967a41b37efe0f26332ca9ec5b74785a3",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "3e20e1b3058e0b94638e7b931c138e840e266724",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f462dca0c8415bf0058d0ffa476354c4476d0f09",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: Only release RCU read lock after ct_ft\n\nWhen looking up a flow table in act_ct in tcf_ct_flow_table_get(),\nrhashtable_lookup_fast() internally opens and closes an RCU read critical\nsection before returning ct_ft.\nThe tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()\nis invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft\nobject. This vulnerability can lead to privilege escalation.\n\nAnalysis from zdi-disclosures@trendmicro.com:\nWhen initializing act_ct, tcf_ct_init() is called, which internally triggers\ntcf_ct_flow_table_get().\n\nstatic int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)\n\n{\n struct zones_ht_key key = { .net = net, .zone = params-\u003ezone };\n struct tcf_ct_flow_table *ct_ft;\n int err = -ENOMEM;\n\n mutex_lock(\u0026zones_mutex);\n ct_ft = rhashtable_lookup_fast(\u0026zones_ht, \u0026key, zones_params); // [1]\n if (ct_ft \u0026\u0026 refcount_inc_not_zero(\u0026ct_ft-\u003eref)) // [2]\n goto out_unlock;\n ...\n}\n\nstatic __always_inline void *rhashtable_lookup_fast(\n struct rhashtable *ht, const void *key,\n const struct rhashtable_params params)\n{\n void *obj;\n\n rcu_read_lock();\n obj = rhashtable_lookup(ht, key, params);\n rcu_read_unlock();\n\n return obj;\n}\n\nAt [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft\nfrom zones_ht . The lookup is performed within an RCU read critical section\nthrough rcu_read_lock() / rcu_read_unlock(), which prevents the object from\nbeing freed. However, at the point of function return, rcu_read_unlock() has\nalready been called, and there is nothing preventing ct_ft from being freed\nbefore reaching refcount_inc_not_zero(\u0026ct_ft-\u003eref) at [2]. 
This interval becomes\nthe race window, during which ct_ft can be freed.\n\nFree Process:\n\ntcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()\ntcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().\n\nstatic void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)\n{\n if (refcount_dec_and_test(\u0026ct_ft-\u003eref)) {\n rhashtable_remove_fast(\u0026zones_ht, \u0026ct_ft-\u003enode, zones_params);\n INIT_RCU_WORK(\u0026ct_ft-\u003erwork, tcf_ct_flow_table_cleanup_work); // [3]\n queue_rcu_work(act_ct_wq, \u0026ct_ft-\u003erwork);\n }\n}\n\nAt [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work\n\nstatic void tcf_ct_flow_table_cleanup_work(struct work_struct *work)\n\n{\n struct tcf_ct_flow_table *ct_ft;\n struct flow_block *block;\n\n ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,\n rwork);\n nf_flow_table_free(\u0026ct_ft-\u003enf_ft);\n block = \u0026ct_ft-\u003enf_ft.flow_block;\n down_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n WARN_ON(!list_empty(\u0026block-\u003ecb_list));\n up_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n kfree(ct_ft); // [4]\n\n module_put(THIS_MODULE);\n}\n\ntcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes\nbetween [1] and [2], UAF occurs.\n\nThis race condition has a very short race window, making it generally\ndifficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was\ninserted after[1]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:57.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ece578ca61e572df96cfc80456357ebfae0b4b9e"
},
{
"url": "https://git.kernel.org/stable/c/a2e0c045c87aa252eb61412e67dd91f2c2b19f81"
},
{
"url": "https://git.kernel.org/stable/c/67c9ecc9f2575273ed1323e312881fc98ac83d6d"
},
{
"url": "https://git.kernel.org/stable/c/f23424a0ddadb494d4bd57056a7ca703312d3a7b"
},
{
"url": "https://git.kernel.org/stable/c/17dfb67cb399b660105d9a8c6100851c0d0cdc70"
},
{
"url": "https://git.kernel.org/stable/c/4c727c6967a41b37efe0f26332ca9ec5b74785a3"
},
{
"url": "https://git.kernel.org/stable/c/3e20e1b3058e0b94638e7b931c138e840e266724"
},
{
"url": "https://git.kernel.org/stable/c/f462dca0c8415bf0058d0ffa476354c4476d0f09"
}
],
"title": "net/sched: act_ct: Only release RCU read lock after ct_ft",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46319",
"datePublished": "2026-06-09T12:11:12.128Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T18:08:57.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23394 (GCVE-0-2026-23394)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-06-01 16:11
Title
af_unix: Give up GC if MSG_PEEK intervened.
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Give up GC if MSG_PEEK intervened.
Igor Ushakov reported that GC purged the receive queue of
an alive socket due to a race with MSG_PEEK with a nice repro.

This is the exact same issue previously fixed by commit
cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").

After GC was replaced with the current algorithm, the cited
commit removed the locking dance in unix_peek_fds() and
reintroduced the same issue.

The problem is that MSG_PEEK bumps a file refcount without
interacting with GC.

Consider an SCC containing sk-A and sk-B, where sk-A is
close()d but can be recv()ed via sk-B.

The bad thing happens if sk-A is recv()ed with MSG_PEEK from
sk-B and sk-B is close()d while GC is checking unix_vertex_dead()
for sk-A and sk-B.

    GC thread                    User thread
    ---------                    -----------
    unix_vertex_dead(sk-A)
    -> true   <------.
                      \
                       `------   recv(sk-B, MSG_PEEK)
                invalidate !!    -> sk-A's file refcount : 1 -> 2

                                 close(sk-B)
                                 -> sk-B's file refcount : 2 -> 1
    unix_vertex_dead(sk-B)
    -> true

Initially, sk-A's file refcount is 1 by the inflight fd in sk-B
recvq. GC thinks sk-A is dead because the file refcount is the
same as the number of its inflight fds.

However, sk-A's file refcount is bumped silently by MSG_PEEK,
which invalidates the previous evaluation.

At this moment, sk-B's file refcount is 2; one by the open fd,
and one by the inflight fd in sk-A. The subsequent close()
releases one refcount by the former.

Finally, GC incorrectly concludes that both sk-A and sk-B are dead.

One option is to restore the locking dance in unix_peek_fds(),
but we can resolve this more elegantly thanks to the new algorithm.

The point is that the issue does not occur without the subsequent
close() and we actually do not need to synchronise MSG_PEEK with
the dead SCC detection.

When the issue occurs, close() and GC touch the same file refcount.
If GC sees the refcount being decremented by close(), it can just
give up garbage-collecting the SCC.

Therefore, we only need to signal the race during MSG_PEEK with
a proper memory barrier to make it visible to the GC.

Let's use seqcount_t to notify GC when MSG_PEEK occurs and let
it defer the SCC to the next run.

This way no locking is needed on the MSG_PEEK side, and we can
avoid imposing a penalty on every MSG_PEEK unnecessarily.

