certfr_avis - certfr-2026-avi-0731

Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44

Version: 5.13

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f55552adb100eb54a6e6dabff4fbdc8679bd3fa0",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "82c535eff05490c71153af57de9fe85502fcb5d5",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "638d3e0b9eb77aa53fdd60e2b928761d16ba76fa",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "870c8738c3774336baedddd0240951d078a703b8",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "638e48ee39d0f2af9336f917a6f5d6692dd64d93",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "b193019860d61e92da395eae2011f2f6716b182f",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg\n\nCheck bounds against the end of the BO whenever we access the msg."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:21.856Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f55552adb100eb54a6e6dabff4fbdc8679bd3fa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/82c535eff05490c71153af57de9fe85502fcb5d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/638d3e0b9eb77aa53fdd60e2b928761d16ba76fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/870c8738c3774336baedddd0240951d078a703b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/638e48ee39d0f2af9336f917a6f5d6692dd64d93"
        },
        {
          "url": "https://git.kernel.org/stable/c/e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b193019860d61e92da395eae2011f2f6716b182f"
        }
      ],
      "title": "drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46230",
    "datePublished": "2026-05-28T09:40:52.696Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:04:21.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43503 (GCVE-0-2026-43503)

Vulnerability from cvelistv5

Published

2026-05-23 11:44

Modified

2026-06-14 17:45

Severity ?

8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false. The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes. Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change. The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker. The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently. The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.

References

URL

Tags

	https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991
	https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196
	https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee
	https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349
	https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8
	https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d
	https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20
	https://git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0

Impacted products

Vendor

Product

Version

Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9

Version: 3.9

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/gro.c",
            "net/core/skbuff.c",
            "net/ipv4/tcp_output.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fbeab9555564a1b98e8582cd106dfe46c4606991",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "179f1852bdedc300e373e807cc102cd81feff196",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "12401fcfb01f53ccc63ab0a3246570fe8f3105ee",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "989214c66884d70716d83dc1d0bf5e16287bf349",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "ff375cc75f9167168db38e0464a482d5fbc8d81d",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "9bc9d6d6967a2239aa57af2aa53554eddd640d20",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "48f6a5356a33dd78e7144ae1faef95ffc990aae0",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/gro.c",
            "net/core/skbuff.c",
            "net/ipv4/tcp_output.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.208",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.257",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.208",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.174",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: propagate shared-frag marker through frag-transfer helpers\n\nTwo frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail\nto propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()-\u003eflags when\nmoving frags from source to destination.  __pskb_copy_fclone() defers\nthe rest of the shinfo metadata to skb_copy_header() after copying\nfrag descriptors, but that helper only carries over gso_{size,segs,\ntype} and never touches skb_shinfo()-\u003eflags; skb_shift() moves frag\ndescriptors directly and leaves flags untouched.  As a result, the\ndestination skb keeps a reference to the same externally-owned or\npage-cache-backed pages while reporting skb_has_shared_frag() as\nfalse.\n\nThe mismatch is harmful in any in-place writer that uses\nskb_has_shared_frag() to decide whether shared pages must be detoured\nthrough skb_cow_data().  ESP input is one such writer (esp4.c,\nesp6.c), and a single nft \u0027dup to \u003clocal\u003e\u0027 rule -- or any other\nnf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()\u0027d\nskb in esp_input() with the marker stripped, letting an unprivileged\nuser write into the page cache of a root-owned read-only file via\nauthencesn-ESN stray writes.\n\nSet SKBFL_SHARED_FRAG on the destination whenever frag descriptors\nwere actually moved from the source.  skb_copy() and skb_copy_expand()\nshare skb_copy_header() too but linearize all paged data into freshly\nallocated head storage and emerge with nr_frags == 0, so\nskb_has_shared_frag() returns false on its own; they need no change.\n\nThe same omission exists in skb_gro_receive() and skb_gro_receive_list().\nThe former moves the incoming skb\u0027s frag descriptors into the\naccumulator\u0027s last sub-skb via two paths (a direct frag-move loop and\nthe head_frag + memcpy path); the latter chains the incoming skb whole\nonto p\u0027s frag_list.  Downstream skb_segment() reads only\nskb_shinfo(p)-\u003eflags, and skb_segment_list() reuses each sub-skb\u0027s\nshinfo as the nskb -- both p and lp must carry the marker.\n\nThe same omission also exists in tcp_clone_payload(), which builds an\nMTU probe skb by moving frag descriptors from skbs on sk_write_queue\ninto a freshly allocated nskb.  The helper falls into the same family\nand warrants the same fix for consistency; no TCP TX-side in-place\nwriter is currently known to reach a user page through this gap, but\na future consumer depending on the marker would regress silently.\n\nThe same omission exists in skb_segment(): the per-iteration flag\nmerge takes only head_skb\u0027s flag, and the inner switch that rebinds\nfrag_skb to list_skb on head_skb-frags exhaustion does not fold the\nnew frag_skb\u0027s flag into nskb.  Fold frag_skb\u0027s flag at both sites\nso segments drawing frags from frag_list members carry the marker."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:45:49.109Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991"
        },
        {
          "url": "https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196"
        },
        {
          "url": "https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20"
        },
        {
          "url": "https://git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0"
        }
      ],
      "title": "net: skbuff: propagate shared-frag marker through frag-transfer helpers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43503",
    "datePublished": "2026-05-23T11:44:01.103Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-06-14T17:45:49.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46129 (GCVE-0-2026-46129)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

