Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0664
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | N/A | SUSE Linux Micro 6.1 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 LTSS | ||
| SUSE | N/A | SUSE Linux Micro Extras 6.1 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP applications 16.0 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | N/A | SUSE Linux Micro 6.2 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 16.0 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Micro 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro Extras 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro 6.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2026-31685",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31685"
},
{
"name": "CVE-2026-23269",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23269"
},
{
"name": "CVE-2026-31416",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31416"
},
{
"name": "CVE-2026-23293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23293"
},
{
"name": "CVE-2023-20585",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20585"
},
{
"name": "CVE-2026-23290",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23290"
},
{
"name": "CVE-2026-31787",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31787"
},
{
"name": "CVE-2026-23468",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23468"
},
{
"name": "CVE-2026-23461",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23461"
},
{
"name": "CVE-2026-23340",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23340"
},
{
"name": "CVE-2026-31738",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31738"
},
{
"name": "CVE-2026-43284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43284"
},
{
"name": "CVE-2026-43025",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43025"
},
{
"name": "CVE-2026-23268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23268"
},
{
"name": "CVE-2026-31408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31408"
},
{
"name": "CVE-2026-31524",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31524"
},
{
"name": "CVE-2026-23209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23209"
},
{
"name": "CVE-2026-31681",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31681"
},
{
"name": "CVE-2026-23456",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23456"
},
{
"name": "CVE-2026-23457",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23457"
},
{
"name": "CVE-2026-31496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31496"
},
{
"name": "CVE-2026-23408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23408"
},
{
"name": "CVE-2026-43334",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43334"
},
{
"name": "CVE-2026-23391",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23391"
},
{
"name": "CVE-2026-23462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23462"
},
{
"name": "CVE-2026-23273",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23273"
},
{
"name": "CVE-2026-31422",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31422"
},
{
"name": "CVE-2024-50082",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50082"
},
{
"name": "CVE-2026-43264",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43264"
},
{
"name": "CVE-2026-31427",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31427"
},
{
"name": "CVE-2026-23472",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23472"
},
{
"name": "CVE-2025-71108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71108"
},
{
"name": "CVE-2026-31423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31423"
},
{
"name": "CVE-2026-23216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23216"
},
{
"name": "CVE-2026-43437",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43437"
},
{
"name": "CVE-2026-31675",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31675"
},
{
"name": "CVE-2026-23193",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23193"
},
{
"name": "CVE-2026-43126",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43126"
},
{
"name": "CVE-2026-31403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31403"
},
{
"name": "CVE-2026-31400",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31400"
},
{
"name": "CVE-2026-31512",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31512"
},
{
"name": "CVE-2026-31504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31504"
},
{
"name": "CVE-2025-71118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71118"
},
{
"name": "CVE-2026-31607",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31607"
},
{
"name": "CVE-2026-23405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23405"
},
{
"name": "CVE-2026-23403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23403"
},
{
"name": "CVE-2026-43190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43190"
},
{
"name": "CVE-2026-23292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23292"
},
{
"name": "CVE-2022-50053",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50053"
},
{
"name": "CVE-2026-23455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23455"
},
{
"name": "CVE-2026-43110",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43110"
},
{
"name": "CVE-2026-31507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31507"
},
{
"name": "CVE-2026-46333",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46333"
},
{
"name": "CVE-2026-31411",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31411"
},
{
"name": "CVE-2026-31428",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31428"
},
{
"name": "CVE-2026-23449",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23449"
},
{
"name": "CVE-2026-23442",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23442"
},
{
"name": "CVE-2026-23458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23458"
},
{
"name": "CVE-2026-31649",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31649"
},
{
"name": "CVE-2026-31393",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31393"
},
{
"name": "CVE-2026-23404",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23404"
},
{
"name": "CVE-2026-23378",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23378"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2026-31700",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31700"
},
{
"name": "CVE-2026-23312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23312"
},
{
"name": "CVE-2026-31424",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31424"
},
{
"name": "CVE-2026-31407",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31407"
},
{
"name": "CVE-2026-31602",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31602"
},
{
"name": "CVE-2026-31425",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31425"
},
{
"name": "CVE-2025-71238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71238"
},
{
"name": "CVE-2026-43255",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43255"
},
{
"name": "CVE-2026-23276",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23276"
},
{
"name": "CVE-2026-43088",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43088"
},
{
"name": "CVE-2026-31667",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31667"
}
],
"initial_release_date": "2026-05-29T00:00:00",
"last_revision_date": "2026-05-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0664",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21818-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621818-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21816-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621816-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621720-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621720-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21775-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621775-1"
},
{
"published_at": "2026-05-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2068-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262068-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21771-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621771-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21777-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621777-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21772-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621772-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21743-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621743-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621721-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621721-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21774-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621774-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21766-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621766-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21767-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621767-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621723-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621723-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21817-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621817-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21765-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621765-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21745-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621745-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21778-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621778-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21734-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621734-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621719-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621719-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21773-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621773-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21776-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621776-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621724-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621724-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21735-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621735-1"
}
]
}
CVE-2024-50082 (GCVE-0-2024-50082)
Vulnerability from cvelistv5
Published
2024-10-29 00:50
Modified
2026-05-11 20:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race
We're seeing crashes from rq_qos_wake_function that look like this:
BUG: unable to handle page fault for address: ffffafe180a40084
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0
Oops: Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00
RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011
RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084
RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011
R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002
R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003
FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
try_to_wake_up+0x5a/0x6a0
rq_qos_wake_function+0x71/0x80
__wake_up_common+0x75/0xa0
__wake_up+0x36/0x60
scale_up.part.0+0x50/0x110
wb_timer_fn+0x227/0x450
...
So rq_qos_wake_function() calls wake_up_process(data->task), which calls
try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock).
p comes from data->task, and data comes from the waitqueue entry, which
is stored on the waiter's stack in rq_qos_wait(). Analyzing the core
dump with drgn, I found that the waiter had already woken up and moved
on to a completely unrelated code path, clobbering what was previously
data->task. Meanwhile, the waker was passing the clobbered garbage in
data->task to wake_up_process(), leading to the crash.
What's happening is that in between rq_qos_wake_function() deleting the
waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding
that it already got a token and returning. The race looks like this:
rq_qos_wait() rq_qos_wake_function()
==============================================================
prepare_to_wait_exclusive()
data->got_token = true;
list_del_init(&curr->entry);
if (data.got_token)
break;
finish_wait(&rqw->wait, &data.wq);
^- returns immediately because
list_empty_careful(&wq_entry->entry)
is true
... return, go do something else ...
wake_up_process(data->task)
(NO LONGER VALID!)-^
Normally, finish_wait() is supposed to synchronize against the waker.
But, as noted above, it is returning immediately because the waitqueue
entry has already been removed from the waitqueue.
The bug is that rq_qos_wake_function() is accessing the waitqueue entry
AFTER deleting it. Note that autoremove_wake_function() wakes the waiter
and THEN deletes the waitqueue entry, which is the proper order.
Fix it by swapping the order. We also need to use
list_del_init_careful() to match the list_empty_careful() in
finish_wait().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 38cfb5a45ee013bfab5d1ae4c4738815e744b440 Version: 38cfb5a45ee013bfab5d1ae4c4738815e744b440 Version: 38cfb5a45ee013bfab5d1ae4c4738815e744b440 Version: 38cfb5a45ee013bfab5d1ae4c4738815e744b440 Version: 38cfb5a45ee013bfab5d1ae4c4738815e744b440 Version: 38cfb5a45ee013bfab5d1ae4c4738815e744b440 Version: 38cfb5a45ee013bfab5d1ae4c4738815e744b440 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:25:14.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-rq-qos.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d04b72c9ef2b0689bfc1057d21c4aeed087c329f",
"status": "affected",
"version": "38cfb5a45ee013bfab5d1ae4c4738815e744b440",
"versionType": "git"
},
{
"lessThan": "3bc6d0f8b70a9101456cf02ab99acb75254e1852",
"status": "affected",
"version": "38cfb5a45ee013bfab5d1ae4c4738815e744b440",
"versionType": "git"
},
{
"lessThan": "455a469758e57a6fe070e3e342db12e4a629e0eb",
"status": "affected",
"version": "38cfb5a45ee013bfab5d1ae4c4738815e744b440",
"versionType": "git"
},
{
"lessThan": "b5e900a3612b69423a0e1b0ab67841a1fb4af80f",
"status": "affected",
"version": "38cfb5a45ee013bfab5d1ae4c4738815e744b440",
"versionType": "git"
},
{
"lessThan": "4c5b123ab289767afe940389dbb963c5c05e594e",
"status": "affected",
"version": "38cfb5a45ee013bfab5d1ae4c4738815e744b440",
"versionType": "git"
},
{
"lessThan": "04f283fc16c8d5db641b6bffd2d8310aa7eccebc",
"status": "affected",
"version": "38cfb5a45ee013bfab5d1ae4c4738815e744b440",
"versionType": "git"
},
{
"lessThan": "e972b08b91ef48488bae9789f03cfedb148667fb",
"status": "affected",
"version": "38cfb5a45ee013bfab5d1ae4c4738815e744b440",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-rq-qos.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.228",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.228",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.169",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.114",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.58",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.5",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race\n\nWe\u0027re seeing crashes from rq_qos_wake_function that look like this:\n\n BUG: unable to handle page fault for address: ffffafe180a40084\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0\n Oops: Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40\n Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 \u003cf0\u003e 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00\n RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084\n RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011\n R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002\n R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003\n FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n try_to_wake_up+0x5a/0x6a0\n rq_qos_wake_function+0x71/0x80\n __wake_up_common+0x75/0xa0\n __wake_up+0x36/0x60\n scale_up.part.0+0x50/0x110\n wb_timer_fn+0x227/0x450\n ...\n\nSo rq_qos_wake_function() calls wake_up_process(data-\u003etask), which calls\ntry_to_wake_up(), which faults in raw_spin_lock_irqsave(\u0026p-\u003epi_lock).\n\np comes from data-\u003etask, and data comes from the waitqueue entry, which\nis stored on the waiter\u0027s stack in rq_qos_wait(). Analyzing the core\ndump with drgn, I found that the waiter had already woken up and moved\non to a completely unrelated code path, clobbering what was previously\ndata-\u003etask. Meanwhile, the waker was passing the clobbered garbage in\ndata-\u003etask to wake_up_process(), leading to the crash.\n\nWhat\u0027s happening is that in between rq_qos_wake_function() deleting the\nwaitqueue entry and calling wake_up_process(), rq_qos_wait() is finding\nthat it already got a token and returning. The race looks like this:\n\nrq_qos_wait() rq_qos_wake_function()\n==============================================================\nprepare_to_wait_exclusive()\n data-\u003egot_token = true;\n list_del_init(\u0026curr-\u003eentry);\nif (data.got_token)\n break;\nfinish_wait(\u0026rqw-\u003ewait, \u0026data.wq);\n ^- returns immediately because\n list_empty_careful(\u0026wq_entry-\u003eentry)\n is true\n... return, go do something else ...\n wake_up_process(data-\u003etask)\n (NO LONGER VALID!)-^\n\nNormally, finish_wait() is supposed to synchronize against the waker.\nBut, as noted above, it is returning immediately because the waitqueue\nentry has already been removed from the waitqueue.\n\nThe bug is that rq_qos_wake_function() is accessing the waitqueue entry\nAFTER deleting it. Note that autoremove_wake_function() wakes the waiter\nand THEN deletes the waitqueue entry, which is the proper order.\n\nFix it by swapping the order. We also need to use\nlist_del_init_careful() to match the list_empty_careful() in\nfinish_wait()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:45:05.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d04b72c9ef2b0689bfc1057d21c4aeed087c329f"
},
{
"url": "https://git.kernel.org/stable/c/3bc6d0f8b70a9101456cf02ab99acb75254e1852"
},
{
"url": "https://git.kernel.org/stable/c/455a469758e57a6fe070e3e342db12e4a629e0eb"
},
{
"url": "https://git.kernel.org/stable/c/b5e900a3612b69423a0e1b0ab67841a1fb4af80f"
},
{
"url": "https://git.kernel.org/stable/c/4c5b123ab289767afe940389dbb963c5c05e594e"
},
{
"url": "https://git.kernel.org/stable/c/04f283fc16c8d5db641b6bffd2d8310aa7eccebc"
},
{
"url": "https://git.kernel.org/stable/c/e972b08b91ef48488bae9789f03cfedb148667fb"
}
],
"title": "blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50082",
"datePublished": "2024-10-29T00:50:24.667Z",
"dateReserved": "2024-10-21T19:36:19.941Z",
"dateUpdated": "2026-05-11T20:45:05.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23468 (GCVE-0-2026-23468)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-06-01 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
Userspace can pass an arbitrary number of BO list entries via the
bo_number field. Although the previous multiplication overflow check
prevents out-of-bounds allocation, a large number of entries could still
cause excessive memory allocation (up to potentially gigabytes) and
unnecessarily long list processing times.
Introduce a hard limit of 128k entries per BO list, which is more than
sufficient for any realistic use case (e.g., a single list containing all
buffers in a large scene). This prevents memory exhaustion attacks and
ensures predictable performance.
Return -EINVAL if the requested entry count exceeds the limit
(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c833d6c7199c5b5fca9ec95593acd539ec9c171c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "e620378aab78d415bd8a15a2f91c145906520288",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "2723e6851309531ce61aed74e93a0cd268cc862a",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "5ce4a38e6c2488949e373d5066303f9c128db614",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "6270b1a5dab94665d7adce3dc78bc9066ed28bdd",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Limit BO list entry count to prevent resource exhaustion\n\nUserspace can pass an arbitrary number of BO list entries via the\nbo_number field. Although the previous multiplication overflow check\nprevents out-of-bounds allocation, a large number of entries could still\ncause excessive memory allocation (up to potentially gigabytes) and\nunnecessarily long list processing times.\n\nIntroduce a hard limit of 128k entries per BO list, which is more than\nsufficient for any realistic use case (e.g., a single list containing all\nbuffers in a large scene). This prevents memory exhaustion attacks and\nensures predictable performance.\n\nReturn -EINVAL if the requested entry count exceeds the limit\n\n(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:15.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c833d6c7199c5b5fca9ec95593acd539ec9c171c"
},
{
"url": "https://git.kernel.org/stable/c/e620378aab78d415bd8a15a2f91c145906520288"
},
{
"url": "https://git.kernel.org/stable/c/2723e6851309531ce61aed74e93a0cd268cc862a"
},
{
"url": "https://git.kernel.org/stable/c/5ce4a38e6c2488949e373d5066303f9c128db614"
},
{
"url": "https://git.kernel.org/stable/c/f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9"
},
{
"url": "https://git.kernel.org/stable/c/6270b1a5dab94665d7adce3dc78bc9066ed28bdd"
}
],
"title": "drm/amdgpu: Limit BO list entry count to prevent resource exhaustion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23468",
"datePublished": "2026-04-03T15:15:47.207Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-06-01T16:11:15.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23408 (GCVE-0-2026-23408)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-05-11 22:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: Fix double free of ns_name in aa_replace_profiles()
if ns_name is NULL after
1071 error = aa_unpack(udata, &lh, &ns_name);
and if ent->ns_name contains an ns_name in
1089 } else if (ent->ns_name) {
then ns_name is assigned the ent->ns_name
1095 ns_name = ent->ns_name;
however ent->ns_name is freed at
1262 aa_load_ent_free(ent);
and then again when freeing ns_name at
1270 kfree(ns_name);
Fix this by NULLing out ent->ns_name after it is transferred to ns_name
")
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "c053ae381ce227577567d1ef10090ce7506d7a28",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "35f4caec1352054b9a61cfdf2bf1898073637aa0",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "86feeccd6b93ed94bd6655f30de80f163f8d5a45",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "7998ab3010d2317643f91828f1853d954ef31387",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "18b5233e860c294a847ee07869d93c0b8673a54b",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "5df0c44e8f5f619d3beb871207aded7c78414502",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix double free of ns_name in aa_replace_profiles()\n\nif ns_name is NULL after\n1071 error = aa_unpack(udata, \u0026lh, \u0026ns_name);\n\nand if ent-\u003ens_name contains an ns_name in\n1089 } else if (ent-\u003ens_name) {\n\nthen ns_name is assigned the ent-\u003ens_name\n1095 ns_name = ent-\u003ens_name;\n\nhowever ent-\u003ens_name is freed at\n1262 aa_load_ent_free(ent);\n\nand then again when freeing ns_name at\n1270 kfree(ns_name);\n\nFix this by NULLing out ent-\u003ens_name after it is transferred to ns_name\n\n\")"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:19.995Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689"
},
{
"url": "https://git.kernel.org/stable/c/c053ae381ce227577567d1ef10090ce7506d7a28"
},
{
"url": "https://git.kernel.org/stable/c/35f4caec1352054b9a61cfdf2bf1898073637aa0"
},
{
"url": "https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a"
},
{
"url": "https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45"
},
{
"url": "https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387"
},
{
"url": "https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b"
},
{
"url": "https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502"
}
],
"title": "apparmor: Fix double free of ns_name in aa_replace_profiles()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23408",
"datePublished": "2026-04-01T08:36:37.873Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-05-11T22:06:19.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23273 (GCVE-0-2026-23273)
Vulnerability from cvelistv5
Published
2026-03-20 08:08
Modified
2026-05-23 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: observe an RCU grace period in macvlan_common_newlink() error path
valis reported that a race condition still happens after my prior patch.
macvlan_common_newlink() might have made @dev visible before
detecting an error, and its caller will directly call free_netdev(dev).
We must respect an RCU period, either in macvlan or the core networking
stack.
After adding a temporary mdelay(1000) in macvlan_forward_source_one()
to open the race window, valis repro was:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
(ip link add invalid% link p2 type macvlan mode source macaddr add
00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4
PING 1.2.3.4 (1.2.3.4): 56 data bytes
RTNETLINK answers: Invalid argument
BUG: KASAN: slab-use-after-free in macvlan_forward_source
(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
Read of size 8 at addr ffff888016bb89c0 by task e/175
CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:123)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
kasan_report (mm/kasan/report.c:597)
? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
? tasklet_init (kernel/softirq.c:983)
macvlan_handle_frame (drivers/net/macvlan.c:501)
Allocated by task 169:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/x86/include/asm/current.h:25
mm/kasan/common.c:70 mm/kasan/common.c:79)
__kasan_kmalloc (mm/kasan/common.c:419)
__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657
mm/slub.c:7140)
alloc_netdev_mqs (net/core/dev.c:12012)
rtnl_create_link (net/core/rtnetlink.c:3648)
rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957
net/core/rtnetlink.c:4072)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
Freed by task 169:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/x86/include/asm/current.h:25
mm/kasan/common.c:70 mm/kasan/common.c:79)
kasan_save_free_info (mm/kasan/generic.c:587)
__kasan_slab_free (mm/kasan/common.c:287)
kfree (mm/slub.c:6674 mm/slub.c:6882)
rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957
net/core/rtnetlink.c:4072)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: da5c6b8ae47e414be47e5e04def15b25d5c962dc Version: 5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a Version: c43d0e787cbba569ec9d11579ed370b50fab6c9c Version: 11ba9f0dc865136174cb98834280fb21bbc950c7 Version: 986967a162142710076782d5b93daab93a892980 Version: cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 Version: f8db6475a83649689c087a8f52486fcc53e627e9 Version: f8db6475a83649689c087a8f52486fcc53e627e9 Version: 5.10.250 ≤ Version: 5.15.200 ≤ Version: 6.1.163 ≤ Version: 6.6.124 ≤ Version: 6.12.70 ≤ Version: 6.18.10 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "91e4ff8d966978901630fc29582c1a76d3c6e46c",
"status": "affected",
"version": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
"versionType": "git"
},
{
"lessThan": "3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4",
"status": "affected",
"version": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
"versionType": "git"
},
{
"lessThan": "721eb342d9ba19bad5c4815ea3921465158b7362",
"status": "affected",
"version": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
"versionType": "git"
},
{
"lessThan": "19c7d8ac51988d053709c1e85bd8482076af845d",
"status": "affected",
"version": "11ba9f0dc865136174cb98834280fb21bbc950c7",
"versionType": "git"
},
{
"lessThan": "a1f686d273d129b45712d95f4095843b864466bd",
"status": "affected",
"version": "986967a162142710076782d5b93daab93a892980",
"versionType": "git"
},
{
"lessThan": "d34f7a8aa9a25b7e64e0e46e444697c0f702374d",
"status": "affected",
"version": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
"versionType": "git"
},
{
"lessThan": "1e58ae87ad1e6e24368dea9aec9048c758cd0e2b",
"status": "affected",
"version": "f8db6475a83649689c087a8f52486fcc53e627e9",
"versionType": "git"
},
{
"lessThan": "e3f000f0dee1bfab52e2e61ca6a3835d9e187e35",
"status": "affected",
"version": "f8db6475a83649689c087a8f52486fcc53e627e9",
"versionType": "git"
},
{
"lessThan": "5.10.252",
"status": "affected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThan": "5.15.202",
"status": "affected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThan": "6.1.165",
"status": "affected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThan": "6.6.128",
"status": "affected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThan": "6.18.14",
"status": "affected",
"version": "6.18.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.10.250",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.6.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: observe an RCU grace period in macvlan_common_newlink() error path\n\nvalis reported that a race condition still happens after my prior patch.\n\nmacvlan_common_newlink() might have made @dev visible before\ndetecting an error, and its caller will directly call free_netdev(dev).\n\nWe must respect an RCU period, either in macvlan or the core networking\nstack.\n\nAfter adding a temporary mdelay(1000) in macvlan_forward_source_one()\nto open the race window, valis repro was:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\nip link add mv0 link p2 type macvlan mode source\n\n(ip link add invalid% link p2 type macvlan mode source macaddr add\n00:00:00:00:00:20 \u0026) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4\nPING 1.2.3.4 (1.2.3.4): 56 data bytes\nRTNETLINK answers: Invalid argument\n\nBUG: KASAN: slab-use-after-free in macvlan_forward_source\n(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nRead of size 8 at addr ffff888016bb89c0 by task e/175\n\nCPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl (lib/dump_stack.c:123)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nkasan_report (mm/kasan/report.c:597)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nmacvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\n? tasklet_init (kernel/softirq.c:983)\nmacvlan_handle_frame (drivers/net/macvlan.c:501)\n\nAllocated by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657\nmm/slub.c:7140)\nalloc_netdev_mqs (net/core/dev.c:12012)\nrtnl_create_link (net/core/rtnetlink.c:3648)\nrtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)\n\nFreed by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_free_info (mm/kasan/generic.c:587)\n__kasan_slab_free (mm/kasan/common.c:287)\nkfree (mm/slub.c:6674 mm/slub.c:6882)\nrtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:27.068Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46c"
},
{
"url": "https://git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4"
},
{
"url": "https://git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362"
},
{
"url": "https://git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845d"
},
{
"url": "https://git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bd"
},
{
"url": "https://git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374d"
},
{
"url": "https://git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2b"
},
{
"url": "https://git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35"
}
],
"title": "macvlan: observe an RCU grace period in macvlan_common_newlink() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23273",
"datePublished": "2026-03-20T08:08:54.111Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-05-23T16:04:27.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23269 (GCVE-0-2026-23269)
Vulnerability from cvelistv5
Published
2026-03-18 17:54
Modified
2026-05-11 22:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: validate DFA start states are in bounds in unpack_pdb
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f43eea8ae0102ea198da211ef7f5ce83725ecf19",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "5487871b2b56c19d26936ed6fdc62652b30941df",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "07cf6320f40ea2ccfad63728cff34ecb309d03da",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "0baadb0eece2c4d939db10d3c323b4652ac79a58",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "3bb7db43e32190c973d4019037cedb7895920184",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "9063d7e2615f4a7ab321de6b520e23d370e58816",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa-\u003etables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:35.779Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f43eea8ae0102ea198da211ef7f5ce83725ecf19"
},
{
"url": "https://git.kernel.org/stable/c/5487871b2b56c19d26936ed6fdc62652b30941df"
},
{
"url": "https://git.kernel.org/stable/c/5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a"
},
{
"url": "https://git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da"
},
{
"url": "https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"
},
{
"url": "https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58"
},
{
"url": "https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184"
},
{
"url": "https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816"
},
{
"url": "https://www.qualys.com/2026/03/10/crack-armor.txt"
}
],
"title": "apparmor: validate DFA start states are in bounds in unpack_pdb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23269",
"datePublished": "2026-03-18T17:54:42.988Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-05-11T22:03:35.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23405 (GCVE-0-2026-23405)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-05-11 22:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix: limit the number of levels of policy namespaces
Currently the number of policy namespaces is not bounded relying on
the user namespace limit. However policy namespaces aren't strictly
tied to user namespaces and it is possible to create them and nest
them arbitrarily deep which can be used to exhaust system resource.
Hard cap policy namespaces to the same depth as user namespaces.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/policy_ns.h",
"security/apparmor/policy_ns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b396cc2f0365e684fc1d3547d18ef79fcee225d",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "87d0cecc900e55d55fc4dbfb43ac93e269c7a5b3",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "b1226e37eb3754d389721c135db6107db94c7a72",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "853ce31ca72097d23991a06876a2ccb5cb64b603",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "d42b2b6bb77ca40ee34ab74ad79305840b5f315d",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "7b6495ead2c611647f6b11441a852324e3eb8616",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "306039414932c80f8420695a24d4fe10c84ccfb2",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/policy_ns.h",
"security/apparmor/policy_ns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix: limit the number of levels of policy namespaces\n\nCurrently the number of policy namespaces is not bounded relying on\nthe user namespace limit. However policy namespaces aren\u0027t strictly\ntied to user namespaces and it is possible to create them and nest\nthem arbitrarily deep which can be used to exhaust system resource.\n\nHard cap policy namespaces to the same depth as user namespaces."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:16.436Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b396cc2f0365e684fc1d3547d18ef79fcee225d"
},
{
"url": "https://git.kernel.org/stable/c/87d0cecc900e55d55fc4dbfb43ac93e269c7a5b3"
},
{
"url": "https://git.kernel.org/stable/c/b1226e37eb3754d389721c135db6107db94c7a72"
},
{
"url": "https://git.kernel.org/stable/c/3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e"
},
{
"url": "https://git.kernel.org/stable/c/853ce31ca72097d23991a06876a2ccb5cb64b603"
},
{
"url": "https://git.kernel.org/stable/c/d42b2b6bb77ca40ee34ab74ad79305840b5f315d"
},
{
"url": "https://git.kernel.org/stable/c/7b6495ead2c611647f6b11441a852324e3eb8616"
},
{
"url": "https://git.kernel.org/stable/c/306039414932c80f8420695a24d4fe10c84ccfb2"
}
],
"title": "apparmor: fix: limit the number of levels of policy namespaces",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23405",
"datePublished": "2026-04-01T08:36:35.697Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-05-11T22:06:16.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31425 (GCVE-0-2026-31425)
Vulnerability from cvelistv5
Published
2026-04-13 13:40
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rds: ib: reject FRMR registration before IB connection is established
rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data
and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a
fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with
i_cm_id = NULL because the connection worker has not yet called
rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with
RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses
the control message before any connection establishment, allowing
rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the
kernel.
The existing guard in rds_ib_reg_frmr() only checks for !ic (added in
commit 9e630bcb7701), which does not catch this case since ic is allocated
early and is always non-NULL once the connection object exists.