Note that we can retry within unix_scc_dead() if MSG_PEEK is
detected, but we do not do so to avoid hung task splat from
abusive MSG_PEEK calls.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7b1ffbd3b22e755d481d49647dcb7c5cfbde5844 , < 3106f326f67c03dd9da4ca64663d11e40138cf40 (git) |
| Linux | Linux | Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < e3dd56fb5683ba80bf8d7a2f9aa21cfa53f05202 (git) |
| Linux | Linux | Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < 72cf49ad50c16270b52bc512d9c2df5743922968 (git) |
| Linux | Linux | Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < 37dd7ab332396eb8dd80b2dc7ea4b61abf767436 (git) |
| Linux | Linux | Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < e5b31d988a41549037b8d8721a3c3cae893d8670 (git) |
| Linux | Linux | Affected: 61a75360dca93c945ef6bd757f8b8a96f39b77cb (git) |
| Linux | Linux | Affected: 6.6.93 , < 6.6.142 (semver) |
| Linux | Linux | Affected: 6.1.141 , < 6.2 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c",
"net/unix/af_unix.h",
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3106f326f67c03dd9da4ca64663d11e40138cf40",
"status": "affected",
"version": "7b1ffbd3b22e755d481d49647dcb7c5cfbde5844",
"versionType": "git"
},
{
"lessThan": "e3dd56fb5683ba80bf8d7a2f9aa21cfa53f05202",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"lessThan": "72cf49ad50c16270b52bc512d9c2df5743922968",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"lessThan": "37dd7ab332396eb8dd80b2dc7ea4b61abf767436",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"lessThan": "e5b31d988a41549037b8d8721a3c3cae893d8670",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"status": "affected",
"version": "61a75360dca93c945ef6bd757f8b8a96f39b77cb",
"versionType": "git"
},
{
"lessThan": "6.6.142",
"status": "affected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.141",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c",
"net/unix/af_unix.h",
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.6.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.141",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Give up GC if MSG_PEEK intervened.\n\nIgor Ushakov reported that GC purged the receive queue of\nan alive socket due to a race with MSG_PEEK with a nice repro.\n\nThis is the exact same issue previously fixed by commit\ncbcf01128d0a (\"af_unix: fix garbage collect vs MSG_PEEK\").\n\nAfter GC was replaced with the current algorithm, the cited\ncommit removed the locking dance in unix_peek_fds() and\nreintroduced the same issue.\n\nThe problem is that MSG_PEEK bumps a file refcount without\ninteracting with GC.\n\nConsider an SCC containing sk-A and sk-B, where sk-A is\nclose()d but can be recv()ed via sk-B.\n\nThe bad thing happens if sk-A is recv()ed with MSG_PEEK from\nsk-B and sk-B is close()d while GC is checking unix_vertex_dead()\nfor sk-A and sk-B.\n\n GC thread User thread\n --------- -----------\n unix_vertex_dead(sk-A)\n -\u003e true \u003c------.\n \\\n `------ recv(sk-B, MSG_PEEK)\n invalidate !! -\u003e sk-A\u0027s file refcount : 1 -\u003e 2\n\n close(sk-B)\n -\u003e sk-B\u0027s file refcount : 2 -\u003e 1\n unix_vertex_dead(sk-B)\n -\u003e true\n\nInitially, sk-A\u0027s file refcount is 1 by the inflight fd in sk-B\nrecvq. GC thinks sk-A is dead because the file refcount is the\nsame as the number of its inflight fds.\n\nHowever, sk-A\u0027s file refcount is bumped silently by MSG_PEEK,\nwhich invalidates the previous evaluation.\n\nAt this moment, sk-B\u0027s file refcount is 2; one by the open fd,\nand one by the inflight fd in sk-A. The subsequent close()\nreleases one refcount by the former.\n\nFinally, GC incorrectly concludes that both sk-A and sk-B are dead.\n\nOne option is to restore the locking dance in unix_peek_fds(),\nbut we can resolve this more elegantly thanks to the new algorithm.\n\nThe point is that the issue does not occur without the subsequent\nclose() and we actually do not need to synchronise MSG_PEEK with\nthe dead SCC detection.\n\nWhen the issue occurs, close() and GC touch the same file refcount.\nIf GC sees the refcount being decremented by close(), it can just\ngive up garbage-collecting the SCC.\n\nTherefore, we only need to signal the race during MSG_PEEK with\na proper memory barrier to make it visible to the GC.\n\nLet\u0027s use seqcount_t to notify GC when MSG_PEEK occurs and let\nit defer the SCC to the next run.\n\nThis way no locking is needed on the MSG_PEEK side, and we can\navoid imposing a penalty on every MSG_PEEK unnecessarily.\n\nNote that we can retry within unix_scc_dead() if MSG_PEEK is\ndetected, but we do not do so to avoid hung task splat from\nabusive MSG_PEEK calls."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:07.633Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3106f326f67c03dd9da4ca64663d11e40138cf40"
},
{
"url": "https://git.kernel.org/stable/c/e3dd56fb5683ba80bf8d7a2f9aa21cfa53f05202"
},
{
"url": "https://git.kernel.org/stable/c/72cf49ad50c16270b52bc512d9c2df5743922968"
},
{
"url": "https://git.kernel.org/stable/c/37dd7ab332396eb8dd80b2dc7ea4b61abf767436"
},
{
"url": "https://git.kernel.org/stable/c/e5b31d988a41549037b8d8721a3c3cae893d8670"
}
],
"title": "af_unix: Give up GC if MSG_PEEK intervened.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23394",
"datePublished": "2026-03-25T10:33:18.180Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-06-01T16:11:07.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31560 (GCVE-0-2026-31560)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:35 – Updated: 2026-06-01 16:11
Title
spi: spi-dw-dma: fix print error log when wait finish transaction
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-dw-dma: fix print error log when wait finish transaction
If an error occurs, the device may not have a current message. In this
case, the system will crash.
In this case, it's better to use dev from the struct ctlr (struct spi_controller*).
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-dw-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8188ff3cfaa5621212b08473488cdbe41f86531",
"status": "affected",
"version": "bdbdf0f06337d3661b64c0288c291cb06624065e",
"versionType": "git"
},
{
"lessThan": "aae4a47073b12c23eb1d2c5401bda442fbe27bd1",
"status": "affected",
"version": "bdbdf0f06337d3661b64c0288c291cb06624065e",
"versionType": "git"
},
{
"lessThan": "184f5aaf72f1f1c73e66bae0b8d28e81c2f2a72f",
"status": "affected",
"version": "bdbdf0f06337d3661b64c0288c291cb06624065e",
"versionType": "git"
},
{
"lessThan": "3b46d61890632c8f8b117147b6923bff4b42ccb7",
"status": "affected",
"version": "bdbdf0f06337d3661b64c0288c291cb06624065e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-dw-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-dw-dma: fix print error log when wait finish transaction\n\nIf an error occurs, the device may not have a current message. In this\ncase, the system will crash.\n\nIn this case, it\u0027s better to use dev from the struct ctlr (struct spi_controller*)."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:44.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8188ff3cfaa5621212b08473488cdbe41f86531"
},
{
"url": "https://git.kernel.org/stable/c/aae4a47073b12c23eb1d2c5401bda442fbe27bd1"
},
{
"url": "https://git.kernel.org/stable/c/184f5aaf72f1f1c73e66bae0b8d28e81c2f2a72f"
},
{
"url": "https://git.kernel.org/stable/c/3b46d61890632c8f8b117147b6923bff4b42ccb7"
}
],
"title": "spi: spi-dw-dma: fix print error log when wait finish transaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31560",
"datePublished": "2026-04-24T14:35:42.634Z",
"dateReserved": "2026-03-09T15:48:24.116Z",
"dateUpdated": "2026-06-01T16:11:44.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45844 (GCVE-0-2026-45844)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
Weiming Shi says:
"arp_packet_match() unconditionally parses the ARP payload assuming two
hardware addresses are present (source and target). However,
IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address
field, and arp_hdr_len() already accounts for this by returning a
shorter length for ARPHRD_IEEE1394 devices.
As a result, on IEEE1394 interfaces arp_packet_match() advances past a
nonexistent target hardware address and reads the wrong bytes for both
the target device address comparison and the target IP address. This
causes arptables rules to match against garbage data, leading to
incorrect filtering decisions: packets that should be accepted may be
dropped and vice versa.
The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already
handles this correctly by skipping the target hardware address for
ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."
Mangle the original patch to always return 0 (no match) in case user
matches on the target hardware address which is never present in
IEEE1394.
Note that this returns 0 (no match) for either normal and inverse match
because matching in the target hardware address in ARPHRD_IEEE1394 has
never been supported by arptables. This is intentional, matching on the
target hardware address should never evaluate true for ARPHRD_IEEE1394.
Moreover, adjust arpt_mangle to drop the packet too as AI suggests:
In arpt_mangle, the logic assumes a standard ARP layout. Because
IEEE1394 (FireWire) omits the target hardware address, the linear
pointer arithmetic miscalculates the offset for the target IP address.
This causes mangling operations to write to the wrong location, leading
to packet corruption. To ensure safety, this patch drops packets
(NF_DROP) when mangling is requested for these fields on IEEE1394
devices, as the current implementation cannot correctly map the FireWire
ARP payload.
This omits both mangling target hardware and IP address. Even if IP
address mangling should be possible in IEEE1394, this would require
to adjust arpt_mangle offset calculation, which has never been
supported.
Based on patch from Weiming Shi <bestswngs@gmail.com>.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/netfilter/arp_tables.c",
"net/ipv4/netfilter/arpt_mangle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f23a1457695f1a61f64367e39f0f9cfa29947d1",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "1e285362ef7096eb12733370d59e033f4a1d294a",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "84e8536c981338d0d8cc6e712cf71a936a93e13f",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "03ea11dbefaa55c502735ee551c89ef773fe753b",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "1c55053f8ffdc060006df898fd3664e3d1bfac7b",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "ac698d81fd6619c7504cee913f1cab5285fba1b7",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "1e8e3f449b1e73b73a843257635b9c50f0cc0f0a",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/netfilter/arp_tables.c",
"net/ipv4/netfilter/arpt_mangle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: arp_tables: fix IEEE1394 ARP payload parsing\n\nWeiming Shi says:\n\n\"arp_packet_match() unconditionally parses the ARP payload assuming two\nhardware addresses are present (source and target). However,\nIPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address\nfield, and arp_hdr_len() already accounts for this by returning a\nshorter length for ARPHRD_IEEE1394 devices.\n\nAs a result, on IEEE1394 interfaces arp_packet_match() advances past a\nnonexistent target hardware address and reads the wrong bytes for both\nthe target device address comparison and the target IP address. This\ncauses arptables rules to match against garbage data, leading to\nincorrect filtering decisions: packets that should be accepted may be\ndropped and vice versa.\n\nThe ARP stack in net/ipv4/arp.c (arp_create and arp_process) already\nhandles this correctly by skipping the target hardware address for\nARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"\n\nMangle the original patch to always return 0 (no match) in case user\nmatches on the target hardware address which is never present in\nIEEE1394.\n\nNote that this returns 0 (no match) for either normal and inverse match\nbecause matching in the target hardware address in ARPHRD_IEEE1394 has\nnever been supported by arptables. This is intentional, matching on the\ntarget hardware address should never evaluate true for ARPHRD_IEEE1394.\n\nMoreover, adjust arpt_mangle to drop the packet too as AI suggests:\n\nIn arpt_mangle, the logic assumes a standard ARP layout. Because\nIEEE1394 (FireWire) omits the target hardware address, the linear\npointer arithmetic miscalculates the offset for the target IP address.\nThis causes mangling operations to write to the wrong location, leading\nto packet corruption. To ensure safety, this patch drops packets\n(NF_DROP) when mangling is requested for these fields on IEEE1394\ndevices, as the current implementation cannot correctly map the FireWire\nARP payload.\n\nThis omits both mangling target hardware and IP address. Even if IP\naddress mangling should be possible in IEEE1394, this would require\nto adjust arpt_mangle offset calculation, which has never been\nsupported.\n\nBased on patch from Weiming Shi \u003cbestswngs@gmail.com\u003e."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:23.877Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f23a1457695f1a61f64367e39f0f9cfa29947d1"
},
{
"url": "https://git.kernel.org/stable/c/1e285362ef7096eb12733370d59e033f4a1d294a"
},
{
"url": "https://git.kernel.org/stable/c/84e8536c981338d0d8cc6e712cf71a936a93e13f"
},
{
"url": "https://git.kernel.org/stable/c/ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b"
},
{
"url": "https://git.kernel.org/stable/c/03ea11dbefaa55c502735ee551c89ef773fe753b"
},
{
"url": "https://git.kernel.org/stable/c/1c55053f8ffdc060006df898fd3664e3d1bfac7b"
},
{
"url": "https://git.kernel.org/stable/c/ac698d81fd6619c7504cee913f1cab5285fba1b7"
},
{
"url": "https://git.kernel.org/stable/c/1e8e3f449b1e73b73a843257635b9c50f0cc0f0a"
}
],
"title": "netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45844",
"datePublished": "2026-05-27T09:24:47.041Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:23.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46137 (GCVE-0-2026-46137)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-19 11:59
Title
mptcp: pm: ADD_ADDR rtx: fix potential data-race
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: ADD_ADDR rtx: fix potential data-race
This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().
If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9b272a85fe6b8f993e37915311e4038c814a533",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "23079e0b7742ec114d3507c3e3aad01b7b69e4af",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "b35605e1f1e877038c8c9d499babbc891cdd234f",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "013dcdc1961543b9a3433466bc8c79a2f4ca75b5",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "2ad56e434199ca24a812bb353667aa1c3860f513",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "cc3c0399361efaaf7ae64262eb3f70829b1189c6",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "5cd6e0ad79d2615264f63929f8b457ad97ae550d",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: ADD_ADDR rtx: fix potential data-race\n\nThis mptcp_pm_add_timer() helper is executed as a timer callback in\nsoftirq context. To avoid any data races, the socket lock needs to be\nheld with bh_lock_sock().\n\nIf the socket is in use, retry again soon after, similar to what is done\nwith the keepalive timer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:39.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9b272a85fe6b8f993e37915311e4038c814a533"
},
{
"url": "https://git.kernel.org/stable/c/23079e0b7742ec114d3507c3e3aad01b7b69e4af"
},
{
"url": "https://git.kernel.org/stable/c/b35605e1f1e877038c8c9d499babbc891cdd234f"
},
{
"url": "https://git.kernel.org/stable/c/013dcdc1961543b9a3433466bc8c79a2f4ca75b5"
},
{
"url": "https://git.kernel.org/stable/c/6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3"
},
{
"url": "https://git.kernel.org/stable/c/2ad56e434199ca24a812bb353667aa1c3860f513"
},
{
"url": "https://git.kernel.org/stable/c/cc3c0399361efaaf7ae64262eb3f70829b1189c6"
},
{
"url": "https://git.kernel.org/stable/c/5cd6e0ad79d2615264f63929f8b457ad97ae550d"
}
],
"title": "mptcp: pm: ADD_ADDR rtx: fix potential data-race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46137",
"datePublished": "2026-05-28T09:35:53.628Z",
"dateReserved": "2026-05-13T15:03:33.100Z",
"dateUpdated": "2026-06-19T11:59:39.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45842 (GCVE-0-2026-45842)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
slip: reject VJ receive packets on instances with no rstate array
Summary
In the Linux kernel, the following vulnerability has been resolved:
slip: reject VJ receive packets on instances with no rstate array
slhc_init() accepts rslots == 0 as a valid configuration, with the
documented meaning of 'no receive compression'. In that case the
allocation loop in slhc_init() is skipped, so comp->rstate stays
NULL and comp->rslot_limit stays 0 (from the kzalloc of struct
slcompress).
The receive helpers do not defend against that configuration.
slhc_uncompress() dereferences comp->rstate[x] when the VJ header
carries an explicit connection ID, and slhc_remember() later assigns
cs = &comp->rstate[...] after only comparing the packet's slot number
to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the
range check, and the code dereferences a NULL rstate.
The configuration is reachable in-tree through PPP. PPPIOCSMAXCID
stores its argument in a signed int, and (val >> 16) uses arithmetic
shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1
is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because
/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path
is reachable from an unprivileged user namespace. Once the malformed
VJ state is installed, any inbound VJ-compressed or VJ-uncompressed
frame that selects slot 0 crashes the kernel in softirq context:
Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)
Call Trace:
<TASK>
ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)
ppp_input (drivers/net/ppp/ppp_generic.c:2359)
ppp_async_process (drivers/net/ppp/ppp_async.c:492)
tasklet_action_common (kernel/softirq.c:926)
handle_softirqs (kernel/softirq.c:623)
run_ksoftirqd (kernel/softirq.c:1055)
smpboot_thread_fn (kernel/smpboot.c:160)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:164)
</TASK>
Reject the receive side on such instances instead of touching rstate.
slhc_uncompress() falls through to its existing 'bad' label, which
bumps sls_i_error and enters the toss state. slhc_remember() mirrors
that with an explicit sls_i_error increment followed by slhc_toss();
the sls_i_runt counter is not used here because a missing rstate is
an internal configuration state, not a runt packet.
The transmit path is unaffected: the only in-tree caller that picks
rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and
slip.c always calls slhc_init(16, 16), so comp->tstate remains valid
and slhc_compress() continues to work.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d71c961febddd855d3ae9a519eeb96c8023f430",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "72304fec672e8aac9ee7b9c475db96b37cca8d8d",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "4aa9eca6fda2919027dfd7a7cc69334982d89586",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "c6980e8b1a86288167f34966fa5219031999b6f1",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "de42f86e2cf5028a97e74c25869d1a962b13c301",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "9e1ff0eead073c4f46d874ad2526b7dda5465faf",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "7b0d9e878ec2b21d99ae8051b3dda59cdb66c152",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "e76607442d5b73e1ba6768f501ef815bb58c2c0e",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"status": "affected",
"version": "42fc512469e78939c1e419d3310c47de55bdcbb8",
"versionType": "git"
},
{
"status": "affected",
"version": "df085f1cb3acd3d75408ff94f366983873bce7d2",
"versionType": "git"
},
{
"status": "affected",
"version": "a1c3860d3c5fc62bd35f089bcb03f18a37242de9",
"versionType": "git"
},
{
"status": "affected",
"version": "f82699de104eaf8a7ffc2849a566a94818dd8a3c",
"versionType": "git"
},
{
"status": "affected",
"version": "354b254af5c1350de9586af75fe5a821b35bfb33",
"versionType": "git"
},
{
"status": "affected",
"version": "5148857f5d4c812cc918cf4627f7880521e987eb",
"versionType": "git"
},
{
"status": "affected",
"version": "82185755d90c8047c6f4b589c39998ff3d4ca3ad",
"versionType": "git"
},
{
"status": "affected",
"version": "a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d",
"versionType": "git"
},
{
"status": "affected",
"version": "6b4fa561e26526c62636414d267342c945084f44",
"versionType": "git"
},
{
"lessThan": "2.6.33",
"status": "affected",
"version": "2.6.32.70",
"versionType": "semver"
},
{
"lessThan": "3.3",
"status": "affected",
"version": "3.2.75",
"versionType": "semver"
},
{
"lessThan": "3.5",
"status": "affected",
"version": "3.4.111",
"versionType": "semver"
},
{
"lessThan": "3.11",
"status": "affected",
"version": "3.10.96",
"versionType": "semver"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.53",
"versionType": "semver"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.60",
"versionType": "semver"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.27",
"versionType": "semver"
},
{
"lessThan": "4.2",
"status": "affected",
"version": "4.1.17",
"versionType": "semver"
},
{
"lessThan": "4.4",
"status": "affected",
"version": "4.3.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of \u0027no receive compression\u0027. In that case the\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n \u003cTASK\u003e\n ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n tasklet_action_common (kernel/softirq.c:926)\n handle_softirqs (kernel/softirq.c:623)\n run_ksoftirqd (kernel/softirq.c:1055)\n smpboot_thread_fn (kernel/smpboot.c:160)\n kthread (kernel/kthread.c:436)\n ret_from_fork (arch/x86/kernel/process.c:164)\n \u003c/TASK\u003e\n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\nand slhc_compress() continues to work."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:17.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d71c961febddd855d3ae9a519eeb96c8023f430"
},
{
"url": "https://git.kernel.org/stable/c/72304fec672e8aac9ee7b9c475db96b37cca8d8d"
},
{
"url": "https://git.kernel.org/stable/c/4aa9eca6fda2919027dfd7a7cc69334982d89586"
},
{
"url": "https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1"
},
{
"url": "https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301"
},
{
"url": "https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf"
},
{
"url": "https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152"
},
{
"url": "https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e"
}
],
"title": "slip: reject VJ receive packets on instances with no rstate array",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45842",
"datePublished": "2026-05-27T09:24:42.637Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:17.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52909 (GCVE-0-2026-52909)
Vulnerability from cvelistv5 – Published: 2026-06-19 14:43 – Updated: 2026-06-28 06:36
Title
ip6_vti: set netns_immutable on the fallback device.
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: set netns_immutable on the fallback device.
john1988 and Noam Rathaus reported that vti6_init_net() does not set the
netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).
Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)
correctly set this flag during their fallback device initialization to
prevent them from being moved to another network namespace.
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < ecf8904067dcba0dad86ece80874841e60317885 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < dcdce3bc9f08026ff3739ee7339e1bef526fc5f3 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < d289d5307762d1838aaece22c6b6fcad9e8865f9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecf8904067dcba0dad86ece80874841e60317885",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "dcdce3bc9f08026ff3739ee7339e1bef526fc5f3",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "d289d5307762d1838aaece22c6b6fcad9e8865f9",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: set netns_immutable on the fallback device.\n\njohn1988 and Noam Rathaus reported that vti6_init_net() does not set the\nnetns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).\n\nOther similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)\ncorrectly set this flag during their fallback device initialization to\nprevent them from being moved to another network namespace."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:26.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecf8904067dcba0dad86ece80874841e60317885"
},
{
"url": "https://git.kernel.org/stable/c/dcdce3bc9f08026ff3739ee7339e1bef526fc5f3"
},
{
"url": "https://git.kernel.org/stable/c/d289d5307762d1838aaece22c6b6fcad9e8865f9"
}
],
"title": "ip6_vti: set netns_immutable on the fallback device.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52909",
"datePublished": "2026-06-19T14:43:33.214Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-28T06:36:26.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52910 (GCVE-0-2026-52910)
Vulnerability from cvelistv5 – Published: 2026-06-19 14:43 – Updated: 2026-06-30 12:09
Title
bpf: Free reuseport cBPF prog after RCU grace period.
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Free reuseport cBPF prog after RCU grace period.
Eulgyu Kim reported the splat below with a repro. [0]
The repro sets up a UDP reuseport group with a cBPF prog and
replaces it with a new one while another thread is sending
a UDP packet to the group.
The reuseport prog is freed by sk_reuseport_prog_free().
bpf_prog_put() is called for "e"BPF prog to destruct through
multiple stages while cBPF prog is freed immediately by
bpf_release_orig_filter() and bpf_prog_free().
If a reuseport prog is detached from the setsockopt() path
(reuseport_attach_prog() or reuseport_detach_prog()),
sk_reuseport_prog_free() is called without waiting for RCU
readers to complete, resulting in various bugs.
Let's defer freeing the reuseport cBPF prog after one RCU
grace period.
Note "e"BPF prog is safe as is unless the fast path starts
to touch fields destroyed in bpf_prog_put_deferred() and
__bpf_prog_put_noref().
[0]:
BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
Read of size 4 at addr ffffc9000051e004 by task slowme/10208
CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
__udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
__udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
__udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6181 [inline]
__netif_receive_skb net/core/dev.c:6294 [inline]
process_backlog+0xaa4/0x1960 net/core/dev.c:6645
__napi_poll+0xae/0x340 net/core/dev.c:7709
napi_poll net/core/dev.c:7772 [inline]
net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
handle_softirqs+0x22b/0x870 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
__dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
neigh_output include/net/neighbour.h:556 [inline]
ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x554/0x680 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x415a2d
Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
R10: 0000000000000000 R11:
---truncated---
Severity
7.8 (High)
CWE
- CWE-364 - Signal Handler Race Condition
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 08264d5bba0bdd3a79bc2984fee09286aba0c4eb (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < fec41484e7c2aa7ded44c541bba98872be937754 (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < c3e3fddda6b5d9ba505d218b4055e7d8a282ac57 (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < f8b8f1d4bb76098e87b8269a0631019648330e6d (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 298db6167f81e9c470a57cf652e4e47757b4293e (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 87dfb977bdb6eaa47e9993a34e18f44970f88b1f (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 90e47dc5c572d1c73971ac51c7428803f42b78eb (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 18fc650ccd7fe3376eca89203668cfb8268f60df (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Berkeley Packet Filter (BPF) reuseport mechanism. When a cBPF program is detached from a reuseport group, it is freed immediately without waiting for Read-Copy-Update (RCU) readers to complete. This can lead to a use-after-free condition, resulting in memory corruption (specifically, an out-of-bounds read) if another thread is simultaneously sending UDP packets to the reuseport group. This vulnerability can cause system instability and various other bugs."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-364",
"description": "Signal Handler Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:47.476Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-52910"
},
{
"name": "RHBZ#2490779",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490779"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52910.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-19T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-19T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: bpf: Free reuseport cBPF prog after RCU grace period",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08264d5bba0bdd3a79bc2984fee09286aba0c4eb",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "fec41484e7c2aa7ded44c541bba98872be937754",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "c3e3fddda6b5d9ba505d218b4055e7d8a282ac57",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "f8b8f1d4bb76098e87b8269a0631019648330e6d",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "298db6167f81e9c470a57cf652e4e47757b4293e",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "87dfb977bdb6eaa47e9993a34e18f44970f88b1f",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "90e47dc5c572d1c73971ac51c7428803f42b78eb",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "18fc650ccd7fe3376eca89203668cfb8268f60df",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free reuseport cBPF prog after RCU grace period.\n\nEulgyu Kim reported the splat below with a repro. [0]\n\nThe repro sets up a UDP reuseport group with a cBPF prog and\nreplaces it with a new one while another thread is sending\na UDP packet to the group.\n\nThe reuseport prog is freed by sk_reuseport_prog_free().\nbpf_prog_put() is called for \"e\"BPF prog to destruct through\nmultiple stages while cBPF prog is freed immediately by\nbpf_release_orig_filter() and bpf_prog_free().\n\nIf a reuseport prog is detached from the setsockopt() path\n(reuseport_attach_prog() or reuseport_detach_prog()),\nsk_reuseport_prog_free() is called without waiting for RCU\nreaders to complete, resulting in various bugs.\n\nLet\u0027s defer freeing the reuseport cBPF prog after one RCU\ngrace period.\n\nNote \"e\"BPF prog is safe as is unless the fast path starts\nto touch fields destroyed in bpf_prog_put_deferred() and\n__bpf_prog_put_noref().\n\n[0]:\nBUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596\nRead of size 4 at addr ffffc9000051e004 by task slowme/10208\nCPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)\nHardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596\n udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495\n __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723\n __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752\n __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752\n ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207\n ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n __netif_receive_skb_one_core net/core/dev.c:6181 [inline]\n __netif_receive_skb net/core/dev.c:6294 [inline]\n process_backlog+0xaa4/0x1960 net/core/dev.c:6645\n __napi_poll+0xae/0x340 net/core/dev.c:7709\n napi_poll net/core/dev.c:7772 [inline]\n net_rx_action+0x5d7/0xf50 net/core/dev.c:7929\n handle_softirqs+0x22b/0x870 kernel/softirq.c:622\n do_softirq+0x76/0xd0 kernel/softirq.c:523\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]\n __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890\n neigh_output include/net/neighbour.h:556 [inline]\n ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip_output+0x29f/0x450 net/ipv4/ip_output.c:438\n ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508\n udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195\n udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n __sys_sendto+0x554/0x680 net/socket.c:2206\n __do_sys_sendto net/socket.c:2213 [inline]\n __se_sys_sendto net/socket.c:2209 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2209\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x415a2d\nCode: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d\nRDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003\nRBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010\nR10: 0000000000000000 R11: \n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:27.818Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08264d5bba0bdd3a79bc2984fee09286aba0c4eb"
},
{
"url": "https://git.kernel.org/stable/c/fec41484e7c2aa7ded44c541bba98872be937754"
},
{
"url": "https://git.kernel.org/stable/c/c3e3fddda6b5d9ba505d218b4055e7d8a282ac57"
},
{
"url": "https://git.kernel.org/stable/c/f8b8f1d4bb76098e87b8269a0631019648330e6d"
},
{
"url": "https://git.kernel.org/stable/c/298db6167f81e9c470a57cf652e4e47757b4293e"
},
{
"url": "https://git.kernel.org/stable/c/87dfb977bdb6eaa47e9993a34e18f44970f88b1f"
},
{
"url": "https://git.kernel.org/stable/c/90e47dc5c572d1c73971ac51c7428803f42b78eb"
},
{
"url": "https://git.kernel.org/stable/c/18fc650ccd7fe3376eca89203668cfb8268f60df"
}
],
"title": "bpf: Free reuseport cBPF prog after RCU grace period.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52910",