References

URL

Tags

	https://git.kernel.org/stable/c/ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5
	https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07
	https://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53
	https://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738
	https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c
	https://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837

Impacted products

Vendor

Product

Version

Version: 20e8f2de3688082eeafeb93c8900485b7542457e
Version: 58208907c4044a764dbd8896026283905da6d9be
Version: bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618
Version: 6cb008f1bb23e023dfe615cca5df14570dfc8da5
Version: a11224a016d6d1d46a4d9b6573244448a80d4d7f
Version: a11224a016d6d1d46a4d9b6573244448a80d4d7f
Version: 6.1.162   ≤
Version: 6.6.122   ≤
Version: 6.12.67   ≤
Version: 6.18.7   ≤

Version: 6.19

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/space-info.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5",
              "status": "affected",
              "version": "20e8f2de3688082eeafeb93c8900485b7542457e",
              "versionType": "git"
            },
            {
              "lessThan": "c2670ec4aa49ca226bce9776601e0da37502be07",
              "status": "affected",
              "version": "58208907c4044a764dbd8896026283905da6d9be",
              "versionType": "git"
            },
            {
              "lessThan": "f414b3abbba59ef379a2b3c31f2bdd9358ed5e53",
              "status": "affected",
              "version": "bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618",
              "versionType": "git"
            },
            {
              "lessThan": "9a060970fd7b5e1c561e4ce73cb9949e4269a738",
              "status": "affected",
              "version": "6cb008f1bb23e023dfe615cca5df14570dfc8da5",
              "versionType": "git"
            },
            {
              "lessThan": "dd6ade0fdd59218d71a981ae7c937a304e49209c",
              "status": "affected",
              "version": "a11224a016d6d1d46a4d9b6573244448a80d4d7f",
              "versionType": "git"
            },
            {
              "lessThan": "3f487be81292702a59ea9dbc4088b3360a50e837",
              "status": "affected",
              "version": "a11224a016d6d1d46a4d9b6573244448a80d4d7f",
              "versionType": "git"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.88",
              "status": "affected",
              "version": "6.12.67",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.30",
              "status": "affected",
              "version": "6.18.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/space-info.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.162",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.122",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.12.67",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.18.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info()\n-\u003e btrfs_sysfs_add_space_info_type()\n-\u003e kobject_init_and_add()\n-\u003e failure\n-\u003e kobject_put(\u0026space_info-\u003ekobj)\n-\u003e space_info_release()\n-\u003e kfree(space_info)\n\nThen control returns to create_space_info():\n\nbtrfs_sysfs_add_space_info_type() returns error\n-\u003e goto out_free\n-\u003e kfree(space_info)\n\nThis causes a double free.\n\nKeep the direct kfree(space_info) for the earlier failure path, but\nafter btrfs_sysfs_add_space_info_type() has called kobject_put(), let\nthe kobject release callback handle the cleanup."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:36.554Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07"
        },
        {
          "url": "https://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837"
        }
      ],
      "title": "btrfs: fix double free in create_space_info() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46129",
    "datePublished": "2026-05-28T09:35:44.271Z",
    "dateReserved": "2026-05-13T15:03:33.099Z",
    "dateUpdated": "2026-06-14T17:56:36.554Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46167 (GCVE-0-2026-46167)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that. statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl. usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller. Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening.