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
Call Trace:
rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
rds_ib_map_frmr (net/rds/ib_frmr.c:252)
rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
rds_ib_get_mr (net/rds/ib_rdma.c:615)
__rds_rdma_map (net/rds/rdma.c:295)
rds_cmsg_rdma_map (net/rds/rdma.c:860)
rds_sendmsg (net/rds/send.c:1363)
____sys_sendmsg
do_syscall_64
Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all
non-NULL before proceeding with FRMR registration, mirroring the guard
already present in rds_ib_post_inv(). Return -ENODEV when the connection
is not ready, which the existing error handling in rds_cmsg_send() converts
to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to
start the connection worker.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1659185fb4d0025835eb2058a141f0746c5cab00 Version: 1659185fb4d0025835eb2058a141f0746c5cab00 Version: 1659185fb4d0025835eb2058a141f0746c5cab00 Version: 1659185fb4d0025835eb2058a141f0746c5cab00 Version: 1659185fb4d0025835eb2058a141f0746c5cab00 Version: 1659185fb4d0025835eb2058a141f0746c5cab00 Version: 1659185fb4d0025835eb2058a141f0746c5cab00 Version: 1659185fb4d0025835eb2058a141f0746c5cab00 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rds/ib_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c506456ebf84c50ed9327473d4e9bd905def212b",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "82e4a3b56b23b844802056c9e75a39d24169b0a4",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "450ec93c0f172374acbf236f1f5f02d53650aa2d",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "6b0a8de67ac0c74e1a7df92b73c862cb36780dfc",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "a5bfd14c9a299e6db4add4440430ee5e010b03ad",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "23e07c340c445f0ebff7757ba15434cb447eb662",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "47de5b73db3b88f45c107393f26aeba26e9e8fae",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "a54ecccfae62c5c85259ae5ea5d9c20009519049",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rds/ib_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: ib: reject FRMR registration before IB connection is established\n\nrds_ib_get_mr() extracts the rds_ib_connection from conn-\u003ec_transport_data\nand passes it to rds_ib_reg_frmr() for FRWR memory registration. On a\nfresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with\ni_cm_id = NULL because the connection worker has not yet called\nrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with\nRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses\nthe control message before any connection establishment, allowing\nrds_ib_post_reg_frmr() to dereference ic-\u003ei_cm_id-\u003eqp and crash the\nkernel.\n\nThe existing guard in rds_ib_reg_frmr() only checks for !ic (added in\ncommit 9e630bcb7701), which does not catch this case since ic is allocated\nearly and is always non-NULL once the connection object exists.\n\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920\n Call Trace:\n rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)\n rds_ib_map_frmr (net/rds/ib_frmr.c:252)\n rds_ib_reg_frmr (net/rds/ib_frmr.c:430)\n rds_ib_get_mr (net/rds/ib_rdma.c:615)\n __rds_rdma_map (net/rds/rdma.c:295)\n rds_cmsg_rdma_map (net/rds/rdma.c:860)\n rds_sendmsg (net/rds/send.c:1363)\n ____sys_sendmsg\n do_syscall_64\n\nAdd a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all\nnon-NULL before proceeding with FRMR registration, mirroring the guard\nalready present in rds_ib_post_inv(). Return -ENODEV when the connection\nis not ready, which the existing error handling in rds_cmsg_send() converts\nto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to\nstart the connection worker."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:27.602Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c506456ebf84c50ed9327473d4e9bd905def212b"
},
{
"url": "https://git.kernel.org/stable/c/82e4a3b56b23b844802056c9e75a39d24169b0a4"
},
{
"url": "https://git.kernel.org/stable/c/450ec93c0f172374acbf236f1f5f02d53650aa2d"
},
{
"url": "https://git.kernel.org/stable/c/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc"
},
{
"url": "https://git.kernel.org/stable/c/a5bfd14c9a299e6db4add4440430ee5e010b03ad"
},
{
"url": "https://git.kernel.org/stable/c/23e07c340c445f0ebff7757ba15434cb447eb662"
},
{
"url": "https://git.kernel.org/stable/c/47de5b73db3b88f45c107393f26aeba26e9e8fae"
},
{
"url": "https://git.kernel.org/stable/c/a54ecccfae62c5c85259ae5ea5d9c20009519049"
}
],
"title": "rds: ib: reject FRMR registration before IB connection is established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31425",
"datePublished": "2026-04-13T13:40:28.911Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-05-11T22:08:27.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23216 (GCVE-0-2026-23216)
Vulnerability from cvelistv5
Published
2026-02-18 14:21
Modified
2026-05-11 22:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
In iscsit_dec_conn_usage_count(), the function calls complete() while
holding the conn->conn_usage_lock. As soon as complete() is invoked, the
waiter (such as iscsit_close_connection()) may wake up and proceed to free
the iscsit_conn structure.
If the waiter frees the memory before the current thread reaches
spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function
attempts to release a lock within the already-freed connection structure.
Fix this by releasing the spinlock before calling complete().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba684191437380a07b27666eb4e72748be1ea201",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "8518f072fc92921418cd9ed4268dd4f3e9a8fd75",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "275016a551ba1a068a3bd6171b18611726b67110",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "73b487d44bf4f92942629d578381f89c326ff77f",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "48fe983e92de2c59d143fe38362ad17ba23ec7f3",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "3835e49e146a4e6e7787b29465f1a23379b6ec44",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "9411a89e9e7135cc459178fa77a3f1d6191ae903",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()\n\nIn iscsit_dec_conn_usage_count(), the function calls complete() while\nholding the conn-\u003econn_usage_lock. As soon as complete() is invoked, the\nwaiter (such as iscsit_close_connection()) may wake up and proceed to free\nthe iscsit_conn structure.\n\nIf the waiter frees the memory before the current thread reaches\nspin_unlock_bh(), it results in a KASAN slab-use-after-free as the function\nattempts to release a lock within the already-freed connection structure.\n\nFix this by releasing the spinlock before calling complete()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:34.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba684191437380a07b27666eb4e72748be1ea201"
},
{
"url": "https://git.kernel.org/stable/c/8518f072fc92921418cd9ed4268dd4f3e9a8fd75"
},
{
"url": "https://git.kernel.org/stable/c/275016a551ba1a068a3bd6171b18611726b67110"
},
{
"url": "https://git.kernel.org/stable/c/73b487d44bf4f92942629d578381f89c326ff77f"
},
{
"url": "https://git.kernel.org/stable/c/48fe983e92de2c59d143fe38362ad17ba23ec7f3"
},
{
"url": "https://git.kernel.org/stable/c/3835e49e146a4e6e7787b29465f1a23379b6ec44"
},
{
"url": "https://git.kernel.org/stable/c/9411a89e9e7135cc459178fa77a3f1d6191ae903"
}
],
"title": "scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23216",
"datePublished": "2026-02-18T14:21:53.699Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-05-11T22:02:34.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23462 (GCVE-0-2026-23462)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: HIDP: Fix possible UAF
This fixes the following trace caused by not dropping l2cap_conn
reference when user->remove callback is called:
[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 97.809947] Call Trace:
[ 97.809954] <TASK>
[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
[ 97.810404] __fput (fs/file_table.c:470)
[ 97.810430] task_work_run (kernel/task_work.c:235)
[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
[ 97.810527] do_exit (kernel/exit.c:972)
[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 97.810721] do_group_exit (kernel/exit.c:1093)
[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810826] ? vfs_read (fs/read_write.c:555)
[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810960] arch_do_signal_or_restart (arch/
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 Version: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 Version: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 Version: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 Version: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 Version: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 Version: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 Version: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hidp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d955ccbf91ab74d76fe9e4eab2846a7d8a173075",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "18b1263ece6431bd78fa6b61faaef5281203741c",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "21a47a119f33df9bb157326846390d7e8e1b45ba",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "45ebe5b900200ac3e01f3470506a44a447825721",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "7c805b7d1e580eececcc92470292e3dbc42bc3f5",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "f8b6ed2f06d3baa44f347a0fa2af52433f386463",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "4d37fa7582aa960ba23e10a7a2596a29f37ad281",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "dbf666e4fc9bdd975a61bf682b3f75cb0145eedd",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hidp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HIDP: Fix possible UAF\n\nThis fixes the following trace caused by not dropping l2cap_conn\nreference when user-\u003eremove callback is called:\n\n[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00\n[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[ 97.809947] Call Trace:\n[ 97.809954] \u003cTASK\u003e\n[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)\n[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)\n[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))\n[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)\n[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))\n[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)\n[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)\n[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))\n[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)\n[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)\n[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)\n[ 97.810404] __fput (fs/file_table.c:470)\n[ 97.810430] task_work_run (kernel/task_work.c:235)\n[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)\n[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))\n[ 97.810527] do_exit (kernel/exit.c:972)\n[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)\n[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[ 97.810721] do_group_exit (kernel/exit.c:1093)\n[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))\n[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)\n[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810826] ? vfs_read (fs/read_write.c:555)\n[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)\n[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)\n[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810960] arch_do_signal_or_restart (arch/\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:27.500Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075"
},
{
"url": "https://git.kernel.org/stable/c/18b1263ece6431bd78fa6b61faaef5281203741c"
},
{
"url": "https://git.kernel.org/stable/c/21a47a119f33df9bb157326846390d7e8e1b45ba"
},
{
"url": "https://git.kernel.org/stable/c/45ebe5b900200ac3e01f3470506a44a447825721"
},
{
"url": "https://git.kernel.org/stable/c/7c805b7d1e580eececcc92470292e3dbc42bc3f5"
},
{
"url": "https://git.kernel.org/stable/c/f8b6ed2f06d3baa44f347a0fa2af52433f386463"
},
{
"url": "https://git.kernel.org/stable/c/4d37fa7582aa960ba23e10a7a2596a29f37ad281"
},
{
"url": "https://git.kernel.org/stable/c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd"
}
],
"title": "Bluetooth: HIDP: Fix possible UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23462",
"datePublished": "2026-04-03T15:15:41.718Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-05-11T22:07:27.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31675 (GCVE-0-2026-31675)
Vulnerability from cvelistv5
Published
2026-04-25 08:46
Modified
2026-05-11 22:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_netem: fix out-of-bounds access in packet corruption
In netem_enqueue(), the packet corruption logic uses
get_random_u32_below(skb_headlen(skb)) to select an index for
modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear
packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.
Passing 0 to get_random_u32_below() takes the variable-ceil slow path
which returns an unconstrained 32-bit random integer. Using this
unconstrained value as an offset into skb->data results in an
out-of-bounds memory access.
Fix this by verifying skb_headlen(skb) is non-zero before attempting
to corrupt the linear data area. Fully non-linear packets will silently
bypass the corruption logic.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a14b56863348686dd0387eea8ce66b85cf455908",
"status": "affected",
"version": "c865e5d99e25a171e8262fc0f7ba608568633c64",
"versionType": "git"
},
{
"lessThan": "13a66ca1e235d4bcd53d12d4c68490cad7f8e46f",
"status": "affected",
"version": "c865e5d99e25a171e8262fc0f7ba608568633c64",
"versionType": "git"
},
{
"lessThan": "3a2999704ac36cfb4041fed3652d26a3373e8d12",
"status": "affected",
"version": "c865e5d99e25a171e8262fc0f7ba608568633c64",
"versionType": "git"
},
{
"lessThan": "4fd258e281fa8bc15e9ce2c7691941537e9258ad",
"status": "affected",
"version": "c865e5d99e25a171e8262fc0f7ba608568633c64",
"versionType": "git"
},
{
"lessThan": "d64cb81dcbd54927515a7f65e5e24affdc73c14b",
"status": "affected",
"version": "c865e5d99e25a171e8262fc0f7ba608568633c64",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_netem: fix out-of-bounds access in packet corruption\n\nIn netem_enqueue(), the packet corruption logic uses\nget_random_u32_below(skb_headlen(skb)) to select an index for\nmodifying skb-\u003edata. When an AF_PACKET TX_RING sends fully non-linear\npackets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.\n\nPassing 0 to get_random_u32_below() takes the variable-ceil slow path\nwhich returns an unconstrained 32-bit random integer. Using this\nunconstrained value as an offset into skb-\u003edata results in an\nout-of-bounds memory access.\n\nFix this by verifying skb_headlen(skb) is non-zero before attempting\nto corrupt the linear data area. Fully non-linear packets will silently\nbypass the corruption logic."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:13:27.983Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a14b56863348686dd0387eea8ce66b85cf455908"
},
{
"url": "https://git.kernel.org/stable/c/13a66ca1e235d4bcd53d12d4c68490cad7f8e46f"
},
{
"url": "https://git.kernel.org/stable/c/3a2999704ac36cfb4041fed3652d26a3373e8d12"
},
{
"url": "https://git.kernel.org/stable/c/4fd258e281fa8bc15e9ce2c7691941537e9258ad"
},
{
"url": "https://git.kernel.org/stable/c/d64cb81dcbd54927515a7f65e5e24affdc73c14b"
}
],
"title": "net/sched: sch_netem: fix out-of-bounds access in packet corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31675",
"datePublished": "2026-04-25T08:46:51.184Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-05-11T22:13:27.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23455 (GCVE-0-2026-23455)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.
Add a check to ensure len is positive after the decrement.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2121f5fbe88daff0f1fc5bc47d359426c74b86b0",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "65fa92f79677858b14b9e4b7275f26639afe2710",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "495e97af9e7249ee02b72bb1d0848a6efc3700f4",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "f5e4f4e4cdb75ec36802059a94195a31f193da60",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "633e8f87dad32263f6a57dccdb873f042c062111",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "b652b05d51003ac074b912684f9ec7486231717b",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "f173d0f4c0f689173f8cdac79991043a4a89bf66",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:19.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0"
},
{
"url": "https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710"
},
{
"url": "https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4"
},
{
"url": "https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60"
},
{
"url": "https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111"
},
{
"url": "https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8"
},
{
"url": "https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b"
},
{
"url": "https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66"
}
],
"title": "netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23455",
"datePublished": "2026-04-03T15:15:36.869Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-05-11T22:07:19.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43110 (GCVE-0-2026-43110)
Vulnerability from cvelistv5
Published
2026-05-06 07:40
Modified
2026-06-01 16:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: validate bsscfg indices in IF events
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
[add missing wifi prefix]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2880b86859967af710c72f7d34fb421a86a71e22 Version: 2880b86859967af710c72f7d34fb421a86a71e22 Version: 2880b86859967af710c72f7d34fb421a86a71e22 Version: 2880b86859967af710c72f7d34fb421a86a71e22 Version: 2880b86859967af710c72f7d34fb421a86a71e22 Version: 2880b86859967af710c72f7d34fb421a86a71e22 Version: 2880b86859967af710c72f7d34fb421a86a71e22 Version: 2880b86859967af710c72f7d34fb421a86a71e22 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b329fbcf075949a038045d8e9b86ae3d5bbd8a54",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "9c81bcc2c695e0082012a2a3d36a0eefaa51579c",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "3ec7437e9d11374105c2c4e47ae671537729d7e6",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "9fca68c2512a362cad258e4df12a307bb2ee4b8e",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "1ae1e1caa428844e481231f6dbe9b4f475f1d52d",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "b427c2b05222db36d32ee141609de6128e9091bb",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "304950a467d83678bd0b0f46331882e2ac23b12d",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: validate bsscfg indices in IF events\n\nbrcmf_fweh_handle_if_event() validates the firmware-provided interface\nindex before it touches drvr-\u003eiflist[], but it still uses the raw\nbsscfgidx field as an array index without a matching range check.\n\nReject IF events whose bsscfg index does not fit in drvr-\u003eiflist[]\nbefore indexing the interface array.\n\n[add missing wifi prefix]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:14:59.388Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b329fbcf075949a038045d8e9b86ae3d5bbd8a54"
},
{
"url": "https://git.kernel.org/stable/c/2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734"
},
{
"url": "https://git.kernel.org/stable/c/9c81bcc2c695e0082012a2a3d36a0eefaa51579c"
},
{
"url": "https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6"
},
{
"url": "https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e"
},
{
"url": "https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d"
},
{
"url": "https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb"
},
{
"url": "https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d"
}
],
"title": "wifi: brcmfmac: validate bsscfg indices in IF events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43110",
"datePublished": "2026-05-06T07:40:37.250Z",
"dateReserved": "2026-05-01T14:12:55.986Z",
"dateUpdated": "2026-06-01T16:14:59.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43088 (GCVE-0-2026-43088)
Vulnerability from cvelistv5
Published
2026-05-06 07:40
Modified
2026-05-14 14:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: af_key: zero aligned sockaddr tail in PF_KEY exports
PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr
payload space, so IPv6 addresses occupy 32 bytes on the wire. However,
`pfkey_sockaddr_fill()` initializes only the first 28 bytes of
`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.
Not every PF_KEY message is affected. The state and policy dump builders
already zero the whole message buffer before filling the sockaddr
payloads. Keep the fix to the export paths that still append aligned
sockaddr payloads with plain `skb_put()`:
- `SADB_ACQUIRE`
- `SADB_X_NAT_T_NEW_MAPPING`
- `SADB_X_MIGRATE`
Fix those paths by clearing only the aligned sockaddr tail after
`pfkey_sockaddr_fill()`.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/key/af_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11cbf294bac623bd57296f231199193087f57b4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "edd446ee7cd3d02cac246168063d5b3e9ea68460",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e74f974359b5382ecbe8536abbb5b837eb6c724",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "426c355742f02cf743b347d9d7dbdc1bfbfa31ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/key/af_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: af_key: zero aligned sockaddr tail in PF_KEY exports\n\nPF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr\npayload space, so IPv6 addresses occupy 32 bytes on the wire. However,\n`pfkey_sockaddr_fill()` initializes only the first 28 bytes of\n`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.\n\nNot every PF_KEY message is affected. The state and policy dump builders\nalready zero the whole message buffer before filling the sockaddr\npayloads. Keep the fix to the export paths that still append aligned\nsockaddr payloads with plain `skb_put()`:\n\n - `SADB_ACQUIRE`\n - `SADB_X_NAT_T_NEW_MAPPING`\n - `SADB_X_MIGRATE`\n\nFix those paths by clearing only the aligned sockaddr tail after\n`pfkey_sockaddr_fill()`."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T14:30:12.539Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11cbf294bac623bd57296f231199193087f57b4a"
},
{
"url": "https://git.kernel.org/stable/c/edd446ee7cd3d02cac246168063d5b3e9ea68460"
},
{
"url": "https://git.kernel.org/stable/c/2e74f974359b5382ecbe8536abbb5b837eb6c724"
},
{
"url": "https://git.kernel.org/stable/c/426c355742f02cf743b347d9d7dbdc1bfbfa31ef"
}
],
"title": "net: af_key: zero aligned sockaddr tail in PF_KEY exports",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43088",
"datePublished": "2026-05-06T07:40:21.962Z",
"dateReserved": "2026-05-01T14:12:55.983Z",
"dateUpdated": "2026-05-14T14:30:12.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23209 (GCVE-0-2026-23209)
Vulnerability from cvelistv5
Published
2026-02-14 16:27
Modified
2026-05-11 22:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix error recovery in macvlan_common_newlink()
valis provided a nice repro to crash the kernel:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
ping -c1 -I p1 1.2.3.4
He also gave a very detailed analysis:
<quote valis>
The issue is triggered when a new macvlan link is created with
MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
port and register_netdevice() called from macvlan_common_newlink()
fails (e.g. because of the invalid link name).
In this case macvlan_hash_add_source is called from
macvlan_change_sources() / macvlan_common_newlink():
This adds a reference to vlan to the port's vlan_source_hash using
macvlan_source_entry.
vlan is a pointer to the priv data of the link that is being created.
When register_netdevice() fails, the error is returned from
macvlan_newlink() to rtnl_newlink_create():
if (ops->newlink)
err = ops->newlink(dev, ¶ms, extack);
else
err = register_netdevice(dev);
if (err < 0) {
free_netdev(dev);
goto out;
}
and free_netdev() is called, causing a kvfree() on the struct
net_device that is still referenced in the source entry attached to
the lower device's macvlan port.
Now all packets sent on the macvlan port with a matching source mac
address will trigger a use-after-free in macvlan_forward_source().
</quote valis>
With all that, my fix is to make sure we call macvlan_flush_sources()
regardless of @create value whenever "goto destroy_macvlan_port;"
path is taken.
Many thanks to valis for following up on this issue.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "11ba9f0dc865136174cb98834280fb21bbc950c7",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "986967a162142710076782d5b93daab93a892980",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "f8db6475a83649689c087a8f52486fcc53e627e9",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix error recovery in macvlan_common_newlink()\n\nvalis provided a nice repro to crash the kernel:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\n\nip link add mv0 link p2 type macvlan mode source\nip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20\n\nping -c1 -I p1 1.2.3.4\n\nHe also gave a very detailed analysis:\n\n\u003cquote valis\u003e\n\nThe issue is triggered when a new macvlan link is created with\nMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or\nMACVLAN_MACADDR_SET) parameter, lower device already has a macvlan\nport and register_netdevice() called from macvlan_common_newlink()\nfails (e.g. because of the invalid link name).\n\nIn this case macvlan_hash_add_source is called from\nmacvlan_change_sources() / macvlan_common_newlink():\n\nThis adds a reference to vlan to the port\u0027s vlan_source_hash using\nmacvlan_source_entry.\n\nvlan is a pointer to the priv data of the link that is being created.\n\nWhen register_netdevice() fails, the error is returned from\nmacvlan_newlink() to rtnl_newlink_create():\n\n if (ops-\u003enewlink)\n err = ops-\u003enewlink(dev, \u0026params, extack);\n else\n err = register_netdevice(dev);\n if (err \u003c 0) {\n free_netdev(dev);\n goto out;\n }\n\nand free_netdev() is called, causing a kvfree() on the struct\nnet_device that is still referenced in the source entry attached to\nthe lower device\u0027s macvlan port.\n\nNow all packets sent on the macvlan port with a matching source mac\naddress will trigger a use-after-free in macvlan_forward_source().\n\n\u003c/quote valis\u003e\n\nWith all that, my fix is to make sure we call macvlan_flush_sources()\nregardless of @create value whenever \"goto destroy_macvlan_port;\"\npath is taken.\n\nMany thanks to valis for following up on this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:25.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da5c6b8ae47e414be47e5e04def15b25d5c962dc"
},
{
"url": "https://git.kernel.org/stable/c/5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a"
},
{
"url": "https://git.kernel.org/stable/c/c43d0e787cbba569ec9d11579ed370b50fab6c9c"
},
{
"url": "https://git.kernel.org/stable/c/11ba9f0dc865136174cb98834280fb21bbc950c7"
},
{
"url": "https://git.kernel.org/stable/c/986967a162142710076782d5b93daab93a892980"
},
{
"url": "https://git.kernel.org/stable/c/cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66"
},
{
"url": "https://git.kernel.org/stable/c/f8db6475a83649689c087a8f52486fcc53e627e9"
}
],
"title": "macvlan: fix error recovery in macvlan_common_newlink()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23209",
"datePublished": "2026-02-14T16:27:31.175Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-05-11T22:02:25.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23404 (GCVE-0-2026-23404)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-05-11 22:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: replace recursive profile removal with iterative approach
The profile removal code uses recursion when removing nested profiles,
which can lead to kernel stack exhaustion and system crashes.
Reproducer:
$ pf='a'; for ((i=0; i<1024; i++)); do
echo -e "profile $pf { \n }" | apparmor_parser -K -a;
pf="$pf//x";
done
$ echo -n a > /sys/kernel/security/apparmor/.remove
Replace the recursive __aa_profile_list_release() approach with an
iterative approach in __remove_profile(). The function repeatedly
finds and removes leaf profiles until the entire subtree is removed,
maintaining the same removal semantic without recursion.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea854f032190cc9f26dc4a0e727090c89e55e342",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "4fdc847b107321dec22bf8ecd6019b7af76d7886",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "b36a04284d0208be94e5e401409caa00e2bf1be1",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "33959a491e9fd557abfa5fce5ae4637d400915d3",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "999bd704b0b641527a5ed46f0d969deff8cfa68b",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "7eade846e013cbe8d2dc4a484463aa19e6515c7f",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "a6a941a1294ac5abe22053dc501d25aed96e48fe",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "ab09264660f9de5d05d1ef4e225aa447c63a8747",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: replace recursive profile removal with iterative approach\n\nThe profile removal code uses recursion when removing nested profiles,\nwhich can lead to kernel stack exhaustion and system crashes.\n\nReproducer:\n $ pf=\u0027a\u0027; for ((i=0; i\u003c1024; i++)); do\n echo -e \"profile $pf { \\n }\" | apparmor_parser -K -a;\n pf=\"$pf//x\";\n done\n $ echo -n a \u003e /sys/kernel/security/apparmor/.remove\n\nReplace the recursive __aa_profile_list_release() approach with an\niterative approach in __remove_profile(). The function repeatedly\nfinds and removes leaf profiles until the entire subtree is removed,\nmaintaining the same removal semantic without recursion."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:15.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea854f032190cc9f26dc4a0e727090c89e55e342"
},
{
"url": "https://git.kernel.org/stable/c/4fdc847b107321dec22bf8ecd6019b7af76d7886"
},
{
"url": "https://git.kernel.org/stable/c/b36a04284d0208be94e5e401409caa00e2bf1be1"
},
{
"url": "https://git.kernel.org/stable/c/33959a491e9fd557abfa5fce5ae4637d400915d3"
},
{
"url": "https://git.kernel.org/stable/c/999bd704b0b641527a5ed46f0d969deff8cfa68b"
},
{
"url": "https://git.kernel.org/stable/c/7eade846e013cbe8d2dc4a484463aa19e6515c7f"
},
{
"url": "https://git.kernel.org/stable/c/a6a941a1294ac5abe22053dc501d25aed96e48fe"
},
{
"url": "https://git.kernel.org/stable/c/ab09264660f9de5d05d1ef4e225aa447c63a8747"
}
],
"title": "apparmor: replace recursive profile removal with iterative approach",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23404",
"datePublished": "2026-04-01T08:36:35.032Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-05-11T22:06:15.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23461 (GCVE-0-2026-23461)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-23 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
conn->users. However, l2cap_register_user() and l2cap_unregister_user()
don't use conn->lock, creating a race condition where these functions can
access conn->users and conn->hchan concurrently with l2cap_conn_del().
This can lead to use-after-free and list corruption bugs, as reported
by syzbot.
Fix this by changing l2cap_register_user() and l2cap_unregister_user()
to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
for the l2cap_conn structure.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: efc30877bd4bc85fefe98d80af60fafc86e5775e Version: f87271d21dd4ee83857ca11b94e7b4952749bbae Version: ab4eedb790cae44313759b50fe47da285e2519d5 Version: ab4eedb790cae44313759b50fe47da285e2519d5 Version: ab4eedb790cae44313759b50fe47da285e2519d5 Version: 18ab6b6078fa8191ca30a3065d57bf35d5635761 Version: 6.6.84 ≤ Version: 6.12.20 ≤ Version: 6.13.8 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11a87dd5df428a4b79a84d2790cac7f3c73f1f0d",
"status": "affected",
"version": "efc30877bd4bc85fefe98d80af60fafc86e5775e",
"versionType": "git"
},
{
"lessThan": "c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf",
"status": "affected",
"version": "f87271d21dd4ee83857ca11b94e7b4952749bbae",
"versionType": "git"
},
{
"lessThan": "da3000cbe4851458a22be38bb18c0689c39fdd5f",
"status": "affected",
"version": "ab4eedb790cae44313759b50fe47da285e2519d5",
"versionType": "git"
},
{
"lessThan": "71030f3b3015a412133a805ff47970cdcf30c2b8",
"status": "affected",
"version": "ab4eedb790cae44313759b50fe47da285e2519d5",
"versionType": "git"
},
{
"lessThan": "752a6c9596dd25efd6978a73ff21f3b592668f4a",
"status": "affected",
"version": "ab4eedb790cae44313759b50fe47da285e2519d5",
"versionType": "git"
},
{
"status": "affected",
"version": "18ab6b6078fa8191ca30a3065d57bf35d5635761",
"versionType": "git"
},
{
"lessThan": "6.6.130",
"status": "affected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThan": "6.12.78",
"status": "affected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn-\u003elock to protect access to\nconn-\u003eusers. However, l2cap_register_user() and l2cap_unregister_user()\ndon\u0027t use conn-\u003elock, creating a race condition where these functions can\naccess conn-\u003eusers and conn-\u003ehchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn-\u003elock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:53.093Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d"
},
{
"url": "https://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf"
},
{
"url": "https://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f"
},
{
"url": "https://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8"
},
{
"url": "https://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a"
}
],
"title": "Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23461",
"datePublished": "2026-04-03T15:15:41.051Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-05-23T16:04:53.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31402 (GCVE-0-2026-31402)
Vulnerability from cvelistv5
Published
2026-04-03 15:16
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.
We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.
Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9fcb4441f6c02bb20c2eb340101e27dfe23607c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9452c0797c95cf2378170df96cf4f4b3bca7eff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8afb437ea1f70cacb4bbdf11771fb5c4d720b965",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f0e2a54a31a7f9ad2915db99156114872317388",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae8498337dfdfda71bdd0b807c9a23a126011d76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5133b61aaf437e5f25b1b396b14242a6bb0508e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:00.380Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9fcb4441f6c02bb20c2eb340101e27dfe23607c"
},
{
"url": "https://git.kernel.org/stable/c/c9452c0797c95cf2378170df96cf4f4b3bca7eff"
},
{
"url": "https://git.kernel.org/stable/c/8afb437ea1f70cacb4bbdf11771fb5c4d720b965"
},
{
"url": "https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0"
},
{
"url": "https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad2915db99156114872317388"
},
{
"url": "https://git.kernel.org/stable/c/ae8498337dfdfda71bdd0b807c9a23a126011d76"
},
{
"url": "https://git.kernel.org/stable/c/5133b61aaf437e5f25b1b396b14242a6bb0508e2"
}
],
"title": "nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31402",
"datePublished": "2026-04-03T15:16:05.724Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:00.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23458 (GCVE-0-2026-23458)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
conntrack reference immediately after netlink_dump_start(). When the
dump spans multiple rounds, the second recvmsg() triggers the dump
callback which dereferences the now-freed conntrack via nfct_help(ct),
leading to a use-after-free on ct->ext.
The bug is that the netlink_dump_control has no .start or .done
callbacks to manage the conntrack reference across dump rounds. Other
dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
use .start/.done callbacks for this purpose.
Fix this by adding .start and .done callbacks that hold and release the
conntrack reference for the duration of the dump, and move the
nfct_help() call after the cb->args[0] early-return check in the dump
callback to avoid dereferencing ct->ext unnecessarily.
BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
Call Trace:
<TASK>
ctnetlink_exp_ct_dump_table+0x4f/0x2e0
netlink_dump+0x333/0x880
netlink_recvmsg+0x3e2/0x4b0
? aa_sk_perm+0x184/0x450
sock_recvmsg+0xde/0xf0
Allocated by task 133:
kmem_cache_alloc_noprof+0x134/0x440
__nf_conntrack_alloc+0xa8/0x2b0
ctnetlink_create_conntrack+0xa1/0x900
ctnetlink_new_conntrack+0x3cf/0x7d0
nfnetlink_rcv_msg+0x48e/0x510
netlink_rcv_skb+0xc9/0x1f0
nfnetlink_rcv+0xdb/0x220
netlink_unicast+0x3ec/0x590
netlink_sendmsg+0x397/0x690
__sys_sendmsg+0xf4/0x180
Freed by task 0:
slab_free_after_rcu_debug+0xad/0x1e0
rcu_core+0x5c3/0x9c0
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e844a928431fa8f1359d1f4f2cef53d9b446bf52 Version: e844a928431fa8f1359d1f4f2cef53d9b446bf52 Version: e844a928431fa8f1359d1f4f2cef53d9b446bf52 Version: e844a928431fa8f1359d1f4f2cef53d9b446bf52 Version: e844a928431fa8f1359d1f4f2cef53d9b446bf52 Version: e844a928431fa8f1359d1f4f2cef53d9b446bf52 Version: e844a928431fa8f1359d1f4f2cef53d9b446bf52 Version: e844a928431fa8f1359d1f4f2cef53d9b446bf52 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8cd0efbccc5cfb0a80da744a7da76e1333ab925",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "9821b47f669eb82791fa0b1a6ebaf9aa219bea72",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "bdf2724eefd4455a66863abb025bab8d3aa98c57",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "f04cc86d59906513d2d62183b882966fc0ae0390",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "f025171feef2ac65663d7986f1d5ff0c28d6b2a9",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "cd541f15b60e2257441398cf495d978f816d09f8",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "5cb81eeda909dbb2def209dd10636b51549a3f8a",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb-\u003edata for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start(). When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct-\u003eext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds. Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb-\u003eargs[0] early-return check in the dump\ncallback to avoid dereferencing ct-\u003eext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n \u003cTASK\u003e\n ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n ? aa_sk_perm+0x184/0x450\n sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n kmem_cache_alloc_noprof+0x134/0x440\n __nf_conntrack_alloc+0xa8/0x2b0\n ctnetlink_create_conntrack+0xa1/0x900\n ctnetlink_new_conntrack+0x3cf/0x7d0\n nfnetlink_rcv_msg+0x48e/0x510\n netlink_rcv_skb+0xc9/0x1f0\n nfnetlink_rcv+0xdb/0x220\n netlink_unicast+0x3ec/0x590\n netlink_sendmsg+0x397/0x690\n __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n slab_free_after_rcu_debug+0xad/0x1e0\n rcu_core+0x5c3/0x9c0"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:22.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925"
},
{
"url": "https://git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72"
},
{
"url": "https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57"
},
{
"url": "https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390"
},
{
"url": "https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9"
},
{
"url": "https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56"
},
{
"url": "https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8"
},
{
"url": "https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a"
}
],
"title": "netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23458",
"datePublished": "2026-04-03T15:15:39.041Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-05-11T22:07:22.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31411 (GCVE-0-2026-31411)
Vulnerability from cvelistv5
Published
2026-04-08 13:06
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
Reproducer available at [1].
The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc
pointer from msg->vcc and uses it directly without any validation. This
pointer comes from userspace via sendmsg() and can be arbitrarily forged:
int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);
ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon
struct msghdr msg = { .msg_iov = &iov, ... };
*(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer
sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef
In normal operation, the kernel sends the vcc pointer to the signaling
daemon via sigd_enq() when processing operations like connect(), bind(),
or listen(). The daemon is expected to return the same pointer when
responding. However, a malicious daemon can send arbitrary pointer values.
Fix this by introducing find_get_vcc() which validates the pointer by
searching through vcc_hash (similar to how sigd_close() iterates over
all VCCs), and acquires a reference via sock_hold() if found.
Since struct atm_vcc embeds struct sock as its first member, they share
the same lifetime. Therefore using sock_hold/sock_put is sufficient to
keep the vcc alive while it is being used.
Note that there may be a race with sigd_close() which could mark the vcc
with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.
However, sock_hold() guarantees the memory remains valid, so this race
only affects the logical state, not memory safety.
[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/signaling.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c96549d07dfdd51aadf0722cfb40711574424840",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1c8bda3df028d5e54134077dcd09f46ca8cfceb5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e3f80666c2739296c3b69a127300455c43aa1067",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "21c303fec138c002f90ed33bce60e807d53072bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "69d3f9ee5489e6e8b66defcfa226e91d82393297",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "440c9a5fc477a8ee259d8bf669531250b8398651",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae88a5d2f29b69819dc7b04086734439d074a643",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/signaling.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\n\nReproducer available at [1].\n\nThe ATM send path (sendmsg -\u003e vcc_sendmsg -\u003e sigd_send) reads the vcc\npointer from msg-\u003evcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\n\n int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\n ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon\n struct msghdr msg = { .msg_iov = \u0026iov, ... };\n *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer\n sendmsg(fd, \u0026msg, 0); // kernel dereferences 0xdeadbeef\n\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\n\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\n\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\n\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:11.432Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840"
},
{
"url": "https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5"
},
{
"url": "https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2"
},
{
"url": "https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067"
},
{
"url": "https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb"
},
{
"url": "https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297"
},
{
"url": "https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651"
},
{
"url": "https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643"
}
],
"title": "net: atm: fix crash due to unvalidated vcc pointer in sigd_send()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31411",
"datePublished": "2026-04-08T13:06:17.800Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-05-11T22:08:11.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23442 (GCVE-0-2026-23442)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-06-01 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: add NULL checks for idev in SRv6 paths
__in6_dev_get() can return NULL when the device has no IPv6 configuration
(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).
Add NULL checks for idev returned by __in6_dev_get() in both
seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL
pointer dereferences.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1ababeba4a21f3dba3da3523c670b207fb2feb62 Version: 1ababeba4a21f3dba3da3523c670b207fb2feb62 Version: 1ababeba4a21f3dba3da3523c670b207fb2feb62 Version: 1ababeba4a21f3dba3da3523c670b207fb2feb62 Version: 1ababeba4a21f3dba3da3523c670b207fb2feb62 Version: 1ababeba4a21f3dba3da3523c670b207fb2feb62 Version: 1ababeba4a21f3dba3da3523c670b207fb2feb62 Version: 1ababeba4a21f3dba3da3523c670b207fb2feb62 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/exthdrs.c",
"net/ipv6/seg6_hmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0348fa0ada37cef7c6b5ab2a428bb2c6aee784e4",
"status": "affected",
"version": "1ababeba4a21f3dba3da3523c670b207fb2feb62",
"versionType": "git"
},
{
"lessThan": "83d705d35e583cb1b1eacf196dfe7b77d442018e",
"status": "affected",
"version": "1ababeba4a21f3dba3da3523c670b207fb2feb62",
"versionType": "git"
},
{
"lessThan": "d1bd8b9edc6752d10f84d28ff64f842401ce336d",
"status": "affected",
"version": "1ababeba4a21f3dba3da3523c670b207fb2feb62",
"versionType": "git"
},
{
"lessThan": "50352fc103928e10e8729abc79a0d05abef26c4d",
"status": "affected",
"version": "1ababeba4a21f3dba3da3523c670b207fb2feb62",
"versionType": "git"
},
{
"lessThan": "bc9843c39f9932a8b36efd1d362ea00bb88e4e78",
"status": "affected",
"version": "1ababeba4a21f3dba3da3523c670b207fb2feb62",
"versionType": "git"
},
{
"lessThan": "c5cedee5d97382176573bbe21e1724e737a5eb64",
"status": "affected",
"version": "1ababeba4a21f3dba3da3523c670b207fb2feb62",
"versionType": "git"
},
{
"lessThan": "a25853c9feea7bbf31d157ff6e004d2d3b4f7f13",
"status": "affected",
"version": "1ababeba4a21f3dba3da3523c670b207fb2feb62",
"versionType": "git"
},
{
"lessThan": "06413793526251870e20402c39930804f14d59c0",
"status": "affected",
"version": "1ababeba4a21f3dba3da3523c670b207fb2feb62",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/exthdrs.c",
"net/ipv6/seg6_hmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: add NULL checks for idev in SRv6 paths\n\n__in6_dev_get() can return NULL when the device has no IPv6 configuration\n(e.g. MTU \u003c IPV6_MIN_MTU or after NETDEV_UNREGISTER).\n\nAdd NULL checks for idev returned by __in6_dev_get() in both\nseg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL\npointer dereferences."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:11.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0348fa0ada37cef7c6b5ab2a428bb2c6aee784e4"
},
{
"url": "https://git.kernel.org/stable/c/83d705d35e583cb1b1eacf196dfe7b77d442018e"
},
{
"url": "https://git.kernel.org/stable/c/d1bd8b9edc6752d10f84d28ff64f842401ce336d"
},
{
"url": "https://git.kernel.org/stable/c/50352fc103928e10e8729abc79a0d05abef26c4d"
},
{
"url": "https://git.kernel.org/stable/c/bc9843c39f9932a8b36efd1d362ea00bb88e4e78"
},
{
"url": "https://git.kernel.org/stable/c/c5cedee5d97382176573bbe21e1724e737a5eb64"
},
{
"url": "https://git.kernel.org/stable/c/a25853c9feea7bbf31d157ff6e004d2d3b4f7f13"
},
{
"url": "https://git.kernel.org/stable/c/06413793526251870e20402c39930804f14d59c0"
}
],
"title": "ipv6: add NULL checks for idev in SRv6 paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23442",
"datePublished": "2026-04-03T15:15:26.851Z",
"dateReserved": "2026-01-13T15:37:46.018Z",
"dateUpdated": "2026-06-01T16:11:11.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71118 (GCVE-0-2025-71118)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-05-11 21:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Avoid walking the Namespace if start_node is NULL
Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace
if it is not there") fixed the situation when both start_node and
acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed
on Honor Magicbook 14 Pro [1].
That happens due to the access to the member of parent_node in
acpi_ns_get_next_node(). The NULL pointer dereference will always
happen, no matter whether or not the start_node is equal to
ACPI_ROOT_OBJECT, so move the check of start_node being NULL
out of the if block.
Unfortunately, all the attempts to contact Honor have failed, they
refused to provide any technical support for Linux.
The bad DSDT table's dump could be found on GitHub [2].
DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025
[ rjw: Subject adjustment, changelog edits ]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/nswalk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b84edef48cc8afb41150949a87dcfa81bc95b53e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ecb296286c8787895625bd4c53e9478db4ae139c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f9b951ed11842373851dd3c91860778356d62d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bc34293dfbd266c29875206849b4f8e8177e6df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0d8bb08126920fd4b12dbf32d9250757c9064b36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f91dad0a3b381244183ffbea4cec5a7a69d6f41e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d6c58dae8f6590c746ac5d0012ffe14a77539f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/nswalk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Avoid walking the Namespace if start_node is NULL\n\nAlthough commit 0c9992315e73 (\"ACPICA: Avoid walking the ACPI Namespace\nif it is not there\") fixed the situation when both start_node and\nacpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed\non Honor Magicbook 14 Pro [1].\n\nThat happens due to the access to the member of parent_node in\nacpi_ns_get_next_node(). The NULL pointer dereference will always\nhappen, no matter whether or not the start_node is equal to\nACPI_ROOT_OBJECT, so move the check of start_node being NULL\nout of the if block.\n\nUnfortunately, all the attempts to contact Honor have failed, they\nrefused to provide any technical support for Linux.\n\nThe bad DSDT table\u0027s dump could be found on GitHub [2].\n\nDMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025\n\n[ rjw: Subject adjustment, changelog edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:12.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e"
},
{
"url": "https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c"
},
{
"url": "https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3"
},
{
"url": "https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df"
},
{
"url": "https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36"
},
{
"url": "https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e"
},
{
"url": "https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0"
}
],
"title": "ACPICA: Avoid walking the Namespace if start_node is NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71118",
"datePublished": "2026-01-14T15:06:05.861Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-05-11T21:55:12.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31667 (GCVE-0-2026-31667)
Vulnerability from cvelistv5
Published
2026-04-24 14:45
Modified
2026-05-11 22:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - fix circular locking dependency with ff-core
A lockdep circular locking dependency warning can be triggered
reproducibly when using a force-feedback gamepad with uinput (for
example, playing ELDEN RING under Wine with a Flydigi Vader 5
controller):
ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex
The cycle is caused by four lock acquisition paths:
1. ff upload: input_ff_upload() holds ff->mutex and calls
uinput_dev_upload_effect() -> uinput_request_submit() ->
uinput_request_send(), which acquires udev->mutex.
2. device create: uinput_ioctl_handler() holds udev->mutex and calls
uinput_create_device() -> input_register_device(), which acquires
input_mutex.
3. device register: input_register_device() holds input_mutex and
calls kbd_connect() -> input_register_handle(), which acquires
dev->mutex.
4. evdev release: evdev_release() calls input_flush_device() under
dev->mutex, which calls input_ff_flush() acquiring ff->mutex.
Fix this by introducing a new state_lock spinlock to protect
udev->state and udev->dev access in uinput_request_send() instead of
acquiring udev->mutex. The function only needs to atomically check
device state and queue an input event into the ring buffer via
uinput_dev_event() -- both operations are safe under a spinlock
(ktime_get_ts64() and wake_up_interruptible() do not sleep). This
breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in
the lock ordering and cannot form cycles with mutexes.
To keep state transitions visible to uinput_request_send(), protect
writes to udev->state in uinput_create_device() and
uinput_destroy_device() with the same state_lock spinlock.
Additionally, move init_completion(&request->done) from
uinput_request_send() to uinput_request_submit() before
uinput_request_reserve_slot(). Once the slot is allocated,
uinput_flush_requests() may call complete() on it at any time from
the destroy path, so the completion must be initialised before the
request becomes visible.
Lock ordering after the fix:
ff->mutex -> state_lock (spinlock, leaf)
udev->mutex -> state_lock (spinlock, leaf)
udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ff462551235d8d7d843a005950bc90924fcedede Version: ff462551235d8d7d843a005950bc90924fcedede Version: ff462551235d8d7d843a005950bc90924fcedede Version: ff462551235d8d7d843a005950bc90924fcedede Version: ff462551235d8d7d843a005950bc90924fcedede Version: ff462551235d8d7d843a005950bc90924fcedede Version: ff462551235d8d7d843a005950bc90924fcedede Version: ff462551235d8d7d843a005950bc90924fcedede |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71a9729f412e2c692a35c542e14b706fb342927f",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "271ee71a1917b89f6d73ec82dd091c33d92ee617",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "974f7b138c3a96dd5cd53d1b33409cd7b2229dc6",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "546c18a14924eb521fe168d916d7ce28f1e13c1d",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "a3d6c9c053c9c605651508569230ead633b13f76",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "1e09dfbb4f5d20ee111f92325a00f85778a5f328",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "1534661043c434b81cfde26b97a2fb2460329cf0",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "4cda78d6f8bf2b700529f2fbccb994c3e826d7c2",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n ff-\u003emutex -\u003e udev-\u003emutex -\u003e input_mutex -\u003e dev-\u003emutex -\u003e ff-\u003emutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff-\u003emutex and calls\n uinput_dev_upload_effect() -\u003e uinput_request_submit() -\u003e\n uinput_request_send(), which acquires udev-\u003emutex.\n\n2. device create: uinput_ioctl_handler() holds udev-\u003emutex and calls\n uinput_create_device() -\u003e input_register_device(), which acquires\n input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n calls kbd_connect() -\u003e input_register_handle(), which acquires\n dev-\u003emutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n dev-\u003emutex, which calls input_ff_flush() acquiring ff-\u003emutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev-\u003estate and udev-\u003edev access in uinput_request_send() instead of\nacquiring udev-\u003emutex. The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep). This\nbreaks the ff-\u003emutex -\u003e udev-\u003emutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev-\u003estate in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(\u0026request-\u003edone) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot(). Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n ff-\u003emutex -\u003e state_lock (spinlock, leaf)\n udev-\u003emutex -\u003e state_lock (spinlock, leaf)\n udev-\u003emutex -\u003e input_mutex -\u003e dev-\u003emutex -\u003e ff-\u003emutex (no back-edge)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:13:16.401Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71a9729f412e2c692a35c542e14b706fb342927f"
},
{
"url": "https://git.kernel.org/stable/c/271ee71a1917b89f6d73ec82dd091c33d92ee617"
},
{
"url": "https://git.kernel.org/stable/c/974f7b138c3a96dd5cd53d1b33409cd7b2229dc6"
},
{
"url": "https://git.kernel.org/stable/c/546c18a14924eb521fe168d916d7ce28f1e13c1d"
},
{
"url": "https://git.kernel.org/stable/c/a3d6c9c053c9c605651508569230ead633b13f76"
},
{
"url": "https://git.kernel.org/stable/c/1e09dfbb4f5d20ee111f92325a00f85778a5f328"
},
{
"url": "https://git.kernel.org/stable/c/1534661043c434b81cfde26b97a2fb2460329cf0"
},
{
"url": "https://git.kernel.org/stable/c/4cda78d6f8bf2b700529f2fbccb994c3e826d7c2"
}
],
"title": "Input: uinput - fix circular locking dependency with ff-core",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31667",
"datePublished": "2026-04-24T14:45:15.937Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-05-11T22:13:16.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43334 (GCVE-0-2026-43334)
Vulnerability from cvelistv5
Published
2026-05-08 13:31
Modified
2026-05-11 22:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SMP: force responder MITM requirements before building the pairing response
smp_cmd_pairing_req() currently builds the pairing response from the
initiator auth_req before enforcing the local BT_SECURITY_HIGH
requirement. If the initiator omits SMP_AUTH_MITM, the response can
also omit it even though the local side still requires MITM.
tk_request() then sees an auth value without SMP_AUTH_MITM and may
select JUST_CFM, making method selection inconsistent with the pairing
policy the responder already enforces.
When the local side requires HIGH security, first verify that MITM can
be achieved from the IO capabilities and then force SMP_AUTH_MITM in the
response in both rsp.auth_req and auth. This keeps the responder auth bits
and later method selection aligned.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 Version: 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 Version: 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 Version: 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 Version: 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 Version: 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 Version: 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 Version: 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/smp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "425a22c5373d4e1b46492ab869074ebeeade61f3",
"status": "affected",
"version": "2b64d153a0cc9d2b60e47be013cde8490f16e0a5",
"versionType": "git"
},
{
"lessThan": "7ab69426e7ecbd18a222ee2ec87ca612d30197d7",
"status": "affected",
"version": "2b64d153a0cc9d2b60e47be013cde8490f16e0a5",
"versionType": "git"
},
{
"lessThan": "01bb4045d2306c266178f49ce0c3576d237a3040",
"status": "affected",
"version": "2b64d153a0cc9d2b60e47be013cde8490f16e0a5",
"versionType": "git"
},
{
"lessThan": "91649c02c1baaa18cedf7fb425fa1f0f852c8183",
"status": "affected",
"version": "2b64d153a0cc9d2b60e47be013cde8490f16e0a5",
"versionType": "git"
},
{
"lessThan": "c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb",
"status": "affected",
"version": "2b64d153a0cc9d2b60e47be013cde8490f16e0a5",
"versionType": "git"
},
{
"lessThan": "fa14e0e19820b1bbdb42185c9c4efa950bcffef9",
"status": "affected",
"version": "2b64d153a0cc9d2b60e47be013cde8490f16e0a5",
"versionType": "git"
},
{
"lessThan": "ec17efb1ef91506cfd17a77692eaf4bbacb520ea",
"status": "affected",
"version": "2b64d153a0cc9d2b60e47be013cde8490f16e0a5",
"versionType": "git"
},
{
"lessThan": "d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7",
"status": "affected",
"version": "2b64d153a0cc9d2b60e47be013cde8490f16e0a5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/smp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SMP: force responder MITM requirements before building the pairing response\n\nsmp_cmd_pairing_req() currently builds the pairing response from the\ninitiator auth_req before enforcing the local BT_SECURITY_HIGH\nrequirement. If the initiator omits SMP_AUTH_MITM, the response can\nalso omit it even though the local side still requires MITM.\n\ntk_request() then sees an auth value without SMP_AUTH_MITM and may\nselect JUST_CFM, making method selection inconsistent with the pairing\npolicy the responder already enforces.\n\nWhen the local side requires HIGH security, first verify that MITM can\nbe achieved from the IO capabilities and then force SMP_AUTH_MITM in the\nresponse in both rsp.auth_req and auth. This keeps the responder auth bits\nand later method selection aligned."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:33.645Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3"
},
{
"url": "https://git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7"
},
{
"url": "https://git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040"
},
{
"url": "https://git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183"
},
{
"url": "https://git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb"
},
{
"url": "https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9"
},
{
"url": "https://git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea"
},
{
"url": "https://git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7"
}
],
"title": "Bluetooth: SMP: force responder MITM requirements before building the pairing response",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43334",
"datePublished": "2026-05-08T13:31:20.923Z",
"dateReserved": "2026-05-01T14:12:56.002Z",
"dateUpdated": "2026-05-11T22:22:33.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43437 (GCVE-0-2026-43437)
Vulnerability from cvelistv5
Published
2026-05-08 14:22
Modified
2026-05-11 22:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
In the drain loop, the local variable 'runtime' is reassigned to a
linked stream's runtime (runtime = s->runtime at line 2157). After
releasing the stream lock at line 2169, the code accesses
runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
(lines 2170-2178) — all referencing the linked stream's runtime without
any lock or refcount protecting its lifetime.
A concurrent close() on the linked stream's fd triggers
snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
No synchronization prevents kfree(runtime) from completing while the
drain path dereferences the stale pointer.
Fix by caching the needed runtime fields (no_period_wakeup, rate,
buffer_size) into local variables while still holding the stream lock,
and using the cached values after the lock is released.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f2b3614cefb61ee6046a0aaee503ee37f227d310 Version: f2b3614cefb61ee6046a0aaee503ee37f227d310 Version: f2b3614cefb61ee6046a0aaee503ee37f227d310 Version: f2b3614cefb61ee6046a0aaee503ee37f227d310 Version: f2b3614cefb61ee6046a0aaee503ee37f227d310 Version: f2b3614cefb61ee6046a0aaee503ee37f227d310 Version: f2b3614cefb61ee6046a0aaee503ee37f227d310 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9baee36e8c5443411c4629afabafaff8a46a23fd",
"status": "affected",
"version": "f2b3614cefb61ee6046a0aaee503ee37f227d310",
"versionType": "git"
},
{
"lessThan": "fc71f888994569f87d5bee20b1ac6c9c1e3a7a79",
"status": "affected",
"version": "f2b3614cefb61ee6046a0aaee503ee37f227d310",
"versionType": "git"
},
{
"lessThan": "629cf09464cf98670996ea5c191dc9743e6f3f00",
"status": "affected",
"version": "f2b3614cefb61ee6046a0aaee503ee37f227d310",
"versionType": "git"
},
{
"lessThan": "ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432",
"status": "affected",
"version": "f2b3614cefb61ee6046a0aaee503ee37f227d310",
"versionType": "git"
},
{
"lessThan": "4a758e9a1f5ed722f83c4dd35f867fe811553bcb",
"status": "affected",
"version": "f2b3614cefb61ee6046a0aaee503ee37f227d310",
"versionType": "git"
},
{
"lessThan": "c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694",
"status": "affected",
"version": "f2b3614cefb61ee6046a0aaee503ee37f227d310",
"versionType": "git"
},
{
"lessThan": "9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6",
"status": "affected",
"version": "f2b3614cefb61ee6046a0aaee503ee37f227d310",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()\n\nIn the drain loop, the local variable \u0027runtime\u0027 is reassigned to a\nlinked stream\u0027s runtime (runtime = s-\u003eruntime at line 2157). After\nreleasing the stream lock at line 2169, the code accesses\nruntime-\u003eno_period_wakeup, runtime-\u003erate, and runtime-\u003ebuffer_size\n(lines 2170-2178) \u2014 all referencing the linked stream\u0027s runtime without\nany lock or refcount protecting its lifetime.\n\nA concurrent close() on the linked stream\u0027s fd triggers\nsnd_pcm_release_substream() \u2192 snd_pcm_drop() \u2192 pcm_release_private()\n\u2192 snd_pcm_unlink() \u2192 snd_pcm_detach_substream() \u2192 kfree(runtime).\nNo synchronization prevents kfree(runtime) from completing while the\ndrain path dereferences the stale pointer.\n\nFix by caching the needed runtime fields (no_period_wakeup, rate,\nbuffer_size) into local variables while still holding the stream lock,\nand using the cached values after the lock is released."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:34.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9baee36e8c5443411c4629afabafaff8a46a23fd"
},
{
"url": "https://git.kernel.org/stable/c/fc71f888994569f87d5bee20b1ac6c9c1e3a7a79"
},
{
"url": "https://git.kernel.org/stable/c/629cf09464cf98670996ea5c191dc9743e6f3f00"
},
{
"url": "https://git.kernel.org/stable/c/ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432"
},
{
"url": "https://git.kernel.org/stable/c/4a758e9a1f5ed722f83c4dd35f867fe811553bcb"
},
{
"url": "https://git.kernel.org/stable/c/c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694"
},
{
"url": "https://git.kernel.org/stable/c/9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6"
}
],
"title": "ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43437",
"datePublished": "2026-05-08T14:22:07.314Z",
"dateReserved": "2026-05-01T14:12:56.009Z",
"dateUpdated": "2026-05-11T22:24:34.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31416 (GCVE-0-2026-31416)
Vulnerability from cvelistv5
Published
2026-04-13 13:21
Modified
2026-05-23 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_log: account for netlink header size
This is a followup to an old bug fix: NLMSG_DONE needs to account
for the netlink header size, not just the attribute size.
This can result in a WARN splat + drop of the netlink message,
but other than this there are no ill effects.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Version: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Version: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Version: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Version: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Version: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Version: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Version: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Version: 3a758a2b78da2f49f7165678faf999e946a0c4b5 Version: 131172845aa2c804ffa9423455aee585061ea35e Version: b1fef6b81871a396f3b8702077333e769673c87b Version: add9183d993c12fb61ce0a674a424341d5be5b36 Version: 3.10.61 ≤ Version: 3.12.34 ≤ Version: 3.14.25 ≤ Version: 3.17.4 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ec216410fac9de83c99177a160ebb8d42fad075",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "09883bf257f4243ed5a1fd35078ec6f0d0f3696a",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "761b45c661af48da6a065868d59ab1e1f64fd9b6",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "607245c4dbb86d9a10dd8388da0fb82170a99b61",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "6b419700e459fbf707ca1543b7c1b57a60fedb73",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "88a8f56e6276f616baad4274c6b8e4683e26e520",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "f08ffa3e1c8e36b6131f69c5eb23700c28cbd262",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "6d52a4a0520a6696bdde51caa11f2d6821cd0c01",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"status": "affected",
"version": "3a758a2b78da2f49f7165678faf999e946a0c4b5",
"versionType": "git"
},
{
"status": "affected",
"version": "131172845aa2c804ffa9423455aee585061ea35e",
"versionType": "git"
},
{
"status": "affected",
"version": "b1fef6b81871a396f3b8702077333e769673c87b",
"versionType": "git"
},
{
"status": "affected",
"version": "add9183d993c12fb61ce0a674a424341d5be5b36",
"versionType": "git"
},
{
"lessThan": "3.11",
"status": "affected",
"version": "3.10.61",
"versionType": "semver"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.34",
"versionType": "semver"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.25",
"versionType": "semver"
},
{
"lessThan": "3.18",
"status": "affected",
"version": "3.17.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: account for netlink header size\n\nThis is a followup to an old bug fix: NLMSG_DONE needs to account\nfor the netlink header size, not just the attribute size.\n\nThis can result in a WARN splat + drop of the netlink message,\nbut other than this there are no ill effects."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:56.281Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ec216410fac9de83c99177a160ebb8d42fad075"
},
{
"url": "https://git.kernel.org/stable/c/09883bf257f4243ed5a1fd35078ec6f0d0f3696a"
},
{
"url": "https://git.kernel.org/stable/c/761b45c661af48da6a065868d59ab1e1f64fd9b6"
},
{
"url": "https://git.kernel.org/stable/c/607245c4dbb86d9a10dd8388da0fb82170a99b61"
},
{
"url": "https://git.kernel.org/stable/c/6b419700e459fbf707ca1543b7c1b57a60fedb73"
},
{
"url": "https://git.kernel.org/stable/c/88a8f56e6276f616baad4274c6b8e4683e26e520"
},
{
"url": "https://git.kernel.org/stable/c/f08ffa3e1c8e36b6131f69c5eb23700c28cbd262"
},
{
"url": "https://git.kernel.org/stable/c/6d52a4a0520a6696bdde51caa11f2d6821cd0c01"
}
],
"title": "netfilter: nfnetlink_log: account for netlink header size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31416",
"datePublished": "2026-04-13T13:21:03.974Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-05-23T16:04:56.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31393 (GCVE-0-2026-31393)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
l2cap_information_rsp() checks that cmd_len covers the fixed
l2cap_info_rsp header (type + result, 4 bytes) but then reads
rsp->data without verifying that the payload is present:
- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads
4 bytes past the header (needs cmd_len >= 8).
- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header
(needs cmd_len >= 5).
A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an
out-of-bounds read of adjacent skb data.