"datePublished": "2026-06-19T14:43:33.952Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-30T12:09:47.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31613 (GCVE-0-2026-31613)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-06-14 17:42
Title
smb: client: fix OOB reads parsing symlink error response
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOB reads parsing symlink error response
When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()
returns success without any length validation, leaving the symlink
parsers as the only defense against an untrusted server.
symlink_data() walks SMB 3.1.1 error contexts with the loop test "p <
end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset
0. When the server-controlled ErrorDataLength advances p to within 1-7
bytes of end, the next iteration will read past it. When the matching
context is found, sym->SymLinkErrorTag is read at offset 4 from
p->ErrorContextData with no check that the symlink header itself fits.
smb2_parse_symlink_response() then bounds-checks the substitute name
using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from
iov_base. That value is computed as sizeof(smb2_err_rsp) +
sizeof(smb2_symlink_err_rsp), which is correct only when
ErrorContextCount == 0.
With at least one error context the symlink data sits 8 bytes deeper,
and each skipped non-matching context shifts it further by 8 +
ALIGN(ErrorDataLength, 8). The check is too short, allowing the
substitute name read to run past iov_len. The out-of-bound heap bytes
are UTF-16-decoded into the symlink target and returned to userspace via
readlink(2).
Fix this all up by making the loop test require the full context header
to fit, rejecting sym if its header runs past end, and bounding the
substitute name against the actual position of sym->PathBuffer rather
than a fixed offset.
Because sub_offs and sub_len are 16 bits, the pointer math will not
overflow here with the new greater-than.
Severity
8.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < 043834e72337ee7b4e9685859888623ba1504ac7 (git) |
| Linux | Linux | Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < d65a64755a3df68a2fd19d2a81395e9f723aca23 (git) |
| Linux | Linux | Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < 20ac98f0eb6047edb73c9a27af782bdde08b3757 (git) |
| Linux | Linux | Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < e0dd90d14cbbf318157ea8e3fb62ee68a28655ed (git) |
| Linux | Linux | Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < 781902e069f4ecb6c3b83502f181972c1446110a (git) |
| Linux | Linux | Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < a66ef2e7ed837325c5600f8617d5ee0a0a149fdd (git) |
| Linux | Linux | Affected: 76894f3e2f71177747b8b4763fb180e800279585 , < 3df690bba28edec865cf7190be10708ad0ddd67e (git) |
| Linux | Linux | Affected: 2d046892a493d9760c35fdaefc3017f27f91b621 (git) |
| Linux | Linux | Affected: 6.0.16 , < 6.1 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "043834e72337ee7b4e9685859888623ba1504ac7",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "d65a64755a3df68a2fd19d2a81395e9f723aca23",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "20ac98f0eb6047edb73c9a27af782bdde08b3757",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "e0dd90d14cbbf318157ea8e3fb62ee68a28655ed",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "781902e069f4ecb6c3b83502f181972c1446110a",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "a66ef2e7ed837325c5600f8617d5ee0a0a149fdd",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "3df690bba28edec865cf7190be10708ad0ddd67e",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"status": "affected",
"version": "2d046892a493d9760c35fdaefc3017f27f91b621",
"versionType": "git"
},
{
"lessThan": "6.1",
"status": "affected",
"version": "6.0.16",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB reads parsing symlink error response\n\nWhen a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()\nreturns success without any length validation, leaving the symlink\nparsers as the only defense against an untrusted server.\n\nsymlink_data() walks SMB 3.1.1 error contexts with the loop test \"p \u003c\nend\", but reads p-\u003eErrorId at offset 4 and p-\u003eErrorDataLength at offset\n0. When the server-controlled ErrorDataLength advances p to within 1-7\nbytes of end, the next iteration will read past it. When the matching\ncontext is found, sym-\u003eSymLinkErrorTag is read at offset 4 from\np-\u003eErrorContextData with no check that the symlink header itself fits.\n\nsmb2_parse_symlink_response() then bounds-checks the substitute name\nusing SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from\niov_base. That value is computed as sizeof(smb2_err_rsp) +\nsizeof(smb2_symlink_err_rsp), which is correct only when\nErrorContextCount == 0.\n\nWith at least one error context the symlink data sits 8 bytes deeper,\nand each skipped non-matching context shifts it further by 8 +\nALIGN(ErrorDataLength, 8). The check is too short, allowing the\nsubstitute name read to run past iov_len. The out-of-bound heap bytes\nare UTF-16-decoded into the symlink target and returned to userspace via\nreadlink(2).\n\nFix this all up by making the loops test require the full context header\nto fit, rejecting sym if its header runs past end, and bound the\nsubstitute name against the actual position of sym-\u003ePathBuffer rather\nthan a fixed offset.\n\nBecause sub_offs and sub_len are 16bits, the pointer math will not\noverflow here with the new greater-than."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:42:57.094Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/043834e72337ee7b4e9685859888623ba1504ac7"
},
{
"url": "https://git.kernel.org/stable/c/d65a64755a3df68a2fd19d2a81395e9f723aca23"
},
{
"url": "https://git.kernel.org/stable/c/20ac98f0eb6047edb73c9a27af782bdde08b3757"
},
{
"url": "https://git.kernel.org/stable/c/e0dd90d14cbbf318157ea8e3fb62ee68a28655ed"
},
{
"url": "https://git.kernel.org/stable/c/781902e069f4ecb6c3b83502f181972c1446110a"
},
{
"url": "https://git.kernel.org/stable/c/a66ef2e7ed837325c5600f8617d5ee0a0a149fdd"
},
{
"url": "https://git.kernel.org/stable/c/3df690bba28edec865cf7190be10708ad0ddd67e"
}
],
"title": "smb: client: fix OOB reads parsing symlink error response",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31613",
"datePublished": "2026-04-24T14:42:33.453Z",
"dateReserved": "2026-03-09T15:48:24.123Z",
"dateUpdated": "2026-06-14T17:42:57.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45930 (GCVE-0-2026-45930)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-06-19 11:58
Title
net: mctp: ensure our nlmsg responses are initialised
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mctp: ensure our nlmsg responses are initialised
Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from
DEVCORE Research Team working with Trend Micro Zero Day Initiative
report that a RTM_GETNEIGH will return uninitialised data in the pad
bytes of the ndmsg data.
Ensure we're initialising the netlink data to zero, in the link, addr
and neigh response messages.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d , < b37da3ac099e145bcd3be82c745a8d335772e3af (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d , < c4f840437e7641764de15f2de951ac8335d641f1 (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d , < 963537a26fd892f7e414a091f807b44aeee97a7d (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d , < 976612471a9e6ead6ceffc241e4d0a1aac90b36a (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d , < 54ed418de62a148a655262da682a050fa05f7924 (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d , < 6fb6a97c86abb8592158088afaea0eb464cf9de1 (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d , < a6a9bc544b675d8b5180f2718ec985ad267b5cbf (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mctp/device.c",
"net/mctp/neigh.c",
"net/mctp/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b37da3ac099e145bcd3be82c745a8d335772e3af",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "c4f840437e7641764de15f2de951ac8335d641f1",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "963537a26fd892f7e414a091f807b44aeee97a7d",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "976612471a9e6ead6ceffc241e4d0a1aac90b36a",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "54ed418de62a148a655262da682a050fa05f7924",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "6fb6a97c86abb8592158088afaea0eb464cf9de1",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "a6a9bc544b675d8b5180f2718ec985ad267b5cbf",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mctp/device.c",
"net/mctp/neigh.c",
"net/mctp/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: ensure our nlmsg responses are initialised\n\nSyed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from\nDEVCORE Research Team working with Trend Micro Zero Day Initiative\nreport that a RTM_GETNEIGH will return uninitalised data in the pad\nbytes of the ndmsg data.\n\nEnsure we\u0027re initialising the netlink data to zero, in the link, addr\nand neigh response messages."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:46.478Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b37da3ac099e145bcd3be82c745a8d335772e3af"
},
{
"url": "https://git.kernel.org/stable/c/c4f840437e7641764de15f2de951ac8335d641f1"
},
{
"url": "https://git.kernel.org/stable/c/963537a26fd892f7e414a091f807b44aeee97a7d"
},
{
"url": "https://git.kernel.org/stable/c/976612471a9e6ead6ceffc241e4d0a1aac90b36a"
},
{
"url": "https://git.kernel.org/stable/c/54ed418de62a148a655262da682a050fa05f7924"
},
{
"url": "https://git.kernel.org/stable/c/6fb6a97c86abb8592158088afaea0eb464cf9de1"
},
{
"url": "https://git.kernel.org/stable/c/a6a9bc544b675d8b5180f2718ec985ad267b5cbf"
}
],
"title": "net: mctp: ensure our nlmsg responses are initialised",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45930",
"datePublished": "2026-05-27T12:17:48.689Z",
"dateReserved": "2026-05-13T15:03:33.086Z",
"dateUpdated": "2026-06-19T11:58:46.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45850 (GCVE-0-2026-45850)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:15 – Updated: 2026-06-19 11:58
Title
ipvs: skip ipv6 extension headers for csum checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: skip ipv6 extension headers for csum checks
Protocol checksum validation fails for IPv6 if there are extension
headers before the protocol header. iph->len already contains its
offset, so use it to fix the problem.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 0bf92a90bf05ecafe52e92d5bc15a585021a64ac (git) |
| Linux | Linux | Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 54add3b7d3c154ca89ef5bac2582b0ed1a3a15d5 (git) |
| Linux | Linux | Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 768f665f3685b455ed686370ed7ccb852a125a3b (git) |
| Linux | Linux | Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 9aa7edc1347b98774e5167ca34e5b8aa6083bde7 (git) |
| Linux | Linux | Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < d643c1ec80b70508f54dac12179e36920e2c00de (git) |
| Linux | Linux | Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < cdce1e797addab72393c0dfee31aaca41ef7d937 (git) |
| Linux | Linux | Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < a3ca27762ce8476b4fbf9b2a8f5cb74c38e483e4 (git) |
| Linux | Linux | Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 05cfe9863ef049d98141dc2969eefde72fb07625 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_proto_sctp.c",
"net/netfilter/ipvs/ip_vs_proto_tcp.c",
"net/netfilter/ipvs/ip_vs_proto_udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bf92a90bf05ecafe52e92d5bc15a585021a64ac",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "54add3b7d3c154ca89ef5bac2582b0ed1a3a15d5",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "768f665f3685b455ed686370ed7ccb852a125a3b",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "9aa7edc1347b98774e5167ca34e5b8aa6083bde7",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "d643c1ec80b70508f54dac12179e36920e2c00de",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "cdce1e797addab72393c0dfee31aaca41ef7d937",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "a3ca27762ce8476b4fbf9b2a8f5cb74c38e483e4",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "05cfe9863ef049d98141dc2969eefde72fb07625",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_proto_sctp.c",
"net/netfilter/ipvs/ip_vs_proto_tcp.c",
"net/netfilter/ipvs/ip_vs_proto_udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: skip ipv6 extension headers for csum checks\n\nProtocol checksum validation fails for IPv6 if there are extension\nheaders before the protocol header. iph-\u003elen already contains its\noffset, so use it to fix the problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:42.748Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bf92a90bf05ecafe52e92d5bc15a585021a64ac"
},
{
"url": "https://git.kernel.org/stable/c/54add3b7d3c154ca89ef5bac2582b0ed1a3a15d5"
},
{
"url": "https://git.kernel.org/stable/c/768f665f3685b455ed686370ed7ccb852a125a3b"
},
{
"url": "https://git.kernel.org/stable/c/9aa7edc1347b98774e5167ca34e5b8aa6083bde7"
},
{
"url": "https://git.kernel.org/stable/c/d643c1ec80b70508f54dac12179e36920e2c00de"
},
{
"url": "https://git.kernel.org/stable/c/cdce1e797addab72393c0dfee31aaca41ef7d937"
},
{
"url": "https://git.kernel.org/stable/c/a3ca27762ce8476b4fbf9b2a8f5cb74c38e483e4"
},
{
"url": "https://git.kernel.org/stable/c/05cfe9863ef049d98141dc2969eefde72fb07625"
}
],
"title": "ipvs: skip ipv6 extension headers for csum checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45850",
"datePublished": "2026-05-27T12:15:21.389Z",
"dateReserved": "2026-05-13T15:03:33.079Z",
"dateUpdated": "2026-06-19T11:58:42.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46331 (GCVE-0-2026-46331)
Vulnerability from cvelistv5 – Published: 2026-06-16 06:26 – Updated: 2026-07-03 12:05
Title
net/sched: fix pedit partial COW leading to page cache corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix pedit partial COW leading to page cache corruption
tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b (git) |
| Linux | Linux | Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < b198ed4e52580a7238c7c7082f03906f8b310313 (git) |
| Linux | Linux | Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 3dee9d0c198faeb95d052c1b94c2958751a28512 (git) |
| Linux | Linux | Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 899ee91156e57784090c5565e4f31bd7dbffbc5a (git) |
| Linux | Linux | Affected: d0c38a914b0c4c21d553da801003d36979016726 (git) |
| Linux | Linux | Affected: 2ec2dd7d51a9320151f275ddbb2b53260fb32ca1 (git) |
| Linux | Linux | Affected: abe35bf3be51482593076d516a680d79e5fbc8e1 (git) |
| Linux | Linux | Affected: b773640d5bb9e2acfd91e2695717af04d47aa116 (git) |
| Linux | Linux | Affected: c19cc520b3d69904e9518d401ad0df7f4702aca0 (git) |
| Linux | Linux | Affected: 4.19.244 , < 4.20 (semver) |
| Linux | Linux | Affected: 5.4.195 , < 5.5 (semver) |
| Linux | Linux | Affected: 5.10.117 , < 5.11 (semver) |
| Linux | Linux | Affected: 5.15.41 , < 5.16 (semver) |
| Linux | Linux | Affected: 5.17.9 , < 5.18 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46331",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:32.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/sgkdev/packet_edit_meme/tree/main"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.22::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.22",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-18T04:04:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s traffic control packet editing (pedit) subsystem. In tcf_pedit_act(), the copy-on-write (COW) range for skb_ensure_writable() is computed once before iterating over edit keys, but the calculation does not account for runtime header offsets added by typed keys. This can leave part of the target write region without a proper copy-on-write, leading to an out-of-bounds write that corrupts page cache memory. A local attacker with the ability to configure traffic control rules could exploit this to escalate privileges or crash the system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:02.449Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46331"
},
{
"name": "RHBZ#2479492",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479492"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46331.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27709"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33666"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29080"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29856"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29863"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29799"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29833"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29794"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27288"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27705"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27713"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33225"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27353"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33220"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27707"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27704"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27355"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33219"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33221"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33222"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33223"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33224"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27354"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27706"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27709: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33666: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:29080: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:29856: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:29863: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:29799: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:29833: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:29794: Red Hat OpenShift Container Platform 4.22"
},
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:27288: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27705: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:27713: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:27789: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:33225: Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27353: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33220: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:27707: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:27704: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:27355: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:33219: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:33221: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:33222: Red Hat Enterprise Linux BaseOS E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:33223: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:33224: Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:27354: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:27706: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-18T06:17:23.219Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-18T04:04:00.000Z",
"value": "Made public."
}
],
"title": "kernel: net/sched: act_pedit: extend the writable skb range per key",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_pedit.h",
"net/sched/act_pedit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "b198ed4e52580a7238c7c7082f03906f8b310313",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "3dee9d0c198faeb95d052c1b94c2958751a28512",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "899ee91156e57784090c5565e4f31bd7dbffbc5a",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"status": "affected",
"version": "d0c38a914b0c4c21d553da801003d36979016726",
"versionType": "git"
},
{
"status": "affected",
"version": "2ec2dd7d51a9320151f275ddbb2b53260fb32ca1",
"versionType": "git"
},
{
"status": "affected",
"version": "abe35bf3be51482593076d516a680d79e5fbc8e1",
"versionType": "git"
},
{
"status": "affected",
"version": "b773640d5bb9e2acfd91e2695717af04d47aa116",
"versionType": "git"
},
{
"status": "affected",
"version": "c19cc520b3d69904e9518d401ad0df7f4702aca0",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.244",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.195",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.117",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.41",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_pedit.h",
"net/sched/act_pedit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix pedit partial COW leading to page cache corruption\n\ntcf_pedit_act() computes the COW range for skb_ensure_writable()\nonce before the key loop using tcfp_off_max_hint, but the hint does\nnot account for the runtime header offset added by typed keys. This\ncan leave part of the write region un-COW\u0027d.\n\nFix by moving skb_ensure_writable() inside the per-key loop where\nthe actual write offset is known, and add overflow checking on the\noffset arithmetic. For negative offsets (e.g. Ethernet header edits\nat ingress), use skb_cow() to COW the headroom instead. Guard\noffset_valid() against INT_MIN, where negation is undefined."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:22.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b"
},
{
"url": "https://git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313"
},
{
"url": "https://git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512"
},
{
"url": "https://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a"
}
],
"title": "net/sched: fix pedit partial COW leading to page cache corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46331",
"datePublished": "2026-06-16T06:26:21.066Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-07-03T12:05:02.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31486 (GCVE-0-2026-31486)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-06-19 11:57
Title
hwmon: (pmbus/core) Protect regulator operations with mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (pmbus/core) Protect regulator operations with mutex
The regulator operations pmbus_regulator_get_voltage(),
pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()
access PMBus registers and shared data but were not protected by
the update_lock mutex. This could lead to race conditions.
However, adding mutex protection directly to these functions causes
a deadlock because pmbus_regulator_notify() (which calls
regulator_notifier_call_chain()) is often called with the mutex
already held (e.g., from pmbus_fault_handler()). If a regulator
callback then calls one of the now-protected voltage functions,
it will attempt to acquire the same mutex.
Rework pmbus_regulator_notify() to utilize a worker function to
send notifications outside of the mutex protection. Events are
stored as atomics in a per-page bitmask and processed by the worker.
Initialize the worker and its associated data during regulator
registration, and ensure it is cancelled on device removal using
devm_add_action_or_reset().
While at it, remove the unnecessary include of linux/of.h.
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7, < b26849cffaa7c43355b82e9bef3725e786973a1a (git) |
| Linux | Linux | Affected: ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7, < acf04e2863132f6d9222f71f3a76fb9782cbe061 (git) |
| Linux | Linux | Affected: ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7, < 4e9d723d9f198b86f6882a84c501ba1f39e8d055 (git) |
| Linux | Linux | Affected: ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7, < 2c77ae315f3ce9d2c8e1609be74c9358c1fe4e07 (git) |
| Linux | Linux | Affected: ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7, < 754bd2b4a084b90b5e7b630e1f423061a9b9b761 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/pmbus/pmbus_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b26849cffaa7c43355b82e9bef3725e786973a1a",
"status": "affected",
"version": "ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7",
"versionType": "git"
},
{
"lessThan": "acf04e2863132f6d9222f71f3a76fb9782cbe061",
"status": "affected",
"version": "ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7",
"versionType": "git"
},
{
"lessThan": "4e9d723d9f198b86f6882a84c501ba1f39e8d055",
"status": "affected",
"version": "ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7",
"versionType": "git"
},
{
"lessThan": "2c77ae315f3ce9d2c8e1609be74c9358c1fe4e07",
"status": "affected",
"version": "ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7",
"versionType": "git"
},
{
"lessThan": "754bd2b4a084b90b5e7b630e1f423061a9b9b761",
"status": "affected",
"version": "ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/pmbus/pmbus_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus/core) Protect regulator operations with mutex\n\nThe regulator operations pmbus_regulator_get_voltage(),\npmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()\naccess PMBus registers and shared data but were not protected by\nthe update_lock mutex. This could lead to race conditions.\n\nHowever, adding mutex protection directly to these functions causes\na deadlock because pmbus_regulator_notify() (which calls\nregulator_notifier_call_chain()) is often called with the mutex\nalready held (e.g., from pmbus_fault_handler()). If a regulator\ncallback then calls one of the now-protected voltage functions,\nit will attempt to acquire the same mutex.\n\nRework pmbus_regulator_notify() to utilize a worker function to\nsend notifications outside of the mutex protection. Events are\nstored as atomics in a per-page bitmask and processed by the worker.\n\nInitialize the worker and its associated data during regulator\nregistration, and ensure it is cancelled on device removal using\ndevm_add_action_or_reset().\n\nWhile at it, remove the unnecessary include of linux/of.h."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:45.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b26849cffaa7c43355b82e9bef3725e786973a1a"
},
{
"url": "https://git.kernel.org/stable/c/acf04e2863132f6d9222f71f3a76fb9782cbe061"
},
{
"url": "https://git.kernel.org/stable/c/4e9d723d9f198b86f6882a84c501ba1f39e8d055"
},
{
"url": "https://git.kernel.org/stable/c/2c77ae315f3ce9d2c8e1609be74c9358c1fe4e07"
},
{
"url": "https://git.kernel.org/stable/c/754bd2b4a084b90b5e7b630e1f423061a9b9b761"
}
],
"title": "hwmon: (pmbus/core) Protect regulator operations with mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31486",
"datePublished": "2026-04-22T13:54:11.594Z",
"dateReserved": "2026-03-09T15:48:24.101Z",
"dateUpdated": "2026-06-19T11:57:45.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46322 (GCVE-0-2026-46322)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-19 12:00
Title
tun: free page on build_skb failure in tun_xdp_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tun: free page on build_skb failure in tun_xdp_one()
When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.
Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c, < 26fe549b5192536b6c1c68a2dfdc8c0dcf9fa4a9 (git) |
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c, < 793385c154771603b8671dd8338927221e9d8d78 (git) |
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c, < 2638a9c1521905bb5c5d1e95c8fbc09f79148ed7 (git) |
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c, < 60d9c0d6cdde5420d6483c921b16fe5465eb5238 (git) |
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c, < d16e38fac09a47bfcf98c1ad65a1bb53f94540f5 (git) |
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c, < aa308e9dbb9acb17cacdbbce9e4504f69bac8385 (git) |
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c, < 4fefc6156a162a9f50035c12091a5e5130c82c6e (git) |
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c, < aa8963fdce667a42fb7f0bdd2909fadcab02f9a8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "26fe549b5192536b6c1c68a2dfdc8c0dcf9fa4a9",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "793385c154771603b8671dd8338927221e9d8d78",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "2638a9c1521905bb5c5d1e95c8fbc09f79148ed7",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "60d9c0d6cdde5420d6483c921b16fe5465eb5238",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "d16e38fac09a47bfcf98c1ad65a1bb53f94540f5",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "aa308e9dbb9acb17cacdbbce9e4504f69bac8385",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "4fefc6156a162a9f50035c12091a5e5130c82c6e",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "aa8963fdce667a42fb7f0bdd2909fadcab02f9a8",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on build_skb failure in tun_xdp_one()\n\nWhen build_skb() fails in tun_xdp_one(), the function sets ret to\n-ENOMEM and jumps to the out label, which returns without freeing the\npage that vhost_net_build_xdp() allocated for the frame. As with the\nshort-frame rejection path, tun_sendmsg() discards the per-buffer error\nand still returns total_len, so vhost_tx_batch() takes the success path\nand never frees the page. Each build_skb() failure in a batch leaks one\npage-frag chunk.\n\nFree the page before taking the error path, matching the put_page() the\nother error exits of tun_xdp_one() already perform."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:24.388Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/26fe549b5192536b6c1c68a2dfdc8c0dcf9fa4a9"
},
{
"url": "https://git.kernel.org/stable/c/793385c154771603b8671dd8338927221e9d8d78"
},
{
"url": "https://git.kernel.org/stable/c/2638a9c1521905bb5c5d1e95c8fbc09f79148ed7"
},
{
"url": "https://git.kernel.org/stable/c/60d9c0d6cdde5420d6483c921b16fe5465eb5238"
},
{
"url": "https://git.kernel.org/stable/c/d16e38fac09a47bfcf98c1ad65a1bb53f94540f5"
},
{
"url": "https://git.kernel.org/stable/c/aa308e9dbb9acb17cacdbbce9e4504f69bac8385"
},
{
"url": "https://git.kernel.org/stable/c/4fefc6156a162a9f50035c12091a5e5130c82c6e"
},
{
"url": "https://git.kernel.org/stable/c/aa8963fdce667a42fb7f0bdd2909fadcab02f9a8"
}
],
"title": "tun: free page on build_skb failure in tun_xdp_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46322",
"datePublished": "2026-06-09T12:11:14.776Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:24.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43219 (GCVE-0-2026-43219)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-06-19 11:58
Title
net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
If an error occurs during register_netdev() for the first MAC in
cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,
cpsw->slaves[1].ndev would remain unchanged. This could later cause
cpsw_unregister_ports() to attempt unregistering the second MAC.
To address this, add a check for ndev->reg_state before calling
unregister_netdev(). With this change, setting cpsw->slaves[i].ndev
to NULL becomes unnecessary and can be removed accordingly.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ed3525eda4c4983fb8509e488de0a351788041ba , < d31a12cee10bbc12b4b523a4709fd1fdee8b7d0f (git) |
| Linux | Linux | Affected: ed3525eda4c4983fb8509e488de0a351788041ba , < 23acc565186ee27e788408cbd81b92730b6aaa3a (git) |
| Linux | Linux | Affected: ed3525eda4c4983fb8509e488de0a351788041ba , < 67cca9df4d17f2c824655d31195b2e75334ae286 (git) |
| Linux | Linux | Affected: ed3525eda4c4983fb8509e488de0a351788041ba , < 14645799ad5253a028cf662e2f9cd18a68f74b31 (git) |
| Linux | Linux | Affected: ed3525eda4c4983fb8509e488de0a351788041ba , < 29739ec197ed66535bc0b86f14ab66c5f4512138 (git) |
| Linux | Linux | Affected: ed3525eda4c4983fb8509e488de0a351788041ba , < 349c4cac6f54a81fc107589771f88136a2b20415 (git) |
| Linux | Linux | Affected: ed3525eda4c4983fb8509e488de0a351788041ba , < 9d724b34fbe13b71865ad0906a4be97571f19cf5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/cpsw_new.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d31a12cee10bbc12b4b523a4709fd1fdee8b7d0f",
"status": "affected",
"version": "ed3525eda4c4983fb8509e488de0a351788041ba",
"versionType": "git"
},
{
"lessThan": "23acc565186ee27e788408cbd81b92730b6aaa3a",
"status": "affected",
"version": "ed3525eda4c4983fb8509e488de0a351788041ba",
"versionType": "git"
},
{
"lessThan": "67cca9df4d17f2c824655d31195b2e75334ae286",
"status": "affected",
"version": "ed3525eda4c4983fb8509e488de0a351788041ba",
"versionType": "git"
},
{
"lessThan": "14645799ad5253a028cf662e2f9cd18a68f74b31",
"status": "affected",
"version": "ed3525eda4c4983fb8509e488de0a351788041ba",
"versionType": "git"
},
{
"lessThan": "29739ec197ed66535bc0b86f14ab66c5f4512138",
"status": "affected",
"version": "ed3525eda4c4983fb8509e488de0a351788041ba",
"versionType": "git"
},
{
"lessThan": "349c4cac6f54a81fc107589771f88136a2b20415",
"status": "affected",
"version": "ed3525eda4c4983fb8509e488de0a351788041ba",
"versionType": "git"
},
{
"lessThan": "9d724b34fbe13b71865ad0906a4be97571f19cf5",
"status": "affected",
"version": "ed3525eda4c4983fb8509e488de0a351788041ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/cpsw_new.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw_new: Fix potential unregister of netdev that has not been registered yet\n\nIf an error occurs during register_netdev() for the first MAC in\ncpsw_register_ports(), even though cpsw-\u003eslaves[0].ndev is set to NULL,\ncpsw-\u003eslaves[1].ndev would remain unchanged. This could later cause\ncpsw_unregister_ports() to attempt unregistering the second MAC.\nTo address this, add a check for ndev-\u003ereg_state before calling\nunregister_netdev(). With this change, setting cpsw-\u003eslaves[i].ndev\nto NULL becomes unnecessary and can be removed accordingly."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:21.538Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d31a12cee10bbc12b4b523a4709fd1fdee8b7d0f"
},
{
"url": "https://git.kernel.org/stable/c/23acc565186ee27e788408cbd81b92730b6aaa3a"
},