References

URL

Tags

	https://git.kernel.org/stable/c/0f7c41314ebf17049917a452684db371babf711a
	https://git.kernel.org/stable/c/cf24991619be317e2769310b4a367bf4a04b82bc
	https://git.kernel.org/stable/c/087d97342c100138ea7d75a50977c9c2319f957b
	https://git.kernel.org/stable/c/d06d937b0a4cdb8867f04275c8100a8b943da31a
	https://git.kernel.org/stable/c/a502b997668401a6821501fc98b7f9220f9b6ff2
	https://git.kernel.org/stable/c/762a6ccf391db0d629e590a803a3a2231e17dd3f
	https://git.kernel.org/stable/c/6b0e7438e31c74b01514d31ff35c1e688c4baaba
	https://git.kernel.org/stable/c/b38e53cbfb9d84732e5984fbd73e128d592415c5

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/usblp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0f7c41314ebf17049917a452684db371babf711a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cf24991619be317e2769310b4a367bf4a04b82bc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "087d97342c100138ea7d75a50977c9c2319f957b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d06d937b0a4cdb8867f04275c8100a8b943da31a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a502b997668401a6821501fc98b7f9220f9b6ff2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "762a6ccf391db0d629e590a803a3a2231e17dd3f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6b0e7438e31c74b01514d31ff35c1e688c4baaba",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b38e53cbfb9d84732e5984fbd73e128d592415c5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/usblp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl\n\nJust like in a previous problem in this driver, usblp_ctrl_msg() will\ncollapse the usb_control_msg() return value to 0/-errno, discarding the\nactual number of bytes transferred.\n\nIdeally that short command should be detected and error out, but many\nprinters are known to send \"incorrect\" responses back so we can\u0027t just\ndo that.\n\nstatusbuf is kmalloc(8) at probe time and never filled before the first\nLPGETSTATUS ioctl.\n\nusblp_read_status() requests 1 byte. If a malicious printer responds\nwith zero bytes, *statusbuf is one byte of stale kmalloc heap,\nsign-extended into the local int status, which the LPGETSTATUS path then\ncopy_to_user()s directly to the ioctl caller.\n\nFix this all by just zapping out the memory buffer when allocated at\nprobe time.  If a later call does a short read, the data will be\nidentical to what the device sent it the last time, so there is no\n\"leak\" of information happening."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:59:37.617Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0f7c41314ebf17049917a452684db371babf711a"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf24991619be317e2769310b4a367bf4a04b82bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/087d97342c100138ea7d75a50977c9c2319f957b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d06d937b0a4cdb8867f04275c8100a8b943da31a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a502b997668401a6821501fc98b7f9220f9b6ff2"
        },
        {
          "url": "https://git.kernel.org/stable/c/762a6ccf391db0d629e590a803a3a2231e17dd3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b0e7438e31c74b01514d31ff35c1e688c4baaba"
        },
        {
          "url": "https://git.kernel.org/stable/c/b38e53cbfb9d84732e5984fbd73e128d592415c5"
        }
      ],
      "title": "usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46167",
    "datePublished": "2026-05-28T09:36:22.434Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:59:37.617Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46196 (GCVE-0-2026-46196)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them. For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state. Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.