Guard each data access with the required payload length check. If the
payload is too short, skip the read and let the state machine complete
with safe defaults (feat_mask and remote_fixed_chan remain zero from
kzalloc), so the info timer cleanup and l2cap_conn_start() still run
and the connection is not stalled.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4e8402a3f884427f9233ba436459c158d1f2e114 Version: 4e8402a3f884427f9233ba436459c158d1f2e114 Version: 4e8402a3f884427f9233ba436459c158d1f2e114 Version: 4e8402a3f884427f9233ba436459c158d1f2e114 Version: 4e8402a3f884427f9233ba436459c158d1f2e114 Version: 4e8402a3f884427f9233ba436459c158d1f2e114 Version: 4e8402a3f884427f9233ba436459c158d1f2e114 Version: 4e8402a3f884427f9233ba436459c158d1f2e114 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "187e6fe939295be36063a1d91f8bebee04399a8c",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "5229e7d15771eac2b5886bfb1f976aea0c1eec14",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "3b646516cba2ebc4b51a72954903326e7c1e443f",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "807bd1258453c4c83f6ae9dbc1e7b44860ff40d0",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "9aeacde4da0f02d42fd968fd32f245828b230171",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "e7ff754e339e3d5ce29aa9f95352d0186df8fbd9",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "db2872d054e467810078e2b9f440a5b326a601b2",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "dd815e6e3918dc75a49aaabac36e4f024d675101",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access\n\nl2cap_information_rsp() checks that cmd_len covers the fixed\nl2cap_info_rsp header (type + result, 4 bytes) but then reads\nrsp-\u003edata without verifying that the payload is present:\n\n - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp-\u003edata), which reads\n 4 bytes past the header (needs cmd_len \u003e= 8).\n\n - L2CAP_IT_FIXED_CHAN reads rsp-\u003edata[0], 1 byte past the header\n (needs cmd_len \u003e= 5).\n\nA truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an\nout-of-bounds read of adjacent skb data.\n\nGuard each data access with the required payload length check. If the\npayload is too short, skip the read and let the state machine complete\nwith safe defaults (feat_mask and remote_fixed_chan remain zero from\nkzalloc), so the info timer cleanup and l2cap_conn_start() still run\nand the connection is not stalled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:49.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/187e6fe939295be36063a1d91f8bebee04399a8c"
},
{
"url": "https://git.kernel.org/stable/c/5229e7d15771eac2b5886bfb1f976aea0c1eec14"
},
{
"url": "https://git.kernel.org/stable/c/3b646516cba2ebc4b51a72954903326e7c1e443f"
},
{
"url": "https://git.kernel.org/stable/c/807bd1258453c4c83f6ae9dbc1e7b44860ff40d0"
},
{
"url": "https://git.kernel.org/stable/c/9aeacde4da0f02d42fd968fd32f245828b230171"
},
{
"url": "https://git.kernel.org/stable/c/e7ff754e339e3d5ce29aa9f95352d0186df8fbd9"
},
{
"url": "https://git.kernel.org/stable/c/db2872d054e467810078e2b9f440a5b326a601b2"
},
{
"url": "https://git.kernel.org/stable/c/dd815e6e3918dc75a49aaabac36e4f024d675101"
}
],
"title": "Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31393",
"datePublished": "2026-04-03T15:15:58.142Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-05-11T22:07:49.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71238 (GCVE-0-2025-71238)
Vulnerability from cvelistv5
Published
2026-03-04 14:36
Modified
2026-05-11 21:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix bsg_done() causing double free
Kernel panic observed on system,
[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223] <TASK>
[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232] ? sg_copy_buffer+0xc8/0x110
[5353358.825236] ? __die_body.cold+0x8/0xd
[5353358.825238] ? page_fault_oops+0x134/0x170
[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244] ? exc_page_fault+0xa8/0x150
[5353358.825247] ? asm_exc_page_fault+0x22/0x30
[5353358.825252] ? memcpy_erms+0x6/0x10
[5353358.825253] sg_copy_buffer+0xc8/0x110
[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
Most routines in qla_bsg.c call bsg_done() only for success cases.
However a few invoke it for failure case as well leading to a double
free. Validate before calling bsg_done().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1b81e7f3019d632a707e07927e946ffbbc102910 Version: 1b81e7f3019d632a707e07927e946ffbbc102910 Version: 1b81e7f3019d632a707e07927e946ffbbc102910 Version: 1b81e7f3019d632a707e07927e946ffbbc102910 Version: 1b81e7f3019d632a707e07927e946ffbbc102910 Version: 1b81e7f3019d632a707e07927e946ffbbc102910 Version: 1b81e7f3019d632a707e07927e946ffbbc102910 Version: 1b81e7f3019d632a707e07927e946ffbbc102910 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "057a5bdc481e58ab853117254867ffb22caf9f6e",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "27ac9679c43a09e54e2d9aae9980ada045b428e0",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "74e7458537cd9349cf019862e51491f670871707",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "871f6236da96c4a9712b8a29d7f555f767a47e95",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "31f33b856d2324d86bcaef295f4d210477a1c018",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "708003e1bc857dd014d4c44278d7d77c26f91b1c",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix bsg_done() causing double free\n\nKernel panic observed on system,\n\n[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000\n[5353358.825194] #PF: supervisor write access in kernel mode\n[5353358.825195] #PF: error_code(0x0002) - not-present page\n[5353358.825196] PGD 100006067 P4D 0\n[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1\n[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025\n[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10\n[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246\n[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000\n[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000\n[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000\n[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090\n[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000\n[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000\n[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0\n[5353358.825221] PKRU: 55555554\n[5353358.825222] Call Trace:\n[5353358.825223] \u003cTASK\u003e\n[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825232] ? sg_copy_buffer+0xc8/0x110\n[5353358.825236] ? __die_body.cold+0x8/0xd\n[5353358.825238] ? page_fault_oops+0x134/0x170\n[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110\n[5353358.825244] ? exc_page_fault+0xa8/0x150\n[5353358.825247] ? asm_exc_page_fault+0x22/0x30\n[5353358.825252] ? memcpy_erms+0x6/0x10\n[5353358.825253] sg_copy_buffer+0xc8/0x110\n[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]\n[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]\n\nMost routines in qla_bsg.c call bsg_done() only for success cases.\nHowever a few invoke it for failure case as well leading to a double\nfree. Validate before calling bsg_done()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:00.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/057a5bdc481e58ab853117254867ffb22caf9f6e"
},
{
"url": "https://git.kernel.org/stable/c/f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720"
},
{
"url": "https://git.kernel.org/stable/c/27ac9679c43a09e54e2d9aae9980ada045b428e0"
},
{
"url": "https://git.kernel.org/stable/c/74e7458537cd9349cf019862e51491f670871707"
},
{
"url": "https://git.kernel.org/stable/c/871f6236da96c4a9712b8a29d7f555f767a47e95"
},
{
"url": "https://git.kernel.org/stable/c/31f33b856d2324d86bcaef295f4d210477a1c018"
},
{
"url": "https://git.kernel.org/stable/c/708003e1bc857dd014d4c44278d7d77c26f91b1c"
},
{
"url": "https://git.kernel.org/stable/c/c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0"
}
],
"title": "scsi: qla2xxx: Fix bsg_done() causing double free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71238",
"datePublished": "2026-03-04T14:36:36.579Z",
"dateReserved": "2026-02-18T14:25:13.845Z",
"dateUpdated": "2026-05-11T21:57:00.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50053 (GCVE-0-2022-50053)
Vulnerability from cvelistv5
Published
2025-06-18 11:01
Modified
2026-05-11 19:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: Fix reset error handling
Do not call iavf_close in iavf_reset_task error handling. Doing so can
lead to double call of napi_disable, which can lead to deadlock there.
Removing VF would lead to iavf_remove task being stuck, because it
requires crit_lock, which is held by iavf_close.
Call iavf_disable_vf if reset fail, so that driver will clean up
remaining invalid resources.
During rapid VF resets, HW can fail to setup VF mailbox. Wrong
error handling can lead to iavf_remove being stuck with:
[ 5218.999087] iavf 0000:82:01.0: Failed to init adminq: -53
...
[ 5267.189211] INFO: task repro.sh:11219 blocked for more than 30 seconds.
[ 5267.189520] Tainted: G S E 5.18.0-04958-ga54ce3703613-dirty #1
[ 5267.189764] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 5267.190062] task:repro.sh state:D stack: 0 pid:11219 ppid: 8162 flags:0x00000000
[ 5267.190347] Call Trace:
[ 5267.190647] <TASK>
[ 5267.190927] __schedule+0x460/0x9f0
[ 5267.191264] schedule+0x44/0xb0
[ 5267.191563] schedule_preempt_disabled+0x14/0x20
[ 5267.191890] __mutex_lock.isra.12+0x6e3/0xac0
[ 5267.192237] ? iavf_remove+0xf9/0x6c0 [iavf]
[ 5267.192565] iavf_remove+0x12a/0x6c0 [iavf]
[ 5267.192911] ? _raw_spin_unlock_irqrestore+0x1e/0x40
[ 5267.193285] pci_device_remove+0x36/0xb0
[ 5267.193619] device_release_driver_internal+0xc1/0x150
[ 5267.193974] pci_stop_bus_device+0x69/0x90
[ 5267.194361] pci_stop_and_remove_bus_device+0xe/0x20
[ 5267.194735] pci_iov_remove_virtfn+0xba/0x120
[ 5267.195130] sriov_disable+0x2f/0xe0
[ 5267.195506] ice_free_vfs+0x7d/0x2f0 [ice]
[ 5267.196056] ? pci_get_device+0x4f/0x70
[ 5267.196496] ice_sriov_configure+0x78/0x1a0 [ice]
[ 5267.196995] sriov_numvfs_store+0xfe/0x140
[ 5267.197466] kernfs_fop_write_iter+0x12e/0x1c0
[ 5267.197918] new_sync_write+0x10c/0x190
[ 5267.198404] vfs_write+0x24e/0x2d0
[ 5267.198886] ksys_write+0x5c/0xd0
[ 5267.199367] do_syscall_64+0x3a/0x80
[ 5267.199827] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 5267.200317] RIP: 0033:0x7f5b381205c8
[ 5267.200814] RSP: 002b:00007fff8c7e8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 5267.201981] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f5b381205c8
[ 5267.202620] RDX: 0000000000000002 RSI: 00005569420ee900 RDI: 0000000000000001
[ 5267.203426] RBP: 00005569420ee900 R08: 000000000000000a R09: 00007f5b38180820
[ 5267.204327] R10: 000000000000000a R11: 0000000000000246 R12: 00007f5b383c06e0
[ 5267.205193] R13: 0000000000000002 R14: 00007f5b383bb880 R15: 0000000000000002
[ 5267.206041] </TASK>
[ 5267.206970] Kernel panic - not syncing: hung_task: blocked tasks
[ 5267.207809] CPU: 48 PID: 551 Comm: khungtaskd Kdump: loaded Tainted: G S E 5.18.0-04958-ga54ce3703613-dirty #1
[ 5267.208726] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.11.0 11/02/2019
[ 5267.209623] Call Trace:
[ 5267.210569] <TASK>
[ 5267.211480] dump_stack_lvl+0x33/0x42
[ 5267.212472] panic+0x107/0x294
[ 5267.213467] watchdog.cold.8+0xc/0xbb
[ 5267.214413] ? proc_dohung_task_timeout_secs+0x30/0x30
[ 5267.215511] kthread+0xf4/0x120
[ 5267.216459] ? kthread_complete_and_exit+0x20/0x20
[ 5267.217505] ret_from_fork+0x22/0x30
[ 5267.218459] </TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "743dc4377bbac06a6fe44c3c5baf75a49439678a",
"status": "affected",
"version": "f0db78928783f0a4cce4940e8c03c2e9a760e629",
"versionType": "git"
},
{
"lessThan": "0828e27971f18ea317710acb228afe6e72606082",
"status": "affected",
"version": "f0db78928783f0a4cce4940e8c03c2e9a760e629",
"versionType": "git"
},
{
"lessThan": "31071173771e079f7bc08dacd61e0db913262fbf",
"status": "affected",
"version": "f0db78928783f0a4cce4940e8c03c2e9a760e629",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.63",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix reset error handling\n\nDo not call iavf_close in iavf_reset_task error handling. Doing so can\nlead to double call of napi_disable, which can lead to deadlock there.\nRemoving VF would lead to iavf_remove task being stuck, because it\nrequires crit_lock, which is held by iavf_close.\nCall iavf_disable_vf if reset fail, so that driver will clean up\nremaining invalid resources.\nDuring rapid VF resets, HW can fail to setup VF mailbox. Wrong\nerror handling can lead to iavf_remove being stuck with:\n[ 5218.999087] iavf 0000:82:01.0: Failed to init adminq: -53\n...\n[ 5267.189211] INFO: task repro.sh:11219 blocked for more than 30 seconds.\n[ 5267.189520] Tainted: G S E 5.18.0-04958-ga54ce3703613-dirty #1\n[ 5267.189764] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 5267.190062] task:repro.sh state:D stack: 0 pid:11219 ppid: 8162 flags:0x00000000\n[ 5267.190347] Call Trace:\n[ 5267.190647] \u003cTASK\u003e\n[ 5267.190927] __schedule+0x460/0x9f0\n[ 5267.191264] schedule+0x44/0xb0\n[ 5267.191563] schedule_preempt_disabled+0x14/0x20\n[ 5267.191890] __mutex_lock.isra.12+0x6e3/0xac0\n[ 5267.192237] ? iavf_remove+0xf9/0x6c0 [iavf]\n[ 5267.192565] iavf_remove+0x12a/0x6c0 [iavf]\n[ 5267.192911] ? _raw_spin_unlock_irqrestore+0x1e/0x40\n[ 5267.193285] pci_device_remove+0x36/0xb0\n[ 5267.193619] device_release_driver_internal+0xc1/0x150\n[ 5267.193974] pci_stop_bus_device+0x69/0x90\n[ 5267.194361] pci_stop_and_remove_bus_device+0xe/0x20\n[ 5267.194735] pci_iov_remove_virtfn+0xba/0x120\n[ 5267.195130] sriov_disable+0x2f/0xe0\n[ 5267.195506] ice_free_vfs+0x7d/0x2f0 [ice]\n[ 5267.196056] ? pci_get_device+0x4f/0x70\n[ 5267.196496] ice_sriov_configure+0x78/0x1a0 [ice]\n[ 5267.196995] sriov_numvfs_store+0xfe/0x140\n[ 5267.197466] kernfs_fop_write_iter+0x12e/0x1c0\n[ 5267.197918] new_sync_write+0x10c/0x190\n[ 5267.198404] vfs_write+0x24e/0x2d0\n[ 5267.198886] ksys_write+0x5c/0xd0\n[ 5267.199367] do_syscall_64+0x3a/0x80\n[ 5267.199827] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 5267.200317] RIP: 0033:0x7f5b381205c8\n[ 5267.200814] RSP: 002b:00007fff8c7e8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 5267.201981] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f5b381205c8\n[ 5267.202620] RDX: 0000000000000002 RSI: 00005569420ee900 RDI: 0000000000000001\n[ 5267.203426] RBP: 00005569420ee900 R08: 000000000000000a R09: 00007f5b38180820\n[ 5267.204327] R10: 000000000000000a R11: 0000000000000246 R12: 00007f5b383c06e0\n[ 5267.205193] R13: 0000000000000002 R14: 00007f5b383bb880 R15: 0000000000000002\n[ 5267.206041] \u003c/TASK\u003e\n[ 5267.206970] Kernel panic - not syncing: hung_task: blocked tasks\n[ 5267.207809] CPU: 48 PID: 551 Comm: khungtaskd Kdump: loaded Tainted: G S E 5.18.0-04958-ga54ce3703613-dirty #1\n[ 5267.208726] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.11.0 11/02/2019\n[ 5267.209623] Call Trace:\n[ 5267.210569] \u003cTASK\u003e\n[ 5267.211480] dump_stack_lvl+0x33/0x42\n[ 5267.212472] panic+0x107/0x294\n[ 5267.213467] watchdog.cold.8+0xc/0xbb\n[ 5267.214413] ? proc_dohung_task_timeout_secs+0x30/0x30\n[ 5267.215511] kthread+0xf4/0x120\n[ 5267.216459] ? kthread_complete_and_exit+0x20/0x20\n[ 5267.217505] ret_from_fork+0x22/0x30\n[ 5267.218459] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:11:56.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/743dc4377bbac06a6fe44c3c5baf75a49439678a"
},
{
"url": "https://git.kernel.org/stable/c/0828e27971f18ea317710acb228afe6e72606082"
},
{
"url": "https://git.kernel.org/stable/c/31071173771e079f7bc08dacd61e0db913262fbf"
}
],
"title": "iavf: Fix reset error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50053",
"datePublished": "2025-06-18T11:01:58.164Z",
"dateReserved": "2025-06-18T10:57:27.403Z",
"dateUpdated": "2026-05-11T19:11:56.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43190 (GCVE-0-2026-43190)
Vulnerability from cvelistv5
Published
2026-05-06 11:27
Modified
2026-05-11 22:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_tcpmss: check remaining length before reading optlen
Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.
If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_tcpmss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f895191dc32c53eaf443b6443fe40945b2f92287",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cd5beda7e0e32865e214f28034bb92c1cecff885",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eaedc0bc18be46fe7f58170e967959a932c4f824",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "07a9b32eaae792ff7d0fcac14d8920c937c0a9c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8b300f726640c48c3edfe9c453334dd801f4b74e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e13d0a37666955b6cfddc0f73cb40ed645b8a05",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6c412dcfd76b0516d51aa847d8f4c7b70381b09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "735ee8582da3d239eb0c7a53adca61b79fb228b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_tcpmss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_tcpmss: check remaining length before reading optlen\n\nQuoting reporter:\n In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads\n op[i+1] directly without validating the remaining option length.\n\n If the last byte of the option field is not EOL/NOP (0/1), the code attempts\n to index op[i+1]. In the case where i + 1 == optlen, this causes an\n out-of-bounds read, accessing memory past the optlen boundary\n (either reading beyond the stack buffer _opt or the\n following payload)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:35.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287"
},
{
"url": "https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885"
},
{
"url": "https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824"
},
{
"url": "https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3"
},
{
"url": "https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e"
},
{
"url": "https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05"
},
{
"url": "https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09"
},
{
"url": "https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3"
}
],
"title": "netfilter: xt_tcpmss: check remaining length before reading optlen",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43190",
"datePublished": "2026-05-06T11:27:59.798Z",
"dateReserved": "2026-05-01T14:12:55.992Z",
"dateUpdated": "2026-05-11T22:19:35.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31422 (GCVE-0-2026-31422)
Vulnerability from cvelistv5
Published
2026-04-13 13:40
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_flow: fix NULL pointer dereference on shared blocks
flow_change() calls tcf_block_q() and dereferences q->handle to derive
a default baseclass. Shared blocks leave block->q NULL, causing a NULL
deref when a flow filter without a fully qualified baseclass is created
on a shared block.
Check tcf_block_shared() before accessing block->q and return -EINVAL
for shared blocks. This avoids the null-deref shown below:
=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
tc_new_tfilter (net/sched/cls_api.c:2432)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
[...]
=======================================================================
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1abf272022cf1d18469405f47b4ec49c6a3125db Version: 1abf272022cf1d18469405f47b4ec49c6a3125db Version: 1abf272022cf1d18469405f47b4ec49c6a3125db Version: 1abf272022cf1d18469405f47b4ec49c6a3125db Version: 1abf272022cf1d18469405f47b4ec49c6a3125db Version: 1abf272022cf1d18469405f47b4ec49c6a3125db Version: 1abf272022cf1d18469405f47b4ec49c6a3125db Version: 1abf272022cf1d18469405f47b4ec49c6a3125db |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_flow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "57f94ac7e953eece5ed4819605a18f3cdfc63dcc",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "942813276edeb1741fa5b0a73471beb4e495fa08",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "cc707a4fd4c3b6ab2722e06bc359aa010e13d408",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "4a09f72007201c9f667dc47f64517ec23eea65e5",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "a208c3e1232997e9317887294c20008dfcb75449",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "415ea0c973c754b9f375225807810eb9045f4293",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "1a280dd4bd1d616a01d6ffe0de284c907b555504",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_flow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_flow: fix NULL pointer dereference on shared blocks\n\nflow_change() calls tcf_block_q() and dereferences q-\u003ehandle to derive\na default baseclass. Shared blocks leave block-\u003eq NULL, causing a NULL\nderef when a flow filter without a fully qualified baseclass is created\non a shared block.\n\nCheck tcf_block_shared() before accessing block-\u003eq and return -EINVAL\nfor shared blocks. This avoids the null-deref shown below:\n\n=======================================================================\nKASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\nRIP: 0010:flow_change (net/sched/cls_flow.c:508)\nCall Trace:\n tc_new_tfilter (net/sched/cls_api.c:2432)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)\n [...]\n======================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:24.111Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/57f94ac7e953eece5ed4819605a18f3cdfc63dcc"
},
{
"url": "https://git.kernel.org/stable/c/942813276edeb1741fa5b0a73471beb4e495fa08"
},
{
"url": "https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408"
},
{
"url": "https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5"
},
{
"url": "https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e"
},
{
"url": "https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449"
},
{
"url": "https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293"
},
{
"url": "https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504"
}
],
"title": "net/sched: cls_flow: fix NULL pointer dereference on shared blocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31422",
"datePublished": "2026-04-13T13:40:25.911Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-05-11T22:08:24.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43126 (GCVE-0-2026-43126)
Vulnerability from cvelistv5
Published
2026-05-06 11:27
Modified
2026-05-11 22:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: mixer: oss: Add card disconnect checkpoints
ALSA OSS mixer layer calls the kcontrol ops rather individually, and
pending calls might be not always caught at disconnecting the device.
For avoiding the potential UAF scenarios, add sanity checks of the
card disconnection at each entry point of OSS mixer accesses. The
rwsem is taken just before that check, hence the rest context should
be covered by that properly.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/oss/mixer_oss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae583f113d15fa97e5234133c20d09f8e6214e47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6645e625480cdf1079a4265f758d13b70721029",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8c097cf736993454acf3f711a3b376d6c7ad8965",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "084d5d44418148662365eced3e126ad1a81ee3e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/oss/mixer_oss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: mixer: oss: Add card disconnect checkpoints\n\nALSA OSS mixer layer calls the kcontrol ops rather individually, and\npending calls might be not always caught at disconnecting the device.\n\nFor avoiding the potential UAF scenarios, add sanity checks of the\ncard disconnection at each entry point of OSS mixer accesses. The\nrwsem is taken just before that check, hence the rest context should\nbe covered by that properly."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:18:15.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae583f113d15fa97e5234133c20d09f8e6214e47"
},
{
"url": "https://git.kernel.org/stable/c/e6645e625480cdf1079a4265f758d13b70721029"
},
{
"url": "https://git.kernel.org/stable/c/8c097cf736993454acf3f711a3b376d6c7ad8965"
},
{
"url": "https://git.kernel.org/stable/c/084d5d44418148662365eced3e126ad1a81ee3e2"
}
],
"title": "ALSA: mixer: oss: Add card disconnect checkpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43126",
"datePublished": "2026-05-06T11:27:15.765Z",
"dateReserved": "2026-05-01T14:12:55.988Z",
"dateUpdated": "2026-05-11T22:18:15.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31424 (GCVE-0-2026-31424)
Vulnerability from cvelistv5
Published
2026-04-13 13:40
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Weiming Shi says:
xt_match and xt_target structs registered with NFPROTO_UNSPEC can be
loaded by any protocol family through nft_compat. When such a
match/target sets .hooks to restrict which hooks it may run on, the
bitmask uses NF_INET_* constants. This is only correct for families
whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge
all share the same five hooks (PRE_ROUTING ... POST_ROUTING).
ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different
semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks
validation silently passes for the wrong reasons, allowing matches to
run on ARP chains where the hook assumptions (e.g. state->in being
set on input hooks) do not hold. This leads to NULL pointer
dereferences; xt_devgroup is one concrete example:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
RIP: 0010:devgroup_mt+0xff/0x350
Call Trace:
<TASK>
nft_match_eval (net/netfilter/nft_compat.c:407)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
nf_hook_slow (net/netfilter/core.c:623)
arp_xmit (net/ipv4/arp.c:666)
</TASK>
Kernel panic - not syncing: Fatal exception in interrupt
Fix it by restricting arptables to NFPROTO_ARP extensions only.
Note that arptables-legacy only supports:
- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK
that provide explicit NFPROTO_ARP match/target declarations.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9291747f118d6404e509747b85ff5f6dfec368d2 Version: 9291747f118d6404e509747b85ff5f6dfec368d2 Version: 9291747f118d6404e509747b85ff5f6dfec368d2 Version: 9291747f118d6404e509747b85ff5f6dfec368d2 Version: 9291747f118d6404e509747b85ff5f6dfec368d2 Version: 9291747f118d6404e509747b85ff5f6dfec368d2 Version: 9291747f118d6404e509747b85ff5f6dfec368d2 Version: 9291747f118d6404e509747b85ff5f6dfec368d2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/x_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80e3c75f71c3ea1e62fcb032382de13e00a68f8b",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "d9a0af9e43416aa50c0595e15fa01365a1c72c49",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "1cd6313c8644bfebbd813a05da9daa21b09dd68c",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "f00ac65c90ea475719e08d629e2e26c8b4e6999b",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "e7e1b6bcb389c8708003d40613a59ff2496f6b1f",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "dc3e27dd7d76e21106b8f9bbdc31f5da74a89014",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "3d5d488f11776738deab9da336038add95d342d1",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/x_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state-\u003ein being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n \u003cTASK\u003e\n nft_match_eval (net/netfilter/nft_compat.c:407)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n nf_hook_slow (net/netfilter/core.c:623)\n arp_xmit (net/ipv4/arp.c:666)\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:26.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b"
},
{
"url": "https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49"
},
{
"url": "https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c"
},
{
"url": "https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b"
},
{
"url": "https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f"
},
{
"url": "https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014"
},
{
"url": "https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a"
},
{
"url": "https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1"
}
],
"title": "netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31424",
"datePublished": "2026-04-13T13:40:27.957Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-05-11T22:08:26.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31787 (GCVE-0-2026-31787)
Vulnerability from cvelistv5
Published
2026-04-30 10:31
Modified
2026-05-11 22:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d71f513985c22f1050295d1a7e4327cf9fb060da Version: d71f513985c22f1050295d1a7e4327cf9fb060da Version: d71f513985c22f1050295d1a7e4327cf9fb060da Version: d71f513985c22f1050295d1a7e4327cf9fb060da Version: d71f513985c22f1050295d1a7e4327cf9fb060da Version: d71f513985c22f1050295d1a7e4327cf9fb060da Version: d71f513985c22f1050295d1a7e4327cf9fb060da Version: d71f513985c22f1050295d1a7e4327cf9fb060da |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:37.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/14"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-487.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf862ce9f009128ab86b234d91413a3e450beb4",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2b985d3a024b9e8c24e21671b34e855569763808",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "1576ff3869cbd3620717195f971c85b7d7fd62b5",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "402d84ad9e89bd4cbfd07ca8598532b7021daf95",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2894a351fe2ea8684919d36df3188b9a35e3926f",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "446ee446d9ae66f36e95c3c90bbcc4e56b94cde0",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "71bf829800758a6e3889096e4754ef47ba7fc850",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "24daca4fc07f3ff8cd0e3f629cd982187f48436a",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n - xen_unmap_domain_gfn_range()\n - xen_free_unpopulated_pages()\n - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:15:48.239Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4"
},
{
"url": "https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808"
},
{
"url": "https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5"
},
{
"url": "https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95"
},
{
"url": "https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f"
},
{
"url": "https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0"
},
{
"url": "https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850"
},
{
"url": "https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a"
}
],
"title": "xen/privcmd: fix double free via VMA splitting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31787",
"datePublished": "2026-04-30T10:31:28.992Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-05-11T22:15:48.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31496 (GCVE-0-2026-31496)
Vulnerability from cvelistv5
Published
2026-04-22 13:54
Modified
2026-05-11 22:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_expect: skip expectations in other netns via proc
Skip expectations that do not reside in this netns.
Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's
conntrack entries via proc").
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9b03f38d0487f3908696242286d934c9b38f9d2a Version: 9b03f38d0487f3908696242286d934c9b38f9d2a Version: 9b03f38d0487f3908696242286d934c9b38f9d2a Version: 9b03f38d0487f3908696242286d934c9b38f9d2a Version: 9b03f38d0487f3908696242286d934c9b38f9d2a Version: 9b03f38d0487f3908696242286d934c9b38f9d2a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_expect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2028405ea6987b4448784e439413202cfe19f43f",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "168145c87444619e3e649322bbe7719ecd00d411",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "dcfcd95b3ae7683e8ae55c92284b3430ce614bc7",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "9ca8c7452493d915f9bbf2f39331e6c583d07a23",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "3265ad619987cb551edaf797ed056d80ac450225",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "3db5647984de03d9cae0dcddb509b058351f0ee4",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_expect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: skip expectations in other netns via proc\n\nSkip expectations that do not reside in this netns.\n\nSimilar to e77e6ff502ea (\"netfilter: conntrack: do not dump other netns\u0027s\nconntrack entries via proc\")."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:51.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2028405ea6987b4448784e439413202cfe19f43f"
},
{
"url": "https://git.kernel.org/stable/c/168145c87444619e3e649322bbe7719ecd00d411"
},
{
"url": "https://git.kernel.org/stable/c/dcfcd95b3ae7683e8ae55c92284b3430ce614bc7"
},
{
"url": "https://git.kernel.org/stable/c/9ca8c7452493d915f9bbf2f39331e6c583d07a23"
},
{
"url": "https://git.kernel.org/stable/c/3265ad619987cb551edaf797ed056d80ac450225"
},
{
"url": "https://git.kernel.org/stable/c/3db5647984de03d9cae0dcddb509b058351f0ee4"
}
],
"title": "netfilter: nf_conntrack_expect: skip expectations in other netns via proc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31496",
"datePublished": "2026-04-22T13:54:18.287Z",
"dateReserved": "2026-03-09T15:48:24.102Z",
"dateUpdated": "2026-05-11T22:09:51.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31512 (GCVE-0-2026-31512)
Vulnerability from cvelistv5
Published
2026-04-22 13:54
Modified
2026-05-11 22:10
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
l2cap_ecred_data_rcv() reads the SDU length field from skb->data using
get_unaligned_le16() without first verifying that skb contains at least
L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads
past the valid data in the skb.