{
"url": "https://git.kernel.org/stable/c/67cca9df4d17f2c824655d31195b2e75334ae286"
},
{
"url": "https://git.kernel.org/stable/c/14645799ad5253a028cf662e2f9cd18a68f74b31"
},
{
"url": "https://git.kernel.org/stable/c/29739ec197ed66535bc0b86f14ab66c5f4512138"
},
{
"url": "https://git.kernel.org/stable/c/349c4cac6f54a81fc107589771f88136a2b20415"
},
{
"url": "https://git.kernel.org/stable/c/9d724b34fbe13b71865ad0906a4be97571f19cf5"
}
],
"title": "net: cpsw_new: Fix potential unregister of netdev that has not been registered yet",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43219",
"datePublished": "2026-05-06T11:28:20.243Z",
"dateReserved": "2026-05-01T14:12:55.993Z",
"dateUpdated": "2026-06-19T11:58:21.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31663 (GCVE-0-2026-31663)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-06-30 12:07
Title
xfrm: hold dev ref until after transport_finish NF_HOOK
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: hold dev ref until after transport_finish NF_HOOK
After async crypto completes, xfrm_input_resume() calls dev_put()
immediately on re-entry before the skb reaches transport_finish.
The skb->dev pointer is then used inside NF_HOOK and its okfn,
which can race with device teardown.
Remove the dev_put from the async resumption entry and instead
drop the reference after the NF_HOOK call in transport_finish,
using a saved device pointer since NF_HOOK may consume the skb.
This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip
the okfn.
For non-transport exits (decaps, gro, drop) and secondary
async return points, release the reference inline when
async is set.
Severity
7.8 (High)
CWE
- CWE-826 - Premature Release of Resource During Expected Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: acf568ee859f098279eadf551612f103afdacb4e , < 4236c30b437b80f673b9e08c8fae38b8d471ac9e (git) |
| Linux | Linux | Affected: acf568ee859f098279eadf551612f103afdacb4e , < 0f451b43c88bf2b9c038b414be580efee42e031b (git) |
| Linux | Linux | Affected: acf568ee859f098279eadf551612f103afdacb4e , < 5002beda5cac69d522dc54da0d5d463ed9c963d2 (git) |
| Linux | Linux | Affected: acf568ee859f098279eadf551612f103afdacb4e , < 1c428b03840094410c5fb6a5db30640486bbbfcb (git) |
| Linux | Linux | Affected: 69895c5ea0ca2e8d7de1e6d36965d0ab9730787f (git) |
| Linux | Linux | Affected: 833760100588acfb267dac4d6a02ab9931237739 (git) |
| Linux | Linux | Affected: e095ecaec6d94aa2156cceb98a85d409b51190f3 (git) |
| Linux | Linux | Affected: 3.2.100 , < 3.3 (semver) |
| Linux | Linux | Affected: 3.16.55 , < 3.17 (semver) |
| Linux | Linux | Affected: 4.14.24 , < 4.15 (semver) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s `xfrm` (IP eXtensible FRamework) subsystem. This vulnerability involves a race condition where a network device\u0027s reference is released too early during packet processing after asynchronous cryptography. This premature release can lead to the system attempting to access a deallocated device, potentially causing a system crash (Denial of Service)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-826",
"description": "Premature Release of Resource During Expected Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:48.515Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-31663"
},
{
"name": "RHBZ#2461462",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461462"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31663.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-24T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-24T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: xfrm: hold dev ref until after transport_finish NF_HOOK",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/xfrm4_input.c",
"net/ipv6/xfrm6_input.c",
"net/xfrm/xfrm_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4236c30b437b80f673b9e08c8fae38b8d471ac9e",
"status": "affected",
"version": "acf568ee859f098279eadf551612f103afdacb4e",
"versionType": "git"
},
{
"lessThan": "0f451b43c88bf2b9c038b414be580efee42e031b",
"status": "affected",
"version": "acf568ee859f098279eadf551612f103afdacb4e",
"versionType": "git"
},
{
"lessThan": "5002beda5cac69d522dc54da0d5d463ed9c963d2",
"status": "affected",
"version": "acf568ee859f098279eadf551612f103afdacb4e",
"versionType": "git"
},
{
"lessThan": "1c428b03840094410c5fb6a5db30640486bbbfcb",
"status": "affected",
"version": "acf568ee859f098279eadf551612f103afdacb4e",
"versionType": "git"
},
{
"status": "affected",
"version": "69895c5ea0ca2e8d7de1e6d36965d0ab9730787f",
"versionType": "git"
},
{
"status": "affected",
"version": "833760100588acfb267dac4d6a02ab9931237739",
"versionType": "git"
},
{
"status": "affected",
"version": "e095ecaec6d94aa2156cceb98a85d409b51190f3",
"versionType": "git"
},
{
"lessThan": "3.3",
"status": "affected",
"version": "3.2.100",
"versionType": "semver"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.55",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.24",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/xfrm4_input.c",
"net/ipv6/xfrm6_input.c",
"net/xfrm/xfrm_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.100",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: hold dev ref until after transport_finish NF_HOOK\n\nAfter async crypto completes, xfrm_input_resume() calls dev_put()\nimmediately on re-entry before the skb reaches transport_finish.\nThe skb-\u003edev pointer is then used inside NF_HOOK and its okfn,\nwhich can race with device teardown.\n\nRemove the dev_put from the async resumption entry and instead\ndrop the reference after the NF_HOOK call in transport_finish,\nusing a saved device pointer since NF_HOOK may consume the skb.\nThis covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip\nthe okfn.\n\nFor non-transport exits (decaps, gro, drop) and secondary\nasync return points, release the reference inline when\nasync is set."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:49.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4236c30b437b80f673b9e08c8fae38b8d471ac9e"
},
{
"url": "https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b"
},
{
"url": "https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2"
},
{
"url": "https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb"
}
],
"title": "xfrm: hold dev ref until after transport_finish NF_HOOK",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31663",
"datePublished": "2026-04-24T14:45:13.239Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-06-30T12:07:48.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23469 (GCVE-0-2026-23469)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-06-01 16:11
Title
drm/imagination: Synchronize interrupts before suspending the GPU
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/imagination: Synchronize interrupts before suspending the GPU
The runtime PM suspend callback doesn't know whether the IRQ handler is
in progress on a different CPU core and doesn't wait for it to finish.
Depending on timing, the IRQ handler could be running while the GPU is
suspended, leading to kernel crashes when trying to access GPU
registers. See example signature below.
In a power off sequence initiated by the runtime PM suspend callback,
wait for any IRQ handlers in progress on other CPU cores to finish, by
calling synchronize_irq().
At the same time, remove the runtime PM resume/put calls in the threaded
IRQ handler. On top of not being the right approach to begin with, and
being at the wrong place as they should have wrapped all GPU register
accesses, the driver would hit a deadlock between synchronize_irq()
being called from a runtime PM suspend callback, holding the device
power lock, and the resume callback requiring the same.
Example crash signature on a TI AM68 SK platform:
[ 337.241218] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError
[ 337.241239] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G M 6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT
[ 337.241246] Tainted: [M]=MACHINE_CHECK
[ 337.241249] Hardware name: Texas Instruments AM68 SK (DT)
[ 337.241252] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 337.241256] pc : pvr_riscv_irq_pending+0xc/0x24
[ 337.241277] lr : pvr_device_irq_thread_handler+0x64/0x310
[ 337.241282] sp : ffff800085b0bd30
[ 337.241284] x29: ffff800085b0bd50 x28: ffff0008070d9eab x27: ffff800083a5ce10
[ 337.241291] x26: ffff000806e48f80 x25: ffff0008070d9eac x24: 0000000000000000
[ 337.241296] x23: ffff0008068e9bf0 x22: ffff0008068e9bd0 x21: ffff800085b0bd30
[ 337.241301] x20: ffff0008070d9e00 x19: ffff0008068e9000 x18: 0000000000000001
[ 337.241305] x17: 637365645f656c70 x16: 0000000000000000 x15: ffff000b7df9ff40
[ 337.241310] x14: 0000a585fe3c0d0e x13: 000000999704f060 x12: 000000000002771a
[ 337.241314] x11: 00000000000000c0 x10: 0000000000000af0 x9 : ffff800085b0bd00
[ 337.241318] x8 : ffff0008071175d0 x7 : 000000000000b955 x6 : 0000000000000003
[ 337.241323] x5 : 0000000000000000 x4 : 0000000000000002 x3 : 0000000000000000
[ 337.241327] x2 : ffff800080e39d20 x1 : ffff800080e3fc48 x0 : 0000000000000000
[ 337.241333] Kernel panic - not syncing: Asynchronous SError Interrupt
[ 337.241337] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G M 6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT
[ 337.241342] Tainted: [M]=MACHINE_CHECK
[ 337.241343] Hardware name: Texas Instruments AM68 SK (DT)
[ 337.241345] Call trace:
[ 337.241348] show_stack+0x18/0x24 (C)
[ 337.241357] dump_stack_lvl+0x60/0x80
[ 337.241364] dump_stack+0x18/0x24
[ 337.241368] vpanic+0x124/0x2ec
[ 337.241373] abort+0x0/0x4
[ 337.241377] add_taint+0x0/0xbc
[ 337.241384] arm64_serror_panic+0x70/0x80
[ 337.241389] do_serror+0x3c/0x74
[ 337.241392] el1h_64_error_handler+0x30/0x48
[ 337.241400] el1h_64_error+0x6c/0x70
[ 337.241404] pvr_riscv_irq_pending+0xc/0x24 (P)
[ 337.241410] irq_thread_fn+0x2c/0xb0
[ 337.241416] irq_thread+0x170/0x334
[ 337.241421] kthread+0x12c/0x210
[ 337.241428] ret_from_fork+0x10/0x20
[ 337.241434] SMP: stopping secondary CPUs
[ 337.241451] Kernel Offset: disabled
[ 337.241453] CPU features: 0x040000,02002800,20002001,0400421b
[ 337.241456] Memory Limit: none
[ 337.457921] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cc1aeedb98ad347c06ff59e991b2f94dfb4c565d , < 50257450196e4bba11c562117847ea409660a7de (git) |
| Linux | Linux | Affected: cc1aeedb98ad347c06ff59e991b2f94dfb4c565d , < 772f3653eef50ea7cf721b05d8e275f93bc460f3 (git) |
| Linux | Linux | Affected: cc1aeedb98ad347c06ff59e991b2f94dfb4c565d , < 8e0c15e426a056b9fb604cf87a1dfdec4d61e407 (git) |
| Linux | Linux | Affected: cc1aeedb98ad347c06ff59e991b2f94dfb4c565d , < 2d7f05cddf4c268cc36256a2476946041dbdd36d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imagination/pvr_device.c",
"drivers/gpu/drm/imagination/pvr_power.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50257450196e4bba11c562117847ea409660a7de",
"status": "affected",
"version": "cc1aeedb98ad347c06ff59e991b2f94dfb4c565d",
"versionType": "git"
},
{
"lessThan": "772f3653eef50ea7cf721b05d8e275f93bc460f3",
"status": "affected",
"version": "cc1aeedb98ad347c06ff59e991b2f94dfb4c565d",
"versionType": "git"
},
{
"lessThan": "8e0c15e426a056b9fb604cf87a1dfdec4d61e407",
"status": "affected",
"version": "cc1aeedb98ad347c06ff59e991b2f94dfb4c565d",
"versionType": "git"
},
{
"lessThan": "2d7f05cddf4c268cc36256a2476946041dbdd36d",
"status": "affected",
"version": "cc1aeedb98ad347c06ff59e991b2f94dfb4c565d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imagination/pvr_device.c",
"drivers/gpu/drm/imagination/pvr_power.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: Synchronize interrupts before suspending the GPU\n\nThe runtime PM suspend callback doesn\u0027t know whether the IRQ handler is\nin progress on a different CPU core and doesn\u0027t wait for it to finish.\n\nDepending on timing, the IRQ handler could be running while the GPU is\nsuspended, leading to kernel crashes when trying to access GPU\nregisters. See example signature below.\n\nIn a power off sequence initiated by the runtime PM suspend callback,\nwait for any IRQ handlers in progress on other CPU cores to finish, by\ncalling synchronize_irq().\n\nAt the same time, remove the runtime PM resume/put calls in the threaded\nIRQ handler. On top of not being the right approach to begin with, and\nbeing at the wrong place as they should have wrapped all GPU register\naccesses, the driver would hit a deadlock between synchronize_irq()\nbeing called from a runtime PM suspend callback, holding the device\npower lock, and the resume callback requiring the same.\n\nExample crash signature on a TI AM68 SK platform:\n\n [ 337.241218] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError\n [ 337.241239] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G M 6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT\n [ 337.241246] Tainted: [M]=MACHINE_CHECK\n [ 337.241249] Hardware name: Texas Instruments AM68 SK (DT)\n [ 337.241252] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [ 337.241256] pc : pvr_riscv_irq_pending+0xc/0x24\n [ 337.241277] lr : pvr_device_irq_thread_handler+0x64/0x310\n [ 337.241282] sp : ffff800085b0bd30\n [ 337.241284] x29: ffff800085b0bd50 x28: ffff0008070d9eab x27: ffff800083a5ce10\n [ 337.241291] x26: ffff000806e48f80 x25: ffff0008070d9eac x24: 0000000000000000\n [ 337.241296] x23: ffff0008068e9bf0 x22: ffff0008068e9bd0 x21: ffff800085b0bd30\n [ 337.241301] x20: ffff0008070d9e00 x19: ffff0008068e9000 x18: 0000000000000001\n [ 337.241305] x17: 
637365645f656c70 x16: 0000000000000000 x15: ffff000b7df9ff40\n [ 337.241310] x14: 0000a585fe3c0d0e x13: 000000999704f060 x12: 000000000002771a\n [ 337.241314] x11: 00000000000000c0 x10: 0000000000000af0 x9 : ffff800085b0bd00\n [ 337.241318] x8 : ffff0008071175d0 x7 : 000000000000b955 x6 : 0000000000000003\n [ 337.241323] x5 : 0000000000000000 x4 : 0000000000000002 x3 : 0000000000000000\n [ 337.241327] x2 : ffff800080e39d20 x1 : ffff800080e3fc48 x0 : 0000000000000000\n [ 337.241333] Kernel panic - not syncing: Asynchronous SError Interrupt\n [ 337.241337] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G M 6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT\n [ 337.241342] Tainted: [M]=MACHINE_CHECK\n [ 337.241343] Hardware name: Texas Instruments AM68 SK (DT)\n [ 337.241345] Call trace:\n [ 337.241348] show_stack+0x18/0x24 (C)\n [ 337.241357] dump_stack_lvl+0x60/0x80\n [ 337.241364] dump_stack+0x18/0x24\n [ 337.241368] vpanic+0x124/0x2ec\n [ 337.241373] abort+0x0/0x4\n [ 337.241377] add_taint+0x0/0xbc\n [ 337.241384] arm64_serror_panic+0x70/0x80\n [ 337.241389] do_serror+0x3c/0x74\n [ 337.241392] el1h_64_error_handler+0x30/0x48\n [ 337.241400] el1h_64_error+0x6c/0x70\n [ 337.241404] pvr_riscv_irq_pending+0xc/0x24 (P)\n [ 337.241410] irq_thread_fn+0x2c/0xb0\n [ 337.241416] irq_thread+0x170/0x334\n [ 337.241421] kthread+0x12c/0x210\n [ 337.241428] ret_from_fork+0x10/0x20\n [ 337.241434] SMP: stopping secondary CPUs\n [ 337.241451] Kernel Offset: disabled\n [ 337.241453] CPU features: 0x040000,02002800,20002001,0400421b\n [ 337.241456] Memory Limit: none\n [ 337.457921] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:19.052Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50257450196e4bba11c562117847ea409660a7de"
},
{
"url": "https://git.kernel.org/stable/c/772f3653eef50ea7cf721b05d8e275f93bc460f3"
},
{
"url": "https://git.kernel.org/stable/c/8e0c15e426a056b9fb604cf87a1dfdec4d61e407"
},
{
"url": "https://git.kernel.org/stable/c/2d7f05cddf4c268cc36256a2476946041dbdd36d"
}
],
"title": "drm/imagination: Synchronize interrupts before suspending the GPU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23469",
"datePublished": "2026-04-03T15:15:48.599Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-06-01T16:11:19.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46170 (GCVE-0-2026-46170)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-14 17:59
Title
mptcp: pm: ADD_ADDR rtx: free sk if last
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: ADD_ADDR rtx: free sk if last
When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(),
and released at the end.
If at that moment, it was the last reference being held, the sk would
not be freed. sock_put() should then be called instead of __sock_put().
But that's not enough: if it is the last reference, sock_put() will call
sk_free(), which will end up calling sk_stop_timer_sync() on the same
timer, and waiting indefinitely to finish. So it is needed to mark that
the timer is done at the end of the timer handler when it has not been
rescheduled, not to call sk_stop_timer_sync() on "itself".
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 6a3af482188f6db4186d1605f64d911d7330abb3 (git) |
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 531c537b8fb620beabccfb1594e8d43cbebbb87a (git) |
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < b74ad20198652b6b39a761c277ba65ae82b1e107 (git) |
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 8143a224785ceaf2b0856e08d4498916f38228fb (git) |
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < b7b9a461569734d33d3259d58d2507adfac107ed (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a3af482188f6db4186d1605f64d911d7330abb3",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "531c537b8fb620beabccfb1594e8d43cbebbb87a",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "b74ad20198652b6b39a761c277ba65ae82b1e107",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "8143a224785ceaf2b0856e08d4498916f38228fb",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "b7b9a461569734d33d3259d58d2507adfac107ed",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: ADD_ADDR rtx: free sk if last\n\nWhen an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(),\nand released at the end.\n\nIf at that moment, it was the last reference being held, the sk would\nnot be freed. sock_put() should then be called instead of __sock_put().\n\nBut that\u0027s not enough: if it is the last reference, sock_put() will call\nsk_free(), which will end up calling sk_stop_timer_sync() on the same\ntimer, and waiting indefinitely to finish. So it is needed to mark that\nthe timer is done at the end of the timer handler when it has not been\nrescheduled, not to call sk_stop_timer_sync() on \"itself\"."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:59:51.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a3af482188f6db4186d1605f64d911d7330abb3"
},
{
"url": "https://git.kernel.org/stable/c/531c537b8fb620beabccfb1594e8d43cbebbb87a"
},
{
"url": "https://git.kernel.org/stable/c/b74ad20198652b6b39a761c277ba65ae82b1e107"
},
{
"url": "https://git.kernel.org/stable/c/8143a224785ceaf2b0856e08d4498916f38228fb"
},
{
"url": "https://git.kernel.org/stable/c/b7b9a461569734d33d3259d58d2507adfac107ed"
}
],
"title": "mptcp: pm: ADD_ADDR rtx: free sk if last",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46170",
"datePublished": "2026-05-28T09:36:25.184Z",
"dateReserved": "2026-05-13T15:03:33.103Z",
"dateUpdated": "2026-06-14T17:59:51.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46323 (GCVE-0-2026-46323)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-30 12:10
Title
net: gro: don't merge zcopy skbs
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gro: don't merge zcopy skbs
skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.
When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.
When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.
Severity
7.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d (git) |
| Linux | Linux | Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 1f9c828556416fbe3f49386708ce999fc4d4da06 (git) |
| Linux | Linux | Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 479084ae0e1d9cb7929cb4298d35623de189f80a (git) |
| Linux | Linux | Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < e334cbf3388fd9334503a778a82d9e9f14dd2f71 (git) |
| Linux | Linux | Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 44bea2032af0425e4ce6d26a8af0ede79db49ec1 (git) |
| Linux | Linux | Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 4db79a322db8c97f7b73b8a347395ef4d685eb40 (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux for NVIDIA 26",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Generic Receive Offload (GRO) networking subsystem. This vulnerability occurs when `skb_gro_receive()` attempts to merge zerocopy socket buffers (skbs) without properly managing page reference counts, specifically when the `SKBFL_MANAGED_FRAG_REFS` flag is set. An attacker could potentially exploit this to trigger a Use-After-Free (UAF) condition, which is a memory corruption vulnerability that can lead to system instability or potentially arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:06.631Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46323"
},
{
"name": "RHBZ#2479832",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479832"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46323.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T11:49:44.372Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-19T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "1f9c828556416fbe3f49386708ce999fc4d4da06",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "479084ae0e1d9cb7929cb4298d35623de189f80a",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "e334cbf3388fd9334503a778a82d9e9f14dd2f71",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "44bea2032af0425e4ce6d26a8af0ede79db49ec1",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "4db79a322db8c97f7b73b8a347395ef4d685eb40",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: don\u0027t merge zcopy skbs\n\nskb_gro_receive() can currently copy frags between the source and GRO\nskb, without checking the zerocopy status, and in particular the\nSKBFL_MANAGED_FRAG_REFS flag.\n\nWhen SKBFL_MANAGED_FRAG_REFS is set, the skb doesn\u0027t hold a reference\non the pages in shinfo-\u003efrags. Appending those frags to another skb\u0027s\nfrags without fixing up the page refcount can lead to UAF.\n\nWhen either the last skb in the GRO chain (the one we would append\nfrags to) or the source skb is zerocopy, don\u0027t merge the skbs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:26.362Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d"
},
{
"url": "https://git.kernel.org/stable/c/1f9c828556416fbe3f49386708ce999fc4d4da06"
},
{
"url": "https://git.kernel.org/stable/c/479084ae0e1d9cb7929cb4298d35623de189f80a"
},
{
"url": "https://git.kernel.org/stable/c/e334cbf3388fd9334503a778a82d9e9f14dd2f71"
},
{
"url": "https://git.kernel.org/stable/c/44bea2032af0425e4ce6d26a8af0ede79db49ec1"
},
{
"url": "https://git.kernel.org/stable/c/4db79a322db8c97f7b73b8a347395ef4d685eb40"
}
],
"title": "net: gro: don\u0027t merge zcopy skbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46323",
"datePublished": "2026-06-09T12:11:15.562Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-30T12:10:06.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68251 (GCVE-0-2025-68251)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:32 – Updated: 2026-05-23 16:02
Title
erofs: avoid infinite loops due to corrupted subpage compact indexes
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: avoid infinite loops due to corrupted subpage compact indexes
Robert reported an infinite loop observed by two crafted images.
The root cause is that `clusterofs` can be larger than `lclustersize`
for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.:
blocksize = lclustersize = 512 lcn = 6 clusterofs = 515
Move the corresponding check for full compress indexes to
`z_erofs_load_lcluster_from_disk()` to also cover subpage compact
compress indexes.
It also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX`
check, since it should be placed right after
`z_erofs_load_{compact,full}_lcluster()`.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8d2517aaeea3ab8651bb517bca8f3c8664d318ea , < dbfac1b85d0753996ddfef636934d431b588dd1f (git) |
| Linux | Linux | Affected: 8d2517aaeea3ab8651bb517bca8f3c8664d318ea , < 8675447a8794983f2b7e694b378112772c17635e (git) |
| Linux | Linux | Affected: 8d2517aaeea3ab8651bb517bca8f3c8664d318ea , < e13d315ae077bb7c3c6027cc292401bc0f4ec683 (git) |
| Linux | Linux | Affected: 3f691aa676f29586e83e6c032713554a290418c3 (git) |
| Linux | Linux | Affected: 22438a34d383ec2789eaf450728e38abc53051f8 (git) |
| Linux | Linux | Affected: 6.6.16 , < 6.7 (semver) |
| Linux | Linux | Affected: 6.7.4 , < 6.8 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbfac1b85d0753996ddfef636934d431b588dd1f",
"status": "affected",
"version": "8d2517aaeea3ab8651bb517bca8f3c8664d318ea",
"versionType": "git"
},
{
"lessThan": "8675447a8794983f2b7e694b378112772c17635e",
"status": "affected",
"version": "8d2517aaeea3ab8651bb517bca8f3c8664d318ea",
"versionType": "git"
},
{
"lessThan": "e13d315ae077bb7c3c6027cc292401bc0f4ec683",
"status": "affected",
"version": "8d2517aaeea3ab8651bb517bca8f3c8664d318ea",
"versionType": "git"
},
{
"status": "affected",
"version": "3f691aa676f29586e83e6c032713554a290418c3",
"versionType": "git"
},
{
"status": "affected",
"version": "22438a34d383ec2789eaf450728e38abc53051f8",
"versionType": "git"
},
{
"lessThan": "6.7",
"status": "affected",
"version": "6.6.16",
"versionType": "semver"
},
{
"lessThan": "6.8",
"status": "affected",
"version": "6.7.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: avoid infinite loops due to corrupted subpage compact indexes\n\nRobert reported an infinite loop observed by two crafted images.\n\nThe root cause is that `clusterofs` can be larger than `lclustersize`\nfor !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.:\n\n blocksize = lclustersize = 512 lcn = 6 clusterofs = 515\n\nMove the corresponding check for full compress indexes to\n`z_erofs_load_lcluster_from_disk()` to also cover subpage compact\ncompress indexes.\n\nIt also fixes the position of `m-\u003etype \u003e= Z_EROFS_LCLUSTER_TYPE_MAX`\ncheck, since it should be placed right after\n`z_erofs_load_{compact,full}_lcluster()`."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:29.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbfac1b85d0753996ddfef636934d431b588dd1f"
},
{
"url": "https://git.kernel.org/stable/c/8675447a8794983f2b7e694b378112772c17635e"
},
{
"url": "https://git.kernel.org/stable/c/e13d315ae077bb7c3c6027cc292401bc0f4ec683"
}
],
"title": "erofs: avoid infinite loops due to corrupted subpage compact indexes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68251",
"datePublished": "2025-12-16T14:32:17.979Z",
"dateReserved": "2025-12-16T13:41:40.266Z",
"dateUpdated": "2026-05-23T16:02:29.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52911 (GCVE-0-2026-52911)
Vulnerability from cvelistv5 – Published: 2026-06-21 06:18 – Updated: 2026-06-28 06:36
Title
ksmbd: scope conn->binding slowpath to bound sessions only
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: scope conn->binding slowpath to bound sessions only
When the binding SESSION_SETUP sets conn->binding = true, the flag stays
set after the call so that the global session lookup in
ksmbd_session_lookup_all() can find the session, which was not added to
conn->sessions. Because the flag is connection-wide, the global lookup
path will also resolve any other session by id if asked.
Tighten the global lookup so that the returned session must have this
connection registered in its channel xarray (sess->ksmbd_chann_list).
The channel entry is installed by the existing binding_session path in
ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes
successfully, so this condition is a strict equivalent of "this
connection has been accepted as a channel of this session". Connections
that have not bound to a given session cannot reach it via the global
table.
The existing conn->binding gate for entering the slowpath is preserved
so that non-binding connections keep the fast-path-only behavior, and
the session->state check is unchanged.
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < e74c00c6af428a39e564cdc5bd3a3648c6d8de87 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 1ff46c9915c1cbf454db58a8cb87f7cac818e6a6 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 974c1c224e85549dc3459f3bb2255bbbdd2b9372 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 2cc8a4db633b10715450b291c1343859a4b2c509 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 1e2bec062c5c9ec282636715166056d0998d746d (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < b0da97c034b6107d14e537e212d4ce8b22109a58 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e74c00c6af428a39e564cdc5bd3a3648c6d8de87",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "1ff46c9915c1cbf454db58a8cb87f7cac818e6a6",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "974c1c224e85549dc3459f3bb2255bbbdd2b9372",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "2cc8a4db633b10715450b291c1343859a4b2c509",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "1e2bec062c5c9ec282636715166056d0998d746d",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "b0da97c034b6107d14e537e212d4ce8b22109a58",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: scope conn-\u003ebinding slowpath to bound sessions only\n\nWhen the binding SESSION_SETUP sets conn-\u003ebinding = true, the flag stays\nset after the call so that the global session lookup in\nksmbd_session_lookup_all() can find the session, which was not added to\nconn-\u003esessions. Because the flag is connection-wide, the global lookup\npath will also resolve any other session by id if asked.\n\nTighten the global lookup so that the returned session must have this\nconnection registered in its channel xarray (sess-\u003eksmbd_chann_list).\nThe channel entry is installed by the existing binding_session path in\nntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes\nsuccessfully, so this condition is a strict equivalent of \"this\nconnection has been accepted as a channel of this session\". Connections\nthat have not bound to a given session cannot reach it via the global\ntable.\n\nThe existing conn-\u003ebinding gate for entering the slowpath is preserved\nso that non-binding connections keep the fast-path-only behavior, and\nthe session-\u003estate check is unchanged."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:29.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e74c00c6af428a39e564cdc5bd3a3648c6d8de87"
},
{
"url": "https://git.kernel.org/stable/c/e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a"
},
{
"url": "https://git.kernel.org/stable/c/1ff46c9915c1cbf454db58a8cb87f7cac818e6a6"
},
{
"url": "https://git.kernel.org/stable/c/974c1c224e85549dc3459f3bb2255bbbdd2b9372"
},
{
"url": "https://git.kernel.org/stable/c/2cc8a4db633b10715450b291c1343859a4b2c509"
},
{
"url": "https://git.kernel.org/stable/c/1e2bec062c5c9ec282636715166056d0998d746d"
},
{
"url": "https://git.kernel.org/stable/c/b0da97c034b6107d14e537e212d4ce8b22109a58"
}
],
"title": "ksmbd: scope conn-\u003ebinding slowpath to bound sessions only",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52911",
"datePublished": "2026-06-21T06:18:49.342Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-28T06:36:29.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46203 (GCVE-0-2026-46203)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-06-19 12:00
Title
spi: cadence-quadspi: fix unclocked access on unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: cadence-quadspi: fix unclocked access on unbind
Make sure that the controller is runtime resumed before disabling it
during driver unbind to avoid an unclocked register access.
This issue was flagged by Sashiko when reviewing a controller
deregistration fix.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0578a6dbfe7514db7134501cf93acc21cf13e479 , < 2e7cd62c37f51823c2bb79de1d4d76d0c1678c7e (git) |
| Linux | Linux | Affected: 0578a6dbfe7514db7134501cf93acc21cf13e479 , < 63a9f6012f453578898c9fcc13c8452a8651104e (git) |
| Linux | Linux | Affected: 0578a6dbfe7514db7134501cf93acc21cf13e479 , < d67a5311818b3e6481a1e4293c9337ebfee73111 (git) |
| Linux | Linux | Affected: 0578a6dbfe7514db7134501cf93acc21cf13e479 , < 233db2cb14db8b1935dda52a6affd97276462b82 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-cadence-quadspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e7cd62c37f51823c2bb79de1d4d76d0c1678c7e",
"status": "affected",
"version": "0578a6dbfe7514db7134501cf93acc21cf13e479",
"versionType": "git"
},
{
"lessThan": "63a9f6012f453578898c9fcc13c8452a8651104e",
"status": "affected",
"version": "0578a6dbfe7514db7134501cf93acc21cf13e479",
"versionType": "git"
},
{
"lessThan": "d67a5311818b3e6481a1e4293c9337ebfee73111",
"status": "affected",
"version": "0578a6dbfe7514db7134501cf93acc21cf13e479",
"versionType": "git"
},
{
"lessThan": "233db2cb14db8b1935dda52a6affd97276462b82",
"status": "affected",
"version": "0578a6dbfe7514db7134501cf93acc21cf13e479",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-cadence-quadspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: fix unclocked access on unbind\n\nMake sure that the controller is runtime resumed before disabling it\nduring driver unbind to avoid an unclocked register access.\n\nThis issue was flagged by Sashiko when reviewing a controller\nderegistration fix."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:01.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e7cd62c37f51823c2bb79de1d4d76d0c1678c7e"
},
{
"url": "https://git.kernel.org/stable/c/63a9f6012f453578898c9fcc13c8452a8651104e"
},
{
"url": "https://git.kernel.org/stable/c/d67a5311818b3e6481a1e4293c9337ebfee73111"
},
{
"url": "https://git.kernel.org/stable/c/233db2cb14db8b1935dda52a6affd97276462b82"
}
],
"title": "spi: cadence-quadspi: fix unclocked access on unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46203",
"datePublished": "2026-05-28T09:40:20.631Z",
"dateReserved": "2026-05-13T15:03:33.104Z",
"dateUpdated": "2026-06-19T12:00:01.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45839 (GCVE-0-2026-45839)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
Summary
In the Linux kernel, the following vulnerability has been resolved:

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

CO-RE accessor strings are colon-separated indices that describe a path
from a root BTF type to a target field, e.g. "0:1:2" walks through
nested struct members. bpf_core_parse_spec() parses each component with
sscanf("%d"), so negative values like -1 are silently accepted. The
subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the
upper bound and always pass for negative values because C integer
promotion converts the __u16 btf_vlen result to int, making the
comparison (int)(-1) >= (int)(N) false for any positive N.

When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,
producing an out-of-bounds read far past the members array. A crafted
BPF program with a negative CO-RE accessor on any struct that exists in
vmlinux BTF (e.g. task_struct) crashes the kernel deterministically
during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y
(default on major distributions). The bug is reachable with CAP_BPF:

```
BUG: unable to handle page fault for address: ffffed11818b6626
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
RAX: 00000000ffffffff
Call Trace:
<TASK>
bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
bpf_core_apply (kernel/bpf/btf.c:9507)
check_core_relo (kernel/bpf/verifier.c:19475)
bpf_check (kernel/bpf/verifier.c:26031)
bpf_prog_load (kernel/bpf/syscall.c:3089)
__sys_bpf (kernel/bpf/syscall.c:6228)
</TASK>
```

CO-RE accessor indices are inherently non-negative (struct member index,
array element index, or enumerator index), so reject them immediately
after parsing.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < a9e777f856cd2f1efc106afc7bf21aef868509d5 (git) |
| Linux | Linux | Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 669349b4612c26b3d7aacfa99d7174681bd19223 (git) |
| Linux | Linux | Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 3ff85ae79e1a74baeb916b78a63d821f6d19a994 (git) |
| Linux | Linux | Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a (git) |
| Linux | Linux | Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 76f2ebaf79a9ae6d0737b87f045fe769e425d78f (git) |
| Linux | Linux | Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2 (git) |
| Linux | Linux | Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 1c22483a2c4bbf747787f328392ca3e68619c4dc (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"tools/lib/bpf/relo_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9e777f856cd2f1efc106afc7bf21aef868509d5",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "669349b4612c26b3d7aacfa99d7174681bd19223",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "3ff85ae79e1a74baeb916b78a63d821f6d19a994",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "76f2ebaf79a9ae6d0737b87f045fe769e425d78f",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "1c22483a2c4bbf747787f328392ca3e68619c4dc",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"tools/lib/bpf/relo_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()\n\nCO-RE accessor strings are colon-separated indices that describe a path\nfrom a root BTF type to a target field, e.g. \"0:1:2\" walks through\nnested struct members. bpf_core_parse_spec() parses each component with\nsscanf(\"%d\"), so negative values like -1 are silently accepted. The\nsubsequent bounds checks (access_idx \u003e= btf_vlen(t)) only guard the\nupper bound and always pass for negative values because C integer\npromotion converts the __u16 btf_vlen result to int, making the\ncomparison (int)(-1) \u003e= (int)(N) false for any positive N.\n\nWhen -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,\nproducing an out-of-bounds read far past the members array. A crafted\nBPF program with a negative CO-RE accessor on any struct that exists in\nvmlinux BTF (e.g. task_struct) crashes the kernel deterministically\nduring BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y\n(default on major distributions). The bug is reachable with CAP_BPF:\n\n BUG: unable to handle page fault for address: ffffed11818b6626\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)\n RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)\n RAX: 00000000ffffffff\n Call Trace:\n \u003cTASK\u003e\n bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)\n bpf_core_apply (kernel/bpf/btf.c:9507)\n check_core_relo (kernel/bpf/verifier.c:19475)\n bpf_check (kernel/bpf/verifier.c:26031)\n bpf_prog_load (kernel/bpf/syscall.c:3089)\n __sys_bpf (kernel/bpf/syscall.c:6228)\n \u003c/TASK\u003e\n\nCO-RE accessor indices are inherently non-negative (struct member index,\narray element index, or enumerator index), so reject them immediately\nafter parsing."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:08.677Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9e777f856cd2f1efc106afc7bf21aef868509d5"
},
{
"url": "https://git.kernel.org/stable/c/669349b4612c26b3d7aacfa99d7174681bd19223"
},
{
"url": "https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994"
},
{
"url": "https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a"
},
{
"url": "https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f"
},
{
"url": "https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2"
},
{
"url": "https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc"
}
],
"title": "bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45839",
"datePublished": "2026-05-27T09:24:37.855Z",
"dateReserved": "2026-05-13T15:03:33.077Z",
"dateUpdated": "2026-06-14T17:46:08.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52908 (GCVE-0-2026-52908)
Vulnerability from cvelistv5 – Published: 2026-06-19 14:00 – Updated: 2026-06-28 06:36
Title
RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be
re-evaluated to ensure it is properly pinned as RW. Since the umem is
hidden inside each driver's mr struct add a ib_umem_check_rereg() function
that each driver has to call before processing IB_MR_REREG_ACCESS.
mlx4 has to retain its duplicate ib_access_writable check because it
implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items
in place sequentially while the MR is live, so it will continue to not
support this combination.
Severity ?
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < 09dc18894148381d3bfc550083b1236043870dce (git) |
| Linux | Linux | Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < eba5df21eda0fe7418efbea2f799f8ea1b8ca94c (git) |
| Linux | Linux | Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < 2904e985a2917b5dac65df82733065e78a65fc9d (git) |
| Linux | Linux | Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < 50334a05a950840b39a1ce3d2a173b4183db9b3e (git) |
| Linux | Linux | Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < badad6fad60def1b9805559dd81dbab3d97b82aa (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/umem.c",
"drivers/infiniband/hw/hns/hns_roce_mr.c",
"drivers/infiniband/hw/irdma/verbs.c",
"drivers/infiniband/hw/mlx4/mr.c",
"drivers/infiniband/hw/mlx5/mr.c",
"drivers/infiniband/sw/rxe/rxe_verbs.c",
"include/rdma/ib_umem.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "09dc18894148381d3bfc550083b1236043870dce",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
},
{
"lessThan": "eba5df21eda0fe7418efbea2f799f8ea1b8ca94c",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
},
{
"lessThan": "2904e985a2917b5dac65df82733065e78a65fc9d",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
},
{
"lessThan": "50334a05a950840b39a1ce3d2a173b4183db9b3e",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
},
{
"lessThan": "badad6fad60def1b9805559dd81dbab3d97b82aa",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/umem.c",
"drivers/infiniband/hw/hns/hns_roce_mr.c",
"drivers/infiniband/hw/irdma/verbs.c",
"drivers/infiniband/hw/mlx4/mr.c",
"drivers/infiniband/hw/mlx5/mr.c",
"drivers/infiniband/sw/rxe/rxe_verbs.c",
"include/rdma/ib_umem.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: During rereg_mr ensure that REREG_ACCESS is compatible\n\nIf IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be\nre-evaluated to ensure it is properly pinned as RW. Since the umem is\nhidden inside each driver\u0027s mr struct add a ib_umem_check_rereg() function\nthat each driver has to call before processing IB_MR_REREG_ACCESS.\n\nmlx4 has to retain its duplicate ib_access_writable check because it\nimplements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items\nin place sequentially while the MR is live, so it will continue to not\nsupport this combination."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:24.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/09dc18894148381d3bfc550083b1236043870dce"
},
{
"url": "https://git.kernel.org/stable/c/eba5df21eda0fe7418efbea2f799f8ea1b8ca94c"
},
{
"url": "https://git.kernel.org/stable/c/2904e985a2917b5dac65df82733065e78a65fc9d"
},
{
"url": "https://git.kernel.org/stable/c/50334a05a950840b39a1ce3d2a173b4183db9b3e"
},
{
"url": "https://git.kernel.org/stable/c/badad6fad60def1b9805559dd81dbab3d97b82aa"
}
],
"title": "RDMA: During rereg_mr ensure that REREG_ACCESS is compatible",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52908",
"datePublished": "2026-06-19T14:00:35.971Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-28T06:36:24.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45841 (GCVE-0-2026-45841)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO

nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.

Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".