References

URL

Tags

	https://git.kernel.org/stable/c/247ed8a969f981bfba3112fd4bb441eaa6cef59c
	https://git.kernel.org/stable/c/7bcadb3c2bc1cf60690e931aadd35fb7bd646a49
	https://git.kernel.org/stable/c/2c5b8eeea006eb694c81631cd5713d494b80be90
	https://git.kernel.org/stable/c/342829e042ac00f3d68d442ea92873fb6683f494
	https://git.kernel.org/stable/c/fad217e16fded7f3c09f8637b0f6a224d58b5f2e

Impacted products

Vendor

Product

Version

Version: 8cf868affdc459beee1a941df0cfaba1673740e3
Version: 8cf868affdc459beee1a941df0cfaba1673740e3
Version: 8cf868affdc459beee1a941df0cfaba1673740e3
Version: 8cf868affdc459beee1a941df0cfaba1673740e3
Version: 8cf868affdc459beee1a941df0cfaba1673740e3

Version: 4.10

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/tracepoint.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "247ed8a969f981bfba3112fd4bb441eaa6cef59c",
              "status": "affected",
              "version": "8cf868affdc459beee1a941df0cfaba1673740e3",
              "versionType": "git"
            },
            {
              "lessThan": "7bcadb3c2bc1cf60690e931aadd35fb7bd646a49",
              "status": "affected",
              "version": "8cf868affdc459beee1a941df0cfaba1673740e3",
              "versionType": "git"
            },
            {
              "lessThan": "2c5b8eeea006eb694c81631cd5713d494b80be90",
              "status": "affected",
              "version": "8cf868affdc459beee1a941df0cfaba1673740e3",
              "versionType": "git"
            },
            {
              "lessThan": "342829e042ac00f3d68d442ea92873fb6683f494",
              "status": "affected",
              "version": "8cf868affdc459beee1a941df0cfaba1673740e3",
              "versionType": "git"
            },
            {
              "lessThan": "fad217e16fded7f3c09f8637b0f6a224d58b5f2e",
              "status": "affected",
              "version": "8cf868affdc459beee1a941df0cfaba1673740e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/tracepoint.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()\n\nWhen a tracepoint goes through the 0 -\u003e 1 transition, tracepoint_add_func()\ninvokes the subsystem\u0027s ext-\u003eregfunc() before attempting to install the\nnew probe via func_add(). If func_add() then fails (for example, when\nallocate_probes() cannot allocate a new probe array under memory pressure\nand returns -ENOMEM), the function returns the error without calling the\nmatching ext-\u003eunregfunc(), leaving the side effects of regfunc() behind\nwith no installed probe to justify them.\n\nFor syscall tracepoints this is particularly unpleasant: syscall_regfunc()\nbumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.\nAfter a leaked failure, the refcount is stuck at a non-zero value with no\nconsumer, and every task continues paying the syscall trace entry/exit\noverhead until reboot. Other subsystems providing regfunc()/unregfunc()\npairs exhibit similarly scoped persistent state.\n\nMirror the existing 1 -\u003e 0 cleanup and call ext-\u003eunregfunc() in the\nfunc_add() error path, gated on the same condition used there so the\nunwind is symmetric with the registration."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:54.236Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/247ed8a969f981bfba3112fd4bb441eaa6cef59c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bcadb3c2bc1cf60690e931aadd35fb7bd646a49"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c5b8eeea006eb694c81631cd5713d494b80be90"
        },
        {
          "url": "https://git.kernel.org/stable/c/342829e042ac00f3d68d442ea92873fb6683f494"
        },
        {
          "url": "https://git.kernel.org/stable/c/fad217e16fded7f3c09f8637b0f6a224d58b5f2e"
        }
      ],
      "title": "tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46196",
    "datePublished": "2026-05-28T09:36:49.293Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:01:54.236Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46204 (GCVE-0-2026-46204)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:02

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.