The ERTM reassembly path correctly calls pskb_may_pull() before reading
the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the
same validation to the Enhanced Credit Based Flow Control data path.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aac23bf636593cc2d67144aed373a46a1a5f76b1 Version: aac23bf636593cc2d67144aed373a46a1a5f76b1 Version: aac23bf636593cc2d67144aed373a46a1a5f76b1 Version: aac23bf636593cc2d67144aed373a46a1a5f76b1 Version: aac23bf636593cc2d67144aed373a46a1a5f76b1 Version: aac23bf636593cc2d67144aed373a46a1a5f76b1 Version: aac23bf636593cc2d67144aed373a46a1a5f76b1 Version: aac23bf636593cc2d67144aed373a46a1a5f76b1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cef09691cfb61f6c91cc27c3d69634f81c8ab949",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "3340be2bafdcc806f048273ea6d8e82a6597aa1b",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "e47315b84d0eb188772c3ff5cf073cdbdefca6b4",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "477ad4976072056c348937e94f24583321938df4",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "40c7f7eea2f4d9cb0b3e924254c8c9053372168f",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "8c96f3bd4ae0802db90630be8e9851827e9c9209",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "5ad981249be52f5e4e92e0e97b436b569071cb86",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "c65bd945d1c08c3db756821b6bf9f1c4a77b29c6",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb-\u003edata using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb-\u003elen is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:13.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949"
},
{
"url": "https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b"
},
{
"url": "https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"
},
{
"url": "https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4"
},
{
"url": "https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f"
},
{
"url": "https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209"
},
{
"url": "https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86"
},
{
"url": "https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6"
}
],
"title": "Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31512",
"datePublished": "2026-04-22T13:54:30.171Z",
"dateReserved": "2026-03-09T15:48:24.107Z",
"dateUpdated": "2026-05-11T22:10:13.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31428 (GCVE-0-2026-31428)
Vulnerability from cvelistv5
Published
2026-04-13 13:40
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
__build_packet_message() manually constructs the NFULA_PAYLOAD netlink
attribute using skb_put() and skb_copy_bits(), bypassing the standard
nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes
are allocated (including NLA alignment padding), only data_len bytes
of actual packet data are copied. The trailing nla_padlen(data_len)
bytes (1-3 when data_len is not 4-byte aligned) are never initialized,
leaking stale heap contents to userspace via the NFLOG netlink socket.
Replace the manual attribute construction with nla_reserve(), which
handles the tailroom check, header setup, and padding zeroing via
__nla_reserve(). The subsequent skb_copy_bits() fills in the payload
data on top of the properly initialized attribute.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: df6fb868d6118686805c2fa566e213a8f31c8e4f Version: df6fb868d6118686805c2fa566e213a8f31c8e4f Version: df6fb868d6118686805c2fa566e213a8f31c8e4f Version: df6fb868d6118686805c2fa566e213a8f31c8e4f Version: df6fb868d6118686805c2fa566e213a8f31c8e4f Version: df6fb868d6118686805c2fa566e213a8f31c8e4f Version: df6fb868d6118686805c2fa566e213a8f31c8e4f Version: df6fb868d6118686805c2fa566e213a8f31c8e4f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f3e5d72455936f42709116fabeca3bb216cda62",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "21d8efda029948d3666b0db5afcc0d36c0984aae",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "fc961dd7272b5e4a462999635e44a4770d7f2482",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "a8365d1064ded323797c5e28e91070c52f44b76c",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "a2f6ff3444b663d6cfa63eadd61327a18592885a",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "c9f6c51d36482805ac3ffadb9663fe775a13e926",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "7eff72968161fb8ddb26113344de3b92fb7d7ef5",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD\n\n__build_packet_message() manually constructs the NFULA_PAYLOAD netlink\nattribute using skb_put() and skb_copy_bits(), bypassing the standard\nnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes\nare allocated (including NLA alignment padding), only data_len bytes\nof actual packet data are copied. The trailing nla_padlen(data_len)\nbytes (1-3 when data_len is not 4-byte aligned) are never initialized,\nleaking stale heap contents to userspace via the NFLOG netlink socket.\n\nReplace the manual attribute construction with nla_reserve(), which\nhandles the tailroom check, header setup, and padding zeroing via\n__nla_reserve(). The subsequent skb_copy_bits() fills in the payload\ndata on top of the properly initialized attribute."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:31.017Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f3e5d72455936f42709116fabeca3bb216cda62"
},
{
"url": "https://git.kernel.org/stable/c/21d8efda029948d3666b0db5afcc0d36c0984aae"
},
{
"url": "https://git.kernel.org/stable/c/fc961dd7272b5e4a462999635e44a4770d7f2482"
},
{
"url": "https://git.kernel.org/stable/c/a8365d1064ded323797c5e28e91070c52f44b76c"
},
{
"url": "https://git.kernel.org/stable/c/a2f6ff3444b663d6cfa63eadd61327a18592885a"
},
{
"url": "https://git.kernel.org/stable/c/c9f6c51d36482805ac3ffadb9663fe775a13e926"
},
{
"url": "https://git.kernel.org/stable/c/7eff72968161fb8ddb26113344de3b92fb7d7ef5"
},
{
"url": "https://git.kernel.org/stable/c/52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7"
}
],
"title": "netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31428",
"datePublished": "2026-04-13T13:40:30.987Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-05-11T22:08:31.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31504 (GCVE-0-2026-31504)
Vulnerability from cvelistv5
Published
2026-04-22 13:54
Modified
2026-05-11 22:10
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix fanout UAF in packet_release() via NETDEV_UP race
`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.
`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.
For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.
The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.
This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ce06b03e60fc19c680d1bf873e779bf11c2fc518 Version: ce06b03e60fc19c680d1bf873e779bf11c2fc518 Version: ce06b03e60fc19c680d1bf873e779bf11c2fc518 Version: ce06b03e60fc19c680d1bf873e779bf11c2fc518 Version: ce06b03e60fc19c680d1bf873e779bf11c2fc518 Version: ce06b03e60fc19c680d1bf873e779bf11c2fc518 Version: ce06b03e60fc19c680d1bf873e779bf11c2fc518 Version: ce06b03e60fc19c680d1bf873e779bf11c2fc518 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee642b1962caa9aa231c01abbd58bc453ae6b66e",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "42cfd7898eeed290c9fb73f732af1f7d6b0a703e",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "1b4c03f8892d955385c202009af7485364731bb9",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "654386baef228c2992dbf604c819e4c7c35fc71b",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "75fe6db23705a1d55160081f7b37db9665b1880b",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "ceccbfc6de720ad633519a226715989cfb065af1",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "42156f93d123436f2a27c468f18c966b7e5db796",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group\u0027s `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po-\u003enum` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po-\u003enum` is still non-zero and `po-\u003eifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f-\u003earr[]` and increments `f-\u003enum_members`,\nbut does NOT increment `f-\u003esk_ref`.\n\nThe fix sets `po-\u003enum` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:01.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"
},
{
"url": "https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"
},
{
"url": "https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"
},
{
"url": "https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"
},
{
"url": "https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"
},
{
"url": "https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"
},
{
"url": "https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"
},
{
"url": "https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"
}
],
"title": "net: fix fanout UAF in packet_release() via NETDEV_UP race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31504",
"datePublished": "2026-04-22T13:54:23.862Z",
"dateReserved": "2026-03-09T15:48:24.105Z",
"dateUpdated": "2026-05-11T22:10:01.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23193 (GCVE-0-2026-23193)
Vulnerability from cvelistv5
Published
2026-02-14 16:27
Modified
2026-05-11 22:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.
This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.
To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b64015550a13bcc72910be0565548d9a754d46d",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "fd8b0900173307039d3a84644c2fee041a7ed4fb",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "d8dbdc146e9e9a976931b78715be2e91299049f9",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "11ebafffce31efc6abeb28c509017976fc49f1ca",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "41b86a9ec037bd3435d68dd3692f0891a207e7e7",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "4530f4e4d0e6a207110b0ffed0c911bca43531a4",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "84dc6037390b8607c5551047d3970336cb51ba9a",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()\n\nIn iscsit_dec_session_usage_count(), the function calls complete() while\nholding the sess-\u003esession_usage_lock. Similar to the connection usage count\nlogic, the waiter signaled by complete() (e.g., in the session release\npath) may wake up and free the iscsit_session structure immediately.\n\nThis creates a race condition where the current thread may attempt to\nexecute spin_unlock_bh() on a session structure that has already been\ndeallocated, resulting in a KASAN slab-use-after-free.\n\nTo resolve this, release the session_usage_lock before calling complete()\nto ensure all dereferences of the sess pointer are finished before the\nwaiter is allowed to proceed with deallocation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:07.544Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b64015550a13bcc72910be0565548d9a754d46d"
},
{
"url": "https://git.kernel.org/stable/c/fd8b0900173307039d3a84644c2fee041a7ed4fb"
},
{
"url": "https://git.kernel.org/stable/c/d8dbdc146e9e9a976931b78715be2e91299049f9"
},
{
"url": "https://git.kernel.org/stable/c/11ebafffce31efc6abeb28c509017976fc49f1ca"
},
{
"url": "https://git.kernel.org/stable/c/41b86a9ec037bd3435d68dd3692f0891a207e7e7"
},
{
"url": "https://git.kernel.org/stable/c/4530f4e4d0e6a207110b0ffed0c911bca43531a4"
},
{
"url": "https://git.kernel.org/stable/c/84dc6037390b8607c5551047d3970336cb51ba9a"
}
],
"title": "scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23193",
"datePublished": "2026-02-14T16:27:20.251Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-05-11T22:02:07.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31607 (GCVE-0-2026-31607)
Vulnerability from cvelistv5
Published
2026-04-24 14:42
Modified
2026-06-01 16:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbip: validate number_of_packets in usbip_pack_ret_submit()
When a USB/IP client receives a RET_SUBMIT response,
usbip_pack_ret_submit() unconditionally overwrites
urb->number_of_packets from the network PDU. This value is
subsequently used as the loop bound in usbip_recv_iso() and
usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible
array whose size was fixed at URB allocation time based on the
*original* number_of_packets from the CMD_SUBMIT.
A malicious USB/IP server can set number_of_packets in the response
to a value larger than what was originally submitted, causing a heap
out-of-bounds write when usbip_recv_iso() writes to
urb->iso_frame_desc[i] beyond the allocated region.
KASAN confirmed this with kernel 7.0.0-rc5:
BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
Write of size 4 at addr ffff888106351d40 by task vhci_rx/69
The buggy address is located 0 bytes to the right of
allocated 320-byte region [ffff888106351c00, ffff888106351d40)
The server side (stub_rx.c) and gadget side (vudc_rx.c) already
validate number_of_packets in the CMD_SUBMIT path since commits
c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle
malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden
CMD_SUBMIT path to handle malicious input"). The server side validates
against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
On the client side we have the original URB, so we can use the tighter
bound: the response must not exceed the original number_of_packets.
This mirrors the existing validation of actual_length against
transfer_buffer_length in usbip_recv_xbuff(), which checks the
response value against the original allocation size.
Kelvin Mbogo's series ("usb: usbip: fix integer overflow in
usbip_recv_iso()", v2) hardens the receive-side functions themselves;
this patch complements that work by catching the bad value at its
source -- in usbip_pack_ret_submit() before the overwrite -- and
using the tighter per-URB allocation bound rather than the global
USBIP_MAX_ISO_PACKETS limit.
Fix this by checking rpdu->number_of_packets against
urb->number_of_packets in usbip_pack_ret_submit() before the
overwrite. On violation, clamp to zero so that usbip_recv_iso() and
usbip_pad_iso() safely return early.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: 1325f85fa49f57df034869de430f7c302ae23109 Version: d9638d9236eed035a575feddec61d036dacc2676 Version: ca7d3501b7a287c18b5b470e871d3029b0f4842a Version: 1ce528277e1a66856ed3f7526c1e3458c0ed4a70 Version: db898d0c5c493ce4177d5e1d3a953e079a56a24b Version: 5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a Version: 2.6.32.37 ≤ Version: 2.6.33.10 ≤ Version: 2.6.34.11 ≤ Version: 2.6.35.13 ≤ Version: 2.6.38.3 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/usbip/usbip_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "324262c38438255bf6bdbf6342ca47c0badaab76",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "973f2c250289f5bf6cc146b98aa6fdde11fe50d6",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "ce744264b06b97069b3722511ab355738311fee0",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "885c8591784da6314f9aa82fa460ac69f9f79e5f",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "8d155e2d1c4102f74f82a2bf9c016164bb0f7384",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "906f16a836de13fe61f49cdce2f66f2dbd14caf4",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "ef8ebb1c637b4cfb61a9dd2e013376774ee2033b",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "5e1c4ece08ccdc197177631f111845a2c68eede3",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "2ab833a16a825373aad2ba7d54b572b277e95b71",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"status": "affected",
"version": "d9638d9236eed035a575feddec61d036dacc2676",
"versionType": "git"
},
{
"status": "affected",
"version": "ca7d3501b7a287c18b5b470e871d3029b0f4842a",
"versionType": "git"
},
{
"status": "affected",
"version": "1ce528277e1a66856ed3f7526c1e3458c0ed4a70",
"versionType": "git"
},
{
"status": "affected",
"version": "db898d0c5c493ce4177d5e1d3a953e079a56a24b",
"versionType": "git"
},
{
"status": "affected",
"version": "5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a",
"versionType": "git"
},
{
"lessThan": "2.6.33",
"status": "affected",
"version": "2.6.32.37",
"versionType": "semver"
},
{
"lessThan": "2.6.34",
"status": "affected",
"version": "2.6.33.10",
"versionType": "semver"
},
{
"lessThan": "2.6.35",
"status": "affected",
"version": "2.6.34.11",
"versionType": "semver"
},
{
"lessThan": "2.6.36",
"status": "affected",
"version": "2.6.35.13",
"versionType": "semver"
},
{
"lessThan": "2.6.39",
"status": "affected",
"version": "2.6.38.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/usbip/usbip_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.33.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.34.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.35.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.38.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb-\u003enumber_of_packets from the network PDU. This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb-\u003eiso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb-\u003eiso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n The buggy address is located 0 bytes to the right of\n allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input\"). The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo\u0027s series (\"usb: usbip: fix integer overflow in\nusbip_recv_iso()\", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu-\u003enumber_of_packets against\nurb-\u003enumber_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:12:29.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76"
},
{
"url": "https://git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6"
},
{
"url": "https://git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0"
},
{
"url": "https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f"
},
{
"url": "https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384"
},
{
"url": "https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4"
},
{
"url": "https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b"
},
{
"url": "https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3"
},
{
"url": "https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71"
}
],
"title": "usbip: validate number_of_packets in usbip_pack_ret_submit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31607",
"datePublished": "2026-04-24T14:42:29.468Z",
"dateReserved": "2026-03-09T15:48:24.122Z",
"dateUpdated": "2026-06-01T16:12:29.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23268 (GCVE-0-2026-23268)
Vulnerability from cvelistv5
Published
2026-03-18 17:54
Modified
2026-05-11 22:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix unprivileged local user can do privileged policy management
An unprivileged local user can load, replace, and remove profiles by
opening the apparmorfs interfaces, via a confused deputy attack, by
passing the opened fd to a privileged process, and getting the
privileged process to write to the interface.
This does require a privileged target that can be manipulated to do
the write for the unprivileged process, but once such access is
achieved full policy management is possible and all the possible
implications that implies: removing confinement, DoS of system or
target applications by denying all execution, by-passing the
unprivileged user namespace restriction, to exploiting kernel bugs for
a local privilege escalation.
The policy management interface can not have its permissions simply
changed from 0666 to 0600 because non-root processes need to be able
to load policy to different policy namespaces.
Instead ensure the task writing the interface has privileges that
are a subset of the task that opened the interface. This is already
done via policy for confined processes, but unconfined can delegate
access to the opened fd, by-passing the usual policy check.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy.h",
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a407a078cd41b5261b99d822af784bd9f136eb4d",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "4cafce4d6d0a66ec27e3af5637c11901d60189fa",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "33ee909702e047c94aaf41d4eea35626d509802c",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "17debf5586020790b5717f96e5e6a3ca5bb961ab",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "0fc63dd9170643d15c25681fca792539e23f4640",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "b6a94eeca9c6c8f7c55ad44c62c98324f51ec596",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "6601e13e82841879406bf9f369032656f441a425",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy.h",
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:34.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a407a078cd41b5261b99d822af784bd9f136eb4d"
},
{
"url": "https://git.kernel.org/stable/c/4cafce4d6d0a66ec27e3af5637c11901d60189fa"
},
{
"url": "https://git.kernel.org/stable/c/33ee909702e047c94aaf41d4eea35626d509802c"
},
{
"url": "https://git.kernel.org/stable/c/17debf5586020790b5717f96e5e6a3ca5bb961ab"
},
{
"url": "https://git.kernel.org/stable/c/0fc63dd9170643d15c25681fca792539e23f4640"
},
{
"url": "https://git.kernel.org/stable/c/b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6"
},
{
"url": "https://git.kernel.org/stable/c/b6a94eeca9c6c8f7c55ad44c62c98324f51ec596"
},
{
"url": "https://git.kernel.org/stable/c/6601e13e82841879406bf9f369032656f441a425"
},
{
"url": "https://www.qualys.com/2026/03/10/crack-armor.txt"
}
],
"title": "apparmor: fix unprivileged local user can do privileged policy management",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23268",
"datePublished": "2026-03-18T17:54:41.974Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-05-11T22:03:34.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23456 (GCVE-0-2026-23456)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
value, then calls get_uint(bs, len) without checking that len bytes
remain in the buffer. The existing boundary check only validates the
2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
slab-out-of-bounds read.
Add a boundary check for len bytes after get_bits() and before
get_uint().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 Version: 5e35941d990123f155b02d5663e51a24f816b6f3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2cd54b9348e485d338b3c132338a4410c99afaf",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "c95dc674ebf01ecfb40388b6facfc89b81fed3b7",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "41b417ff73a24b2c68134992cc44c88db27f482d",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "52235bf88159a1ef16434ab49e47e99c8a09ab20",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "774a434f8c9c8602a976b2536f65d0172a07f4d2",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "6bce72daeccca9aa1746e92d6c3d4784e71f2ebb",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "fb6c3596823ec5dd09c2123340330d7448f51a59",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "1e3a3593162c96e8a8de48b1e14f60c3b57fca8a",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case\n\nIn decode_int(), the CONS case calls get_bits(bs, 2) to read a length\nvalue, then calls get_uint(bs, len) without checking that len bytes\nremain in the buffer. The existing boundary check only validates the\n2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()\nreads. This allows a malformed H.323/RAS packet to cause a 1-4 byte\nslab-out-of-bounds read.\n\nAdd a boundary check for len bytes after get_bits() and before\nget_uint()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:20.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf"
},
{
"url": "https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7"
},
{
"url": "https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d"
},
{
"url": "https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20"
},
{
"url": "https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2"
},
{
"url": "https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb"
},
{
"url": "https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59"
},
{
"url": "https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a"
}
],
"title": "netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23456",
"datePublished": "2026-04-03T15:15:37.534Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-05-11T22:07:20.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-20585 (GCVE-0-2023-20585)
Vulnerability from cvelistv5
Published
2026-04-16 18:42
Modified
2026-04-16 19:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-788 - Access of Memory Location After End of Buffer
Summary
Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20585",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T18:58:05.996293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T18:58:58.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7003 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "SEV FW 1.37.23"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9004 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "SEV FW 1.37.31"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 7003 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbMilanPI-SP3 1.0.0.B"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 9004 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-1.0.0.A"
}
]
}
],
"datePublic": "2026-04-16T18:42:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity."
}
],
"value": "Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-788",
"description": "CWE-788 Access of Memory Location After End of Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T19:12:06.991Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3016.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "AMD PSIRT Automation 1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2023-20585",
"datePublished": "2026-04-16T18:42:28.281Z",
"dateReserved": "2022-10-27T18:53:39.759Z",
"dateUpdated": "2026-04-16T19:12:06.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31400 (GCVE-0-2026-31400)
Vulnerability from cvelistv5
Published
2026-04-03 15:16
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix cache_request leak in cache_release
When a reader's file descriptor is closed while in the middle of reading
a cache_request (rp->offset != 0), cache_release() decrements the
request's readers count but never checks whether it should free the
request.
In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the
cache_request is removed from the queue and freed along with its buffer
and cache_head reference. cache_release() lacks this cleanup.
The only other path that frees requests with readers == 0 is
cache_dequeue(), but it runs only when CACHE_PENDING transitions from
set to clear. If that transition already happened while readers was
still non-zero, cache_dequeue() will have skipped the request, and no
subsequent call will clean it up.
Add the same cleanup logic from cache_read() to cache_release(): after
decrementing readers, check if it reached 0 with CACHE_PENDING clear,
and if so, dequeue and free the cache_request.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dfedb293943e491379c9302b428e6f920a73d12",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f18c1f2a88ca91357916997cdb0f7adaf14fc497",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bcd5e318876ac638c8ceade7a648e76ac8c48e1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41f6ba6c98a618043d2cd71030bf9a752dfab8b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "301670dcd098c1fe5c2fe90fb3c7a8f4814d2351",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "be5c35960e5ead70862736161836e2d1bc7352dc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "373457de14281c1fc7cace6fc4c8a267fc176673",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17ad31b3a43b72aec3a3d83605891e1397d0d065",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix cache_request leak in cache_release\n\nWhen a reader\u0027s file descriptor is closed while in the middle of reading\na cache_request (rp-\u003eoffset != 0), cache_release() decrements the\nrequest\u0027s readers count but never checks whether it should free the\nrequest.\n\nIn cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the\ncache_request is removed from the queue and freed along with its buffer\nand cache_head reference. cache_release() lacks this cleanup.\n\nThe only other path that frees requests with readers == 0 is\ncache_dequeue(), but it runs only when CACHE_PENDING transitions from\nset to clear. If that transition already happened while readers was\nstill non-zero, cache_dequeue() will have skipped the request, and no\nsubsequent call will clean it up.\n\nAdd the same cleanup logic from cache_read() to cache_release(): after\ndecrementing readers, check if it reached 0 with CACHE_PENDING clear,\nand if so, dequeue and free the cache_request."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:57.975Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dfedb293943e491379c9302b428e6f920a73d12"
},
{
"url": "https://git.kernel.org/stable/c/f18c1f2a88ca91357916997cdb0f7adaf14fc497"
},
{
"url": "https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1"
},
{
"url": "https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2"
},
{
"url": "https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351"
},
{
"url": "https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc"
},
{
"url": "https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673"
},
{
"url": "https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065"
}
],
"title": "sunrpc: fix cache_request leak in cache_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31400",
"datePublished": "2026-04-03T15:16:03.906Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:07:57.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31700 (GCVE-0-2026-31700)
Vulnerability from cvelistv5
Published
2026-05-01 13:56
Modified
2026-05-11 22:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points
directly into the mmap'd TX ring buffer shared with userspace. The
kernel validates the header via __packet_snd_vnet_parse() but then
re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent
userspace thread can modify the vnet_hdr fields between validation
and use, bypassing all safety checks.
The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr
to a stack-local variable. All other vnet_hdr consumers in the kernel
(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX
path is the only caller of virtio_net_hdr_to_skb() that reads directly
from user-controlled shared memory.
Fix this by copying vnet_hdr from the mmap'd ring buffer to a
stack-local variable before validation and use, consistent with the
approach used in packet_snd() and all other callers.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "3a1bf9116ea31470b89692585c3910dfe830dcdd",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "28324a3b62d9ce7f9bdd65a8ce63f382041d1b27",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "2c054e17d9d41f1020376806c7f750834ced4dc5",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix TOCTOU race on mmap\u0027d vnet_hdr in tpacket_snd()\n\nIn tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points\ndirectly into the mmap\u0027d TX ring buffer shared with userspace. The\nkernel validates the header via __packet_snd_vnet_parse() but then\nre-reads all fields later in virtio_net_hdr_to_skb(). A concurrent\nuserspace thread can modify the vnet_hdr fields between validation\nand use, bypassing all safety checks.\n\nThe non-TPACKET path (packet_snd()) already correctly copies vnet_hdr\nto a stack-local variable. All other vnet_hdr consumers in the kernel\n(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX\npath is the only caller of virtio_net_hdr_to_skb() that reads directly\nfrom user-controlled shared memory.\n\nFix this by copying vnet_hdr from the mmap\u0027d ring buffer to a\nstack-local variable before validation and use, consistent with the\napproach used in packet_snd() and all other callers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:14:02.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121"
},
{
"url": "https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd"
},
{
"url": "https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27"
},
{
"url": "https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b"
},
{
"url": "https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5"
}
],
"title": "net/packet: fix TOCTOU race on mmap\u0027d vnet_hdr in tpacket_snd()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31700",
"datePublished": "2026-05-01T13:56:00.205Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-05-11T22:14:02.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43264 (GCVE-0-2026-43264)
Vulnerability from cvelistv5
Published
2026-05-06 11:28
Modified
2026-05-11 22:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
of_parse_phandle() returns a device_node with refcount incremented,
which is stored in 'entry' and then copied to 'native_mode'. When the
error paths at lines 184 or 192 jump to 'entryfail', native_mode's
refcount is not decremented, causing a refcount leak.
Fix this by changing the goto target from 'entryfail' to 'timingfail',
which properly calls of_node_put(native_mode) before cleanup.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cc3f414cf2e404130584b63d373161ba6fd24bc2 Version: cc3f414cf2e404130584b63d373161ba6fd24bc2 Version: cc3f414cf2e404130584b63d373161ba6fd24bc2 Version: cc3f414cf2e404130584b63d373161ba6fd24bc2 Version: cc3f414cf2e404130584b63d373161ba6fd24bc2 Version: cc3f414cf2e404130584b63d373161ba6fd24bc2 Version: cc3f414cf2e404130584b63d373161ba6fd24bc2 Version: cc3f414cf2e404130584b63d373161ba6fd24bc2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/of_display_timing.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20881ad42e651c69d89eb38a2042838187900fd6",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "b5bdcc5afbff845834d04d651773cb6b47db5dd3",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "2b22e4fe1273c24f405ed7903349c4bbd82b6368",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "3ed019654234edb8625c05d05e15d40f74e64f70",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "d6f34bbff07476c6abb8672c89d217824871c5ed",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "69290f2d3999c5fa1a7f5d5593cfc5461fa3ee64",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "c5734f9030a8b1e13868d1641b5163d8e659306e",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "eacf9840ae1285a1ef47eb0ce16d786e542bd4d7",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/of_display_timing.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: of: display_timing: fix refcount leak in of_get_display_timings()\n\nof_parse_phandle() returns a device_node with refcount incremented,\nwhich is stored in \u0027entry\u0027 and then copied to \u0027native_mode\u0027. When the\nerror paths at lines 184 or 192 jump to \u0027entryfail\u0027, native_mode\u0027s\nrefcount is not decremented, causing a refcount leak.\n\nFix this by changing the goto target from \u0027entryfail\u0027 to \u0027timingfail\u0027,\nwhich properly calls of_node_put(native_mode) before cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:11.841Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20881ad42e651c69d89eb38a2042838187900fd6"
},
{
"url": "https://git.kernel.org/stable/c/b5bdcc5afbff845834d04d651773cb6b47db5dd3"
},
{
"url": "https://git.kernel.org/stable/c/2b22e4fe1273c24f405ed7903349c4bbd82b6368"
},
{
"url": "https://git.kernel.org/stable/c/3ed019654234edb8625c05d05e15d40f74e64f70"
},
{
"url": "https://git.kernel.org/stable/c/d6f34bbff07476c6abb8672c89d217824871c5ed"
},
{
"url": "https://git.kernel.org/stable/c/69290f2d3999c5fa1a7f5d5593cfc5461fa3ee64"
},
{
"url": "https://git.kernel.org/stable/c/c5734f9030a8b1e13868d1641b5163d8e659306e"
},
{
"url": "https://git.kernel.org/stable/c/eacf9840ae1285a1ef47eb0ce16d786e542bd4d7"
}
],
"title": "fbdev: of: display_timing: fix refcount leak in of_get_display_timings()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43264",
"datePublished": "2026-05-06T11:28:50.867Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-11T22:21:11.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23276 (GCVE-0-2026-23276)
Vulnerability from cvelistv5
Published
2026-03-20 08:08
Modified
2026-05-23 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: add xmit recursion limit to tunnel xmit functions
Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own
recursion limit. When a bond device in broadcast mode has GRE tap
interfaces as slaves, and those GRE tunnels route back through the
bond, multicast/broadcast traffic triggers infinite recursion between
bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing
kernel stack overflow.
The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not
sufficient because tunnel recursion involves route lookups and full IP
output, consuming much more stack per level. Use a lower limit of 4
(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.
Add recursion detection using dev_xmit_recursion helpers directly in
iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel
paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).
Move dev_xmit_recursion helpers from net/core/dev.h to public header
include/linux/netdevice.h so they can be used by tunnel code.
BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160
Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11
Workqueue: mld mld_ifc_work
Call Trace:
<TASK>
__build_flow_key.constprop.0 (net/ipv4/route.c:515)
ip_rt_update_pmtu (net/ipv4/route.c:1073)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
ip_finish_output2 (net/ipv4/ip_output.c:237)
ip_output (net/ipv4/ip_output.c:438)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
ip_finish_output2 (net/ipv4/ip_output.c:237)
ip_output (net/ipv4/ip_output.c:438)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
mld_sendpack
mld_ifc_work
process_one_work
worker_thread
</TASK>
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 745e20f1b626b1be4b100af5d4bf7b3439392f8f Version: 745e20f1b626b1be4b100af5d4bf7b3439392f8f Version: 745e20f1b626b1be4b100af5d4bf7b3439392f8f Version: 745e20f1b626b1be4b100af5d4bf7b3439392f8f Version: 3f266b04185de51d8e6446eb1fccec3b5e7ce575 Version: 2.6.35.9 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/netdevice.h",
"include/net/ip6_tunnel.h",
"include/net/ip_tunnels.h",
"net/core/dev.h",
"net/ipv4/ip_tunnel_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "834c4f645726a25fd71ea50cdfb5c135f8f95d85",
"status": "affected",
"version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f",
"versionType": "git"
},
{
"lessThan": "8a57deeb256069f262957d8012418559ff66c385",
"status": "affected",
"version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f",
"versionType": "git"
},
{
"lessThan": "b56b8d19bd05e2a8338385c770bc2b60590bc81e",
"status": "affected",
"version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f",
"versionType": "git"
},
{
"lessThan": "6f1a9140ecda3baba3d945b9a6155af4268aafc4",
"status": "affected",
"version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f",
"versionType": "git"
},
{
"status": "affected",
"version": "3f266b04185de51d8e6446eb1fccec3b5e7ce575",
"versionType": "git"
},
{
"lessThan": "2.6.36",
"status": "affected",
"version": "2.6.35.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/netdevice.h",
"include/net/ip6_tunnel.h",
"include/net/ip_tunnels.h",
"net/core/dev.h",
"net/ipv4/ip_tunnel_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.35.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add xmit recursion limit to tunnel xmit functions\n\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\n\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\n\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\n\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\n\n BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\n Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\n Workqueue: mld mld_ifc_work\n Call Trace:\n \u003cTASK\u003e\n __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n ip_rt_update_pmtu (net/ipv4/route.c:1073)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n ip_output (net/ipv4/ip_output.c:438)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n ip_output (net/ipv4/ip_output.c:438)\n iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n dev_hard_start_xmit (net/core/dev.c:3887)\n __dev_queue_xmit (net/core/dev.c:4841)\n mld_sendpack\n mld_ifc_work\n process_one_work\n worker_thread\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:28.110Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85"
},
{
"url": "https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385"
},
{
"url": "https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e"
},
{
"url": "https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4"
}
],
"title": "net: add xmit recursion limit to tunnel xmit functions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23276",
"datePublished": "2026-03-20T08:08:56.575Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-05-23T16:04:28.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31407 (GCVE-0-2026-31407)
Vulnerability from cvelistv5
Published
2026-04-06 07:38
Modified
2026-06-01 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: add missing netlink policy validations
Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.
These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.
Quoting the reporter:
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. [..]
and: ... with exp->dir = 100, the access at
ct->master->tuplehash[100] reads 5600 bytes past the start of a
320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
UBSAN.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 Version: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 Version: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 Version: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 Version: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 Version: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 Version: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 Version: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c",
"net/netfilter/nf_conntrack_proto_sctp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7b5766693477c52424cc6c79dd30a7a9c7db52c",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "78bba9f73942aa7dca47d817d8cec0fb9b443b70",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "be88a337bf07afb1ee173f1099294d1b7ab3fefe",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "c5e918390002edf0cff80a0e7ce1f86f16a9507c",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "9174d28f3f15d8c4962f5980c0be167633880443",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "67c53c1978cef3c504237275e39c857e2f6af56e",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "0fbae1e74493d5a160a70c51aeba035d8266ea7d",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c",
"net/netfilter/nf_conntrack_proto_sctp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: add missing netlink policy validations\n\nHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n\nThese attributes are used by the kernel without any validation.\nExtend the netlink policies accordingly.\n\nQuoting the reporter:\n nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n value directly to ct-\u003eproto.sctp.state without checking that it is\n within the valid range. [..]\n\n and: ... with exp-\u003edir = 100, the access at\n ct-\u003emaster-\u003etuplehash[100] reads 5600 bytes past the start of a\n 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n UBSAN."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:20.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7b5766693477c52424cc6c79dd30a7a9c7db52c"
},
{
"url": "https://git.kernel.org/stable/c/78bba9f73942aa7dca47d817d8cec0fb9b443b70"
},
{
"url": "https://git.kernel.org/stable/c/be88a337bf07afb1ee173f1099294d1b7ab3fefe"
},
{
"url": "https://git.kernel.org/stable/c/c5e918390002edf0cff80a0e7ce1f86f16a9507c"
},
{
"url": "https://git.kernel.org/stable/c/9174d28f3f15d8c4962f5980c0be167633880443"
},
{
"url": "https://git.kernel.org/stable/c/67c53c1978cef3c504237275e39c857e2f6af56e"
},
{
"url": "https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d"
},
{
"url": "https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05"
}
],
"title": "netfilter: conntrack: add missing netlink policy validations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31407",
"datePublished": "2026-04-06T07:38:19.712Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-06-01T16:11:20.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68185 (GCVE-0-2025-68185)
Vulnerability from cvelistv5
Published
2025-12-16 13:43
Modified
2026-05-11 21:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing
Theoretically it's an oopsable race, but I don't believe one can manage
to hit it on real hardware; might become doable on a KVM, but it still
won't be easy to attack.
Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of
put_unaligned_be64(), we can put that under ->d_lock and be done with that.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6025f641a0e30afdc5aa62017397b1860ad9f677",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6cafe71eb3b5579b245ba1bd528a181e77f3df1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fa4daf7d11e45b72aad5d943a7ab991f869fff79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "504b3fb9948a9e96ebbabdee0d33966a8bab15cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eacfd08b26a062f1095b18719715bc82ad35312e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40be5b9080114f18b0cea386db415b68a7273c1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f5e570eaab36a110c6ffda32b87c51170990c2d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a890a2e339b929dbd843328f9a92a1625404fe63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing\n\nTheoretically it\u0027s an oopsable race, but I don\u0027t believe one can manage\nto hit it on real hardware; might become doable on a KVM, but it still\nwon\u0027t be easy to attack.\n\nAnyway, it\u0027s easy to deal with - since xdr_encode_hyper() is just a call of\nput_unaligned_be64(), we can put that under -\u003ed_lock and be done with that."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:48:18.325Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6025f641a0e30afdc5aa62017397b1860ad9f677"
},
{
"url": "https://git.kernel.org/stable/c/e6cafe71eb3b5579b245ba1bd528a181e77f3df1"
},
{
"url": "https://git.kernel.org/stable/c/fa4daf7d11e45b72aad5d943a7ab991f869fff79"
},
{
"url": "https://git.kernel.org/stable/c/504b3fb9948a9e96ebbabdee0d33966a8bab15cb"
},
{
"url": "https://git.kernel.org/stable/c/eacfd08b26a062f1095b18719715bc82ad35312e"
},
{
"url": "https://git.kernel.org/stable/c/40be5b9080114f18b0cea386db415b68a7273c1a"
},
{
"url": "https://git.kernel.org/stable/c/f5e570eaab36a110c6ffda32b87c51170990c2d1"
},
{
"url": "https://git.kernel.org/stable/c/a890a2e339b929dbd843328f9a92a1625404fe63"
}
],
"title": "nfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68185",
"datePublished": "2025-12-16T13:43:02.894Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2026-05-11T21:48:18.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23449 (GCVE-0-2026-23449)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: teql: Fix double-free in teql_master_xmit
Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
be called using the seq_lock to avoid racing with the datapath. Failure
to do so may cause crashes like the following:
[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
[ 238.029749][ T318]
[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 238.029910][ T318] Call Trace:
[ 238.029913][ T318] <TASK>
[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)
[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)
[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
...
[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)
[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)
[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)
[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)
...
[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)
[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
[ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
...
[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)
[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
...
[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:
[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)
[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)
[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)
[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)
[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
[ 238.081469][ T318]
[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:
[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)
[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
[ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
[ 238.085900][ T318] __kasan_slab_free (mm/
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae Version: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae Version: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae Version: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae Version: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae Version: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_generic.c",
"net/sched/sch_teql.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e8ebc4c18ea8213d28e6cb867d18fcc67daca21",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "21c89a0a8de7eadad8d385645a95b3233f23130e",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "afbc79a7770b230a9f24bd39271209d6b3682c5f",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "e9c66d3e7d8557b3308e55c613aa07254fe97611",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "4a233447b941db451ea5f5a0942cffd0f7f7eaae",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "66360460cab63c248ca5b1070a01c0c29133b960",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_generic.c",
"net/sched/sch_teql.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: Fix double-free in teql_master_xmit\n\nWhenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should\nbe called using the seq_lock to avoid racing with the datapath. Failure\nto do so may cause crashes like the following:\n\n[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)\n[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318\n[ 238.029749][ T318]\n[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)\n[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 238.029910][ T318] Call Trace:\n[ 238.029913][ T318] \u003cTASK\u003e\n[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)\n[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)\n[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)\n[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))\n[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)\n...\n[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)\n[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)\n[ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)\n[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)\n[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)\n[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)\n[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)\n[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)\n...\n[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:\n[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)\n[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)\n[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)\n[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))\n[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)\n[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)\n[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)\n[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)\n[ 238.081469][ T318]\n[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:\n[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)\n[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))\n[ 238.085900][ T318] __kasan_slab_free (mm/\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:12.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e8ebc4c18ea8213d28e6cb867d18fcc67daca21"
},
{
"url": "https://git.kernel.org/stable/c/21c89a0a8de7eadad8d385645a95b3233f23130e"
},
{
"url": "https://git.kernel.org/stable/c/afbc79a7770b230a9f24bd39271209d6b3682c5f"
},
{
"url": "https://git.kernel.org/stable/c/e9c66d3e7d8557b3308e55c613aa07254fe97611"
},
{
"url": "https://git.kernel.org/stable/c/4a233447b941db451ea5f5a0942cffd0f7f7eaae"
},
{
"url": "https://git.kernel.org/stable/c/66360460cab63c248ca5b1070a01c0c29133b960"
}
],
"title": "net/sched: teql: Fix double-free in teql_master_xmit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23449",
"datePublished": "2026-04-03T15:15:32.150Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-05-11T22:07:12.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31649 (GCVE-0-2026-31649)
Vulnerability from cvelistv5
Published
2026-04-24 14:45
Modified
2026-05-11 22:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix integer underflow in chain mode
The jumbo_frm() chain-mode implementation unconditionally computes
len = nopaged_len - bmax;
where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is
BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()
decides to invoke jumbo_frm() based on skb->len (total length including
page fragments):
is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);
When a packet has a small linear portion (nopaged_len <= bmax) but a
large total length due to page fragments (skb->len > bmax), the
subtraction wraps as an unsigned integer, producing a huge len value
(~0xFFFFxxxx). This causes the while (len != 0) loop to execute
hundreds of thousands of iterations, passing skb->data + bmax * i
pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less
SoCs (the typical deployment for stmmac), this maps arbitrary kernel
memory to the DMA engine, constituting a kernel memory disclosure and
potential memory corruption from hardware.
Fix this by introducing a buf_len local variable clamped to
min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then
always safe: it is zero when the linear portion fits within a single
descriptor, causing the while (len != 0) loop to be skipped naturally,
and the fragment loop in stmmac_xmit() handles page fragments afterward.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 286a837217204b1ef105e3a554d0757e4fdfaac1 Version: 286a837217204b1ef105e3a554d0757e4fdfaac1 Version: 286a837217204b1ef105e3a554d0757e4fdfaac1 Version: 286a837217204b1ef105e3a554d0757e4fdfaac1 Version: 286a837217204b1ef105e3a554d0757e4fdfaac1 Version: 286a837217204b1ef105e3a554d0757e4fdfaac1 Version: 286a837217204b1ef105e3a554d0757e4fdfaac1 Version: 286a837217204b1ef105e3a554d0757e4fdfaac1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/chain_mode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "513e06735f5be575b409d195822195348b164e48",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "275bdf762e82082f064e60a92448fa2ac43cf95b",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "b7b8012193fd98236d7ae05d4b553f010a77b2ef",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "2c91b39912278d0878f9ba60ba04d2518b18a08d",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "6fca757c20396dc2e604dcc61922264e9e3dc803",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "10d12b9240ebf96c785f0e2e4228318cd5f3a3eb",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "51f4e090b9f87b40c21b6daadb5c06e6c0a07b67",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/chain_mode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\npage fragments):\n\n is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx). This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\npointers far beyond the skb buffer to dma_map_single(). On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:12:54.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"
},
{
"url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"
},
{
"url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"
},
{
"url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"
},
{
"url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"
},
{
"url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"
},
{
"url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"
},
{
"url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"
}
],
"title": "net: stmmac: fix integer underflow in chain mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31649",
"datePublished": "2026-04-24T14:45:02.520Z",
"dateReserved": "2026-03-09T15:48:24.128Z",
"dateUpdated": "2026-05-11T22:12:54.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23378 (GCVE-0-2026-23378)
Vulnerability from cvelistv5
Published
2026-03-25 10:27
Modified
2026-05-11 22:05
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ife: Fix metalist update behavior
Whenever an ife action replace changes the metalist, instead of
replacing the old data on the metalist, the current ife code is appending
the new metadata. Aside from being innapropriate behavior, this may lead
to an unbounded addition of metadata to the metalist which might cause an
out of bounds error when running the encode op:
[ 138.423369][ C1] ==================================================================
[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255
[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)
[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 138.425800][ C1] Call Trace:
[ 138.425804][ C1] <IRQ>
[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)
[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))
[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)
[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)
[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))
[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)
[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)
To solve this issue, fix the replace behavior by adding the metalist to
the ife rcu data structure.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aa9fd9a325d51fa0b11153b03b8fefff569fa955 Version: aa9fd9a325d51fa0b11153b03b8fefff569fa955 Version: aa9fd9a325d51fa0b11153b03b8fefff569fa955 Version: aa9fd9a325d51fa0b11153b03b8fefff569fa955 Version: aa9fd9a325d51fa0b11153b03b8fefff569fa955 Version: aa9fd9a325d51fa0b11153b03b8fefff569fa955 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_ife.h",
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56ade7ddea6ce605552341785d08e365c3f61861",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "5b1449301ca070814d866990b46f48d3f39ea4ee",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "91a89d3bdc2f63d983adc13d1771631663c5dc1b",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "cd888c3966672239f2e0707b846a5a936ac9038a",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "691866c4cca54dc4df762276b49e89b36e046947",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "e2cedd400c3ec0302ffca2490e8751772906ac23",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_ife.h",
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: Fix metalist update behavior\n\nWhenever an ife action replace changes the metalist, instead of\nreplacing the old data on the metalist, the current ife code is appending\nthe new metadata. Aside from being innapropriate behavior, this may lead\nto an unbounded addition of metadata to the metalist which might cause an\nout of bounds error when running the encode op:\n\n[ 138.423369][ C1] ==================================================================\n[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255\n[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)\n[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 138.425800][ C1] Call Trace:\n[ 138.425804][ C1] \u003cIRQ\u003e\n[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)\n[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))\n[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)\n[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))\n[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))\n[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)\n[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)\n[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)\n[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))\n[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)\n[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)\n\nTo solve this issue, fix the replace behavior by adding the metalist to\nthe ife rcu data structure."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:05:43.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56ade7ddea6ce605552341785d08e365c3f61861"
},
{
"url": "https://git.kernel.org/stable/c/5b1449301ca070814d866990b46f48d3f39ea4ee"
},
{
"url": "https://git.kernel.org/stable/c/91a89d3bdc2f63d983adc13d1771631663c5dc1b"
},
{
"url": "https://git.kernel.org/stable/c/cd888c3966672239f2e0707b846a5a936ac9038a"
},
{
"url": "https://git.kernel.org/stable/c/691866c4cca54dc4df762276b49e89b36e046947"
},
{
"url": "https://git.kernel.org/stable/c/e2cedd400c3ec0302ffca2490e8751772906ac23"
}
],
"title": "net/sched: act_ife: Fix metalist update behavior",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23378",
"datePublished": "2026-03-25T10:27:57.986Z",
"dateReserved": "2026-01-13T15:37:46.006Z",
"dateUpdated": "2026-05-11T22:05:43.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31427 (GCVE-0-2026-31427)
Vulnerability from cvelistv5
Published
2026-04-13 13:40
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
process_sdp() declares union nf_inet_addr rtp_addr on the stack and
passes it to the nf_nat_sip sdp_session hook after walking the SDP
media descriptions. However rtp_addr is only initialized inside the
media loop when a recognized media type with a non-zero port is found.
If the SDP body contains no m= lines, only inactive media sections
(m=audio 0 ...) or only unrecognized media types, rtp_addr is never
assigned. Despite that, the function still calls hooks->sdp_session()
with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack
value as an IP address and rewrite the SDP session owner and connection
lines with it.
With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this
results in the session-level o= and c= addresses being rewritten to
0.0.0.0 for inactive SDP sessions. Without stack auto-init the
rewritten address is whatever happened to be on the stack.
Fix this by pre-initializing rtp_addr from the session-level connection
address (caddr) when available, and tracking via a have_rtp_addr flag
whether any valid address was established. Skip the sdp_session hook
entirely when no valid address exists.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 Version: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 Version: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 Version: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 Version: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 Version: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 Version: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 Version: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "faa6ea32797a1847790514ff0da1be1d09771580",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "82baeb871e8f04906bc886273fdf0209e1754eb3",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "6e5e3c87b7e6212f1d8414fc2e4d158b01e12025",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "7edca70751b9bdb5b83eed53cde21eccf3c86147",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "01f34a80ac23ae90b1909b94b4ed05343a62f646",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "52fdda318ef2362fc5936385bcb8b3d0328ee629",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "6a2b724460cb67caed500c508c2ae5cf012e4db4",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks-\u003esdp_session()\nwith \u0026rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. Skip the sdp_session hook\nentirely when no valid address exists."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:29.865Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/faa6ea32797a1847790514ff0da1be1d09771580"
},
{
"url": "https://git.kernel.org/stable/c/82baeb871e8f04906bc886273fdf0209e1754eb3"
},
{
"url": "https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025"
},
{
"url": "https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6"
},
{
"url": "https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147"
},
{
"url": "https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646"
},
{
"url": "https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629"
},
{
"url": "https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4"
}
],
"title": "netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31427",
"datePublished": "2026-04-13T13:40:30.280Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-05-11T22:08:29.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23293 (GCVE-0-2026-23293)
Vulnerability from cvelistv5
Published
2026-03-25 10:26
Modified
2026-05-11 22:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If an IPv6 packet is injected into the interface,
route_shortcircuit() is called and a NULL pointer dereference happens on
neigh_lookup().
BUG: kernel NULL pointer dereference, address: 0000000000000380
Oops: Oops: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x20/0x270
[...]
Call Trace:
<TASK>
vxlan_xmit+0x638/0x1ef0 [vxlan]
dev_hard_start_xmit+0x9e/0x2e0
__dev_queue_xmit+0xbee/0x14e0
packet_sendmsg+0x116f/0x1930
__sys_sendto+0x1f5/0x200
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x12f/0x1590
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix this by adding an early check on route_shortcircuit() when protocol
is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because
VXLAN can be built-in even when IPv6 is built as a module.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 Version: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 Version: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 Version: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 Version: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 Version: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 Version: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 Version: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "649e2bb74da54c96cf20729001e283626a2fefa0",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "dc3e62cf3bbf66280a907ec379f373d0c3b8b2bc",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "b5190fcd75a1f1785c766a8d1e44d3938e168f45",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "5f93e6b4d12bd3a4517a6d447ea675f448f21434",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "f0373e9317bc904e7bdb123d3106fe4f3cea2fb7",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "fbbd2118982c55fb9b0a753ae0cf7194e77149fb",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "abcd48ecdeb2e12eccb8339a35534c757782afcd",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "168ff39e4758897d2eee4756977d036d52884c7e",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the \u0027ipv6.disable=1\u0027 parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If an IPv6 packet is injected into the interface,\nroute_shortcircuit() is called and a NULL pointer dereference happens on\nneigh_lookup().\n\n BUG: kernel NULL pointer dereference, address: 0000000000000380\n Oops: Oops: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x20/0x270\n [...]\n Call Trace:\n \u003cTASK\u003e\n vxlan_xmit+0x638/0x1ef0 [vxlan]\n dev_hard_start_xmit+0x9e/0x2e0\n __dev_queue_xmit+0xbee/0x14e0\n packet_sendmsg+0x116f/0x1930\n __sys_sendto+0x1f5/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x12f/0x1590\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix this by adding an early check on route_shortcircuit() when protocol\nis ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because\nVXLAN can be built-in even when IPv6 is built as a module."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:04:04.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/649e2bb74da54c96cf20729001e283626a2fefa0"
},
{
"url": "https://git.kernel.org/stable/c/dc3e62cf3bbf66280a907ec379f373d0c3b8b2bc"
},
{
"url": "https://git.kernel.org/stable/c/b5190fcd75a1f1785c766a8d1e44d3938e168f45"
},
{
"url": "https://git.kernel.org/stable/c/5f93e6b4d12bd3a4517a6d447ea675f448f21434"
},
{
"url": "https://git.kernel.org/stable/c/f0373e9317bc904e7bdb123d3106fe4f3cea2fb7"
},
{
"url": "https://git.kernel.org/stable/c/fbbd2118982c55fb9b0a753ae0cf7194e77149fb"
},
{
"url": "https://git.kernel.org/stable/c/abcd48ecdeb2e12eccb8339a35534c757782afcd"
},
{
"url": "https://git.kernel.org/stable/c/168ff39e4758897d2eee4756977d036d52884c7e"
}
],
"title": "net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23293",
"datePublished": "2026-03-25T10:26:51.160Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-05-11T22:04:04.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31403 (GCVE-0-2026-31403)
Vulnerability from cvelistv5
Published
2026-04-03 15:16
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
The /proc/fs/nfs/exports proc entry is created at module init
and persists for the module's lifetime. exports_proc_open()
captures the caller's current network namespace and stores
its svc_export_cache in seq->private, but takes no reference
on the namespace. If the namespace is subsequently torn down
(e.g. container destruction after the opener does setns() to a
different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
which frees the cache. Subsequent reads on the still-open fd
dereference the freed cache_detail, walking a freed hash table.
Hold a reference on the struct net for the lifetime of the open
file descriptor. This prevents nfsd_net_exit() from running --
and thus prevents nfsd_export_shutdown() from freeing the cache
-- while any exports fd is open. cache_detail already stores
its net pointer (cd->net, set by cache_create_net()), so
exports_release() can retrieve it without additional per-file
storage.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 Version: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 Version: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 Version: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 Version: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 Version: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 Version: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76740c28050dc6db2f5550f1325b00a11bbb3255",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "c7f406fb341d6747634b8b1fa5461656e5e56076",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "d1a19217995df9c7e4118f5a2820c5032fef2945",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "e3d77f935639e6ae4b381c80464c31df998d61f4",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "6a8d70e2ad6aad2c345a5048edcb8168036f97d6",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "e7fcf179b82d3a3730fd8615da01b087cc654d0b",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module\u0027s lifetime. exports_proc_open()\ncaptures the caller\u0027s current network namespace and stores\nits svc_export_cache in seq-\u003eprivate, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd-\u003enet, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:01.908Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255"
},
{
"url": "https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076"
},
{
"url": "https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945"
},
{
"url": "https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4"
},
{
"url": "https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"
},
{
"url": "https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6"
},
{
"url": "https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b"
}
],
"title": "NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31403",
"datePublished": "2026-04-03T15:16:06.444Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:01.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43284 (GCVE-0-2026-43284)
Vulnerability from cvelistv5
Published
2026-05-08 07:21
Modified
2026-05-26 17:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 Version: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-26T17:32:27.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/08/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/13/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/4"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-43284-detection-script-dirty-frag-linux-kernel-local-privilege-escalation"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-43284-mitigation-script-dirty-frag-linux-kernel-local-privilege-escalation"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43284",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:46.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6cb440f274a22456ef3e86b457344f1678f38f9",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "ab8b995323e5237041472d07e5055f5f7dcdf15b",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "fe785bb3a8096dffcc4048a85cd0c83337eeecad",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "5d55c7336f8032d434adcc5fab987ccc93a44aec",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "8253aab4659ca16116b522203c2a6b18dccacea7",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "50ed1e7873100f77abad20fd31c51029bc49cd03",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "b54edf1e9a3fd3491bdcb82a21f8d21315271e0d",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "71a1d9d985d26716f74d21f18ee8cac821b06e97",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "52646cbd00e765a6db9c3afe9535f26218276034",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.206",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.255",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.205",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.206",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.171",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.172",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.138",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.87",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.28",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.5",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb-\u003edata_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:34.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9"
},
{
"url": "https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b"
},
{
"url": "https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad"
},
{
"url": "https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec"
},
{
"url": "https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7"
},
{
"url": "https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03"
},
{
"url": "https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d"
},
{
"url": "https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97"
},
{
"url": "https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034"
},
{
"url": "https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4"
}
],
"title": "xfrm: esp: avoid in-place decrypt on shared skb frags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43284",
"datePublished": "2026-05-08T07:21:47.524Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-26T17:32:27.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31602 (GCVE-0-2026-31602)
Vulnerability from cvelistv5
Published
2026-04-24 14:42
Modified
2026-06-01 16:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Limit PTP to a single page
Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256
playback streams, but the additional pages are not used by the card
correctly. The CT20K2 hardware already has multiple VMEM_PTPAL
registers, but using them separately would require refactoring the
entire virtual memory allocation logic.
ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of
CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When
aggregate memory allocations exceed this limit, ct_vm_map() tries to
access beyond the allocated space and causes a page fault:
BUG: unable to handle page fault for address: ffffd4ae8a10a000
Oops: Oops: 0002 [#1] SMP PTI
RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]
Call Trace:
atc_pcm_playback_prepare+0x225/0x3b0
ct_pcm_playback_prepare+0x38/0x60
snd_pcm_do_prepare+0x2f/0x50
snd_pcm_action_single+0x36/0x90
snd_pcm_action_nonatomic+0xbf/0xd0
snd_pcm_ioctl+0x28/0x40
__x64_sys_ioctl+0x97/0xe0
do_syscall_64+0x81/0x610
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count
remain unchanged.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 Version: 391e69143d0a05f960e3ab39a8c26b7b230bb8a9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/ctxfi/ctvmem.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5908160e17cb56e1f61fbaee08adc21083f4933",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
},
{
"lessThan": "de8016fb0904d68ac886e375069535996baa42ee",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
},
{
"lessThan": "2b4331c08c0b385598b4d8ccd71e93ab3f4b2578",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
},
{
"lessThan": "452894005b4abe141b11fe01e7bfe152e6d3860f",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
},
{
"lessThan": "365c36e1a126c6aa1aecedd3a351bcabc66f0c29",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
},
{
"lessThan": "3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
},
{
"lessThan": "b7f5ecd13cce8c2f8fa5a84c9aab65997142577e",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
},
{
"lessThan": "ad9011a795407093dcf507f6e5da1828987b4b47",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
},
{
"lessThan": "e9418da50d9e5c496c22fe392e4ad74c038a94eb",
"status": "affected",
"version": "391e69143d0a05f960e3ab39a8c26b7b230bb8a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/ctxfi/ctvmem.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Limit PTP to a single page\n\nCommit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256\nplayback streams, but the additional pages are not used by the card\ncorrectly. The CT20K2 hardware already has multiple VMEM_PTPAL\nregisters, but using them separately would require refactoring the\nentire virtual memory allocation logic.\n\nct_vm_map() always uses PTEs in vm-\u003eptp[0].area regardless of\nCT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When\naggregate memory allocations exceed this limit, ct_vm_map() tries to\naccess beyond the allocated space and causes a page fault:\n\n BUG: unable to handle page fault for address: ffffd4ae8a10a000\n Oops: Oops: 0002 [#1] SMP PTI\n RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]\n Call Trace:\n atc_pcm_playback_prepare+0x225/0x3b0\n ct_pcm_playback_prepare+0x38/0x60\n snd_pcm_do_prepare+0x2f/0x50\n snd_pcm_action_single+0x36/0x90\n snd_pcm_action_nonatomic+0xbf/0xd0\n snd_pcm_ioctl+0x28/0x40\n __x64_sys_ioctl+0x97/0xe0\n do_syscall_64+0x81/0x610\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRevert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count\nremain unchanged."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:12:22.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5908160e17cb56e1f61fbaee08adc21083f4933"
},
{
"url": "https://git.kernel.org/stable/c/de8016fb0904d68ac886e375069535996baa42ee"
},
{
"url": "https://git.kernel.org/stable/c/2b4331c08c0b385598b4d8ccd71e93ab3f4b2578"
},
{
"url": "https://git.kernel.org/stable/c/452894005b4abe141b11fe01e7bfe152e6d3860f"
},
{
"url": "https://git.kernel.org/stable/c/365c36e1a126c6aa1aecedd3a351bcabc66f0c29"
},
{
"url": "https://git.kernel.org/stable/c/3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5"
},
{
"url": "https://git.kernel.org/stable/c/b7f5ecd13cce8c2f8fa5a84c9aab65997142577e"
},
{
"url": "https://git.kernel.org/stable/c/ad9011a795407093dcf507f6e5da1828987b4b47"
},
{
"url": "https://git.kernel.org/stable/c/e9418da50d9e5c496c22fe392e4ad74c038a94eb"
}
],
"title": "ALSA: ctxfi: Limit PTP to a single page",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31602",
"datePublished": "2026-04-24T14:42:25.935Z",
"dateReserved": "2026-03-09T15:48:24.121Z",
"dateUpdated": "2026-06-01T16:12:22.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43255 (GCVE-0-2026-43255)
Vulnerability from cvelistv5
Published
2026-05-06 11:28
Modified
2026-05-11 22:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: libertas: fix WARNING in usb_tx_block
The function usb_tx_block() submits cardp->tx_urb without ensuring that
any previous transmission on this URB has completed. If a second call
occurs while the URB is still active (e.g. during rapid firmware loading),
usb_submit_urb() detects the active state and triggers a warning:
'URB submitted while active'.