Crash:

```
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
<IRQ>
nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
nf_hook_slow (net/netfilter/core.c:622)
ip_local_deliver (net/ipv4/ip_input.c:265)
ip_rcv (include/linux/skbuff.h:1162)
__netif_receive_skb_one_core (net/core/dev.c:6181)
process_backlog (net/core/dev.c:6642)
__napi_poll (net/core/dev.c:7710)
net_rx_action (net/core/dev.c:7945)
handle_softirqs (kernel/softirq.c:622)
```
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < cb833bbc1b3c51e08652d3c86298307c07d3f2db (git) |
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 26900306a5a2c3e4f75c643a064525526bb6e5f3 (git) |
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 0694618cf3e9b120666e31f5f383a6e466d95a0d (git) |
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 8def8fbd23f40e945febe913d04b731012ce0082 (git) |
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < c55940895245d8ef658ab381248a28755218d625 (git) |
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f (git) |
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 9a05e195618a6d474f2bcd5b6376d0ffc2f00366 (git) |
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 2195574dc6d9017d32ac346987e12659f931d932 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_osf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb833bbc1b3c51e08652d3c86298307c07d3f2db",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "26900306a5a2c3e4f75c643a064525526bb6e5f3",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "0694618cf3e9b120666e31f5f383a6e466d95a0d",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "8def8fbd23f40e945febe913d04b731012ce0082",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "c55940895245d8ef658ab381248a28755218d625",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "9a05e195618a6d474f2bcd5b6376d0ffc2f00366",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "2195574dc6d9017d32ac346987e12659f931d932",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_osf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO\n\nnf_osf_match_one() computes ctx-\u003ewindow % f-\u003ewss.val in the\nOSF_WSS_MODULO branch with no guard for f-\u003ewss.val == 0. A\nCAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a\nsubsequent matching TCP SYN divides by zero and panics the kernel.\n\nReject the bogus fingerprint in nfnl_osf_add_callback() above the\nper-option for-loop. f-\u003ewss is per-fingerprint, not per-option, so\nthe check must run regardless of f-\u003eopt_num (including 0). Also\nreject wss.wc \u003e= OSF_WSS_MAX; nf_osf_match_one() already treats that\nas \"should not happen\".\n\nCrash:\n Oops: divide error: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n \u003cIRQ\u003e\n nf_osf_match (net/netfilter/nfnetlink_osf.c:220)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)\n nf_hook_slow (net/netfilter/core.c:622)\n ip_local_deliver (net/ipv4/ip_input.c:265)\n ip_rcv (include/linux/skbuff.h:1162)\n __netif_receive_skb_one_core (net/core/dev.c:6181)\n process_backlog (net/core/dev.c:6642)\n __napi_poll (net/core/dev.c:7710)\n net_rx_action (net/core/dev.c:7945)\n handle_softirqs (kernel/softirq.c:622)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:14.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb833bbc1b3c51e08652d3c86298307c07d3f2db"
},
{
"url": "https://git.kernel.org/stable/c/26900306a5a2c3e4f75c643a064525526bb6e5f3"
},
{
"url": "https://git.kernel.org/stable/c/0694618cf3e9b120666e31f5f383a6e466d95a0d"
},
{
"url": "https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082"
},
{
"url": "https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625"
},
{
"url": "https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f"
},
{
"url": "https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366"
},
{
"url": "https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932"
}
],
"title": "netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45841",
"datePublished": "2026-05-27T09:24:40.805Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:14.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22069 (GCVE-0-2025-22069)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-06-01 16:05
Title
riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler
Naresh Kamboju reported a "Bad frame pointer" kernel warning while
running LTP trace ftrace_stress_test.sh in riscv. We can reproduce the
same issue with the following command:
```
$ cd /sys/kernel/debug/tracing
$ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events
$ echo 1 > events/fprobes/enable
$ echo 1 > tracing_on
$ sleep 1
```
And we can get the following kernel warning:
[ 127.692888] ------------[ cut here ]------------
[ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000
[ 127.693755] from func do_nanosleep return to ffffffff800ccb16
[ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be
[ 127.699894] Modules linked in:
[ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32
[ 127.701453] Hardware name: riscv-virtio,qemu (DT)
[ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be
[ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be
[ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10
[ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000
[ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80
[ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20
[ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000
[ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038
[ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0
[ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068
[ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001
[ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e
[ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18
[ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
[ 127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be
[ 127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26
[ 127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26
[ 127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54
[ 127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a
[ 127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218
[ 127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156
[ 127.705436] ---[ end trace 0000000000000000 ]---
The reason is that the stack layout for constructing argument for the
ftrace_return_to_handler in the return_to_handler does not match the
__arch_ftrace_regs structure of riscv, leading to unexpected results.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 33d4e904e24d14ff0fbc528b657ddc7c7b636e6a , < 7ed384db061a264bd806898f7ccab9b98b591488 (git) |
| Linux | Linux | Affected: a3ed4157b7d89800a0008de0c9e46a438a5c3745 , < 78b39c587b8f6c69140177108f9c08a75b1c7c37 (git) |
| Linux | Linux | Affected: a3ed4157b7d89800a0008de0c9e46a438a5c3745 , < 67a5ba8f742f247bc83e46dd2313c142b1383276 (git) |
| Linux | Linux | Affected: 6.12.75 , < 6.12.92 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/mcount.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ed384db061a264bd806898f7ccab9b98b591488",
"status": "affected",
"version": "33d4e904e24d14ff0fbc528b657ddc7c7b636e6a",
"versionType": "git"
},
{
"lessThan": "78b39c587b8f6c69140177108f9c08a75b1c7c37",
"status": "affected",
"version": "a3ed4157b7d89800a0008de0c9e46a438a5c3745",
"versionType": "git"
},
{
"lessThan": "67a5ba8f742f247bc83e46dd2313c142b1383276",
"status": "affected",
"version": "a3ed4157b7d89800a0008de0c9e46a438a5c3745",
"versionType": "git"
},
{
"lessThan": "6.12.92",
"status": "affected",
"version": "6.12.75",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/mcount.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.12.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler\n\nNaresh Kamboju reported a \"Bad frame pointer\" kernel warning while\nrunning LTP trace ftrace_stress_test.sh in riscv. We can reproduce the\nsame issue with the following command:\n\n```\n$ cd /sys/kernel/debug/tracing\n$ echo \u0027f:myprobe do_nanosleep%return args1=$retval\u0027 \u003e dynamic_events\n$ echo 1 \u003e events/fprobes/enable\n$ echo 1 \u003e tracing_on\n$ sleep 1\n```\n\nAnd we can get the following kernel warning:\n\n[ 127.692888] ------------[ cut here ]------------\n[ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000\n[ 127.693755] from func do_nanosleep return to ffffffff800ccb16\n[ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be\n[ 127.699894] Modules linked in:\n[ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32\n[ 127.701453] Hardware name: riscv-virtio,qemu (DT)\n[ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be\n[ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be\n[ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10\n[ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000\n[ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80\n[ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20\n[ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000\n[ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038\n[ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0\n[ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068\n[ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001\n[ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e\n[ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18\n[ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003\n[ 127.703292] [\u003cffffffff8013b5e0\u003e] ftrace_return_to_handler+0x1b2/0x1be\n[ 127.703760] [\u003cffffffff80017bce\u003e] return_to_handler+0x16/0x26\n[ 127.704009] [\u003cffffffff80017bb8\u003e] return_to_handler+0x0/0x26\n[ 127.704057] [\u003cffffffff800d3352\u003e] common_nsleep+0x42/0x54\n[ 127.704117] [\u003cffffffff800d44a2\u003e] __riscv_sys_clock_nanosleep+0xba/0x10a\n[ 127.704176] [\u003cffffffff80901c56\u003e] do_trap_ecall_u+0x188/0x218\n[ 127.704295] [\u003cffffffff8090cc3e\u003e] handle_exception+0x14a/0x156\n[ 127.705436] ---[ end trace 0000000000000000 ]---\n\nThe reason is that the stack layout for constructing argument for the\nftrace_return_to_handler in the return_to_handler does not match the\n__arch_ftrace_regs structure of riscv, leading to unexpected results."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:05:09.341Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ed384db061a264bd806898f7ccab9b98b591488"
},
{
"url": "https://git.kernel.org/stable/c/78b39c587b8f6c69140177108f9c08a75b1c7c37"
},
{
"url": "https://git.kernel.org/stable/c/67a5ba8f742f247bc83e46dd2313c142b1383276"
}
],
"title": "riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22069",
"datePublished": "2025-04-16T14:12:22.357Z",
"dateReserved": "2024-12-29T08:45:45.814Z",
"dateUpdated": "2026-06-01T16:05:09.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45838 (GCVE-0-2026-45838)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
bpf: fix end-of-list detection in cgroup_storage_get_next_key()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: fix end-of-list detection in cgroup_storage_get_next_key()
list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.
Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 0f3d9dd5e1fd52b39e25328307c6a694e994ffe3 (git) |
| Linux | Linux | Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 26d3339e465e54107bd85884341d1609c5300d6a (git) |
| Linux | Linux | Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6 (git) |
| Linux | Linux | Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < b4b5a20bed82130da2f2818f04d52378952fbd0b (git) |
| Linux | Linux | Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 85a2f30e40f7468db732f55659bc6318874f49af (git) |
| Linux | Linux | Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 32ce55d424395904986f5066f8755f6cb9993377 (git) |
| Linux | Linux | Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < fc39753b7f92e09177777e9c648afe5aa3abb81f (git) |
| Linux | Linux | Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 5828b9e5b272ecff7cf5d345128d3de7324117f7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/local_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f3d9dd5e1fd52b39e25328307c6a694e994ffe3",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "26d3339e465e54107bd85884341d1609c5300d6a",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "b4b5a20bed82130da2f2818f04d52378952fbd0b",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "85a2f30e40f7468db732f55659bc6318874f49af",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "32ce55d424395904986f5066f8755f6cb9993377",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "fc39753b7f92e09177777e9c648afe5aa3abb81f",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "5828b9e5b272ecff7cf5d345128d3de7324117f7",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/local_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix end-of-list detection in cgroup_storage_get_next_key()\n\nlist_next_entry() never returns NULL -- when the current element is the\nlast entry it wraps to the list head via container_of(). The subsequent\nNULL check is therefore dead code and get_next_key() never returns\n-ENOENT for the last element, instead reading storage-\u003ekey from a bogus\npointer that aliases internal map fields and copying the result to\nuserspace.\n\nReplace it with list_entry_is_head() so the function correctly returns\n-ENOENT when there are no more entries."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:05.613Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3"
},
{
"url": "https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a"
},
{
"url": "https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6"
},
{
"url": "https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b"
},
{
"url": "https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af"
},
{
"url": "https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377"
},
{
"url": "https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f"
},
{
"url": "https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7"
}
],
"title": "bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45838",
"datePublished": "2026-05-27T09:24:36.561Z",
"dateReserved": "2026-05-13T15:03:33.077Z",
"dateUpdated": "2026-06-14T17:46:05.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45843 (GCVE-0-2026-45843)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
slip: bound decode() reads against the compressed packet length
Summary
In the Linux kernel, the following vulnerability has been resolved:
slip: bound decode() reads against the compressed packet length
slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.
A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.
Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Severity ?
8.2 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6268f01ae989013671b526c883e92655342c6f6f (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9aafba2f49e1fcccc2018816f5836a609c925879 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 335957df4ed60f02a2ec0432fbedbf0cc7241d8b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 37537e42e6df387398bee85cb85070cc80bb1e10 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4cefe32639933d652614b0bd50f818f9af4af78f (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d42bec6e4f6d6d658be365539400b3314b76b2a7 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6268f01ae989013671b526c883e92655342c6f6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9aafba2f49e1fcccc2018816f5836a609c925879",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "335957df4ed60f02a2ec0432fbedbf0cc7241d8b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37537e42e6df387398bee85cb85070cc80bb1e10",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4cefe32639933d652614b0bd50f818f9af4af78f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d42bec6e4f6d6d658be365539400b3314b76b2a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: bound decode() reads against the compressed packet length\n\nslhc_uncompress() parses a VJ-compressed TCP header by advancing a\npointer through the packet via decode() and pull16(). Neither helper\nbounds-checks against isize, and decode() masks its return with\n\u0026 0xffff so it can never return the -1 that callers test for -- those\nerror paths are dead code.\n\nA short compressed frame whose change byte requests optional fields\nlets decode() read past the end of the packet. The over-read bytes\nare folded into the cached cstate and reflected into subsequent\nreconstructed packets.\n\nMake decode() and pull16() take the packet end pointer and return -1\nwhen exhausted. Add a bounds check before the TCP-checksum read.\nThe existing == -1 tests now do what they were always meant to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:20.617Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6268f01ae989013671b526c883e92655342c6f6f"
},
{
"url": "https://git.kernel.org/stable/c/9aafba2f49e1fcccc2018816f5836a609c925879"
},
{
"url": "https://git.kernel.org/stable/c/335957df4ed60f02a2ec0432fbedbf0cc7241d8b"
},
{
"url": "https://git.kernel.org/stable/c/37537e42e6df387398bee85cb85070cc80bb1e10"
},
{
"url": "https://git.kernel.org/stable/c/4cefe32639933d652614b0bd50f818f9af4af78f"
},
{
"url": "https://git.kernel.org/stable/c/0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d"
},
{
"url": "https://git.kernel.org/stable/c/d42bec6e4f6d6d658be365539400b3314b76b2a7"
},
{
"url": "https://git.kernel.org/stable/c/4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7"
}
],
"title": "slip: bound decode() reads against the compressed packet length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45843",
"datePublished": "2026-05-27T09:24:45.516Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:20.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43303 (GCVE-0-2026-43303)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-06-19 11:58
Title
mm/page_alloc: clear page->private in free_pages_prepare()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: clear page->private in free_pages_prepare()
Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages. When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.
This causes a use-after-free in the swap subsystem. The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0. When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860
Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.
Severity ?
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < e7790ab165713b79b1617ce659742ceb3a859d05 (git) |
| Linux | Linux | Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < 3edb8ebbf79b9016040e8f3421d723ae3d542b32 (git) |
| Linux | Linux | Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b (git) |
| Linux | Linux | Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < 23b82b7a26182ad840ae67d390d7ec9771e8c00f (git) |
| Linux | Linux | Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < d757c793853ec5483eb41ec2942c300b8fa720fb (git) |
| Linux | Linux | Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < ac1ea219590c09572ed5992dc233bbf7bb70fef9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7790ab165713b79b1617ce659742ceb3a859d05",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "3edb8ebbf79b9016040e8f3421d723ae3d542b32",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "23b82b7a26182ad840ae67d390d7ec9771e8c00f",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "d757c793853ec5483eb41ec2942c300b8fa720fb",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "ac1ea219590c09572ed5992dc233bbf7bb70fef9",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: clear page-\u003eprivate in free_pages_prepare()\n\nSeveral subsystems (slub, shmem, ttm, etc.) use page-\u003eprivate but don\u0027t\nclear it before freeing pages. When these pages are later allocated as\nhigh-order pages and split via split_page(), tail pages retain stale\npage-\u003eprivate values.\n\nThis causes a use-after-free in the swap subsystem. The swap code uses\npage-\u003eprivate to track swap count continuations, assuming freshly\nallocated pages have page-\u003eprivate == 0. When stale values are present,\nswap_count_continued() incorrectly assumes the continuation list is valid\nand iterates over uninitialized page-\u003elru containing LIST_POISON values,\ncausing a crash:\n\n KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]\n RIP: 0010:__do_sys_swapoff+0x1151/0x1860\n\nFix this by clearing page-\u003eprivate in free_pages_prepare(), ensuring all\nfreed pages have clean state regardless of previous use."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:25.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7790ab165713b79b1617ce659742ceb3a859d05"
},
{
"url": "https://git.kernel.org/stable/c/3edb8ebbf79b9016040e8f3421d723ae3d542b32"
},
{
"url": "https://git.kernel.org/stable/c/f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b"
},
{
"url": "https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f"
},
{
"url": "https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb"
},
{
"url": "https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9"
}
],
"title": "mm/page_alloc: clear page-\u003eprivate in free_pages_prepare()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43303",
"datePublished": "2026-05-08T13:11:23.561Z",
"dateReserved": "2026-05-01T14:12:56.000Z",
"dateUpdated": "2026-06-19T11:58:25.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46274 (GCVE-0-2026-46274)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:30 – Updated: 2026-06-14 18:05
Title
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
Summary
In the Linux kernel, the following vulnerability has been resolved:
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled
work was the tail of its hash bucket. When doing this, it checks whether
the preceding entry in acct->work_list has the same hash value, but
never checks that the predecessor is hashed at all. io_get_work_hash()
is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash
bits are never set for non-hashed work, so it returns 0. Thus, when a
hashed bucket-0 work is cancelled while a non-hashed work is its list
predecessor, the check spuriously passes and a pointer to the non-hashed
io_kiocb is stored in wq->hash_tail[0].
Because non-hashed work is dequeued via the fast path in
io_get_next_work(), which never touches hash_tail[], the stale pointer
is never cleared. Therefore, after the non-hashed io_kiocb completes and
is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The
io_wq is per-task (tctx->io_wq) and survives ring open/close, so the
dangling pointer persists for the lifetime of the task; the next hashed
bucket-0 enqueue dereferences it in io_wq_insert_work() and
wq_list_add_after() writes through freed memory.
Add the missing io_wq_is_hashed() check so a non-hashed predecessor
never inherits a hash_tail[] slot.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 204361a77f4018627addd4a06877448f088ddfc0, < d6bda9df0c0a3080804181464d5c0f4d78a4e769 (git) |
| Linux | Linux | Affected: 204361a77f4018627addd4a06877448f088ddfc0, < 5a20ebf0c81b61f5ea3b1b529c100cad69b9f603 (git) |
| Linux | Linux | Affected: 204361a77f4018627addd4a06877448f088ddfc0, < 252c5051dba9c709b6a72f2866f93e5e618b3f06 (git) |
| Linux | Linux | Affected: 204361a77f4018627addd4a06877448f088ddfc0, < d376c131af7c7739a87ff037ed2fdb67c2542c8a (git) |
| Linux | Linux | Affected: 204361a77f4018627addd4a06877448f088ddfc0, < d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc (git) |
| Linux | Linux | Affected: 13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5 (git) |
| Linux | Linux | Affected: 5.8.6, < 5.9 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6bda9df0c0a3080804181464d5c0f4d78a4e769",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"lessThan": "5a20ebf0c81b61f5ea3b1b529c100cad69b9f603",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"lessThan": "252c5051dba9c709b6a72f2866f93e5e618b3f06",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"lessThan": "d376c131af7c7739a87ff037ed2fdb67c2542c8a",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"lessThan": "d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc",
"status": "affected",
"version": "204361a77f4018627addd4a06877448f088ddfc0",
"versionType": "git"
},
{
"status": "affected",
"version": "13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5",
"versionType": "git"
},
{
"lessThan": "5.9",
"status": "affected",
"version": "5.8.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: check that the predecessor is hashed in io_wq_remove_pending()\n\nio_wq_remove_pending() needs to fix up wq-\u003ehash_tail[] if the cancelled\nwork was the tail of its hash bucket. When doing this, it checks whether\nthe preceding entry in acct-\u003ework_list has the same hash value, but\nnever checks that the predecessor is hashed at all. io_get_work_hash()\nis simply atomic_read(\u0026work-\u003eflags) \u003e\u003e IO_WQ_HASH_SHIFT, and the hash\nbits are never set for non-hashed work, so it returns 0. Thus, when a\nhashed bucket-0 work is cancelled while a non-hashed work is its list\npredecessor, the check spuriously passes and a pointer to the non-hashed\nio_kiocb is stored in wq-\u003ehash_tail[0].\n\nBecause non-hashed work is dequeued via the fast path in\nio_get_next_work(), which never touches hash_tail[], the stale pointer\nis never cleared. Therefore, after the non-hashed io_kiocb completes and\nis freed back to req_cachep, wq-\u003ehash_tail[0] is a dangling pointer. The\nio_wq is per-task (tctx-\u003eio_wq) and survives ring open/close, so the\ndangling pointer persists for the lifetime of the task; the next hashed\nbucket-0 enqueue dereferences it in io_wq_insert_work() and\nwq_list_add_after() writes through freed memory.\n\nAdd the missing io_wq_is_hashed() check so a non-hashed predecessor\nnever inherits a hash_tail[] slot."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:05:34.336Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6bda9df0c0a3080804181464d5c0f4d78a4e769"
},
{
"url": "https://git.kernel.org/stable/c/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603"
},
{
"url": "https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06"
},
{
"url": "https://git.kernel.org/stable/c/d376c131af7c7739a87ff037ed2fdb67c2542c8a"
},
{
"url": "https://git.kernel.org/stable/c/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc"
}
],
"title": "io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46274",
"datePublished": "2026-06-08T14:30:53.323Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-14T18:05:34.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45846 (GCVE-0-2026-45846)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
<TASK>
bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065, < 31e010a106ff6cd8ccac4bfee547fd3fa1015574 (git) |
| Linux | Linux | Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065, < 55193df8d6d33318435f19572bf5ea47a22eee28 (git) |
| Linux | Linux | Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065, < 51eef9c072aa3405a6823a96ae666d38a3b48750 (git) |
| Linux | Linux | Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065, < a0f4e4e8e0f5e24ddd83e3d1221732621cf34636 (git) |
| Linux | Linux | Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065, < 35a115a204be08f97450b0389413e218268ef4a2 (git) |
| Linux | Linux | Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065, < 74a02921c48fcd35a7881956c9e5c52b86595f5d (git) |
| Linux | Linux | Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065, < 638905520fc4fae6a80991563f264131545ba3df (git) |
| Linux | Linux | Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065, < aa6c6d9ee064aabfede4402fd1283424e649ca19 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bareudp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31e010a106ff6cd8ccac4bfee547fd3fa1015574",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "55193df8d6d33318435f19572bf5ea47a22eee28",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "51eef9c072aa3405a6823a96ae666d38a3b48750",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "a0f4e4e8e0f5e24ddd83e3d1221732621cf34636",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "35a115a204be08f97450b0389413e218268ef4a2",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "74a02921c48fcd35a7881956c9e5c52b86595f5d",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "638905520fc4fae6a80991563f264131545ba3df",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "aa6c6d9ee064aabfede4402fd1283424e649ca19",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bareudp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()\n\nbareudp_fill_metadata_dst() passes bareudp-\u003esock to\nudp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.\nThe socket is only created in bareudp_open() and NULLed in\nbareudp_stop(), so calling this function while the device is down\ntriggers a NULL dereference via sock-\u003esk.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)\n Call Trace:\n \u003cTASK\u003e\n bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)\n do_execute_actions (net/openvswitch/actions.c:901)\n ovs_execute_actions (net/openvswitch/actions.c:1589)\n ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)\n genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)\n genl_rcv_msg (net/netlink/genetlink.c:1209)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n \u003c/TASK\u003e\n\nAdd a NULL check returning -ESHUTDOWN, consistent with the xmit paths\nin the same driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:30.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31e010a106ff6cd8ccac4bfee547fd3fa1015574"
},
{
"url": "https://git.kernel.org/stable/c/55193df8d6d33318435f19572bf5ea47a22eee28"
},
{
"url": "https://git.kernel.org/stable/c/51eef9c072aa3405a6823a96ae666d38a3b48750"
},
{
"url": "https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636"
},
{
"url": "https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2"
},
{
"url": "https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d"
},
{
"url": "https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df"
},
{
"url": "https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19"
}
],
"title": "bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45846",
"datePublished": "2026-05-27T09:24:52.122Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:30.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46216 (GCVE-0-2026-46216)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-06-14 18:03
Title
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
When media GT is disabled via configfs, there is no allocation for
media_gt, which is kept as NULL. In such scenario,
intel_hdcp_gsc_check_status() results in a kernel pagefault error due to
&gt->uc.gsc being evaluated as an invalid memory address.
Fix that by introducing a NULL check on media_gt and bailing out early
if so.
While at it, also drop the NULL check for gsc, since it can't be NULL if
media_gt is not NULL.
v2:
- Get address for gsc only after checking that gt is not NULL.
(Shuicheng)
- Drop the NULL check for gsc. (Shuicheng)
v3:
- Add "Fixes" and "Cc: <stable...>" tags. (Matt)
(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4af50beb4e0f9e6aed9cd53436c099f1dba826f1, < cad210d2851f3a7d9573bdfc02aa61d9287bbe8c (git) |
| Linux | Linux | Affected: 4af50beb4e0f9e6aed9cd53436c099f1dba826f1, < 814326e86e929b865020ff44f4576dbdfe3f7ff3 (git) |
| Linux | Linux | Affected: 4af50beb4e0f9e6aed9cd53436c099f1dba826f1, < d8ab4b47edf4578dbfbe5e95817107a514fa34cc (git) |
| Linux | Linux | Affected: 4af50beb4e0f9e6aed9cd53436c099f1dba826f1, < 60a1e131a811b68703da58fd805ab359b704ab03 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/display/xe_hdcp_gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cad210d2851f3a7d9573bdfc02aa61d9287bbe8c",
"status": "affected",
"version": "4af50beb4e0f9e6aed9cd53436c099f1dba826f1",
"versionType": "git"
},
{
"lessThan": "814326e86e929b865020ff44f4576dbdfe3f7ff3",
"status": "affected",
"version": "4af50beb4e0f9e6aed9cd53436c099f1dba826f1",
"versionType": "git"
},
{
"lessThan": "d8ab4b47edf4578dbfbe5e95817107a514fa34cc",
"status": "affected",
"version": "4af50beb4e0f9e6aed9cd53436c099f1dba826f1",
"versionType": "git"
},
{
"lessThan": "60a1e131a811b68703da58fd805ab359b704ab03",
"status": "affected",
"version": "4af50beb4e0f9e6aed9cd53436c099f1dba826f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/display/xe_hdcp_gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()\n\nWhen media GT is disabled via configfs, there is no allocation for\nmedia_gt, which is kept as NULL. In such scenario,\nintel_hdcp_gsc_check_status() results in a kernel pagefault error due to\n\u0026gt-\u003euc.gsc being evaluated as an invalid memory address.\n\nFix that by introducing a NULL check on media_gt and bailing out early\nif so.\n\nWhile at it, also drop the NULL check for gsc, since it can\u0027t be NULL if\nmedia_gt is not NULL.\n\nv2:\n - Get address for gsc only after checking that gt is not NULL.\n (Shuicheng)\n - Drop the NULL check for gsc. (Shuicheng)\nv3:\n - Add \"Fixes\" and \"Cc: \u003cstable...\u003e\" tags. (Matt)\n\n(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:03:22.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cad210d2851f3a7d9573bdfc02aa61d9287bbe8c"
},
{
"url": "https://git.kernel.org/stable/c/814326e86e929b865020ff44f4576dbdfe3f7ff3"
},
{
"url": "https://git.kernel.org/stable/c/d8ab4b47edf4578dbfbe5e95817107a514fa34cc"
},
{
"url": "https://git.kernel.org/stable/c/60a1e131a811b68703da58fd805ab359b704ab03"
}
],
"title": "drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46216",
"datePublished": "2026-05-28T09:40:32.891Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-06-14T18:03:22.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23346 (GCVE-0-2026-23346)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-06-19 11:57
Title
arm64: io: Extract user memory type in ioremap_prot()
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: io: Extract user memory type in ioremap_prot()
The only caller of ioremap_prot() outside of the generic ioremap()
implementation is generic_access_phys(), which passes a 'pgprot_t' value
determined from the user mapping of the target 'pfn' being accessed by
the kernel. On arm64, the 'pgprot_t' contains all of the non-address
bits from the pte, including the permission controls, and so we end up
returning a new user mapping from ioremap_prot() which faults when
accessed from the kernel on systems with PAN:
| Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000
| ...
| Call trace:
| __memcpy_fromio+0x80/0xf8
| generic_access_phys+0x20c/0x2b8
| __access_remote_vm+0x46c/0x5b8
| access_remote_vm+0x18/0x30
| environ_read+0x238/0x3e8
| vfs_read+0xe4/0x2b0
| ksys_read+0xcc/0x178
| __arm64_sys_read+0x4c/0x68
Extract only the memory type from the user 'pgprot_t' in ioremap_prot()
and assert that we're being passed a user mapping, to protect us against
any changes in future that may require additional handling. To avoid
falsely flagging users of ioremap(), provide our own ioremap() macro
which simply wraps __ioremap_prot().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 893dea9ccd08dab924839354aba21d4ed7a9abc0, < 64858b76ec67c5fc40fef8ec1841fecb78c1ebde (git) |
| Linux | Linux | Affected: 893dea9ccd08dab924839354aba21d4ed7a9abc0, < eeecafce5afffb4da703666ebefbd4d6e2a5abf6 (git) |
| Linux | Linux | Affected: 893dea9ccd08dab924839354aba21d4ed7a9abc0, < 3d64dcc0799c2d6921ba027716b7be721eb19fa8 (git) |
| Linux | Linux | Affected: 893dea9ccd08dab924839354aba21d4ed7a9abc0, < d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a (git) |
| Linux | Linux | Affected: 893dea9ccd08dab924839354aba21d4ed7a9abc0, < 8f098037139b294050053123ab2bc0f819d08932 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64858b76ec67c5fc40fef8ec1841fecb78c1ebde",
"status": "affected",
"version": "893dea9ccd08dab924839354aba21d4ed7a9abc0",
"versionType": "git"
},
{
"lessThan": "eeecafce5afffb4da703666ebefbd4d6e2a5abf6",
"status": "affected",
"version": "893dea9ccd08dab924839354aba21d4ed7a9abc0",
"versionType": "git"
},
{
"lessThan": "3d64dcc0799c2d6921ba027716b7be721eb19fa8",
"status": "affected",
"version": "893dea9ccd08dab924839354aba21d4ed7a9abc0",
"versionType": "git"
},
{
"lessThan": "d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a",
"status": "affected",
"version": "893dea9ccd08dab924839354aba21d4ed7a9abc0",
"versionType": "git"
},
{
"lessThan": "8f098037139b294050053123ab2bc0f819d08932",
"status": "affected",
"version": "893dea9ccd08dab924839354aba21d4ed7a9abc0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: io: Extract user memory type in ioremap_prot()\n\nThe only caller of ioremap_prot() outside of the generic ioremap()\nimplementation is generic_access_phys(), which passes a \u0027pgprot_t\u0027 value\ndetermined from the user mapping of the target \u0027pfn\u0027 being accessed by\nthe kernel. On arm64, the \u0027pgprot_t\u0027 contains all of the non-address\nbits from the pte, including the permission controls, and so we end up\nreturning a new user mapping from ioremap_prot() which faults when\naccessed from the kernel on systems with PAN:\n\n | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000\n | ...\n | Call trace:\n | __memcpy_fromio+0x80/0xf8\n | generic_access_phys+0x20c/0x2b8\n | __access_remote_vm+0x46c/0x5b8\n | access_remote_vm+0x18/0x30\n | environ_read+0x238/0x3e8\n | vfs_read+0xe4/0x2b0\n | ksys_read+0xcc/0x178\n | __arm64_sys_read+0x4c/0x68\n\nExtract only the memory type from the user \u0027pgprot_t\u0027 in ioremap_prot()\nand assert that we\u0027re being passed a user mapping, to protect us against\nany changes in future that may require additional handling. To avoid\nfalsely flagging users of ioremap(), provide our own ioremap() macro\nwhich simply wraps __ioremap_prot()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:35.219Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64858b76ec67c5fc40fef8ec1841fecb78c1ebde"
},
{
"url": "https://git.kernel.org/stable/c/eeecafce5afffb4da703666ebefbd4d6e2a5abf6"
},
{
"url": "https://git.kernel.org/stable/c/3d64dcc0799c2d6921ba027716b7be721eb19fa8"
},
{
"url": "https://git.kernel.org/stable/c/d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a"
},
{
"url": "https://git.kernel.org/stable/c/8f098037139b294050053123ab2bc0f819d08932"
}
],
"title": "arm64: io: Extract user memory type in ioremap_prot()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23346",
"datePublished": "2026-03-25T10:27:33.133Z",
"dateReserved": "2026-01-13T15:37:45.999Z",
"dateUpdated": "2026-06-19T11:57:35.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46320 (GCVE-0-2026-46320)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-19 12:00
Title
tap: free page on error paths in tap_get_user_xdp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tap: free page on error paths in tap_get_user_xdp()
tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.
Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().
Severity
7.4 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12, < 8d03e65eb6cfbffec471a6b65416f93679bf3286 (git) |
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12, < f979971835dddbca86cf99e3b2e2b94a408a1ab2 (git) |
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12, < 3f52a86a482a69294c50a5a2a097bd6f4104990a (git) |
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12, < d30aac0fa00ca0afc3e08174cf7f974a66bdcf05 (git) |
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12, < d68eab61944a9b0826fa2e954e42db1aa3201b7a (git) |
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12, < e27c17346628cb56843a83f93ac63c314c00f388 (git) |
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12, < 18a84c35842e19cd3c5534d8cee73d31863f696d (git) |
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12, < 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d03e65eb6cfbffec471a6b65416f93679bf3286",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "f979971835dddbca86cf99e3b2e2b94a408a1ab2",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "3f52a86a482a69294c50a5a2a097bd6f4104990a",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "d30aac0fa00ca0afc3e08174cf7f974a66bdcf05",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "d68eab61944a9b0826fa2e954e42db1aa3201b7a",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "e27c17346628cb56843a83f93ac63c314c00f388",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "18a84c35842e19cd3c5534d8cee73d31863f696d",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: free page on error paths in tap_get_user_xdp()\n\ntap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,\nand returns -ENOMEM when build_skb() fails. Both paths jump to the err\nlabel without freeing the page that vhost_net_build_xdp() allocated for\nthe frame. tap_sendmsg() discards the per-buffer return value and always\nreturns 0, so vhost_tx_batch() takes the success path and never frees\nthe page; each rejected frame in a batch leaks one page-frag chunk.\n\nFree the page on both error paths, before the skb is built. This is the\ntap counterpart of the same leak in tun_xdp_one()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:17.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d03e65eb6cfbffec471a6b65416f93679bf3286"
},
{
"url": "https://git.kernel.org/stable/c/f979971835dddbca86cf99e3b2e2b94a408a1ab2"
},
{
"url": "https://git.kernel.org/stable/c/3f52a86a482a69294c50a5a2a097bd6f4104990a"
},
{
"url": "https://git.kernel.org/stable/c/d30aac0fa00ca0afc3e08174cf7f974a66bdcf05"
},
{
"url": "https://git.kernel.org/stable/c/d68eab61944a9b0826fa2e954e42db1aa3201b7a"
},
{
"url": "https://git.kernel.org/stable/c/e27c17346628cb56843a83f93ac63c314c00f388"
},
{
"url": "https://git.kernel.org/stable/c/18a84c35842e19cd3c5534d8cee73d31863f696d"
},
{
"url": "https://git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2"
}
],
"title": "tap: free page on error paths in tap_get_user_xdp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46320",
"datePublished": "2026-06-09T12:11:12.882Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:17.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46321 (GCVE-0-2026-46321)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-19 12:00
Title
tun: free page on short-frame rejection in tun_xdp_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tun: free page on short-frame rejection in tun_xdp_one()
tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.
A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6100e0237204890269e3f934acfc50d35fd6f319, < 0a6f46a9332ad6958992d64d3b3a81a80b2ca940 (git) |
| Linux | Linux | Affected: 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2, < 0e8211fcf9426f5adddf32516ba0f400ceb9544d (git) |
| Linux | Linux | Affected: ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146, < e915445942af6dcea628bf66d6241641201a0c41 (git) |
| Linux | Linux | Affected: d5ad89b7d01ed4e66fd04734fc63d6e78536692a, < 5b34f9e4fe2f203724a6e893d6df0316b9670057 (git) |
| Linux | Linux | Affected: 049584807f1d797fc3078b68035450a9769eb5c3, < 69863ff2720a0e9871f1a5710f2a33a94217fee0 (git) |
| Linux | Linux | Affected: 049584807f1d797fc3078b68035450a9769eb5c3, < 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 (git) |
| Linux | Linux | Affected: 049584807f1d797fc3078b68035450a9769eb5c3, < 98c67be9eb9de72465a071949e84a3cdb8fab5a3 (git) |
| Linux | Linux | Affected: 049584807f1d797fc3078b68035450a9769eb5c3, < f4feb1e20058e407cb00f45aff47f5b7e19a6bbf (git) |
| Linux | Linux | Affected: 32b0aaba5dbc85816898167d9b5d45a22eae82e9 (git) |
| Linux | Linux | Affected: a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb (git) |
| Linux | Linux | Affected: 8418f55302fa1d2eeb73e16e345167e545c598a5 (git) |
| Linux | Linux | Affected: 5.10.223, < 5.10.259 (semver) |
| Linux | Linux | Affected: 5.15.164, < 5.15.210 (semver) |
| Linux | Linux | Affected: 6.1.102, < 6.1.176 (semver) |
| Linux | Linux | Affected: 6.6.43, < 6.6.143 (semver) |
| Linux | Linux | Affected: 5.4.281, < 5.5 (semver) |
| Linux | Linux | Affected: 6.9.12, < 6.10 (semver) |
| Linux | Linux | Affected: 6.10.2, < 6.11 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a6f46a9332ad6958992d64d3b3a81a80b2ca940",
"status": "affected",
"version": "6100e0237204890269e3f934acfc50d35fd6f319",
"versionType": "git"
},
{
"lessThan": "0e8211fcf9426f5adddf32516ba0f400ceb9544d",
"status": "affected",
"version": "589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2",
"versionType": "git"
},
{
"lessThan": "e915445942af6dcea628bf66d6241641201a0c41",
"status": "affected",
"version": "ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146",
"versionType": "git"
},
{
"lessThan": "5b34f9e4fe2f203724a6e893d6df0316b9670057",
"status": "affected",
"version": "d5ad89b7d01ed4e66fd04734fc63d6e78536692a",
"versionType": "git"
},
{
"lessThan": "69863ff2720a0e9871f1a5710f2a33a94217fee0",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "37a1c268c2c8090bf4dc552d732bd23ba36f8eb0",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "98c67be9eb9de72465a071949e84a3cdb8fab5a3",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "f4feb1e20058e407cb00f45aff47f5b7e19a6bbf",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"status": "affected",