References

URL

Tags

	https://git.kernel.org/stable/c/1dc005775fb5b3f86464406452b17364f85581d3
	https://git.kernel.org/stable/c/d0802a8877d730260d4af4dd4e0b6cde7e0e593f
	https://git.kernel.org/stable/c/a6d5563ba1f03a049561cd347574613167294e8d
	https://git.kernel.org/stable/c/5c3e8ebad0c9e2354ddfa8f2148dc4f70a3b4bd1
	https://git.kernel.org/stable/c/2444eb0ec8283f4a3845eb7febad378476e1ba3c

Impacted products

Vendor

Product

Version

Version: 0b15205c7325dc20b7da0068307670d222d66949
Version: 0b15205c7325dc20b7da0068307670d222d66949
Version: 0b15205c7325dc20b7da0068307670d222d66949
Version: 0b15205c7325dc20b7da0068307670d222d66949
Version: 0b15205c7325dc20b7da0068307670d222d66949

Version: 6.0

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1dc005775fb5b3f86464406452b17364f85581d3",
              "status": "affected",
              "version": "0b15205c7325dc20b7da0068307670d222d66949",
              "versionType": "git"
            },
            {
              "lessThan": "d0802a8877d730260d4af4dd4e0b6cde7e0e593f",
              "status": "affected",
              "version": "0b15205c7325dc20b7da0068307670d222d66949",
              "versionType": "git"
            },
            {
              "lessThan": "a6d5563ba1f03a049561cd347574613167294e8d",
              "status": "affected",
              "version": "0b15205c7325dc20b7da0068307670d222d66949",
              "versionType": "git"
            },
            {
              "lessThan": "5c3e8ebad0c9e2354ddfa8f2148dc4f70a3b4bd1",
              "status": "affected",
              "version": "0b15205c7325dc20b7da0068307670d222d66949",
              "versionType": "git"
            },
            {
              "lessThan": "2444eb0ec8283f4a3845eb7febad378476e1ba3c",
              "status": "affected",
              "version": "0b15205c7325dc20b7da0068307670d222d66949",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn4: Prevent OOB reads when parsing IB\n\nRewrite the IB parsing to use amdgpu_ib_get_value() which handles the\nbounds checks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:02:32.741Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1dc005775fb5b3f86464406452b17364f85581d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0802a8877d730260d4af4dd4e0b6cde7e0e593f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6d5563ba1f03a049561cd347574613167294e8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c3e8ebad0c9e2354ddfa8f2148dc4f70a3b4bd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2444eb0ec8283f4a3845eb7febad378476e1ba3c"
        }
      ],
      "title": "drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46204",
    "datePublished": "2026-05-28T09:40:21.933Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:02:32.741Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46064 (GCVE-0-2026-46064)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:51

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix heap over-read in ibmasm_send_i2o_message() The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO. Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure. Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it. Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field.

References

URL

Tags

	https://git.kernel.org/stable/c/ca1c857e2bb74a9fc0606128334f85316d57067b
	https://git.kernel.org/stable/c/b870f652877bfbe321bd0f4096fc37a93296f7b6
	https://git.kernel.org/stable/c/ce57fa439bd1b5d664f334a0c3e3f0e42abb0153
	https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0
	https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787
	https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083
	https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c
	https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45462