Fix this by enforcing serialization: call usb_kill_urb() before
submitting the new request. This ensures the URB is idle and safe to reuse.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 Version: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 Version: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 Version: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 Version: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 Version: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 Version: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 Version: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/libertas/if_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "498525d8358d6d20918787e59736d5b6a021e9fd",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "2902a9b4415a6bafc9b1e5dd360f065d757a0bb7",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "948a39c95d0f8d73722910f8cdb7b6e3e9206232",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "5bfb25495e391a1be0db94b15715174fa06b93a1",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "b82073564373e68c6ae3a96039fae14cd002a496",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "3308c7504e093b22e91a4468470309cee2e26b83",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "fc188b44547dea4e7350833171982a6312befde9",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "d66676e6ca96bf8680f869a9bd6573b26c634622",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/libertas/if_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix WARNING in usb_tx_block\n\nThe function usb_tx_block() submits cardp-\u003etx_urb without ensuring that\nany previous transmission on this URB has completed. If a second call\noccurs while the URB is still active (e.g. during rapid firmware loading),\nusb_submit_urb() detects the active state and triggers a warning:\n\u0027URB submitted while active\u0027.\n\nFix this by enforcing serialization: call usb_kill_urb() before\nsubmitting the new request. This ensures the URB is idle and safe to reuse."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:00.707Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/498525d8358d6d20918787e59736d5b6a021e9fd"
},
{
"url": "https://git.kernel.org/stable/c/2902a9b4415a6bafc9b1e5dd360f065d757a0bb7"
},
{
"url": "https://git.kernel.org/stable/c/948a39c95d0f8d73722910f8cdb7b6e3e9206232"
},
{
"url": "https://git.kernel.org/stable/c/5bfb25495e391a1be0db94b15715174fa06b93a1"
},
{
"url": "https://git.kernel.org/stable/c/b82073564373e68c6ae3a96039fae14cd002a496"
},
{
"url": "https://git.kernel.org/stable/c/3308c7504e093b22e91a4468470309cee2e26b83"
},
{
"url": "https://git.kernel.org/stable/c/fc188b44547dea4e7350833171982a6312befde9"
},
{
"url": "https://git.kernel.org/stable/c/d66676e6ca96bf8680f869a9bd6573b26c634622"
}
],
"title": "wifi: libertas: fix WARNING in usb_tx_block",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43255",
"datePublished": "2026-05-06T11:28:44.522Z",
"dateReserved": "2026-05-01T14:12:55.996Z",
"dateUpdated": "2026-05-11T22:21:00.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31408 (GCVE-0-2026-31408)
Vulnerability from cvelistv5
Published
2026-04-06 07:38
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.
Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.
Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d57384e27d1ebf0047e3f00a6e1181b8be9857a2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b0a7da0e3f7442545f071499beb36374714bb9de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "45aaca995e4a7a05b272a58e7ab2fff4f611b8f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "108b81514d8f2535eb16651495cefb2250528db3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e76e8f0581ef555eacc11dbb095e602fb30a5361",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "598dbba9919c5e36c54fe1709b557d64120cb94b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold\n\nsco_recv_frame() reads conn-\u003esk under sco_conn_lock() but immediately\nreleases the lock without holding a reference to the socket. A concurrent\nclose() can free the socket between the lock release and the subsequent\nsk-\u003esk_state access, resulting in a use-after-free.\n\nOther functions in the same file (sco_sock_timeout(), sco_conn_del())\ncorrectly use sco_sock_hold() to safely hold a reference under the lock.\n\nFix by using sco_sock_hold() to take a reference before releasing the\nlock, and adding sock_put() on all exit paths."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:07.990Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d57384e27d1ebf0047e3f00a6e1181b8be9857a2"
},
{
"url": "https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de"
},
{
"url": "https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1"
},
{
"url": "https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3"
},
{
"url": "https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e"
},
{
"url": "https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361"
},
{
"url": "https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b"
}
],
"title": "Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31408",
"datePublished": "2026-04-06T07:38:20.533Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:07.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31524 (GCVE-0-2026-31524)
Vulnerability from cvelistv5
Published
2026-04-22 13:54
Modified
2026-05-11 22:10
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: asus: avoid memory leak in asus_report_fixup()
The asus_report_fixup() function was returning a newly allocated
kmemdup()-allocated buffer, but never freeing it. Switch to
devm_kzalloc() to ensure the memory is managed and freed automatically
when the device is removed.
The caller of report_fixup() does not take ownership of the returned
pointer, but it is permitted to return a pointer whose lifetime is at
least that of the input buffer.
Also fix a harmless out-of-bounds read by copying only the original
descriptor size.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5703e52cc711bc01e72cf12b86a126909c79d213 Version: 5703e52cc711bc01e72cf12b86a126909c79d213 Version: 5703e52cc711bc01e72cf12b86a126909c79d213 Version: 5703e52cc711bc01e72cf12b86a126909c79d213 Version: 5703e52cc711bc01e72cf12b86a126909c79d213 Version: 5703e52cc711bc01e72cf12b86a126909c79d213 Version: 5703e52cc711bc01e72cf12b86a126909c79d213 Version: 5703e52cc711bc01e72cf12b86a126909c79d213 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-asus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "726765b43deb2b4723869d673cc5fc6f7a3b2059",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "ede95cfcab8064d9a08813fbd7ed42cea8843dcf",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "2e4fe6b15c2f390c023b20d728b1a3fe7ea4f973",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "f20f17cffbe34fb330267e0f8084f5565f807444",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "7a6d6e4d8af044f94fa97e97af5ff2771e1fbebd",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "a41cc7c1668e44ff2c2d36f9a6353253ffc43e3c",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "84724ac4821a160d47b84289adf139023027bdbb",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "2bad24c17742fc88973d6aea526ce1353f5334a3",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-asus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: avoid memory leak in asus_report_fixup()\n\nThe asus_report_fixup() function was returning a newly allocated\nkmemdup()-allocated buffer, but never freeing it. Switch to\ndevm_kzalloc() to ensure the memory is managed and freed automatically\nwhen the device is removed.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it is permitted to return a pointer whose lifetime is at\nleast that of the input buffer.\n\nAlso fix a harmless out-of-bounds read by copying only the original\ndescriptor size."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:27.784Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/726765b43deb2b4723869d673cc5fc6f7a3b2059"
},
{
"url": "https://git.kernel.org/stable/c/ede95cfcab8064d9a08813fbd7ed42cea8843dcf"
},
{
"url": "https://git.kernel.org/stable/c/2e4fe6b15c2f390c023b20d728b1a3fe7ea4f973"
},
{
"url": "https://git.kernel.org/stable/c/f20f17cffbe34fb330267e0f8084f5565f807444"
},
{
"url": "https://git.kernel.org/stable/c/7a6d6e4d8af044f94fa97e97af5ff2771e1fbebd"
},
{
"url": "https://git.kernel.org/stable/c/a41cc7c1668e44ff2c2d36f9a6353253ffc43e3c"
},
{
"url": "https://git.kernel.org/stable/c/84724ac4821a160d47b84289adf139023027bdbb"
},
{
"url": "https://git.kernel.org/stable/c/2bad24c17742fc88973d6aea526ce1353f5334a3"
}
],
"title": "HID: asus: avoid memory leak in asus_report_fixup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31524",
"datePublished": "2026-04-22T13:54:38.389Z",
"dateReserved": "2026-03-09T15:48:24.110Z",
"dateUpdated": "2026-05-11T22:10:27.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23292 (GCVE-0-2026-23292)
Vulnerability from cvelistv5
Published
2026-03-25 10:26
Modified
2026-05-23 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Fix recursive locking in __configfs_open_file()
In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
function is called, which, here, is target_core_item_dbroot_store(). This
function called filp_open(), following which these functions were called
(in reverse order), according to the call trace:
down_read
__configfs_open_file
do_dentry_open
vfs_open
do_open
path_openat
do_filp_open
file_open_name
filp_open
target_core_item_dbroot_store
flush_write_buffer
configfs_write_iter
target_core_item_dbroot_store() tries to validate the new file path by
trying to open the file path provided to it; however, in this case, the bug
report shows:
db_root: not a directory: /sys/kernel/config/target/dbroot
indicating that the same configfs file was tried to be opened, on which it
is currently working on. Thus, it is trying to acquire frag_sem semaphore
of the same file of which it already holds the semaphore obtained in
flush_write_buffer(), leading to acquiring the semaphore in a nested manner
and a possibility of recursive locking.
Fix this by modifying target_core_item_dbroot_store() to use kern_path()
instead of filp_open() to avoid opening the file using filesystem-specific
function __configfs_open_file(), and further modifying it to make this fix
compatible.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b0841eefd9693827afb9888235e26ddd098f9cef Version: b0841eefd9693827afb9888235e26ddd098f9cef Version: b0841eefd9693827afb9888235e26ddd098f9cef Version: b0841eefd9693827afb9888235e26ddd098f9cef Version: b0841eefd9693827afb9888235e26ddd098f9cef Version: b0841eefd9693827afb9888235e26ddd098f9cef Version: 49824b5c875087a52672b0c8e8ecbefe6f773532 Version: 09e21253d17f53bdb5aac0e0dbd057a29fcbe8d1 Version: 0dfc45be875a378c2a3a4d6ed8e668ec8eb75073 Version: 4.9.201 ≤ Version: 4.14.154 ≤ Version: 4.19.84 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3161ef61f121d4573cad5b57c92188dcd9b284b3",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "e8ef82cb6443d5f3260b1b830e17f03dda4229ea",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "4fcfa424a581d823cb1a9676e3eefe6ca17e453a",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "9a5641024fbfd9b24fe65984ad85fea10a3ae438",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "142eacb50fb903a4c10dee7e67b6e79ebb36a582",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "14d4ac19d1895397532eec407433c5d74d9da53b",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"status": "affected",
"version": "49824b5c875087a52672b0c8e8ecbefe6f773532",
"versionType": "git"
},
{
"status": "affected",
"version": "09e21253d17f53bdb5aac0e0dbd057a29fcbe8d1",
"versionType": "git"
},
{
"status": "affected",
"version": "0dfc45be875a378c2a3a4d6ed8e668ec8eb75073",
"versionType": "git"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.201",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.154",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.84",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.201",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.84",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix recursive locking in __configfs_open_file()\n\nIn flush_write_buffer, \u0026p-\u003efrag_sem is acquired and then the loaded store\nfunction is called, which, here, is target_core_item_dbroot_store(). This\nfunction called filp_open(), following which these functions were called\n(in reverse order), according to the call trace:\n\n down_read\n __configfs_open_file\n do_dentry_open\n vfs_open\n do_open\n path_openat\n do_filp_open\n file_open_name\n filp_open\n target_core_item_dbroot_store\n flush_write_buffer\n configfs_write_iter\n\ntarget_core_item_dbroot_store() tries to validate the new file path by\ntrying to open the file path provided to it; however, in this case, the bug\nreport shows:\n\ndb_root: not a directory: /sys/kernel/config/target/dbroot\n\nindicating that the same configfs file was tried to be opened, on which it\nis currently working on. Thus, it is trying to acquire frag_sem semaphore\nof the same file of which it already holds the semaphore obtained in\nflush_write_buffer(), leading to acquiring the semaphore in a nested manner\nand a possibility of recursive locking.\n\nFix this by modifying target_core_item_dbroot_store() to use kern_path()\ninstead of filp_open() to avoid opening the file using filesystem-specific\nfunction __configfs_open_file(), and further modifying it to make this fix\ncompatible."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:30.234Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3161ef61f121d4573cad5b57c92188dcd9b284b3"
},
{
"url": "https://git.kernel.org/stable/c/e8ef82cb6443d5f3260b1b830e17f03dda4229ea"
},
{
"url": "https://git.kernel.org/stable/c/4fcfa424a581d823cb1a9676e3eefe6ca17e453a"
},
{
"url": "https://git.kernel.org/stable/c/9a5641024fbfd9b24fe65984ad85fea10a3ae438"
},
{
"url": "https://git.kernel.org/stable/c/142eacb50fb903a4c10dee7e67b6e79ebb36a582"
},
{
"url": "https://git.kernel.org/stable/c/14d4ac19d1895397532eec407433c5d74d9da53b"
}
],
"title": "scsi: target: Fix recursive locking in __configfs_open_file()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23292",
"datePublished": "2026-03-25T10:26:50.408Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-05-23T16:04:30.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43025 (GCVE-0-2026-43025)
Vulnerability from cvelistv5
Published
2026-05-01 14:15
Modified
2026-05-11 22:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: ignore explicit helper on new expectations
Use the existing master conntrack helper, anything else is not really
supported and it just makes validation more complicated, so just ignore
what helper userspace suggests for this expectation.
This was uncovered when validating CTA_EXPECT_CLASS via different helper
provided by userspace than the existing master conntrack helper:
BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0
Read of size 4 at addr ffff8880043fe408 by task poc/102
Call Trace:
nf_ct_expect_related_report+0x2479/0x27c0
ctnetlink_create_expect+0x22b/0x3b0
ctnetlink_new_expect+0x4bd/0x5c0
nfnetlink_rcv_msg+0x67a/0x950
netlink_rcv_skb+0x120/0x350
Allowing to read kernel memory bytes off the expectation boundary.
CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace
via netlink dump.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bd0779370588386e4a67ba5d0b176cfded8e6a53 Version: bd0779370588386e4a67ba5d0b176cfded8e6a53 Version: bd0779370588386e4a67ba5d0b176cfded8e6a53 Version: bd0779370588386e4a67ba5d0b176cfded8e6a53 Version: bd0779370588386e4a67ba5d0b176cfded8e6a53 Version: bd0779370588386e4a67ba5d0b176cfded8e6a53 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e135f8e8212cbed12a03ab8dec77fa1247139897",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "2ea0f35f235f70c133ad61fe05ba013753b978c6",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "187b6ec5229ea93cb04c4f6d3b52efc80f513d0d",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "21a04c31db4057deec85fcd6cc63d720b38819c3",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "917b61fa2042f11e2af4c428e43f08199586633a",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ignore explicit helper on new expectations\n\nUse the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n Read of size 4 at addr ffff8880043fe408 by task poc/102\n Call Trace:\n nf_ct_expect_related_report+0x2479/0x27c0\n ctnetlink_create_expect+0x22b/0x3b0\n ctnetlink_new_expect+0x4bd/0x5c0\n nfnetlink_rcv_msg+0x67a/0x950\n netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink dump."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:15.671Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e135f8e8212cbed12a03ab8dec77fa1247139897"
},
{
"url": "https://git.kernel.org/stable/c/2ea0f35f235f70c133ad61fe05ba013753b978c6"
},
{
"url": "https://git.kernel.org/stable/c/0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd"
},
{
"url": "https://git.kernel.org/stable/c/187b6ec5229ea93cb04c4f6d3b52efc80f513d0d"
},
{
"url": "https://git.kernel.org/stable/c/21a04c31db4057deec85fcd6cc63d720b38819c3"
},
{
"url": "https://git.kernel.org/stable/c/917b61fa2042f11e2af4c428e43f08199586633a"
}
],
"title": "netfilter: ctnetlink: ignore explicit helper on new expectations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43025",
"datePublished": "2026-05-01T14:15:27.103Z",
"dateReserved": "2026-05-01T14:12:55.976Z",
"dateUpdated": "2026-05-11T22:16:15.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31681 (GCVE-0-2026-31681)
Vulnerability from cvelistv5
Published
2026-04-25 08:46
Modified
2026-06-01 16:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_multiport: validate range encoding in checkentry
ports_match_v1() treats any non-zero pflags entry as the start of a
port range and unconditionally consumes the next ports[] element as
the range end.
The checkentry path currently validates protocol, flags and count, but
it does not validate the range encoding itself. As a result, malformed
rules can mark the last slot as a range start or place two range starts
back to back, leaving ports_match_v1() to step past the last valid
ports[] element while interpreting the rule.
Reject malformed multiport v1 rules in checkentry by validating that
each range start has a following element and that the following element
is not itself marked as another range start.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 Version: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 Version: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 Version: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 Version: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 Version: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 Version: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 Version: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_multiport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c5bf8f5b478f569191c4a7982de7cd5f5f73c1a",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "c9749f6232c845e31c21d4cc72200211df15d8a2",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "b67d638cbee9975c765feb45c126e96ed11ec802",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "36bf0d98e180a7c384c8d8a59b0d2d4b80e5eb16",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "aec14808271f2bf2b656de6ff12dfe73c5fd3b67",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "8368ce8eb01f0b91111d814703696e780d0ef12f",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "1e4baa853f1cc4227e04f52d6860524707cfb294",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "ff64c5bfef12461df8450e0f50bb693b5269c720",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_multiport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_multiport: validate range encoding in checkentry\n\nports_match_v1() treats any non-zero pflags entry as the start of a\nport range and unconditionally consumes the next ports[] element as\nthe range end.\n\nThe checkentry path currently validates protocol, flags and count, but\nit does not validate the range encoding itself. As a result, malformed\nrules can mark the last slot as a range start or place two range starts\nback to back, leaving ports_match_v1() to step past the last valid\nports[] element while interpreting the rule.\n\nReject malformed multiport v1 rules in checkentry by validating that\neach range start has a following element and that the following element\nis not itself marked as another range start."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:13:21.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c5bf8f5b478f569191c4a7982de7cd5f5f73c1a"
},
{
"url": "https://git.kernel.org/stable/c/c9749f6232c845e31c21d4cc72200211df15d8a2"
},
{
"url": "https://git.kernel.org/stable/c/b67d638cbee9975c765feb45c126e96ed11ec802"
},
{
"url": "https://git.kernel.org/stable/c/36bf0d98e180a7c384c8d8a59b0d2d4b80e5eb16"
},
{
"url": "https://git.kernel.org/stable/c/aec14808271f2bf2b656de6ff12dfe73c5fd3b67"
},
{
"url": "https://git.kernel.org/stable/c/8368ce8eb01f0b91111d814703696e780d0ef12f"
},
{
"url": "https://git.kernel.org/stable/c/1e4baa853f1cc4227e04f52d6860524707cfb294"
},
{
"url": "https://git.kernel.org/stable/c/ff64c5bfef12461df8450e0f50bb693b5269c720"
}
],
"title": "netfilter: xt_multiport: validate range encoding in checkentry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31681",
"datePublished": "2026-04-25T08:46:57.995Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-06-01T16:13:21.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23391 (GCVE-0-2026-23391)
Vulnerability from cvelistv5
Published
2026-03-25 10:33
Modified
2026-05-11 22:05
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_CT: drop pending enqueued packets on template removal
Templates refer to objects that can go away while packets are sitting in
nfqueue refer to:
- helper, this can be an issue on module removal.
- timeout policy, nfnetlink_cttimeout might remove it.
The use of templates with zone and event cache filter are safe, since
this just copies values.
Flush these enqueued packets in case the template rule gets removed.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 24de58f465165298aaa8f286b2592f0163706cfe Version: 24de58f465165298aaa8f286b2592f0163706cfe Version: 24de58f465165298aaa8f286b2592f0163706cfe Version: 24de58f465165298aaa8f286b2592f0163706cfe Version: 24de58f465165298aaa8f286b2592f0163706cfe Version: 24de58f465165298aaa8f286b2592f0163706cfe Version: 24de58f465165298aaa8f286b2592f0163706cfe Version: 24de58f465165298aaa8f286b2592f0163706cfe |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_CT.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "55445134d42b84cb0a272e42c98d233ca65eca83",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "cc57506dd66555899560b9c0f24e813f034e12ec",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "d2d0bae0c9a2a17b6990a2966f5cdce0813d6256",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "63b8097cea1923fe82cd598068d0796da8c015ec",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "19a230dec6bb8928e3f96387f9085cf2c79bcef9",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "cb549925875fa06dd155e49db4ac2c5044c30f9c",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "777d02efe3d630cca4c1b63962cec17c57711325",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "f62a218a946b19bb59abdd5361da85fa4606b96b",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_CT.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_CT: drop pending enqueued packets on template removal\n\nTemplates refer to objects that can go away while packets are sitting in\nnfqueue refer to:\n\n- helper, this can be an issue on module removal.\n- timeout policy, nfnetlink_cttimeout might remove it.\n\nThe use of templates with zone and event cache filter are safe, since\nthis just copies values.\n\nFlush these enqueued packets in case the template rule gets removed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:05:58.330Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/55445134d42b84cb0a272e42c98d233ca65eca83"
},
{
"url": "https://git.kernel.org/stable/c/cc57506dd66555899560b9c0f24e813f034e12ec"
},
{
"url": "https://git.kernel.org/stable/c/d2d0bae0c9a2a17b6990a2966f5cdce0813d6256"
},
{
"url": "https://git.kernel.org/stable/c/63b8097cea1923fe82cd598068d0796da8c015ec"
},
{
"url": "https://git.kernel.org/stable/c/19a230dec6bb8928e3f96387f9085cf2c79bcef9"
},
{
"url": "https://git.kernel.org/stable/c/cb549925875fa06dd155e49db4ac2c5044c30f9c"
},
{
"url": "https://git.kernel.org/stable/c/777d02efe3d630cca4c1b63962cec17c57711325"
},
{
"url": "https://git.kernel.org/stable/c/f62a218a946b19bb59abdd5361da85fa4606b96b"
}
],
"title": "netfilter: xt_CT: drop pending enqueued packets on template removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23391",
"datePublished": "2026-03-25T10:33:15.677Z",
"dateReserved": "2026-01-13T15:37:46.009Z",
"dateUpdated": "2026-05-11T22:05:58.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31685 (GCVE-0-2026-31685)
Vulnerability from cvelistv5
Published
2026-04-25 08:47
Modified
2026-06-01 16:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_eui64: reject invalid MAC header for all packets
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.
The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.
Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_eui64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d75bc2cd093bf5803edf512c099bfb220fd6459",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d6a57411caf54df025860c9b1a82cd42d57a562",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5603591373441fecf9951833d6d873e09320f08",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "288138418bef956f8b295751a4536c60f0e89f4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9eda5478746ef7dc0e4e537b5a5e4b0ca1027091",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "807d6ee15804df6f01a35c910f09612e858739a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "309ae3e9a51a69699ca94eac5fac5688fa562d55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fdce0b3590f724540795b874b4c8850c90e6b0a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_eui64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par-\u003efragoff != 0`. For packets with `par-\u003efragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par-\u003efragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:13:27.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d75bc2cd093bf5803edf512c099bfb220fd6459"
},
{
"url": "https://git.kernel.org/stable/c/7d6a57411caf54df025860c9b1a82cd42d57a562"
},
{
"url": "https://git.kernel.org/stable/c/d5603591373441fecf9951833d6d873e09320f08"
},
{
"url": "https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a"
},
{
"url": "https://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091"
},
{
"url": "https://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6"
},
{
"url": "https://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55"
},
{
"url": "https://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8"
}
],
"title": "netfilter: ip6t_eui64: reject invalid MAC header for all packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31685",
"datePublished": "2026-04-25T08:47:02.857Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-06-01T16:13:27.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23290 (GCVE-0-2026-23290)
Vulnerability from cvelistv5
Published
2026-03-25 10:26
Modified
2026-05-11 22:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: validate USB endpoints
The pegasus driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5d9086211877361f1bda44a0aec538ddb04042a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af7369ae572f53cb701731a4289ec3b3889bc501",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43d7c4114b1ec14f41f09306525d3b9382286fc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f8505c7ce3f186ef9d2495f3c0bd6ad6fce999f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "95556b4e879711693c9865ba0938c148f62d5ea4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c3f1672eaea68c5cb6e1ec081cdb92045453218f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ee31ec8cf1eafeefa85ef934ba688d27f88bf0e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11de1d3ae5565ed22ef1f89d73d8f2d00322c699",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: validate USB endpoints\n\nThe pegasus driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it. If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:04:00.817Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5d9086211877361f1bda44a0aec538ddb04042a"
},
{
"url": "https://git.kernel.org/stable/c/af7369ae572f53cb701731a4289ec3b3889bc501"
},
{
"url": "https://git.kernel.org/stable/c/43d7c4114b1ec14f41f09306525d3b9382286fc1"
},
{
"url": "https://git.kernel.org/stable/c/7f8505c7ce3f186ef9d2495f3c0bd6ad6fce999f"
},
{
"url": "https://git.kernel.org/stable/c/95556b4e879711693c9865ba0938c148f62d5ea4"
},
{
"url": "https://git.kernel.org/stable/c/c3f1672eaea68c5cb6e1ec081cdb92045453218f"
},
{
"url": "https://git.kernel.org/stable/c/ee31ec8cf1eafeefa85ef934ba688d27f88bf0e2"
},
{
"url": "https://git.kernel.org/stable/c/11de1d3ae5565ed22ef1f89d73d8f2d00322c699"
}
],
"title": "net: usb: pegasus: validate USB endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23290",
"datePublished": "2026-03-25T10:26:48.886Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-05-11T22:04:00.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23457 (GCVE-0-2026-23457)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
sip_help_tcp() parses the SIP Content-Length header with
simple_strtoul(), which returns unsigned long, but stores the result in
unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are
silently truncated before computing the SIP message boundary.
For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
causing the parser to miscalculate where the current message ends. The
loop then treats trailing data in the TCP segment as a second SIP
message and processes it through the SDP parser.
Fix this by changing clen to unsigned long to match the return type of
simple_strtoul(), and reject Content-Length values that exceed the
remaining TCP payload length.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f5b321bd37fbec9188feb1f721ab46a5ac0b35da Version: f5b321bd37fbec9188feb1f721ab46a5ac0b35da Version: f5b321bd37fbec9188feb1f721ab46a5ac0b35da Version: f5b321bd37fbec9188feb1f721ab46a5ac0b35da Version: f5b321bd37fbec9188feb1f721ab46a5ac0b35da Version: f5b321bd37fbec9188feb1f721ab46a5ac0b35da Version: f5b321bd37fbec9188feb1f721ab46a5ac0b35da Version: f5b321bd37fbec9188feb1f721ab46a5ac0b35da |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed81b6a7012485acdb9c6c80735a0b7d8e5e1873",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "b75209debb9adab287b3caa982f77788c1e15027",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "528b4509c9dfc272e2e92d811915e5211650d383",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "75fcaee5170e7dbbee778927134ef2e9568b4659",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "865dba58958c3a86786f89a501971ab0e3ec6ba9",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "d4f17256544cc37f6534a14a27a9dec3540c2015",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "fbce58e719a17aa215c724473fd5baaa4a8dc57c",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\n\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen. On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\n\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends. The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\n\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:21.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873"
},
{
"url": "https://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f"
},
{
"url": "https://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027"
},
{
"url": "https://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383"
},
{
"url": "https://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659"
},
{
"url": "https://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9"
},
{
"url": "https://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015"
},
{
"url": "https://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c"
}
],
"title": "netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23457",
"datePublished": "2026-04-03T15:15:38.193Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-05-11T22:07:21.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31507 (GCVE-0-2026-31507)
Vulnerability from cvelistv5
Published
2026-04-22 13:54
Modified
2026-05-11 22:10
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores
the pointer in pipe_buffer.private. The pipe_buf_operations for these
buffers used .get = generic_pipe_buf_get, which only increments the page
reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv
pointer itself was not handled, so after tee() both the original and the
cloned pipe_buffer share the same smc_spd_priv *.
When both pipes are subsequently released, smc_rx_pipe_buf_release() is
called twice against the same object:
1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct]
2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]
KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which
then escalates to a NULL-pointer dereference and kernel panic via
smc_rx_update_consumer() when it chases the freed priv->smc pointer:
BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0
Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_report+0xce/0x650
kasan_report+0xc6/0x100
smc_rx_pipe_buf_release+0x78/0x2a0
free_pipe_info+0xd4/0x130
pipe_release+0x142/0x160
__fput+0x1c6/0x490
__x64_sys_close+0x4f/0x90
do_syscall_64+0xa6/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
BUG: kernel NULL pointer dereference, address: 0000000000000020
RIP: 0010:smc_rx_update_consumer+0x8d/0x350
Call Trace:
<TASK>
smc_rx_pipe_buf_release+0x121/0x2a0
free_pipe_info+0xd4/0x130
pipe_release+0x142/0x160
__fput+0x1c6/0x490
__x64_sys_close+0x4f/0x90
do_syscall_64+0xa6/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Kernel panic - not syncing: Fatal exception
Beyond the memory-safety problem, duplicating an SMC splice buffer is
semantically questionable: smc_rx_update_cons() would advance the
consumer cursor twice for the same data, corrupting receive-window
accounting. A refcount on smc_spd_priv could fix the double-free, but
the cursor-accounting issue would still need to be addressed separately.