"version": "32b0aaba5dbc85816898167d9b5d45a22eae82e9",
"versionType": "git"
},
{
"status": "affected",
"version": "a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb",
"versionType": "git"
},
{
"status": "affected",
"version": "8418f55302fa1d2eeb73e16e345167e545c598a5",
"versionType": "git"
},
{
"lessThan": "5.10.259",
"status": "affected",
"version": "5.10.223",
"versionType": "semver"
},
{
"lessThan": "5.15.210",
"status": "affected",
"version": "5.15.164",
"versionType": "semver"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.102",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.43",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.281",
"versionType": "semver"
},
{
"lessThan": "6.10",
"status": "affected",
"version": "6.9.12",
"versionType": "semver"
},
{
"lessThan": "6.11",
"status": "affected",
"version": "6.10.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.10.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.15.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\nthis path: it attaches a tun/tap device as the vhost-net backend and\nfeeds TX descriptors whose length minus the virtio-net header is below\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\ntight submission loop exhausts host memory and triggers an OOM panic.\nFree the page before returning -EINVAL, matching the XDP-program error\npath in the same function."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:22.421Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a6f46a9332ad6958992d64d3b3a81a80b2ca940"
},
{
"url": "https://git.kernel.org/stable/c/0e8211fcf9426f5adddf32516ba0f400ceb9544d"
},
{
"url": "https://git.kernel.org/stable/c/e915445942af6dcea628bf66d6241641201a0c41"
},
{
"url": "https://git.kernel.org/stable/c/5b34f9e4fe2f203724a6e893d6df0316b9670057"
},
{
"url": "https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0"
},
{
"url": "https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0"
},
{
"url": "https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3"
},
{
"url": "https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf"
}
],
"title": "tun: free page on short-frame rejection in tun_xdp_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46321",
"datePublished": "2026-06-09T12:11:13.872Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:22.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68768 (GCVE-0-2025-68768)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-06-19 11:57
Title
inet: frags: flush pending skbs in fqdir_pre_exit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
inet: frags: flush pending skbs in fqdir_pre_exit()
We have been seeing occasional deadlocks on pernet_ops_rwsem since
September in NIPA. The stuck task was usually modprobe (often loading
a driver like ipvlan), trying to take the lock as a Writer.
lockdep does not track readers for rwsems so the read wasn't obvious
from the reports.
On closer inspection the Reader holding the lock was conntrack looping
forever in nf_conntrack_cleanup_net_list(). Based on past experience
with occasional NIPA crashes I looked thru the tests which run before
the crash and noticed that the crash follows ip_defrag.sh. An immediate
red flag. Scouring thru (de)fragmentation queues reveals skbs sitting
around, holding conntrack references.
The problem is that since conntrack depends on nf_defrag_ipv6,
nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its
netns exit hooks run _after_ conntrack's netns exit hook.
Flush all fragment queue SKBs during fqdir_pre_exit() to release
conntrack references before conntrack cleanup runs. Also flush
the queues in timer expiry handlers when they discover fqdir->dead
is set, in case packet sneaks in while we're running the pre_exit
flush.
The commit under Fixes is not exactly the culprit, but I think
previously the timer firing would eventually unblock the spinning
conntrack.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db, < 22ee4010866da81aeee08e1ea3fddbe418feb212 (git) |
| Linux | Linux | Affected: d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db, < 543555954b1ee8d1903a7020324efb41b0c97428 (git) |
| Linux | Linux | Affected: d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db, < c70df25214ac9b32b53e18e6ae3b8f073ffa6903 (git) |
| Linux | Linux | Affected: d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db, < 006a5035b495dec008805df249f92c22c89c3d2e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/inet_frag.h",
"include/net/ipv6_frag.h",
"net/ipv4/inet_fragment.c",
"net/ipv4/ip_fragment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22ee4010866da81aeee08e1ea3fddbe418feb212",
"status": "affected",
"version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
"versionType": "git"
},
{
"lessThan": "543555954b1ee8d1903a7020324efb41b0c97428",
"status": "affected",
"version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
"versionType": "git"
},
{
"lessThan": "c70df25214ac9b32b53e18e6ae3b8f073ffa6903",
"status": "affected",
"version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
"versionType": "git"
},
{
"lessThan": "006a5035b495dec008805df249f92c22c89c3d2e",
"status": "affected",
"version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/inet_frag.h",
"include/net/ipv6_frag.h",
"net/ipv4/inet_fragment.c",
"net/ipv4/ip_fragment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: flush pending skbs in fqdir_pre_exit()\n\nWe have been seeing occasional deadlocks on pernet_ops_rwsem since\nSeptember in NIPA. The stuck task was usually modprobe (often loading\na driver like ipvlan), trying to take the lock as a Writer.\nlockdep does not track readers for rwsems so the read wasn\u0027t obvious\nfrom the reports.\n\nOn closer inspection the Reader holding the lock was conntrack looping\nforever in nf_conntrack_cleanup_net_list(). Based on past experience\nwith occasional NIPA crashes I looked thru the tests which run before\nthe crash and noticed that the crash follows ip_defrag.sh. An immediate\nred flag. Scouring thru (de)fragmentation queues reveals skbs sitting\naround, holding conntrack references.\n\nThe problem is that since conntrack depends on nf_defrag_ipv6,\nnf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its\nnetns exit hooks run _after_ conntrack\u0027s netns exit hook.\n\nFlush all fragment queue SKBs during fqdir_pre_exit() to release\nconntrack references before conntrack cleanup runs. Also flush\nthe queues in timer expiry handlers when they discover fqdir-\u003edead\nis set, in case packet sneaks in while we\u0027re running the pre_exit\nflush.\n\nThe commit under Fixes is not exactly the culprit, but I think\npreviously the timer firing would eventually unblock the spinning\nconntrack."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:29.047Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22ee4010866da81aeee08e1ea3fddbe418feb212"
},
{
"url": "https://git.kernel.org/stable/c/543555954b1ee8d1903a7020324efb41b0c97428"
},
{
"url": "https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903"
},
{
"url": "https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e"
}
],
"title": "inet: frags: flush pending skbs in fqdir_pre_exit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68768",
"datePublished": "2026-01-13T15:28:47.106Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-06-19T11:57:29.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45845 (GCVE-0-2026-45845)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
net/sched: taprio: fix NULL pointer dereference in class dump
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: fix NULL pointer dereference in class dump
When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()
is called with new == NULL and stores NULL into q->qdiscs[cl - 1].
Subsequent RTM_GETTCLASS dump operations walk all classes via
taprio_walk() and call taprio_dump_class(), which calls taprio_leaf()
returning the NULL pointer, then dereferences it to read child->handle,
causing a kernel NULL pointer dereference.
The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel
with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user
namespaces enabled, an unprivileged local user can trigger a kernel
panic by creating a taprio qdisc inside a new network namespace,
grafting an explicit child qdisc, deleting it, and requesting a class
dump. The RTM_GETTCLASS dump itself requires no capability.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)
Call Trace:
<TASK>
tc_fill_tclass (net/sched/sch_api.c:1966)
qdisc_class_dump (net/sched/sch_api.c:2326)
taprio_walk (net/sched/sch_taprio.c:2514)
tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)
tc_dump_tclass_root (net/sched/sch_api.c:2370)
tc_dump_tclass (net/sched/sch_api.c:2431)
rtnl_dumpit (net/core/rtnetlink.c:6864)
netlink_dump (net/netlink/af_netlink.c:2325)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Fix this by substituting &noop_qdisc when new is NULL in
taprio_graft(), a common pattern used by other qdiscs (e.g.,
multiq_graft()) to ensure the q->qdiscs[] slots are never NULL.
This makes control-plane dump paths safe without requiring individual
NULL checks.
Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)
previously had explicit NULL guards that would drop/skip the packet
cleanly, update those checks to test for &noop_qdisc instead. Without
this, packets would reach taprio_enqueue_one() which increments the root
qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc
drops the packet but those counters are never rolled back, permanently
inflating the root qdisc's statistics.
After this change *old can be a valid qdisc, NULL, or &noop_qdisc.
Only call qdisc_put(*old) in the first case to avoid decreasing
noop_qdisc's refcount, which was never increased.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1, < ec2501e361b08b50bcb1e7b3253fc861abbda28d (git) |
| Linux | Linux | Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1, < d02e2fbf60de46678e2ea698a6a904fd21e1cc31 (git) |
| Linux | Linux | Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1, < 48b26d48e76221dc90b02bf5428bab53643461ca (git) |
| Linux | Linux | Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1, < 8f1ff8866cb9f655e5faea6994eb902960be8e04 (git) |
| Linux | Linux | Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1, < 3d07ca5c0fae311226f737963984bd94bb159a87 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec2501e361b08b50bcb1e7b3253fc861abbda28d",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
},
{
"lessThan": "d02e2fbf60de46678e2ea698a6a904fd21e1cc31",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
},
{
"lessThan": "48b26d48e76221dc90b02bf5428bab53643461ca",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
},
{
"lessThan": "8f1ff8866cb9f655e5faea6994eb902960be8e04",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
},
{
"lessThan": "3d07ca5c0fae311226f737963984bd94bb159a87",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: fix NULL pointer dereference in class dump\n\nWhen a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()\nis called with new == NULL and stores NULL into q-\u003eqdiscs[cl - 1].\nSubsequent RTM_GETTCLASS dump operations walk all classes via\ntaprio_walk() and call taprio_dump_class(), which calls taprio_leaf()\nreturning the NULL pointer, then dereferences it to read child-\u003ehandle,\ncausing a kernel NULL pointer dereference.\n\nThe bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel\nwith CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user\nnamespaces enabled, an unprivileged local user can trigger a kernel\npanic by creating a taprio qdisc inside a new network namespace,\ngrafting an explicit child qdisc, deleting it, and requesting a class\ndump. The RTM_GETTCLASS dump itself requires no capability.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)\n Call Trace:\n \u003cTASK\u003e\n tc_fill_tclass (net/sched/sch_api.c:1966)\n qdisc_class_dump (net/sched/sch_api.c:2326)\n taprio_walk (net/sched/sch_taprio.c:2514)\n tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)\n tc_dump_tclass_root (net/sched/sch_api.c:2370)\n tc_dump_tclass (net/sched/sch_api.c:2431)\n rtnl_dumpit (net/core/rtnetlink.c:6864)\n netlink_dump (net/netlink/af_netlink.c:2325)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n \u003c/TASK\u003e\n\nFix this by substituting \u0026noop_qdisc when new is NULL in\ntaprio_graft(), a common pattern used by other qdiscs (e.g.,\nmultiq_graft()) to ensure the q-\u003eqdiscs[] slots are never NULL.\nThis makes control-plane dump paths safe without requiring individual\nNULL checks.\n\nSince the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)\npreviously had explicit NULL guards that would drop/skip the packet\ncleanly, update those checks to test for \u0026noop_qdisc instead. Without\nthis, packets would reach taprio_enqueue_one() which increments the root\nqdisc\u0027s qlen and backlog before calling the child\u0027s enqueue; noop_qdisc\ndrops the packet but those counters are never rolled back, permanently\ninflating the root qdisc\u0027s statistics.\n\nAfter this change *old can be a valid qdisc, NULL, or \u0026noop_qdisc.\nOnly call qdisc_put(*old) in the first case to avoid decreasing\nnoop_qdisc\u0027s refcount, which was never increased."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:27.191Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec2501e361b08b50bcb1e7b3253fc861abbda28d"
},
{
"url": "https://git.kernel.org/stable/c/d02e2fbf60de46678e2ea698a6a904fd21e1cc31"
},
{
"url": "https://git.kernel.org/stable/c/48b26d48e76221dc90b02bf5428bab53643461ca"
},
{
"url": "https://git.kernel.org/stable/c/8f1ff8866cb9f655e5faea6994eb902960be8e04"
},
{
"url": "https://git.kernel.org/stable/c/3d07ca5c0fae311226f737963984bd94bb159a87"
}
],
"title": "net/sched: taprio: fix NULL pointer dereference in class dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45845",
"datePublished": "2026-05-27T09:24:48.438Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:27.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46160 (GCVE-0-2026-46160)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-19 11:59
Title
btrfs: fix missing last_unlink_trans update when removing a directory
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix missing last_unlink_trans update when removing a directory
When removing a directory we are not updating its last_unlink_trans field,
which can result in incorrect fsync behaviour in case some one fsyncs the
directory after it was removed because it's holding a file descriptor on
it.
Example scenario:
mkdir /mnt/dir1
mkdir /mnt/dir1/dir2
mkdir /mnt/dir3
sync -f /mnt
# Do some change to the directory and fsync it.
chmod 700 /mnt/dir1
xfs_io -c fsync /mnt/dir1
# Move dir2 out of dir1 so that dir1 becomes empty.
mv /mnt/dir1/dir2 /mnt/dir3/
open fd on /mnt/dir1
call rmdir(2) on path "/mnt/dir1"
fsync fd
<trigger power failure>
When attempting to mount the filesystem, the log replay will fail with
an -EIO error and dmesg/syslog has the following:
[445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650
[445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm
[445771.627912] BTRFS info (device dm-0): start tree-log replay
[445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5
[445771.629453] memcg:ffff89f400351b00
[445771.629892] aops:btree_aops [btrfs] ino:1
[445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8
[445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00
[445771.635029] page dumped because: eb page dump
[445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir
[445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5
[445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087
[445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[445771.638097] inode generation 3 transid 9 size 16 nbytes 16384
[445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0
[445771.638100] rdev 0 sequence 2 flags 0x0
[445771.638102] atime 1775744884.0
[445771.660056] ctime 1775744885.645502983
[445771.660058] mtime 1775744885.645502983
[445771.660060] otime 1775744884.0
[445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
[445771.660064] index 0 name_len 2
[445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34
[445771.660068] location key (259 1 0) type 2
[445771.660070] transid 9 data_len 0 name_len 4
[445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34
[445771.660076] location key (257 1 0) type 2
[445771.660077] transid 9 data_len 0 name_len 4
[445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
[445771.660079] location key (257 1 0) type 2
[445771.660080] transid 9 data_len 0 name_len 4
[445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34
[445771.660082] location key (259 1 0) type 2
[445771.660083] transid 9 data_len 0 name_len 4
[445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160
[445771.660086] inode generation 9 transid 9 size 8 nbytes 0
[445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0
[445771.660088] rdev 0 sequence 2 flags 0x0
[445771.660089] atime 1775744885.641174097
[445771.660090] ctime 1775744885.645502983
[445771.660091] mtime 1775744885.645502983
[445771.660105] otime 1775744885.641174097
[445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14
[445771.660107] index 2 name_len 4
[445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34
[445771.660109] location key (2
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 12fcfd22fe5bf4fe74710232098bc101af497995 , < af467162290f5fe79d6a361b7c84302e45b1fd9f (git) Affected: 12fcfd22fe5bf4fe74710232098bc101af497995 , < 2525998ac956476bded26b9f34c4164dc890b87a (git) Affected: 12fcfd22fe5bf4fe74710232098bc101af497995 , < 6acbb2f6dff23c9bb9761fb98b516525b9cf1ce9 (git) Affected: 12fcfd22fe5bf4fe74710232098bc101af497995 , < cc3c0a0f965754ce230d93ba44ee5b34fbe6138a (git) Affected: 12fcfd22fe5bf4fe74710232098bc101af497995 , < aa9c3ecaf7337df3a689318584f879b5339ede0f (git) Affected: 12fcfd22fe5bf4fe74710232098bc101af497995 , < fb388eb58c1ba047ccabc33901839acfecadcf49 (git) Affected: 12fcfd22fe5bf4fe74710232098bc101af497995 , < 36fcc2c7517f8a86379154c9793f867592aa8b7e (git) Affected: 12fcfd22fe5bf4fe74710232098bc101af497995 , < 999757231c49376cd1a37308d2c8c4c9932571e1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af467162290f5fe79d6a361b7c84302e45b1fd9f",
"status": "affected",
"version": "12fcfd22fe5bf4fe74710232098bc101af497995",
"versionType": "git"
},
{
"lessThan": "2525998ac956476bded26b9f34c4164dc890b87a",
"status": "affected",
"version": "12fcfd22fe5bf4fe74710232098bc101af497995",
"versionType": "git"
},
{
"lessThan": "6acbb2f6dff23c9bb9761fb98b516525b9cf1ce9",
"status": "affected",
"version": "12fcfd22fe5bf4fe74710232098bc101af497995",
"versionType": "git"
},
{
"lessThan": "cc3c0a0f965754ce230d93ba44ee5b34fbe6138a",
"status": "affected",
"version": "12fcfd22fe5bf4fe74710232098bc101af497995",
"versionType": "git"
},
{
"lessThan": "aa9c3ecaf7337df3a689318584f879b5339ede0f",
"status": "affected",
"version": "12fcfd22fe5bf4fe74710232098bc101af497995",
"versionType": "git"
},
{
"lessThan": "fb388eb58c1ba047ccabc33901839acfecadcf49",
"status": "affected",
"version": "12fcfd22fe5bf4fe74710232098bc101af497995",
"versionType": "git"
},
{
"lessThan": "36fcc2c7517f8a86379154c9793f867592aa8b7e",
"status": "affected",
"version": "12fcfd22fe5bf4fe74710232098bc101af497995",
"versionType": "git"
},
{
"lessThan": "999757231c49376cd1a37308d2c8c4c9932571e1",
"status": "affected",
"version": "12fcfd22fe5bf4fe74710232098bc101af497995",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix missing last_unlink_trans update when removing a directory\n\nWhen removing a directory we are not updating its last_unlink_trans field,\nwhich can result in incorrect fsync behaviour in case some one fsyncs the\ndirectory after it was removed because it\u0027s holding a file descriptor on\nit.\n\nExample scenario:\n\n mkdir /mnt/dir1\n mkdir /mnt/dir1/dir2\n mkdir /mnt/dir3\n\n sync -f /mnt\n\n # Do some change to the directory and fsync it.\n chmod 700 /mnt/dir1\n xfs_io -c fsync /mnt/dir1\n\n # Move dir2 out of dir1 so that dir1 becomes empty.\n mv /mnt/dir1/dir2 /mnt/dir3/\n\n open fd on /mnt/dir1\n call rmdir(2) on path \"/mnt/dir1\"\n fsync fd\n\n \u003ctrigger power failure\u003e\n\nWhen attempting to mount the filesystem, the log replay will fail with\nan -EIO error and dmesg/syslog has the following:\n\n [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650\n [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm\n [445771.627912] BTRFS info (device dm-0): start tree-log replay\n [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5\n [445771.629453] memcg:ffff89f400351b00\n [445771.629892] aops:btree_aops [btrfs] ino:1\n [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\n [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8\n [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00\n [445771.635029] page dumped because: eb page dump\n [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir\n [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5\n [445771.638091] BTRFS info (device dm-0): refs 4 
lock_owner 0 current 3581087\n [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\n [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384\n [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0\n [445771.638100] \t\trdev 0 sequence 2 flags 0x0\n [445771.638102] \t\tatime 1775744884.0\n [445771.660056] \t\tctime 1775744885.645502983\n [445771.660058] \t\tmtime 1775744885.645502983\n [445771.660060] \t\totime 1775744884.0\n [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\n [445771.660064] \t\tindex 0 name_len 2\n [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34\n [445771.660068] \t\tlocation key (259 1 0) type 2\n [445771.660070] \t\ttransid 9 data_len 0 name_len 4\n [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34\n [445771.660076] \t\tlocation key (257 1 0) type 2\n [445771.660077] \t\ttransid 9 data_len 0 name_len 4\n [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\n [445771.660079] \t\tlocation key (257 1 0) type 2\n [445771.660080] \t\ttransid 9 data_len 0 name_len 4\n [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34\n [445771.660082] \t\tlocation key (259 1 0) type 2\n [445771.660083] \t\ttransid 9 data_len 0 name_len 4\n [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160\n [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0\n [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0\n [445771.660088] \t\trdev 0 sequence 2 flags 0x0\n [445771.660089] \t\tatime 1775744885.641174097\n [445771.660090] \t\tctime 1775744885.645502983\n [445771.660091] \t\tmtime 1775744885.645502983\n [445771.660105] \t\totime 1775744885.641174097\n [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14\n [445771.660107] \t\tindex 2 name_len 4\n [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34\n 
[445771.660109] \t\tlocation key (2\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:43.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af467162290f5fe79d6a361b7c84302e45b1fd9f"
},
{
"url": "https://git.kernel.org/stable/c/2525998ac956476bded26b9f34c4164dc890b87a"
},
{
"url": "https://git.kernel.org/stable/c/6acbb2f6dff23c9bb9761fb98b516525b9cf1ce9"
},
{
"url": "https://git.kernel.org/stable/c/cc3c0a0f965754ce230d93ba44ee5b34fbe6138a"
},
{
"url": "https://git.kernel.org/stable/c/aa9c3ecaf7337df3a689318584f879b5339ede0f"
},
{
"url": "https://git.kernel.org/stable/c/fb388eb58c1ba047ccabc33901839acfecadcf49"
},
{
"url": "https://git.kernel.org/stable/c/36fcc2c7517f8a86379154c9793f867592aa8b7e"
},
{
"url": "https://git.kernel.org/stable/c/999757231c49376cd1a37308d2c8c4c9932571e1"
}
],
"title": "btrfs: fix missing last_unlink_trans update when removing a directory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46160",
"datePublished": "2026-05-28T09:36:15.580Z",
"dateReserved": "2026-05-13T15:03:33.102Z",
"dateUpdated": "2026-06-19T11:59:43.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46244 (GCVE-0-2026-46244)
Vulnerability from cvelistv5 – Published: 2026-06-03 15:48 – Updated: 2026-07-03 12:05
Title
netfilter: nft_inner: Fix IPv6 inner_thoff desync
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_inner: Fix IPv6 inner_thoff desync
In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
ipv6_find_hdr() correctly computes the transport header offset
traversing all extension headers, but the result is immediately
overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
accounts for the IPv6 base header. This creates a desync between
inner_thoff (wrong — points to extension header start) and l4proto
(correct — e.g., IPPROTO_TCP), enabling transport header forgery
and potential firewall bypass. This issue affects stable versions
from Linux 6.2.
For comparison, the normal (non-inner) IPv6 path correctly
preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
ensures that ipv6_find_hdr()'s calculated transport header offset is
preserved, thereby fixing the desynchronization.
Severity
9.1 (Critical)
CWE
- CWE-823 - Use of Out-of-range Pointer Offset
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < c161ad9157f5a0429b5ff94d9770faf3bf48d273 (git) Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < 870d59e2cf218e7418491e26bad768cb16654582 (git) Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < 689bbf48c1f45130086ae1c46ab83ea4c753c601 (git) Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce (git) Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < b6a91f68ebfed9c38e0e9150f58a9b85da07181c (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s netfilter subsystem, specifically within the nft_inner module. This vulnerability arises from an incorrect handling of IPv6 inner packet processing, where the transport header offset (inner_thoff) becomes desynchronized from the Layer 4 protocol (l4proto). A remote attacker could exploit this desynchronization to perform transport header forgery, potentially leading to a firewall bypass and allowing unauthorized network access."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-823",
"description": "Use of Out-of-range Pointer Offset",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:04.391Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46244"
},
{
"name": "RHBZ#2484451",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484451"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46244.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33215"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34911"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34443"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:33215: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:34911: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:34443: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-03T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-03T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: netfilter: nft_inner: Fix IPv6 inner_thoff desync",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_inner.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c161ad9157f5a0429b5ff94d9770faf3bf48d273",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "870d59e2cf218e7418491e26bad768cb16654582",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "689bbf48c1f45130086ae1c46ab83ea4c753c601",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "b6a91f68ebfed9c38e0e9150f58a9b85da07181c",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_inner.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: Fix IPv6 inner_thoff desync\n\nIn nft_inner_parse_l2l3(), when processing inner IPv6 packets,\nipv6_find_hdr() correctly computes the transport header offset\ntraversing all extension headers, but the result is immediately\noverwritten with nhoff + sizeof(_ip6h) (40 bytes), which only\naccounts for the IPv6 base header. This creates a desync between\ninner_thoff (wrong \u2014 points to extension header start) and l4proto\n(correct \u2014 e.g., IPPROTO_TCP), enabling transport header forgery\nand potential firewall bypass. This issue affects stable versions\nfrom Linux 6.2.\n\nFor comparison, the normal (non-inner) IPv6 path correctly\npreserves ipv6_find_hdr()\u0027s result. Removing the incorrect overwrite\nensures that ipv6_find_hdr()\u0027s calculated transport header offset is\npreserved, thereby fixing the desynchronization."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:05:25.011Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273"
},
{
"url": "https://git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582"
},
{
"url": "https://git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601"
},
{
"url": "https://git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce"
},
{
"url": "https://git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c"
}
],
"title": "netfilter: nft_inner: Fix IPv6 inner_thoff desync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46244",
"datePublished": "2026-06-03T15:48:59.049Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-07-03T12:05:04.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31420 (GCVE-0-2026-31420)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-06-01 16:11
Title
bridge: mrp: reject zero test interval to avoid OOM panic
Summary
In the Linux kernel, the following vulnerability has been resolved:
bridge: mrp: reject zero test interval to avoid OOM panic
br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied
interval value from netlink without validation. When interval is 0,
usecs_to_jiffies(0) yields 0, causing the delayed work
(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule
itself with zero delay. This creates a tight loop on system_percpu_wq
that allocates and transmits MRP test frames at maximum rate, exhausting
all system memory and causing a kernel panic via OOM deadlock.
The same zero-interval issue applies to br_mrp_start_in_test_parse()
for interconnect test frames.
Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both
IFLA_BRIDGE_MRP_START_TEST_INTERVAL and
IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the
netlink attribute parsing layer before the value ever reaches the
workqueue scheduling code. This is consistent with how other bridge
subsystems (br_fdb, br_mst) enforce range constraints on netlink
attributes.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 20f6a05ef63594feb0c6dfbd629da0448b43124d , < 630a15a31c2034b5b697f4aabc769b9d80d82446 (git) Affected: 20f6a05ef63594feb0c6dfbd629da0448b43124d , < e8ec80430bfa520e7352155d6ac632e527cba7aa (git) Affected: 20f6a05ef63594feb0c6dfbd629da0448b43124d , < c9bc352f716d1bebfe43354bce539ec2d0223b30 (git) Affected: 20f6a05ef63594feb0c6dfbd629da0448b43124d , < fa6e24963342de4370e3a3c9af41e38277b74cf3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_mrp_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "630a15a31c2034b5b697f4aabc769b9d80d82446",
"status": "affected",
"version": "20f6a05ef63594feb0c6dfbd629da0448b43124d",
"versionType": "git"
},
{
"lessThan": "e8ec80430bfa520e7352155d6ac632e527cba7aa",
"status": "affected",
"version": "20f6a05ef63594feb0c6dfbd629da0448b43124d",
"versionType": "git"
},
{
"lessThan": "c9bc352f716d1bebfe43354bce539ec2d0223b30",
"status": "affected",
"version": "20f6a05ef63594feb0c6dfbd629da0448b43124d",
"versionType": "git"
},
{
"lessThan": "fa6e24963342de4370e3a3c9af41e38277b74cf3",
"status": "affected",
"version": "20f6a05ef63594feb0c6dfbd629da0448b43124d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_mrp_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mrp: reject zero test interval to avoid OOM panic\n\nbr_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied\ninterval value from netlink without validation. When interval is 0,\nusecs_to_jiffies(0) yields 0, causing the delayed work\n(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule\nitself with zero delay. This creates a tight loop on system_percpu_wq\nthat allocates and transmits MRP test frames at maximum rate, exhausting\nall system memory and causing a kernel panic via OOM deadlock.\n\nThe same zero-interval issue applies to br_mrp_start_in_test_parse()\nfor interconnect test frames.\n\nUse NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both\nIFLA_BRIDGE_MRP_START_TEST_INTERVAL and\nIFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the\nnetlink attribute parsing layer before the value ever reaches the\nworkqueue scheduling code. This is consistent with how other bridge\nsubsystems (br_fdb, br_mst) enforce range constraints on netlink\nattributes."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:26.083Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/630a15a31c2034b5b697f4aabc769b9d80d82446"
},
{
"url": "https://git.kernel.org/stable/c/e8ec80430bfa520e7352155d6ac632e527cba7aa"
},
{
"url": "https://git.kernel.org/stable/c/c9bc352f716d1bebfe43354bce539ec2d0223b30"
},
{
"url": "https://git.kernel.org/stable/c/fa6e24963342de4370e3a3c9af41e38277b74cf3"
}
],
"title": "bridge: mrp: reject zero test interval to avoid OOM panic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31420",
"datePublished": "2026-04-13T13:40:24.594Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-06-01T16:11:26.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46316 (GCVE-0-2026-46316)
Vulnerability from cvelistv5 – Published: 2026-06-09 11:52 – Updated: 2026-07-03 12:05
Title
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
vgic_its_invalidate_cache() walks the per-ITS translation cache with
xa_for_each() and drops the cache's reference on each entry with
vgic_put_irq(). It puts the iterated pointer, though, rather than the
value returned by xa_erase().
The function is called from contexts that do not exclude one another: the
ITS command handlers hold its_lock, the GITS_CTLR write path holds
cmd_lock, and the path that clears EnableLPIs in a redistributor's
GICR_CTLR holds neither. Two or more of them can drain the same cache
concurrently, and if each one observes the same entry, erases it and then
puts it, the single reference the cache holds on that entry is dropped
more than once. The entry can then be freed while an ITE still maps it.
xa_erase() is atomic and returns the previous entry, so put only the entry
that this context actually removed. The cache reference is then dropped
exactly once per entry even when the invalidations run concurrently, and
the behavior is unchanged when only one context runs.
Severity
9.3 (Critical)
CWE
- CWE-911 - Improper Update of Reference Count
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < b7b72e88046328c9fdc638fe887d4240257dd5dc (git) |
| Linux | Linux | Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 2bbc395e81bd29c543a0529a678327e932a7ec69 (git) |
| Linux | Linux | Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 9121f4605ab94969f62d1b5714ca3c6c69bd202f (git) |
| Linux | Linux | Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 13031fb6b8357fbbcded2a7f4cba73e4781ee594 (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Kernel-based Virtual Machine (KVM) for ARM64, specifically within the vgic-its component. This vulnerability occurs when multiple concurrent operations incorrectly drop the translation cache\u0027s reference to an entry more than once during cache invalidation. This leads to a use-after-free condition, which can result in memory corruption. The primary impact is potential system instability or a denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-911",
"description": "Improper Update of Reference Count",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:04.080Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46316"
},
{
"name": "RHBZ#2486982",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486982"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46316.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34911"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34911: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-09T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-09T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/vgic/vgic-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7b72e88046328c9fdc638fe887d4240257dd5dc",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "2bbc395e81bd29c543a0529a678327e932a7ec69",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "9121f4605ab94969f62d1b5714ca3c6c69bd202f",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "13031fb6b8357fbbcded2a7f4cba73e4781ee594",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/vgic/vgic-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry\n\nvgic_its_invalidate_cache() walks the per-ITS translation cache with\nxa_for_each() and drops the cache\u0027s reference on each entry with\nvgic_put_irq(). It puts the iterated pointer, though, rather than the\nvalue returned by xa_erase().\n\nThe function is called from contexts that do not exclude one another: the\nITS command handlers hold its_lock, the GITS_CTLR write path holds\ncmd_lock, and the path that clears EnableLPIs in a redistributor\u0027s\nGICR_CTLR holds neither. Two or more of them can drain the same cache\nconcurrently, and if each one observes the same entry, erases it and then\nputs it, the single reference the cache holds on that entry is dropped\nmore than once. The entry can then be freed while an ITE still maps it.\n\nxa_erase() is atomic and returns the previous entry, so put only the entry\nthat this context actually removed. The cache reference is then dropped\nexactly once per entry even when the invalidations run concurrently, and\nthe behavior is unchanged when only one context runs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:43.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7b72e88046328c9fdc638fe887d4240257dd5dc"
},
{
"url": "https://git.kernel.org/stable/c/2bbc395e81bd29c543a0529a678327e932a7ec69"
},
{
"url": "https://git.kernel.org/stable/c/9121f4605ab94969f62d1b5714ca3c6c69bd202f"
},
{
"url": "https://git.kernel.org/stable/c/13031fb6b8357fbbcded2a7f4cba73e4781ee594"
}
],
"title": "KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46316",
"datePublished": "2026-06-09T11:52:29.349Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-07-03T12:05:04.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46158 (GCVE-0-2026-46158)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-14 17:58
Title
mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().
It should then be released in all cases at the end.
Some (unlikely) checks were returning directly instead of calling
sock_put() to decrease the refcount. Jump to a new 'exit' label to call
__sock_put() (which will become sock_put() in the next commit) to fix
this potential leak.
While at it, drop the '!msk' check which cannot happen because it is
never reset, and explicitly mark the remaining one as "unlikely".
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 9426265e157dd77ec237c795901ed4dea6d69b5c (git) |
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < b41dd76f3b9735096c21d3e799a2b9fe36498d57 (git) |
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < acd3d3562315c99f3c0db16f0fcc5f0306638982 (git) |
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 25e37407442b8766ec2cf52fb4e31b5c3d3aeeae (git) |
| Linux | Linux | Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 9634cb35af17019baec21ca648516ce376fa10e6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9426265e157dd77ec237c795901ed4dea6d69b5c",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "b41dd76f3b9735096c21d3e799a2b9fe36498d57",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "acd3d3562315c99f3c0db16f0fcc5f0306638982",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "25e37407442b8766ec2cf52fb4e31b5c3d3aeeae",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "9634cb35af17019baec21ca648516ce376fa10e6",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: ADD_ADDR rtx: always decrease sk refcount\n\nWhen an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().\nIt should then be released in all cases at the end.\n\nSome (unlikely) checks were returning directly instead of calling\nsock_put() to decrease the refcount. Jump to a new \u0027exit\u0027 label to call\n__sock_put() (which will become sock_put() in the next commit) to fix\nthis potential leak.\n\nWhile at it, drop the \u0027!msk\u0027 check which cannot happen because it is\nnever reset, and explicitly mark the remaining one as \"unlikely\"."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:58:53.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9426265e157dd77ec237c795901ed4dea6d69b5c"
},
{
"url": "https://git.kernel.org/stable/c/b41dd76f3b9735096c21d3e799a2b9fe36498d57"
},
{
"url": "https://git.kernel.org/stable/c/acd3d3562315c99f3c0db16f0fcc5f0306638982"
},
{
"url": "https://git.kernel.org/stable/c/25e37407442b8766ec2cf52fb4e31b5c3d3aeeae"
},
{
"url": "https://git.kernel.org/stable/c/9634cb35af17019baec21ca648516ce376fa10e6"
}
],
"title": "mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46158",
"datePublished": "2026-05-28T09:36:13.821Z",
"dateReserved": "2026-05-13T15:03:33.102Z",
"dateUpdated": "2026-06-14T17:58:53.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23272 (GCVE-0-2026-23272)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-23 16:04
Title
netfilter: nf_tables: unconditionally bump set->nelems before insertion
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: unconditionally bump set->nelems before insertion
In case that the set is full, a new element gets published then removed
without waiting for the RCU grace period, while RCU reader can be
walking over it already.
To address this issue, add the element transaction even if set is full,
but toggle the set_full flag to report -ENFILE so the abort path safely
unwinds the set to its previous state.
As for element updates, decrement set->nelems to restore it.
A simpler fix is to call synchronize_rcu() in the error path.
However, with a large batch adding elements to already maxed-out set,
this could cause noticeable slowdown of such batches.
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < e3ccb11fc8249759d23326038c8db987ddaabc77 (git) |
| Linux | Linux | Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < 86bc4b1a0f672d47ac19f9022432cb6a2e01cb33 (git) |
| Linux | Linux | Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < 6826131c7674329335ca25df2550163eb8a1fd0c (git) |
| Linux | Linux | Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < ccb8c8f3c1127cf34d18c737309897c68046bf21 (git) |
| Linux | Linux | Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < def602e498a4f951da95c95b1b8ce8ae68aa733a (git) |
| Linux | Linux | Affected: fefdd79403e89b0c673965343b92e2e01e2713a8 (git) |
| Linux | Linux | Affected: 4.9.33 , < 4.10 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3ccb11fc8249759d23326038c8db987ddaabc77",
"status": "affected",
"version": "35d0ac9070ef619e3bf44324375878a1c540387b",
"versionType": "git"
},
{
"lessThan": "86bc4b1a0f672d47ac19f9022432cb6a2e01cb33",
"status": "affected",
"version": "35d0ac9070ef619e3bf44324375878a1c540387b",
"versionType": "git"
},
{
"lessThan": "6826131c7674329335ca25df2550163eb8a1fd0c",
"status": "affected",
"version": "35d0ac9070ef619e3bf44324375878a1c540387b",
"versionType": "git"
},
{
"lessThan": "ccb8c8f3c1127cf34d18c737309897c68046bf21",
"status": "affected",
"version": "35d0ac9070ef619e3bf44324375878a1c540387b",
"versionType": "git"
},
{
"lessThan": "def602e498a4f951da95c95b1b8ce8ae68aa733a",
"status": "affected",
"version": "35d0ac9070ef619e3bf44324375878a1c540387b",
"versionType": "git"
},
{
"status": "affected",
"version": "fefdd79403e89b0c673965343b92e2e01e2713a8",
"versionType": "git"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.33",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set-\u003enelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set-\u003enelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:26.049Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3ccb11fc8249759d23326038c8db987ddaabc77"
},
{
"url": "https://git.kernel.org/stable/c/86bc4b1a0f672d47ac19f9022432cb6a2e01cb33"
},
{
"url": "https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c"
},
{
"url": "https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21"
},
{
"url": "https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a"
}
],
"title": "netfilter: nf_tables: unconditionally bump set-\u003enelems before insertion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23272",
"datePublished": "2026-03-20T08:08:52.946Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-05-23T16:04:26.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45840 (GCVE-0-2026-45840)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
Title
openvswitch: cap upcall PID array size and pre-size vport replies
Summary
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: cap upcall PID array size and pre-size vport replies
The vport netlink reply helpers allocate a fixed-size skb with
nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID
array via ovs_vport_get_upcall_portids(). Since
ovs_vport_set_upcall_portids() accepts any non-zero multiple of
sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID
array large enough to overflow the reply buffer, causing nla_put() to
fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with
unprivileged user namespaces enabled (e.g., Ubuntu default), this is
reachable via unshare -Urn since OVS vport mutation operations use
GENL_UNS_ADMIN_PERM.
kernel BUG at net/openvswitch/datapath.c:2414!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1
RIP: 0010:ovs_vport_cmd_set+0x34c/0x400
Call Trace:
<TASK>
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)
genl_rcv_msg (net/netlink/genetlink.c:1194)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
genl_rcv (net/netlink/genetlink.c:1219)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Kernel panic - not syncing: Fatal exception
Reject attempts to set more PIDs than nr_cpu_ids in
ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply
size in ovs_vport_cmd_msg_size() based on that bound, similar to the
existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already
used by the per-CPU dispatch configuration on the datapath side
(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the
two sides stay consistent.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < 8d59b80e69dddb665eb2de36e62859ab2073470e (git) |
| Linux | Linux | Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0 (git) |
| Linux | Linux | Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < b39f763d720d623218bc1d95ace6855d7b474e81 (git) |
| Linux | Linux | Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < f9ef3db77a383d66847fd082c2b437d8ae4d9c63 (git) |
| Linux | Linux | Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < f99ac36b5d7c719d08a69fcdecce40f78a874e15 (git) |
| Linux | Linux | Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704 (git) |
| Linux | Linux | Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < 1d6c02b86329883aa467a3a61f8d34369db73a2f (git) |
| Linux | Linux | Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < 2091c6aa0df6aba47deb5c8ab232b1cb60af3519 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c",
"net/openvswitch/vport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d59b80e69dddb665eb2de36e62859ab2073470e",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "b39f763d720d623218bc1d95ace6855d7b474e81",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "f9ef3db77a383d66847fd082c2b437d8ae4d9c63",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "f99ac36b5d7c719d08a69fcdecce40f78a874e15",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "1d6c02b86329883aa467a3a61f8d34369db73a2f",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "2091c6aa0df6aba47deb5c8ab232b1cb60af3519",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c",
"net/openvswitch/vport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: cap upcall PID array size and pre-size vport replies\n\nThe vport netlink reply helpers allocate a fixed-size skb with\nnlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID\narray via ovs_vport_get_upcall_portids(). Since\novs_vport_set_upcall_portids() accepts any non-zero multiple of\nsizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID\narray large enough to overflow the reply buffer, causing nla_put() to\nfail with -EMSGSIZE and hitting BUG_ON(err \u003c 0). On systems with\nunprivileged user namespaces enabled (e.g., Ubuntu default), this is\nreachable via unshare -Urn since OVS vport mutation operations use\nGENL_UNS_ADMIN_PERM.\n\n kernel BUG at net/openvswitch/datapath.c:2414!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1\n RIP: 0010:ovs_vport_cmd_set+0x34c/0x400\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)\n genl_rcv_msg (net/netlink/genetlink.c:1194)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n genl_rcv (net/netlink/genetlink.c:1219)\n netlink_unicast (net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n __sys_sendto (net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nReject attempts to set more PIDs than nr_cpu_ids in\novs_vport_set_upcall_portids(), and pre-compute the worst-case reply\nsize in ovs_vport_cmd_msg_size() based on that bound, similar to the\nexisting ovs_dp_cmd_msg_size(). 
nr_cpu_ids matches the cap already\nused by the per-CPU dispatch configuration on the datapath side\n(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the\ntwo sides stay consistent."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:11.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e"
},
{
"url": "https://git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0"
},
{
"url": "https://git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81"
},
{
"url": "https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63"
},
{
"url": "https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15"
},
{
"url": "https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704"
},
{
"url": "https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f"
},
{
"url": "https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519"
}
],
"title": "openvswitch: cap upcall PID array size and pre-size vport replies",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45840",
"datePublished": "2026-05-27T09:24:39.478Z",
"dateReserved": "2026-05-13T15:03:33.077Z",
"dateUpdated": "2026-06-14T17:46:11.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31717 (GCVE-0-2026-31717)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-06-14 17:44
Title
ksmbd: validate owner of durable handle on reconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate owner of durable handle on reconnect
Currently, ksmbd does not verify if the user attempting to reconnect
to a durable handle is the same user who originally opened the file.
This allows any authenticated user to hijack an orphaned durable handle
by predicting or brute-forcing the persistent ID.
According to MS-SMB2, the server MUST verify that the SecurityContext
of the reconnect request matches the SecurityContext associated with
the existing open.
Add a durable_owner structure to ksmbd_file to store the original opener's
UID, GID, and account name, capture the owner information when a file
handle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner()
to validate the identity of the requester during SMB2_CREATE (DHnC).
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8df4bcdb0a4232192b2445256c39b787d58ef14d , < 712cdf917e77a6444ce3836874829d770db20ee6 (git) |
| Linux | Linux | Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < c7f0f0d01c88bdcb8b1694d7d321670013f7ed7d (git) |
| Linux | Linux | Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 00ce8d6789dae72d042a4522264964c72891ca37 (git) |
| Linux | Linux | Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < c908c853f304a4969b5aa10eba0b50350cc65b80 (git) |
| Linux | Linux | Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 49110a8ce654bbe56bef7c5e44cce31f4b102b8a (git) |
| Linux | Linux | Affected: 6.6.32 , < 6.6.142 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c",
"fs/smb/server/oplock.c",
"fs/smb/server/oplock.h",
"fs/smb/server/smb2pdu.c",
"fs/smb/server/vfs_cache.c",
"fs/smb/server/vfs_cache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "712cdf917e77a6444ce3836874829d770db20ee6",
"status": "affected",
"version": "8df4bcdb0a4232192b2445256c39b787d58ef14d",
"versionType": "git"
},
{
"lessThan": "c7f0f0d01c88bdcb8b1694d7d321670013f7ed7d",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "00ce8d6789dae72d042a4522264964c72891ca37",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "c908c853f304a4969b5aa10eba0b50350cc65b80",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "49110a8ce654bbe56bef7c5e44cce31f4b102b8a",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "6.6.142",
"status": "affected",
"version": "6.6.32",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c",
"fs/smb/server/oplock.c",
"fs/smb/server/oplock.h",
"fs/smb/server/smb2pdu.c",
"fs/smb/server/vfs_cache.c",
"fs/smb/server/vfs_cache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate owner of durable handle on reconnect\n\nCurrently, ksmbd does not verify if the user attempting to reconnect\nto a durable handle is the same user who originally opened the file.\nThis allows any authenticated user to hijack an orphaned durable handle\nby predicting or brute-forcing the persistent ID.\n\nAccording to MS-SMB2, the server MUST verify that the SecurityContext\nof the reconnect request matches the SecurityContext associated with\nthe existing open.\nAdd a durable_owner structure to ksmbd_file to store the original opener\u0027s\nUID, GID, and account name. and catpure the owner information when a file\nhandle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner()\nto validate the identity of the requester during SMB2_CREATE (DHnC)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:27.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/712cdf917e77a6444ce3836874829d770db20ee6"
},
{
"url": "https://git.kernel.org/stable/c/c7f0f0d01c88bdcb8b1694d7d321670013f7ed7d"
},
{
"url": "https://git.kernel.org/stable/c/00ce8d6789dae72d042a4522264964c72891ca37"
},
{
"url": "https://git.kernel.org/stable/c/c908c853f304a4969b5aa10eba0b50350cc65b80"
},
{
"url": "https://git.kernel.org/stable/c/49110a8ce654bbe56bef7c5e44cce31f4b102b8a"
}
],
"title": "ksmbd: validate owner of durable handle on reconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31717",
"datePublished": "2026-05-01T13:56:12.012Z",
"dateReserved": "2026-03-09T15:48:24.134Z",
"dateUpdated": "2026-06-14T17:44:27.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43331 (GCVE-0-2026-43331)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-06-19 11:58
Title
x86/kexec: Disable KCOV instrumentation after load_segments()
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/kexec: Disable KCOV instrumentation after load_segments()
The load_segments() function changes segment registers, invalidating GS base
(which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any
subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins
crashing the kernel in an endless loop.
To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented
kernel:
    $ kexec -l /boot/otherKernel
    $ kexec -e
The real-world context for this problem is enabling crash dump collection in
syzkaller. For this, the tool loads a panic kernel before fuzzing and then
calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC
and CONFIG_KCOV to be enabled simultaneously.
Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())
is also undesirable as it would introduce an extra performance overhead.
Disabling instrumentation for the individual functions would be too fragile,
so disable KCOV instrumentation for the entire machine_kexec_64.c and
physaddr.c. If coverage-guided fuzzing ever needs these components in the
future, other approaches should be considered.
The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported
there.
[ bp: Space out comment for better readability. ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0d345996e4cb573f8cc81d49b3ee9a7fd2035bef , < 0e96cd314c0d819c1635d68125a4d77852c2162e (git) |
| Linux | Linux | Affected: 0d345996e4cb573f8cc81d49b3ee9a7fd2035bef , < 593d67032544b9271094fc9b43e437e017cb2b2f (git) |
| Linux | Linux | Affected: 0d345996e4cb573f8cc81d49b3ee9a7fd2035bef , < 1e3e98596c2769721ade0418434852fb3af4849a (git) |
| Linux | Linux | Affected: 0d345996e4cb573f8cc81d49b3ee9a7fd2035bef , < de05c66fab8847237a9ca216934e56d3ee837f08 (git) |
| Linux | Linux | Affected: 0d345996e4cb573f8cc81d49b3ee9a7fd2035bef , < 917e3ad3321e75ca0223d5ccf26ceda116aa51e1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/Makefile",
"arch/x86/mm/Makefile"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e96cd314c0d819c1635d68125a4d77852c2162e",
"status": "affected",
"version": "0d345996e4cb573f8cc81d49b3ee9a7fd2035bef",
"versionType": "git"
},
{
"lessThan": "593d67032544b9271094fc9b43e437e017cb2b2f",
"status": "affected",
"version": "0d345996e4cb573f8cc81d49b3ee9a7fd2035bef",
"versionType": "git"
},
{
"lessThan": "1e3e98596c2769721ade0418434852fb3af4849a",
"status": "affected",
"version": "0d345996e4cb573f8cc81d49b3ee9a7fd2035bef",
"versionType": "git"
},
{
"lessThan": "de05c66fab8847237a9ca216934e56d3ee837f08",
"status": "affected",
"version": "0d345996e4cb573f8cc81d49b3ee9a7fd2035bef",
"versionType": "git"
},
{
"lessThan": "917e3ad3321e75ca0223d5ccf26ceda116aa51e1",
"status": "affected",
"version": "0d345996e4cb573f8cc81d49b3ee9a7fd2035bef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/Makefile",
"arch/x86/mm/Makefile"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: Disable KCOV instrumentation after load_segments()\n\nThe load_segments() function changes segment registers, invalidating GS base\n(which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any\nsubsequent instrumented C code call (e.g. native_gdt_invalidate()) begins\ncrashing the kernel in an endless loop.\n\nTo reproduce the problem, it\u0027s sufficient to do kexec on a KCOV-instrumented\nkernel:\n\n $ kexec -l /boot/otherKernel\n $ kexec -e\n\nThe real-world context for this problem is enabling crash dump collection in\nsyzkaller. For this, the tool loads a panic kernel before fuzzing and then\ncalls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC\nand CONFIG_KCOV to be enabled simultaneously.\n\nAdding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())\nis also undesirable as it would introduce an extra performance overhead.\n\nDisabling instrumentation for the individual functions would be too fragile,\nso disable KCOV instrumentation for the entire machine_kexec_64.c and\nphysaddr.c. If coverage-guided fuzzing ever needs these components in the\nfuture, other approaches should be considered.\n\nThe problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported\nthere.\n\n [ bp: Space out comment for better readability. ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:29.321Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e96cd314c0d819c1635d68125a4d77852c2162e"
},
{
"url": "https://git.kernel.org/stable/c/593d67032544b9271094fc9b43e437e017cb2b2f"
},
{
"url": "https://git.kernel.org/stable/c/1e3e98596c2769721ade0418434852fb3af4849a"
},
{
"url": "https://git.kernel.org/stable/c/de05c66fab8847237a9ca216934e56d3ee837f08"
},
{
"url": "https://git.kernel.org/stable/c/917e3ad3321e75ca0223d5ccf26ceda116aa51e1"
}
],
"title": "x86/kexec: Disable KCOV instrumentation after load_segments()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43331",
"datePublished": "2026-05-08T13:31:18.787Z",
"dateReserved": "2026-05-01T14:12:56.002Z",
"dateUpdated": "2026-06-19T11:58:29.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43116 (GCVE-0-2026-43116)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-06-19 11:58
Title
netfilter: ctnetlink: ensure safe access to master conntrack
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: ensure safe access to master conntrack
Holding reference on the expectation is not sufficient, the master
conntrack object can just go away, making exp->master invalid.
To access exp->master safely:
- Grab the nf_conntrack_expect_lock, this gets serialized with
  clean_from_lists() which also holds this lock when the master
  conntrack goes away.
- Hold reference on master conntrack via nf_conntrack_find_get().
  Not so easy since the master tuple to look up for the master conntrack
  is not available in the existing problematic paths.
This patch goes for extending the nf_conntrack_expect_lock section
to address this issue for simplicity, in the cases that are described
below this is just slightly extending the lock section.
The add expectation command already holds a reference to the master
conntrack from ctnetlink_create_expect().
However, the delete expectation command needs to grab the spinlock
before looking up for the expectation. Expand the existing spinlock
section to address this to cover the expectation lookup. Note that,
the nf_ct_expect_iterate_net() calls already grabs the spinlock while
iterating over the expectation table, which is correct.
The get expectation command needs to grab the spinlock to ensure master
conntrack does not go away. This also expands the existing spinlock
section to cover the expectation lookup too. I needed to move the
netlink skb allocation out of the spinlock to keep it GFP_KERNEL.
For the expectation events, the IPEXP_DESTROY event is already delivered
under the spinlock, just move the delivery of IPEXP_NEW under the
spinlock too because the master conntrack event cache is reached through
exp->master.
While at it, add lockdep notations to help identify what codepaths need
to grab the spinlock.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < 9e1196d27ef496f404c76f7a9d03761142d991c4 (git) |
| Linux | Linux | Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < 5e1c1d22268ae710c238342c8030c21daf298168 (git) |
| Linux | Linux | Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < d52fa1fa7440676b8c238037a050ab008c22737f (git) |
| Linux | Linux | Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < f338ced0473849c9f6ed0b77ca99f1aab5826787 (git) |
| Linux | Linux | Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < 497f99b26fffdc5635706d1b4811f1ed8ee21a5b (git) |
| Linux | Linux | Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_core.h",
"net/netfilter/nf_conntrack_ecache.c",
"net/netfilter/nf_conntrack_expect.c",
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9e1196d27ef496f404c76f7a9d03761142d991c4",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "5e1c1d22268ae710c238342c8030c21daf298168",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "d52fa1fa7440676b8c238037a050ab008c22737f",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "f338ced0473849c9f6ed0b77ca99f1aab5826787",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "497f99b26fffdc5635706d1b4811f1ed8ee21a5b",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_core.h",
"net/netfilter/nf_conntrack_ecache.c",
"net/netfilter/nf_conntrack_expect.c",
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ensure safe access to master conntrack\n\nHolding reference on the expectation is not sufficient, the master\nconntrack object can just go away, making exp-\u003emaster invalid.\n\nTo access exp-\u003emaster safely:\n\n- Grab the nf_conntrack_expect_lock, this gets serialized with\n clean_from_lists() which also holds this lock when the master\n conntrack goes away.\n\n- Hold reference on master conntrack via nf_conntrack_find_get().\n Not so easy since the master tuple to look up for the master conntrack\n is not available in the existing problematic paths.\n\nThis patch goes for extending the nf_conntrack_expect_lock section\nto address this issue for simplicity, in the cases that are described\nbelow this is just slightly extending the lock section.\n\nThe add expectation command already holds a reference to the master\nconntrack from ctnetlink_create_expect().\n\nHowever, the delete expectation command needs to grab the spinlock\nbefore looking up for the expectation. Expand the existing spinlock\nsection to address this to cover the expectation lookup. Note that,\nthe nf_ct_expect_iterate_net() calls already grabs the spinlock while\niterating over the expectation table, which is correct.\n\nThe get expectation command needs to grab the spinlock to ensure master\nconntrack does not go away. This also expands the existing spinlock\nsection to cover the expectation lookup too. I needed to move the\nnetlink skb allocation out of the spinlock to keep it GFP_KERNEL.\n\nFor the expectation events, the IPEXP_DESTROY event is already delivered\nunder the spinlock, just move the delivery of IPEXP_NEW under the\nspinlock too because the master conntrack event cache is reached through\nexp-\u003emaster.\n\nWhile at it, add lockdep notations to help identify what codepaths need\nto grab the spinlock."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:15.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e1196d27ef496f404c76f7a9d03761142d991c4"
},
{
"url": "https://git.kernel.org/stable/c/5e1c1d22268ae710c238342c8030c21daf298168"
},
{
"url": "https://git.kernel.org/stable/c/d52fa1fa7440676b8c238037a050ab008c22737f"
},
{
"url": "https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787"
},
{
"url": "https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b"
},
{
"url": "https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5"
}
],
"title": "netfilter: ctnetlink: ensure safe access to master conntrack",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43116",
"datePublished": "2026-05-06T07:40:41.185Z",
"dateReserved": "2026-05-01T14:12:55.986Z",
"dateUpdated": "2026-06-19T11:58:15.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46275 (GCVE-0-2026-46275)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:30 – Updated: 2026-06-14 18:05
Title
Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer
Dereference (NPD) conditions were observed in the lifecycle management
of hci_uart.
The primary issue arises because the workqueues (init_ready and
write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY
flag is set during TTY close. If a hangup occurs before setup completes,
hci_uart_tty_close() skips the teardown of these workqueues and
proceeds to free the `hu` struct. When the scheduled work executes
later, it blindly dereferences the freed `hu` struct.
Furthermore, several data races and UAFs were identified in the teardown
sequence:
1. Calling hci_uart_flush() from hci_uart_close() without effectively
disabling write_work causes a race condition where both can concurrently
double-free hu->tx_skb. This happens because protocol timers can
concurrently invoke hci_uart_tx_wakeup() and requeue write_work.
2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF
when vendor specific protocol close callbacks dereference hu->hdev.
3. In the initialization error paths, failing to take the proto_lock
write lock before clearing PROTO_READY leads to races with active
readers. Additionally, hci_uart_tty_receive() accesses hu->hdev
outside the read lock, leading to UAFs if the initialization error
path frees hdev concurrently.
Fix these synchronization and lifecycle issues by:
1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,
followed immediately by a cancel_work_sync(&hu->write_work). Clearing
the flag locks out concurrent protocol timers from successfully invoking
hci_uart_tx_wakeup(), effectively rendering the cancellation permanent
and preventing the tx_skb double-free.
2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip
hu->proto->flush(). This is perfectly safe in the tty_close path
because hu->proto->close() executes shortly after, which intrinsically
purges all protocol SKB queues and tears down the state.
3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)
across all close and error paths to prevent vendor-level UAFs.
4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive()
inside the proto_lock read-side critical section to safely synchronize
with device unregistration.
5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely
flush the workqueue before hci_uart_flush() is invoked via the HCI core.
6. Utilizing cancel_work_sync() instead of disable_work_sync() across
all paths to prevent permanently breaking user-space retry capabilities.
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
3b799254cf6f481460719023d7a18f46651e5e7f , < 78aad93e938f013d9272fe0ee168f27883afa95c
(git)
Affected: 3b799254cf6f481460719023d7a18f46651e5e7f , < e2d19969c8d9198ecc3090bcd5312ecd503a3339 (git) Affected: 3b799254cf6f481460719023d7a18f46651e5e7f , < c85cff648a2bc92322912db5f1727ad05afae7b6 (git) Affected: 3b799254cf6f481460719023d7a18f46651e5e7f , < 9d20d48be2c4a071fb015eb09bda2cecd25daf34 (git) Affected: 3b799254cf6f481460719023d7a18f46651e5e7f , < 81c7a3c22a0f2808cf4ae0b4908f59763b23606d (git) Affected: 3b799254cf6f481460719023d7a18f46651e5e7f , < 192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894 (git) Affected: 3b799254cf6f481460719023d7a18f46651e5e7f , < 7338031946bd06f6dff149e67b60c4cd083bfea8 (git) Affected: 3b799254cf6f481460719023d7a18f46651e5e7f , < c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b (git) Affected: cd27019bc149f20f12ebec943c2b4c775745a5a0 (git) Affected: aea63181b6fcb6b9ccde1ada9ea51be19c4015af (git) Affected: 0d234d1135dcd8876de0576dac68efd0a87eef87 (git) Affected: 3fe978892ab46efc2f3830d9abc015eff72caaf9 (git) Affected: 0d987e14bebaf0f67ee7dbefaf6165c62cd1d27f (git) Affected: 4.14.203 , < 4.15 (semver) Affected: 4.19.153 , < 4.20 (semver) Affected: 5.4.73 , < 5.5 (semver) Affected: 5.8.17 , < 5.9 (semver) Affected: 5.9.2 , < 5.10 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78aad93e938f013d9272fe0ee168f27883afa95c",
"status": "affected",
"version": "3b799254cf6f481460719023d7a18f46651e5e7f",
"versionType": "git"
},
{
"lessThan": "e2d19969c8d9198ecc3090bcd5312ecd503a3339",
"status": "affected",
"version": "3b799254cf6f481460719023d7a18f46651e5e7f",
"versionType": "git"
},
{
"lessThan": "c85cff648a2bc92322912db5f1727ad05afae7b6",
"status": "affected",
"version": "3b799254cf6f481460719023d7a18f46651e5e7f",
"versionType": "git"
},
{
"lessThan": "9d20d48be2c4a071fb015eb09bda2cecd25daf34",
"status": "affected",
"version": "3b799254cf6f481460719023d7a18f46651e5e7f",
"versionType": "git"
},
{
"lessThan": "81c7a3c22a0f2808cf4ae0b4908f59763b23606d",
"status": "affected",
"version": "3b799254cf6f481460719023d7a18f46651e5e7f",
"versionType": "git"
},
{
"lessThan": "192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894",
"status": "affected",
"version": "3b799254cf6f481460719023d7a18f46651e5e7f",
"versionType": "git"
},
{
"lessThan": "7338031946bd06f6dff149e67b60c4cd083bfea8",
"status": "affected",
"version": "3b799254cf6f481460719023d7a18f46651e5e7f",
"versionType": "git"
},
{
"lessThan": "c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b",
"status": "affected",
"version": "3b799254cf6f481460719023d7a18f46651e5e7f",
"versionType": "git"
},
{
"status": "affected",
"version": "cd27019bc149f20f12ebec943c2b4c775745a5a0",
"versionType": "git"
},
{
"status": "affected",
"version": "aea63181b6fcb6b9ccde1ada9ea51be19c4015af",
"versionType": "git"
},
{
"status": "affected",
"version": "0d234d1135dcd8876de0576dac68efd0a87eef87",
"versionType": "git"
},
{
"status": "affected",
"version": "3fe978892ab46efc2f3830d9abc015eff72caaf9",
"versionType": "git"
},
{
"status": "affected",
"version": "0d987e14bebaf0f67ee7dbefaf6165c62cd1d27f",
"versionType": "git"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.203",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.153",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.73",
"versionType": "semver"
},
{
"lessThan": "5.9",
"status": "affected",
"version": "5.8.17",
"versionType": "semver"
},
{
"lessThan": "5.10",
"status": "affected",
"version": "5.9.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix UAFs and race conditions in close and init paths\n\nVulnerabilities leading to Use-After-Free (UAF) and Null Pointer\nDereference (NPD) conditions were observed in the lifecycle management\nof hci_uart.\n\nThe primary issue arises because the workqueues (init_ready and\nwrite_work) are only flushed/cancelled if the HCI_UART_PROTO_READY\nflag is set during TTY close. If a hangup occurs before setup completes,\nhci_uart_tty_close() skips the teardown of these workqueues and\nproceeds to free the `hu` struct. When the scheduled work executes\nlater, it blindly dereferences the freed `hu` struct.\n\nFurthermore, several data races and UAFs were identified in the teardown\nsequence:\n1. Calling hci_uart_flush() from hci_uart_close() without effectively\n disabling write_work causes a race condition where both can concurrently\n double-free hu-\u003etx_skb. This happens because protocol timers can\n concurrently invoke hci_uart_tx_wakeup() and requeue write_work.\n2. Calling hci_free_dev(hdev) before hu-\u003eproto-\u003eclose(hu) causes a UAF\n when vendor specific protocol close callbacks dereference hu-\u003ehdev.\n3. In the initialization error paths, failing to take the proto_lock\n write lock before clearing PROTO_READY leads to races with active\n readers. Additionally, hci_uart_tty_receive() accesses hu-\u003ehdev\n outside the read lock, leading to UAFs if the initialization error\n path frees hdev concurrently.\n\nFix these synchronization and lifecycle issues by:\n1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,\n followed immediately by a cancel_work_sync(\u0026hu-\u003ewrite_work). Clearing\n the flag locks out concurrent protocol timers from successfully invoking\n hci_uart_tx_wakeup(), effectively rendering the cancellation permanent\n and preventing the tx_skb double-free.\n2. 
Note: Clearing PROTO_READY early causes hci_uart_close() to skip\n hu-\u003eproto-\u003eflush(). This is perfectly safe in the tty_close path\n because hu-\u003eproto-\u003eclose() executes shortly after, which intrinsically\n purges all protocol SKB queues and tears down the state.\n3. Relocating hu-\u003eproto-\u003eclose(hu) strictly prior to hci_free_dev(hdev)\n across all close and error paths to prevent vendor-level UAFs.\n4. Moving the hdev-\u003estat.byte_rx increment in hci_uart_tty_receive()\n inside the proto_lock read-side critical section to safely synchronize\n with device unregistration.\n5. Adding cancel_work_sync(\u0026hu-\u003ewrite_work) to hci_uart_close() to safely\n flush the workqueue before hci_uart_flush() is invoked via the HCI core.\n6. Utilizing cancel_work_sync() instead of disable_work_sync() across\n all paths to prevent permanently breaking user-space retry capabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:05:39.086Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78aad93e938f013d9272fe0ee168f27883afa95c"
},
{
"url": "https://git.kernel.org/stable/c/e2d19969c8d9198ecc3090bcd5312ecd503a3339"
},
{
"url": "https://git.kernel.org/stable/c/c85cff648a2bc92322912db5f1727ad05afae7b6"
},
{
"url": "https://git.kernel.org/stable/c/9d20d48be2c4a071fb015eb09bda2cecd25daf34"
},
{
"url": "https://git.kernel.org/stable/c/81c7a3c22a0f2808cf4ae0b4908f59763b23606d"
},
{
"url": "https://git.kernel.org/stable/c/192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894"
},
{
"url": "https://git.kernel.org/stable/c/7338031946bd06f6dff149e67b60c4cd083bfea8"
},
{
"url": "https://git.kernel.org/stable/c/c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b"
}
],
"title": "Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46275",
"datePublished": "2026-06-08T14:30:54.232Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-14T18:05:39.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46315 (GCVE-0-2026-46315)
Vulnerability from cvelistv5 – Published: 2026-06-09 07:38 – Updated: 2026-06-14 18:08
Title
io_uring/waitid: clear waitid info before copying it to userspace
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: clear waitid info before copying it to userspace
IORING_OP_WAITID stores its result fields in struct io_waitid::info and
later copies them to userspace siginfo. The prep path initializes the
request arguments, but it does not initialize info itself.
If the wait operation completes without reporting a child event, the common
wait code can return without writing wo_info. In that case io_waitid_finish()
still copies iw->info to userspace, exposing stale bytes from the reused
io_kiocb command storage.
Clear the result storage during prep so the io_uring path matches the
regular waitid syscall, which uses a zero-initialized struct waitid_info.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
f31ecf671ddc498f20219453395794ff2383e06b , < 954518e5a4a5efc5033253f6e36fc7b9f98363a3
(git)
Affected: f31ecf671ddc498f20219453395794ff2383e06b , < b737c6612c60c23b40a9f31749b99e6f61943847 (git) Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 4d2a0de611ab60d02fc768ae0cd5918b16bd5474 (git) Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 93d93f5f8da791e98159795c6ef683f45bd95d13 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/waitid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "954518e5a4a5efc5033253f6e36fc7b9f98363a3",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "b737c6612c60c23b40a9f31749b99e6f61943847",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "4d2a0de611ab60d02fc768ae0cd5918b16bd5474",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "93d93f5f8da791e98159795c6ef683f45bd95d13",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/waitid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/waitid: clear waitid info before copying it to userspace\n\nIORING_OP_WAITID stores its result fields in struct io_waitid::info and\nlater copies them to userspace siginfo. The prep path initializes the\nrequest arguments, but it does not initialize info itself.\n\nIf the wait operation completes without reporting a child event, the common\nwait code can return without writing wo_info. In that case io_waitid_finish()\nstill copies iw-\u003einfo to userspace, exposing stale bytes from the reused\nio_kiocb command storage.\n\nClear the result storage during prep so the io_uring path matches the\nregular waitid syscall, which uses a zero-initialized struct waitid_info."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:38.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/954518e5a4a5efc5033253f6e36fc7b9f98363a3"
},
{
"url": "https://git.kernel.org/stable/c/b737c6612c60c23b40a9f31749b99e6f61943847"
},
{
"url": "https://git.kernel.org/stable/c/4d2a0de611ab60d02fc768ae0cd5918b16bd5474"
},
{
"url": "https://git.kernel.org/stable/c/93d93f5f8da791e98159795c6ef683f45bd95d13"
}
],
"title": "io_uring/waitid: clear waitid info before copying it to userspace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46315",
"datePublished": "2026-06-09T07:38:13.713Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:08:38.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43245 (GCVE-0-2026-43245)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-23 11:25
Title
ntfs: ->d_compare() must not block
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs: ->d_compare() must not block
... so don't use __getname() there. Switch it (and ntfs_d_hash(), while
we are at it) to kmalloc(PATH_MAX, GFP_NOWAIT). Yes, ntfs_d_hash()
almost certainly can do with smaller allocations, but let ntfs folks
deal with that - keep the allocation size as-is for now.
Stop abusing names_cachep in ntfs, period - various uses of that thing
in there have nothing to do with pathnames; just use k[mz]alloc() and
be done with that. For now let's keep sizes as-in, but AFAICS none of
the users actually want PATH_MAX.
Severity
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
a3a956c78efaa202b1d75190136671cf6e87bfbe , < 02ecc0978c459fd90bb24b2a946dd16d43e68fe5
(git)
Affected: a3a956c78efaa202b1d75190136671cf6e87bfbe , < 1be7ca86ce1794d966fda5d82181bc978b150fbc (git) Affected: a3a956c78efaa202b1d75190136671cf6e87bfbe , < 142c444a395f4d26055c8a4473e228bb86283f1e (git) Affected: a3a956c78efaa202b1d75190136671cf6e87bfbe , < fb4b1f969ba01fa1d4088467a02fc1e5f0806710 (git) Affected: a3a956c78efaa202b1d75190136671cf6e87bfbe , < ca2a04e84af79596e5cd9cfe697d5122ec39c8ce (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/dir.c",
"fs/ntfs3/fsntfs.c",
"fs/ntfs3/inode.c",
"fs/ntfs3/namei.c",
"fs/ntfs3/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "02ecc0978c459fd90bb24b2a946dd16d43e68fe5",
"status": "affected",
"version": "a3a956c78efaa202b1d75190136671cf6e87bfbe",
"versionType": "git"
},
{
"lessThan": "1be7ca86ce1794d966fda5d82181bc978b150fbc",
"status": "affected",
"version": "a3a956c78efaa202b1d75190136671cf6e87bfbe",
"versionType": "git"
},
{
"lessThan": "142c444a395f4d26055c8a4473e228bb86283f1e",
"status": "affected",
"version": "a3a956c78efaa202b1d75190136671cf6e87bfbe",
"versionType": "git"
},
{
"lessThan": "fb4b1f969ba01fa1d4088467a02fc1e5f0806710",
"status": "affected",
"version": "a3a956c78efaa202b1d75190136671cf6e87bfbe",
"versionType": "git"
},
{
"lessThan": "ca2a04e84af79596e5cd9cfe697d5122ec39c8ce",
"status": "affected",
"version": "a3a956c78efaa202b1d75190136671cf6e87bfbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/dir.c",
"fs/ntfs3/fsntfs.c",
"fs/ntfs3/inode.c",
"fs/ntfs3/namei.c",
"fs/ntfs3/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: -\u003ed_compare() must not block\n\n... so don\u0027t use __getname() there. Switch it (and ntfs_d_hash(), while\nwe are at it) to kmalloc(PATH_MAX, GFP_NOWAIT). Yes, ntfs_d_hash()\nalmost certainly can do with smaller allocations, but let ntfs folks\ndeal with that - keep the allocation size as-is for now.\n\nStop abusing names_cachep in ntfs, period - various uses of that thing\nin there have nothing to do with pathnames; just use k[mz]alloc() and\nbe done with that. For now let\u0027s keep sizes as-in, but AFAICS none of\nthe users actually want PATH_MAX."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T11:25:57.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/02ecc0978c459fd90bb24b2a946dd16d43e68fe5"
},
{
"url": "https://git.kernel.org/stable/c/1be7ca86ce1794d966fda5d82181bc978b150fbc"
},
{
"url": "https://git.kernel.org/stable/c/142c444a395f4d26055c8a4473e228bb86283f1e"
},
{
"url": "https://git.kernel.org/stable/c/fb4b1f969ba01fa1d4088467a02fc1e5f0806710"
},
{
"url": "https://git.kernel.org/stable/c/ca2a04e84af79596e5cd9cfe697d5122ec39c8ce"
}
],
"title": "ntfs: -\u003ed_compare() must not block",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43245",
"datePublished": "2026-05-06T11:28:37.602Z",
"dateReserved": "2026-05-01T14:12:55.996Z",
"dateUpdated": "2026-05-23T11:25:57.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23247 (GCVE-0-2026-23247)
Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-06-19 11:57
Title
tcp: secure_seq: add back ports to TS offset
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: secure_seq: add back ports to TS offset
This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets")
tcp_tw_recycle went away in 2017.
Zhouyan Deng reported off-path TCP source port leakage via
SYN cookie side-channel that can be fixed in multiple ways.
One of them is to bring back TCP ports in TS offset randomization.
As a bonus, we perform a single siphash() computation
to provide both an ISN and a TS offset.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
28ee1b746f493b7c62347d714f58fbf4f70df4f0 , < 5da5662181ef8a251e3ba564903002c2e87de452
(git)
Affected: 28ee1b746f493b7c62347d714f58fbf4f70df4f0 , < eae2f14ab2efccdb7480fae7d42c4b0116ef8805 (git) Affected: 28ee1b746f493b7c62347d714f58fbf4f70df4f0 , < 46e5b0d7cf55821527adea471ffe52a5afbd9caf (git) Affected: 28ee1b746f493b7c62347d714f58fbf4f70df4f0 , < 165573e41f2f66ef98940cf65f838b2cb575d9d1 (git) Affected: 443fac9f2618b93cbc5ab068dc594530236b3a23 (git) Affected: 4.10.14 , < 4.11 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/secure_seq.h",
"include/net/tcp.h",
"net/core/secure_seq.c",
"net/ipv4/syncookies.c",
"net/ipv4/tcp_input.c",
"net/ipv4/tcp_ipv4.c",
"net/ipv6/syncookies.c",
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5da5662181ef8a251e3ba564903002c2e87de452",
"status": "affected",
"version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0",
"versionType": "git"
},
{
"lessThan": "eae2f14ab2efccdb7480fae7d42c4b0116ef8805",
"status": "affected",
"version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0",
"versionType": "git"
},
{
"lessThan": "46e5b0d7cf55821527adea471ffe52a5afbd9caf",
"status": "affected",
"version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0",
"versionType": "git"
},
{
"lessThan": "165573e41f2f66ef98940cf65f838b2cb575d9d1",
"status": "affected",
"version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0",
"versionType": "git"
},
{
"status": "affected",
"version": "443fac9f2618b93cbc5ab068dc594530236b3a23",
"versionType": "git"
},
{
"lessThan": "4.11",
"status": "affected",
"version": "4.10.14",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/secure_seq.h",
"include/net/tcp.h",
"net/core/secure_seq.c",
"net/ipv4/syncookies.c",
"net/ipv4/tcp_input.c",
"net/ipv4/tcp_ipv4.c",
"net/ipv6/syncookies.c",
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.10.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: secure_seq: add back ports to TS offset\n\nThis reverts 28ee1b746f49 (\"secure_seq: downgrade to per-host timestamp offsets\")\n\ntcp_tw_recycle went away in 2017.\n\nZhouyan Deng reported off-path TCP source port leakage via\nSYN cookie side-channel that can be fixed in multiple ways.\n\nOne of them is to bring back TCP ports in TS offset randomization.\n\nAs a bonus, we perform a single siphash() computation\nto provide both an ISN and a TS offset."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:32.014Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5da5662181ef8a251e3ba564903002c2e87de452"
},
{
"url": "https://git.kernel.org/stable/c/eae2f14ab2efccdb7480fae7d42c4b0116ef8805"
},
{
"url": "https://git.kernel.org/stable/c/46e5b0d7cf55821527adea471ffe52a5afbd9caf"
},
{
"url": "https://git.kernel.org/stable/c/165573e41f2f66ef98940cf65f838b2cb575d9d1"
}
],
"title": "tcp: secure_seq: add back ports to TS offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23247",
"datePublished": "2026-03-18T10:05:09.353Z",
"dateReserved": "2026-01-13T15:37:45.989Z",
"dateUpdated": "2026-06-19T11:57:32.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46117 (GCVE-0-2026-46117)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-30 12:10
Title
RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
Sashiko points out that the user can specify WQs sharing the same CQ as a
part of the uAPI and this will trigger the WARN_ON() then go on to corrupt
the kernel.
Just reject it outright and fail the QP creation.
Severity
7.8 (High)
CWE
- CWE-1288 - Improper Validation of Consistency within Input
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c15d7802a42402a87880a17eee89ff023e49ecc0 , < 9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71 (git); Affected: c15d7802a42402a87880a17eee89ff023e49ecc0 , < 9ef65af26b2a6738bf15812042e84b3112402d3a (git); Affected: c15d7802a42402a87880a17eee89ff023e49ecc0 , < db991ba50087ad99fa12a2c483aa3be19671ea73 (git); Affected: c15d7802a42402a87880a17eee89ff023e49ecc0 , < 159f2efabc89d3f931d38f2d35876535d4abf0a3 (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s RDMA/mana component. A local user could trigger a kernel corruption by providing specific configurations through the user Application Programming Interface (uAPI) that cause an internal error. This issue arises when Work Queues (WQs) are specified to share the same Completion Queue (CQ), leading to an unstable system state."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1288",
"description": "Improper Validation of Consistency within Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:12.327Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46117"
},
{
"name": "RHBZ#2482576",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482576"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46117.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30129"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:30129: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27789: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mana/cq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71",
"status": "affected",
"version": "c15d7802a42402a87880a17eee89ff023e49ecc0",
"versionType": "git"
},
{
"lessThan": "9ef65af26b2a6738bf15812042e84b3112402d3a",
"status": "affected",
"version": "c15d7802a42402a87880a17eee89ff023e49ecc0",
"versionType": "git"
},
{
"lessThan": "db991ba50087ad99fa12a2c483aa3be19671ea73",
"status": "affected",
"version": "c15d7802a42402a87880a17eee89ff023e49ecc0",
"versionType": "git"
},
{
"lessThan": "159f2efabc89d3f931d38f2d35876535d4abf0a3",
"status": "affected",
"version": "c15d7802a42402a87880a17eee89ff023e49ecc0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mana/cq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()\n\nSashiko points out that the user can specify WQs sharing the same CQ as a\npart of the uAPI and this will trigger the WARN_ON() then go on to corrupt\nthe kernel.\n\nJust reject it outright and fail the QP creation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:55:40.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71"
},
{
"url": "https://git.kernel.org/stable/c/9ef65af26b2a6738bf15812042e84b3112402d3a"
},
{
"url": "https://git.kernel.org/stable/c/db991ba50087ad99fa12a2c483aa3be19671ea73"
},
{
"url": "https://git.kernel.org/stable/c/159f2efabc89d3f931d38f2d35876535d4abf0a3"
}
],
"title": "RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46117",
"datePublished": "2026-05-28T09:35:32.344Z",
"dateReserved": "2026-05-13T15:03:33.098Z",
"dateUpdated": "2026-06-30T12:10:12.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.