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ibmasm/lowlevel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca1c857e2bb74a9fc0606128334f85316d57067b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b870f652877bfbe321bd0f4096fc37a93296f7b6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ce57fa439bd1b5d664f334a0c3e3f0e42abb0153",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fd19eb1c75047a4ed4e855f56cafd704dc3914e0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fe31722b0194ff76bf8b461e8bf97a2081147787",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c1c2417c60dbdca5ebb00462f21ee71c2d7f7083",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9e8f6c9d4ecddda2f28baa1678340286cff3969c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9aad71144fa3682cca3837a06c8623016790e7ec",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ibmasm/lowlevel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmasm: fix heap over-read in ibmasm_send_i2o_message()\n\nThe ibmasm_send_i2o_message() function uses get_dot_command_size() to\ncompute the byte count for memcpy_toio(), but this value is derived from\nuser-controlled fields in the dot_command_header (command_size: u8,\ndata_size: u16) and is never validated against the actual allocation size.\nA root user can write a small buffer with inflated header fields, causing\nmemcpy_toio() to read up to ~65 KB past the end of the allocation into\nadjacent kernel heap, which is then forwarded to the service processor\nover MMIO.\n\nSilently clamping the copy size is not sufficient: if the header fields\nclaim a larger size than the buffer, the SP receives a dot command whose\nown header is inconsistent with the I2O message length, which can cause\nthe SP to desynchronize. Reject such commands outright by returning\nfailure.\n\nValidate command_size before calling get_mfa_inbound() to avoid leaking\nan I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware\nframe from the controller\u0027s free pool, and returning without a\ncorresponding set_mfa_inbound() call would permanently exhaust it.\n\nAdditionally, clamp command_size to I2O_COMMAND_SIZE before the\nmemcpy_toio() so the MMIO write stays within the I2O message frame,\nconsistent with the clamping already performed by outgoing_message_size()\nfor the header field."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:51:42.521Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca1c857e2bb74a9fc0606128334f85316d57067b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b870f652877bfbe321bd0f4096fc37a93296f7b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce57fa439bd1b5d664f334a0c3e3f0e42abb0153"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec"
        }
      ],
      "title": "ibmasm: fix heap over-read in ibmasm_send_i2o_message()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46064",
    "datePublished": "2026-05-27T12:57:30.247Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:51:42.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45462 (GCVE-0-2026-45462)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45462",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T12:34:07.309607Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T12:34:15.840Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:03.340Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45462"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45462",
    "datePublished": "2026-06-09T17:05:25.178Z",
    "dateReserved": "2026-05-12T16:06:43.097Z",
    "dateUpdated": "2026-06-16T18:18:03.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45987 (GCVE-0-2026-45987)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2 After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs fields written by the CPU from vmcb02 to the cached vmcb12. This is because the cached vmcb12 is used as the authoritative copy of some of the controls, and is the payload when saving/restoring nested state. int_state is also written by the CPU, specifically bit 0 (i.e. SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE preceeds KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites what KVM_SET_NESTED_STATE restored in int_state). However, if KVM_SET_VCPU_EVENTS preceeds KVM_SET_NESTED_STATE, an interrupt shadow would be restored into vmcb01 instead of vmcb02. This would mostly be benign for L1 (delays an interrupt), but not for L2. For L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before a HLT that should have been in an interrupt shadow). Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02() to avoid this problem. With that, KVM_SET_NESTED_STATE restores the correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it would overwrite it with the same value.

References

URL

Tags

	https://git.kernel.org/stable/c/0c1f74d8b74d8a31751fb6ea5417e48e02c93b58
	https://git.kernel.org/stable/c/4b44aa1a134e499c4517597118378b308602a16c
	https://git.kernel.org/stable/c/e39a77a9b1e17d2d831c304eafac4c41a784a0be
	https://git.kernel.org/stable/c/1709418535a8df95532999d61b03d59975280258
	https://git.kernel.org/stable/c/2f950eeb27af6885416232761700b8820cae0a61
	https://git.kernel.org/stable/c/497f6af9679fc9c6ce2f438e11ed5d51b1aa8297
	https://git.kernel.org/stable/c/e0377e52f3c10ee572732d11b04625b7f517a862
	https://git.kernel.org/stable/c/03bee264f8ebfd39e0254c98e112d033a7aa9055

Impacted products

Vendor

Product

Version

Version: cc440cdad5b7a4c1de12dace725209eb3e0cf663
Version: cc440cdad5b7a4c1de12dace725209eb3e0cf663
Version: cc440cdad5b7a4c1de12dace725209eb3e0cf663
Version: cc440cdad5b7a4c1de12dace725209eb3e0cf663
Version: cc440cdad5b7a4c1de12dace725209eb3e0cf663
Version: cc440cdad5b7a4c1de12dace725209eb3e0cf663
Version: cc440cdad5b7a4c1de12dace725209eb3e0cf663
Version: cc440cdad5b7a4c1de12dace725209eb3e0cf663