The .get callback is invoked by both tee(2) and splice_pipe_to_pipe()
for partial transfers; both will now return -EFAULT. Users who need
to duplicate SMC socket data must use a copy-based read path.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f Version: 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f Version: 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f Version: 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f Version: 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f Version: 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f Version: 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f Version: 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e8916f46c2f48607f907fd401590093753a6bc5",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "ae5575e660410c8d2c5d38fb28a0f37aea945676",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "98ba5cb274768146e25ffbfde47753652c1c20d3",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "81acbd345d405994875d419d43b319fee0b9ad62",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "7bcb974c771c863e8588cea0012ac204443a7126",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "54c87a730157868543ebdfa0ecb21b4590ed23a5",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "3cc76380fea749280c026f410af56a28aaac388a",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "24dd586bb4cbba1889a50abe74143817a095c1c9",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer\n\nsmc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores\nthe pointer in pipe_buffer.private. The pipe_buf_operations for these\nbuffers used .get = generic_pipe_buf_get, which only increments the page\nreference count when tee(2) duplicates a pipe buffer. The smc_spd_priv\npointer itself was not handled, so after tee() both the original and the\ncloned pipe_buffer share the same smc_spd_priv *.\n\nWhen both pipes are subsequently released, smc_rx_pipe_buf_release() is\ncalled twice against the same object:\n\n 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct]\n 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]\n\nKASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which\nthen escalates to a NULL-pointer dereference and kernel panic via\nsmc_rx_update_consumer() when it chases the freed priv-\u003esmc pointer:\n\n BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0\n Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x650\n kasan_report+0xc6/0x100\n smc_rx_pipe_buf_release+0x78/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n RIP: 0010:smc_rx_update_consumer+0x8d/0x350\n Call Trace:\n \u003cTASK\u003e\n smc_rx_pipe_buf_release+0x121/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nBeyond the memory-safety problem, duplicating an SMC splice buffer is\nsemantically questionable: smc_rx_update_cons() would advance the\nconsumer cursor twice for the same data, corrupting receive-window\naccounting. A refcount on smc_spd_priv could fix the double-free, but\nthe cursor-accounting issue would still need to be addressed separately.\n\nThe .get callback is invoked by both tee(2) and splice_pipe_to_pipe()\nfor partial transfers; both will now return -EFAULT. Users who need\nto duplicate SMC socket data must use a copy-based read path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:07.488Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e8916f46c2f48607f907fd401590093753a6bc5"
},
{
"url": "https://git.kernel.org/stable/c/ae5575e660410c8d2c5d38fb28a0f37aea945676"
},
{
"url": "https://git.kernel.org/stable/c/98ba5cb274768146e25ffbfde47753652c1c20d3"
},
{
"url": "https://git.kernel.org/stable/c/81acbd345d405994875d419d43b319fee0b9ad62"
},
{
"url": "https://git.kernel.org/stable/c/7bcb974c771c863e8588cea0012ac204443a7126"
},
{
"url": "https://git.kernel.org/stable/c/54c87a730157868543ebdfa0ecb21b4590ed23a5"
},
{
"url": "https://git.kernel.org/stable/c/3cc76380fea749280c026f410af56a28aaac388a"
},
{
"url": "https://git.kernel.org/stable/c/24dd586bb4cbba1889a50abe74143817a095c1c9"
}
],
"title": "net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31507",
"datePublished": "2026-04-22T13:54:25.910Z",
"dateReserved": "2026-03-09T15:48:24.106Z",
"dateUpdated": "2026-05-11T22:10:07.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31423 (GCVE-0-2026-31423)
Vulnerability from cvelistv5
Published
2026-04-13 13:40
Modified
2026-05-11 22:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
m2sm() converts a u32 slope to a u64 scaled value. For large inputs
(e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores
the difference of two such u64 values in a u32 variable `dsm` and
uses it as a divisor. When the difference is exactly 2^32 the
truncation yields zero, causing a divide-by-zero oops in the
concave-curve intersection path:
Oops: divide error: 0000
RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)
Call Trace:
init_ed (net/sched/sch_hfsc.c:629)
hfsc_enqueue (net/sched/sch_hfsc.c:1569)
[...]
Widen `dsm` to u64 and replace do_div() with div64_u64() so the full
difference is preserved.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad8e8fec40290a8c8cf145c0deaadf76f80c5163",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "25b6821884713a31e2b49fb67b0ebd765b33e0a9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c56f78614e7781aaceca9bd3cb2128bf7d45c3bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b9e6431cbea8bb1fae8069ed099b4ee100499835",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17c1b9807b8a67d676b6dcf749ee932ebaa7f568",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4576100b8cd03118267513cafacde164b498b322",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_hfsc: fix divide-by-zero in rtsc_min()\n\nm2sm() converts a u32 slope to a u64 scaled value. For large inputs\n(e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores\nthe difference of two such u64 values in a u32 variable `dsm` and\nuses it as a divisor. When the difference is exactly 2^32 the\ntruncation yields zero, causing a divide-by-zero oops in the\nconcave-curve intersection path:\n\n Oops: divide error: 0000\n RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)\n Call Trace:\n init_ed (net/sched/sch_hfsc.c:629)\n hfsc_enqueue (net/sched/sch_hfsc.c:1569)\n [...]\n\nWiden `dsm` to u64 and replace do_div() with div64_u64() so the full\ndifference is preserved."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:25.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad8e8fec40290a8c8cf145c0deaadf76f80c5163"
},
{
"url": "https://git.kernel.org/stable/c/ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f"
},
{
"url": "https://git.kernel.org/stable/c/25b6821884713a31e2b49fb67b0ebd765b33e0a9"
},
{
"url": "https://git.kernel.org/stable/c/c56f78614e7781aaceca9bd3cb2128bf7d45c3bd"
},
{
"url": "https://git.kernel.org/stable/c/b9e6431cbea8bb1fae8069ed099b4ee100499835"
},
{
"url": "https://git.kernel.org/stable/c/17c1b9807b8a67d676b6dcf749ee932ebaa7f568"
},
{
"url": "https://git.kernel.org/stable/c/d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5"
},
{
"url": "https://git.kernel.org/stable/c/4576100b8cd03118267513cafacde164b498b322"
}
],
"title": "net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31423",
"datePublished": "2026-04-13T13:40:26.567Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-05-11T22:08:25.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46333 (GCVE-0-2026-46333)
Vulnerability from cvelistv5
Published
2026-05-15 12:58
Modified
2026-05-23 16:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ptrace: slightly saner 'get_dumpable()' logic
The 'dumpability' of a task is fundamentally about the memory image of
the task - the concept comes from whether it can core dump or not - and
makes no sense when you don't have an associated mm.
And almost all users do in fact use it only for the case where the task
has a mm pointer.
But we have one odd special case: ptrace_may_access() uses 'dumpable' to
check various other things entirely independently of the MM (typically
explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
threads that no longer have a VM (and maybe never did, like most kernel
threads).
It's not what this flag was designed for, but it is what it is.
The ptrace code does check that the uid/gid matches, so you do have to
be uid-0 to see kernel thread details, but this means that the
traditional "drop capabilities" model doesn't make any difference for
this all.
Make it all make a *bit* more sense by saying that if you don't have a
MM pointer, we'll use a cached "last dumpability" flag if the thread
ever had a MM (it will be zero for kernel threads since it is never
set), and require a proper CAP_SYS_PTRACE capability to override.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Version: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Version: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Version: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Version: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Version: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Version: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Version: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 Version: d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12 Version: 03eed7afbc09e061f66b448daf7863174c3dc3f3 Version: e45692fa1aea06676449b63ef3c2b6e1e72b7578 Version: 694a95fa6dae4991f16cda333d897ea063021fed Version: 3.16.52 ≤ Version: 4.4.40 ≤ Version: 4.8.16 ≤ Version: 4.9.1 ≤ |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-20T18:47:13.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/15/9"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00032.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00035.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/20/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/20/16"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46333",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:24.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/sched.h",
"kernel/exit.c",
"kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "15b828a46f305ae9f05a7c16914b3ce273474205",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "4709234fd1b95136ceb789f639b1e7ea5de1b181",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "8f907d345bae8f4b3f004c5abc56bf2dfb851ea7",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "2a93a4fac7b6051d3be7cd1b015fe7320cd0404d",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "01363cb3fbd0238ffdeb09f53e9039c9edf8a730",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"lessThan": "31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a",
"status": "affected",
"version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
"versionType": "git"
},
{
"status": "affected",
"version": "d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12",
"versionType": "git"
},
{
"status": "affected",
"version": "03eed7afbc09e061f66b448daf7863174c3dc3f3",
"versionType": "git"
},
{
"status": "affected",
"version": "e45692fa1aea06676449b63ef3c2b6e1e72b7578",
"versionType": "git"
},
{
"status": "affected",
"version": "694a95fa6dae4991f16cda333d897ea063021fed",
"versionType": "git"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.52",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.40",
"versionType": "semver"
},
{
"lessThan": "4.9",
"status": "affected",
"version": "4.8.16",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/sched.h",
"kernel/exit.c",
"kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.256",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.207",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.173",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.139",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.89",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.31",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.8",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptrace: slightly saner \u0027get_dumpable()\u0027 logic\n\nThe \u0027dumpability\u0027 of a task is fundamentally about the memory image of\nthe task - the concept comes from whether it can core dump or not - and\nmakes no sense when you don\u0027t have an associated mm.\n\nAnd almost all users do in fact use it only for the case where the task\nhas a mm pointer.\n\nBut we have one odd special case: ptrace_may_access() uses \u0027dumpable\u0027 to\ncheck various other things entirely independently of the MM (typically\nexplicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for\nthreads that no longer have a VM (and maybe never did, like most kernel\nthreads).\n\nIt\u0027s not what this flag was designed for, but it is what it is.\n\nThe ptrace code does check that the uid/gid matches, so you do have to\nbe uid-0 to see kernel thread details, but this means that the\ntraditional \"drop capabilities\" model doesn\u0027t make any difference for\nthis all.\n\nMake it all make a *bit* more sense by saying that if you don\u0027t have a\nMM pointer, we\u0027ll use a cached \"last dumpability\" flag if the thread\never had a MM (it will be zero for kernel threads since it is never\nset), and require a proper CAP_SYS_PTRACE capability to override."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:07:12.401Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6"
},
{
"url": "https://git.kernel.org/stable/c/15b828a46f305ae9f05a7c16914b3ce273474205"
},
{
"url": "https://git.kernel.org/stable/c/4709234fd1b95136ceb789f639b1e7ea5de1b181"
},
{
"url": "https://git.kernel.org/stable/c/8f907d345bae8f4b3f004c5abc56bf2dfb851ea7"
},
{
"url": "https://git.kernel.org/stable/c/6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d"
},
{
"url": "https://git.kernel.org/stable/c/2a93a4fac7b6051d3be7cd1b015fe7320cd0404d"
},
{
"url": "https://git.kernel.org/stable/c/01363cb3fbd0238ffdeb09f53e9039c9edf8a730"
},
{
"url": "https://git.kernel.org/stable/c/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a"
}
],
"title": "ptrace: slightly saner \u0027get_dumpable()\u0027 logic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46333",
"datePublished": "2026-05-15T12:58:44.599Z",
"dateReserved": "2026-05-13T15:03:33.113Z",
"dateUpdated": "2026-05-23T16:07:12.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23472 (GCVE-0-2026-23472)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-05-11 22:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
uart_write_room() and uart_write() behave inconsistently when
xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were
never properly initialized):
- uart_write_room() returns kfifo_avail() which can be > 0
- uart_write() checks xmit_buf and returns 0 if NULL
This inconsistency causes an infinite loop in drivers that rely on
tty_write_room() to determine if they can write:
while (tty_write_room(tty) > 0) {
written = tty->ops->write(...);
// written is always 0, loop never exits
}
For example, caif_serial's handle_tx() enters an infinite loop when
used with PORT_UNKNOWN serial ports, causing system hangs.
Fix by making uart_write_room() also check xmit_buf and return 0 if
it's NULL, consistent with uart_write().
Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/serial_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efe85a557186b7fe915572ae93a8f3f78bfd9a22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "455ce986fa356ff43a43c0d363ba95fa152f21d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/serial_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN\n\nuart_write_room() and uart_write() behave inconsistently when\nxmit_buf is NULL (which happens for PORT_UNKNOWN ports that were\nnever properly initialized):\n\n- uart_write_room() returns kfifo_avail() which can be \u003e 0\n- uart_write() checks xmit_buf and returns 0 if NULL\n\nThis inconsistency causes an infinite loop in drivers that rely on\ntty_write_room() to determine if they can write:\n\n while (tty_write_room(tty) \u003e 0) {\n written = tty-\u003eops-\u003ewrite(...);\n // written is always 0, loop never exits\n }\n\nFor example, caif_serial\u0027s handle_tx() enters an infinite loop when\nused with PORT_UNKNOWN serial ports, causing system hangs.\n\nFix by making uart_write_room() also check xmit_buf and return 0 if\nit\u0027s NULL, consistent with uart_write().\n\nReproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:41.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efe85a557186b7fe915572ae93a8f3f78bfd9a22"
},
{
"url": "https://git.kernel.org/stable/c/bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c"
},
{
"url": "https://git.kernel.org/stable/c/455ce986fa356ff43a43c0d363ba95fa152f21d5"
}
],
"title": "serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23472",
"datePublished": "2026-04-03T15:15:51.209Z",
"dateReserved": "2026-01-13T15:37:46.022Z",
"dateUpdated": "2026-05-11T22:07:41.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23403 (GCVE-0-2026-23403)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-05-11 22:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix memory leak in verify_header
The function sets `*ns = NULL` on every call, leaking the namespace
string allocated in previous iterations when multiple profiles are
unpacked. This also breaks namespace consistency checking since *ns
is always NULL when the comparison is made.
Remove the incorrect assignment.
The caller (aa_unpack) initializes *ns to NULL once before the loop,
which is sufficient.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d678eb0fe55c9195d9a253e8c5b82a87b930737",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "6b79abcb3c985e153fcf9d395e1d4336081aabc2",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "bcf82c0c5a8b383fd2d5d8f3fd880cdcab2ac557",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "663ce34786e759ebcbeb3060685c20bcc886d51a",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "786e2c2a87d9c505f33321d1fd23a176aa8ddeb1",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "4f0889f2df1ab99224a5e1ac4e20437eea5fe38e",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "42fd831abfc15d0643c14688f0522556b347e7e6",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "e38c55d9f834e5b848bfed0f5c586aaf45acb825",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix memory leak in verify_header\n\nThe function sets `*ns = NULL` on every call, leaking the namespace\nstring allocated in previous iterations when multiple profiles are\nunpacked. This also breaks namespace consistency checking since *ns\nis always NULL when the comparison is made.\n\nRemove the incorrect assignment.\nThe caller (aa_unpack) initializes *ns to NULL once before the loop,\nwhich is sufficient."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:14.098Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d678eb0fe55c9195d9a253e8c5b82a87b930737"
},
{
"url": "https://git.kernel.org/stable/c/6b79abcb3c985e153fcf9d395e1d4336081aabc2"
},
{
"url": "https://git.kernel.org/stable/c/bcf82c0c5a8b383fd2d5d8f3fd880cdcab2ac557"
},
{
"url": "https://git.kernel.org/stable/c/663ce34786e759ebcbeb3060685c20bcc886d51a"
},
{
"url": "https://git.kernel.org/stable/c/786e2c2a87d9c505f33321d1fd23a176aa8ddeb1"
},
{
"url": "https://git.kernel.org/stable/c/4f0889f2df1ab99224a5e1ac4e20437eea5fe38e"
},
{
"url": "https://git.kernel.org/stable/c/42fd831abfc15d0643c14688f0522556b347e7e6"
},
{
"url": "https://git.kernel.org/stable/c/e38c55d9f834e5b848bfed0f5c586aaf45acb825"
}
],
"title": "apparmor: fix memory leak in verify_header",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23403",
"datePublished": "2026-04-01T08:36:34.269Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-05-11T22:06:14.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71108 (GCVE-0-2025-71108)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-05-11 21:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: Handle incorrect num_connectors capability
The UCSI spec states that the num_connectors field is 7 bits, and the
8th bit is reserved and should be set to zero.
Some buggy FW has been known to set this bit, and it can lead to a
system not booting.
Flag that the FW is not behaving correctly, and auto-fix the value
so that the system boots correctly.
Found on Lenovo P1 G8 during Linux enablement program. The FW will
be fixed, but seemed worth addressing in case it hit platforms that
aren't officially Linux supported.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07c8d2a109d847775b3b4e2c3294c8e1eea75432",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "58941bbb0050e365a98c64f1fc4a9a0ac127dba6",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "f72f97d0aee4a993a35f2496bca5efd24827235d",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "914605b0de8128434eafc9582445306830748b93",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "3042a57a8e8bce4a3100c3f6f03dc372aab24943",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "132fe187e0d940f388f839fe2cde9b84106ad20d",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "30cd2cb1abf4c4acdb1ddb468c946f68939819fb",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Handle incorrect num_connectors capability\n\nThe UCSI spec states that the num_connectors field is 7 bits, and the\n8th bit is reserved and should be set to zero.\nSome buggy FW has been known to set this bit, and it can lead to a\nsystem not booting.\nFlag that the FW is not behaving correctly, and auto-fix the value\nso that the system boots correctly.\n\nFound on Lenovo P1 G8 during Linux enablement program. The FW will\nbe fixed, but seemed worth addressing in case it hit platforms that\naren\u0027t officially Linux supported."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:58.410Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432"
},
{
"url": "https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6"
},
{
"url": "https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d"
},
{
"url": "https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93"
},
{
"url": "https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943"
},
{
"url": "https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d"
},
{
"url": "https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb"
}
],
"title": "usb: typec: ucsi: Handle incorrect num_connectors capability",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71108",
"datePublished": "2026-01-14T15:05:56.553Z",
"dateReserved": "2026-01-13T15:30:19.652Z",
"dateUpdated": "2026-05-11T21:54:58.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23312 (GCVE-0-2026-23312)
Vulnerability from cvelistv5
Published
2026-03-25 10:27
Modified
2026-05-11 22:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: kaweth: validate USB endpoints
The kaweth driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/kaweth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b5075e4ce97d1a1ce82ff3fb6308761987a48bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c986abd2a5033633c6e6f9dd135cf96b19c7fdf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c7ebf5e45d2504d92ea294ac3828d58586491df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "72f90f481c6a059680b9b976695d4cfb04fba1f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f33e80d195a003b384620ee240f69092b519146b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2795fc06e7652c0ba299d936c584d5e08b6b57a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0aae18e4638a7c1c579df92bc6edc36cedfaaa8c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b063c002ca759d1b299988ee23f564c9609c875",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/kaweth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kaweth: validate USB endpoints\n\nThe kaweth driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it. If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:04:27.060Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b5075e4ce97d1a1ce82ff3fb6308761987a48bb"
},
{
"url": "https://git.kernel.org/stable/c/6c986abd2a5033633c6e6f9dd135cf96b19c7fdf"
},
{
"url": "https://git.kernel.org/stable/c/7c7ebf5e45d2504d92ea294ac3828d58586491df"
},
{
"url": "https://git.kernel.org/stable/c/72f90f481c6a059680b9b976695d4cfb04fba1f3"
},
{
"url": "https://git.kernel.org/stable/c/f33e80d195a003b384620ee240f69092b519146b"
},
{
"url": "https://git.kernel.org/stable/c/2795fc06e7652c0ba299d936c584d5e08b6b57a1"
},
{
"url": "https://git.kernel.org/stable/c/0aae18e4638a7c1c579df92bc6edc36cedfaaa8c"
},
{
"url": "https://git.kernel.org/stable/c/4b063c002ca759d1b299988ee23f564c9609c875"
}
],
"title": "net: usb: kaweth: validate USB endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23312",
"datePublished": "2026-03-25T10:27:07.916Z",
"dateReserved": "2026-01-13T15:37:45.994Z",
"dateUpdated": "2026-05-11T22:04:27.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31738 (GCVE-0-2026-31738)
Vulnerability from cvelistv5
Published
2026-05-01 14:14
Modified
2026-05-23 16:05
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: validate ND option lengths in vxlan_na_create
vxlan_na_create() walks ND options according to option-provided
lengths. A malformed option can make the parser advance beyond the
computed option span or use a too-short source LLADDR option payload.
Validate option lengths against the remaining NS option area before
advancing, and only read source LLADDR when the option is large enough
for an Ethernet address.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa Version: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa Version: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa Version: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa Version: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa Version: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa Version: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa Version: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa Version: d8be18c52dbc94989f6d74637b731af39cd3d902 Version: 3927dace523706cc00f808520eaf2125dd7c07b5 Version: 3.12.18 ≤ Version: 3.13.10 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "901c1dd3bab2955d7e664f914c374c8c3ac2b958",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "e476745917a1e288eb15e7ff49d286a86a4861d3",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "2029712fb2c87e9a8c75094906f2ee29bf08c500",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "602596c69a70e50d9ab8c6ae0290a01f88229dd7",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "de20d2e3b9179d132f5f5b44e490d7c916c6321b",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "eddfce70a6f3107d1679b0c2fcbeb96b593bd679",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "b69c4236255bd8de16cd876e58c6f0867d1d78b1",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "afa9a05e6c4971bd5586f1b304e14d61fb3d9385",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"status": "affected",
"version": "d8be18c52dbc94989f6d74637b731af39cd3d902",
"versionType": "git"
},
{
"status": "affected",
"version": "3927dace523706cc00f808520eaf2125dd7c07b5",
"versionType": "git"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.18",
"versionType": "semver"
},
{
"lessThan": "3.14",
"status": "affected",
"version": "3.13.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: validate ND option lengths in vxlan_na_create\n\nvxlan_na_create() walks ND options according to option-provided\nlengths. A malformed option can make the parser advance beyond the\ncomputed option span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:05:52.050Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/901c1dd3bab2955d7e664f914c374c8c3ac2b958"
},
{
"url": "https://git.kernel.org/stable/c/e476745917a1e288eb15e7ff49d286a86a4861d3"
},
{
"url": "https://git.kernel.org/stable/c/2029712fb2c87e9a8c75094906f2ee29bf08c500"
},
{
"url": "https://git.kernel.org/stable/c/602596c69a70e50d9ab8c6ae0290a01f88229dd7"
},
{
"url": "https://git.kernel.org/stable/c/de20d2e3b9179d132f5f5b44e490d7c916c6321b"
},
{
"url": "https://git.kernel.org/stable/c/eddfce70a6f3107d1679b0c2fcbeb96b593bd679"
},
{
"url": "https://git.kernel.org/stable/c/b69c4236255bd8de16cd876e58c6f0867d1d78b1"
},
{
"url": "https://git.kernel.org/stable/c/afa9a05e6c4971bd5586f1b304e14d61fb3d9385"
}
],
"title": "vxlan: validate ND option lengths in vxlan_na_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31738",
"datePublished": "2026-05-01T14:14:34.900Z",
"dateReserved": "2026-03-09T15:48:24.138Z",
"dateUpdated": "2026-05-23T16:05:52.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23340 (GCVE-0-2026-23340)
Vulnerability from cvelistv5
Published
2026-03-25 10:27
Modified
2026-05-11 22:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
When shrinking the number of real tx queues,
netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush
qdiscs for queues which will no longer be used.
qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with
qdisc_lock(). However, for lockless qdiscs, the dequeue path is
serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so
qdisc_reset() can run concurrently with __qdisc_run() and free skbs
while they are still being dequeued, leading to UAF.
This can easily be reproduced on e.g. virtio-net by imposing heavy
traffic while frequently changing the number of queue pairs:
iperf3 -ub0 -c $peer -t 0 &
while :; do
ethtool -L eth0 combined 1
ethtool -L eth0 combined 2
done
With KASAN enabled, this leads to reports like:
BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
...
Call Trace:
<TASK>
...
__qdisc_run+0x133f/0x1760
__dev_queue_xmit+0x248f/0x3550
ip_finish_output2+0xa42/0x2110
ip_output+0x1a7/0x410
ip_send_skb+0x2e6/0x480
udp_send_skb+0xb0a/0x1590
udp_sendmsg+0x13c9/0x1fc0
...
</TASK>
Allocated by task 1270 on cpu 5 at 44.558414s:
...
alloc_skb_with_frags+0x84/0x7c0
sock_alloc_send_pskb+0x69a/0x830
__ip_append_data+0x1b86/0x48c0
ip_make_skb+0x1e8/0x2b0
udp_sendmsg+0x13a6/0x1fc0
...
Freed by task 1306 on cpu 3 at 44.558445s:
...
kmem_cache_free+0x117/0x5e0
pfifo_fast_reset+0x14d/0x580
qdisc_reset+0x9e/0x5f0
netif_set_real_num_tx_queues+0x303/0x840
virtnet_set_channels+0x1bf/0x260 [virtio_net]
ethnl_set_channels+0x684/0xae0
ethnl_default_set_doit+0x31a/0x890
...
Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by
taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the
serialization model already used by dev_reset_queue().
Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state
reflects an empty queue, avoiding needless re-scheduling.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 Version: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 Version: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 Version: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 Version: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 Version: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 Version: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5bb27ad54d12de67e457d7d251198e361bef835e",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "7594467c49bfc2f4644dee0415ac2290db11fa0d",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "dbd58b0730aa06ab6ad26079cf9a5b6b58e7e750",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "5bc4e69306ed7ae02232eb4c0b23ed621a26d504",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "8314944cc3bdeaa5a73e6f8a8cf0d94822e625cb",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "c69df4e0524f8de8e176ba389acd83e85f5f49d0",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "7f083faf59d14c04e01ec05a7507f036c965acf8",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs\n\nWhen shrinking the number of real tx queues,\nnetif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush\nqdiscs for queues which will no longer be used.\n\nqdisc_reset_all_tx_gt() currently serializes qdisc_reset() with\nqdisc_lock(). However, for lockless qdiscs, the dequeue path is\nserialized by qdisc_run_begin/end() using qdisc-\u003eseqlock instead, so\nqdisc_reset() can run concurrently with __qdisc_run() and free skbs\nwhile they are still being dequeued, leading to UAF.\n\nThis can easily be reproduced on e.g. virtio-net by imposing heavy\ntraffic while frequently changing the number of queue pairs:\n\n iperf3 -ub0 -c $peer -t 0 \u0026\n while :; do\n ethtool -L eth0 combined 1\n ethtool -L eth0 combined 2\n done\n\nWith KASAN enabled, this leads to reports like:\n\n BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760\n ...\n Call Trace:\n \u003cTASK\u003e\n ...\n __qdisc_run+0x133f/0x1760\n __dev_queue_xmit+0x248f/0x3550\n ip_finish_output2+0xa42/0x2110\n ip_output+0x1a7/0x410\n ip_send_skb+0x2e6/0x480\n udp_send_skb+0xb0a/0x1590\n udp_sendmsg+0x13c9/0x1fc0\n ...\n \u003c/TASK\u003e\n\n Allocated by task 1270 on cpu 5 at 44.558414s:\n ...\n alloc_skb_with_frags+0x84/0x7c0\n sock_alloc_send_pskb+0x69a/0x830\n __ip_append_data+0x1b86/0x48c0\n ip_make_skb+0x1e8/0x2b0\n udp_sendmsg+0x13a6/0x1fc0\n ...\n\n Freed by task 1306 on cpu 3 at 44.558445s:\n ...\n kmem_cache_free+0x117/0x5e0\n pfifo_fast_reset+0x14d/0x580\n qdisc_reset+0x9e/0x5f0\n netif_set_real_num_tx_queues+0x303/0x840\n virtnet_set_channels+0x1bf/0x260 [virtio_net]\n ethnl_set_channels+0x684/0xae0\n ethnl_default_set_doit+0x31a/0x890\n ...\n\nSerialize qdisc_reset_all_tx_gt() against the lockless dequeue path by\ntaking qdisc-\u003eseqlock for TCQ_F_NOLOCK qdiscs, matching the\nserialization model already used by dev_reset_queue().\n\nAdditionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state\nreflects an empty queue, avoiding needless re-scheduling."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:04:56.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5bb27ad54d12de67e457d7d251198e361bef835e"
},
{
"url": "https://git.kernel.org/stable/c/7594467c49bfc2f4644dee0415ac2290db11fa0d"
},
{
"url": "https://git.kernel.org/stable/c/dbd58b0730aa06ab6ad26079cf9a5b6b58e7e750"
},
{
"url": "https://git.kernel.org/stable/c/5bc4e69306ed7ae02232eb4c0b23ed621a26d504"
},
{
"url": "https://git.kernel.org/stable/c/8314944cc3bdeaa5a73e6f8a8cf0d94822e625cb"
},
{
"url": "https://git.kernel.org/stable/c/c69df4e0524f8de8e176ba389acd83e85f5f49d0"
},
{
"url": "https://git.kernel.org/stable/c/7f083faf59d14c04e01ec05a7507f036c965acf8"
}
],
"title": "net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23340",
"datePublished": "2026-03-25T10:27:28.728Z",
"dateReserved": "2026-01-13T15:37:45.998Z",
"dateUpdated": "2026-05-11T22:04:56.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…