Version: 5.8

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/svm/nested.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c1f74d8b74d8a31751fb6ea5417e48e02c93b58",
              "status": "affected",
              "version": "cc440cdad5b7a4c1de12dace725209eb3e0cf663",
              "versionType": "git"
            },
            {
              "lessThan": "4b44aa1a134e499c4517597118378b308602a16c",
              "status": "affected",
              "version": "cc440cdad5b7a4c1de12dace725209eb3e0cf663",
              "versionType": "git"
            },
            {
              "lessThan": "e39a77a9b1e17d2d831c304eafac4c41a784a0be",
              "status": "affected",
              "version": "cc440cdad5b7a4c1de12dace725209eb3e0cf663",
              "versionType": "git"
            },
            {
              "lessThan": "1709418535a8df95532999d61b03d59975280258",
              "status": "affected",
              "version": "cc440cdad5b7a4c1de12dace725209eb3e0cf663",
              "versionType": "git"
            },
            {
              "lessThan": "2f950eeb27af6885416232761700b8820cae0a61",
              "status": "affected",
              "version": "cc440cdad5b7a4c1de12dace725209eb3e0cf663",
              "versionType": "git"
            },
            {
              "lessThan": "497f6af9679fc9c6ce2f438e11ed5d51b1aa8297",
              "status": "affected",
              "version": "cc440cdad5b7a4c1de12dace725209eb3e0cf663",
              "versionType": "git"
            },
            {
              "lessThan": "e0377e52f3c10ee572732d11b04625b7f517a862",
              "status": "affected",
              "version": "cc440cdad5b7a4c1de12dace725209eb3e0cf663",
              "versionType": "git"
            },
            {
              "lessThan": "03bee264f8ebfd39e0254c98e112d033a7aa9055",
              "status": "affected",
              "version": "cc440cdad5b7a4c1de12dace725209eb3e0cf663",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/svm/nested.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2\n\nAfter VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs\nfields written by the CPU from vmcb02 to the cached vmcb12. This is\nbecause the cached vmcb12 is used as the authoritative copy of some of\nthe controls, and is the payload when saving/restoring nested state.\n\nint_state is also written by the CPU, specifically bit 0 (i.e.\nSVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync\u0027d to\ncached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE\npreceeds KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow\nwould be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites\nwhat KVM_SET_NESTED_STATE restored in int_state).\n\nHowever, if KVM_SET_VCPU_EVENTS preceeds KVM_SET_NESTED_STATE, an\ninterrupt shadow would be restored into vmcb01 instead of vmcb02. This\nwould mostly be benign for L1 (delays an interrupt), but not for L2. For\nL2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before\na HLT that should have been in an interrupt shadow).\n\nSync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()\nto avoid this problem. With that, KVM_SET_NESTED_STATE restores the\ncorrect interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it\nwould overwrite it with the same value."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:36.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c1f74d8b74d8a31751fb6ea5417e48e02c93b58"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b44aa1a134e499c4517597118378b308602a16c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e39a77a9b1e17d2d831c304eafac4c41a784a0be"
        },
        {
          "url": "https://git.kernel.org/stable/c/1709418535a8df95532999d61b03d59975280258"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f950eeb27af6885416232761700b8820cae0a61"
        },
        {
          "url": "https://git.kernel.org/stable/c/497f6af9679fc9c6ce2f438e11ed5d51b1aa8297"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0377e52f3c10ee572732d11b04625b7f517a862"
        },
        {
          "url": "https://git.kernel.org/stable/c/03bee264f8ebfd39e0254c98e112d033a7aa9055"
        }
      ],
      "title": "KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45987",
    "datePublished": "2026-05-27T12:55:38.653Z",
    "dateReserved": "2026-05-13T15:03:33.090Z",
    "dateUpdated": "2026-06-14T17:46:36.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46103 (GCVE-0-2026-46103)

Vulnerability from cvelistv5

Published

2026-05-27 12:59

Modified

2026-06-14 17:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the control message buffer lifetime so that it is released on driver unbind.

References

URL

Tags

	https://git.kernel.org/stable/c/3df5b9110ac08f67ccfe382fc172bfee95688eec
	https://git.kernel.org/stable/c/4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705
	https://git.kernel.org/stable/c/10b7b676b78a7bd888d19729b459aad7fc1f428b
	https://git.kernel.org/stable/c/c524c124e3094d2de12235a513854c03d06a2b58
	https://git.kernel.org/stable/c/c0d3ccc6929e4509076df8f30a4fb1dc5018b0ae
	https://git.kernel.org/stable/c/fed4626501c871890da287bec62a96e52da1af89

Impacted products

Vendor

Product

Version

Version: 9f2d3eae88d26c29d96e42983b755940d9169cd9
Version: 9f2d3eae88d26c29d96e42983b755940d9169cd9
Version: 9f2d3eae88d26c29d96e42983b755940d9169cd9
Version: 9f2d3eae88d26c29d96e42983b755940d9169cd9
Version: 9f2d3eae88d26c29d96e42983b755940d9169cd9
Version: 9f2d3eae88d26c29d96e42983b755940d9169cd9

Version: 4.19

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49161

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/ucan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3df5b9110ac08f67ccfe382fc172bfee95688eec",
              "status": "affected",
              "version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
              "versionType": "git"
            },
            {
              "lessThan": "4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705",
              "status": "affected",
              "version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
              "versionType": "git"
            },
            {
              "lessThan": "10b7b676b78a7bd888d19729b459aad7fc1f428b",
              "status": "affected",
              "version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
              "versionType": "git"
            },
            {
              "lessThan": "c524c124e3094d2de12235a513854c03d06a2b58",
              "status": "affected",
              "version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
              "versionType": "git"
            },
            {
              "lessThan": "c0d3ccc6929e4509076df8f30a4fb1dc5018b0ae",
              "status": "affected",
              "version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
              "versionType": "git"
            },
            {
              "lessThan": "fed4626501c871890da287bec62a96e52da1af89",
              "status": "affected",
              "version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/ucan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. on probe\ndeferral or configuration changes).\n\nFix the control message buffer lifetime so that it is released on driver\nunbind."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:54:39.297Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3df5b9110ac08f67ccfe382fc172bfee95688eec"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705"
        },
        {
          "url": "https://git.kernel.org/stable/c/10b7b676b78a7bd888d19729b459aad7fc1f428b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c524c124e3094d2de12235a513854c03d06a2b58"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0d3ccc6929e4509076df8f30a4fb1dc5018b0ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/fed4626501c871890da287bec62a96e52da1af89"
        }
      ],
      "title": "can: ucan: fix devres lifetime",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46103",
    "datePublished": "2026-05-27T12:59:11.533Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-06-14T17:54:39.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49161 (GCVE-0-2026-49161)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-284 - Improper Access Control

Summary

Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft PC Manager	Version: 1.0.0 < 3.21.6.0

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49161",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:39.872468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:22:08.228Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft PC Manager",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "3.21.6.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:pc_manager:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.21.6.0",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:54.992Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft PC Manager Security Feature Bypass Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49161"
        }
      ],
      "title": "Microsoft PC Manager Security Feature Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-49161",
    "datePublished": "2026-06-09T17:05:16.713Z",
    "dateReserved": "2026-05-27T23:44:09.622Z",
    "dateUpdated": "2026-06-16T18:17:54.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46132 (GCVE-0-2026-46132)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation: struct ifla_vf_broadcast vf_broadcast; The struct contains a single fixed 32-byte field: /* include/uapi/linux/if_link.h */ struct ifla_vf_broadcast { __u8 broadcast[32]; }; The function then copies dev->broadcast into it using dev->addr_len as the length: memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via: nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), &vf_broadcast) leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable. The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added. Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced. Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.

References

URL

Tags

	https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1
	https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d
	https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7
	https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00
	https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8
	https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5
	https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011
	https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0

Impacted products

Vendor

Product

Version

Version: 75345f888f700c4ab2448287e35d48c760b202e6
Version: 75345f888f700c4ab2448287e35d48c760b202e6
Version: 75345f888f700c4ab2448287e35d48c760b202e6
Version: 75345f888f700c4ab2448287e35d48c760b202e6
Version: 75345f888f700c4ab2448287e35d48c760b202e6
Version: 75345f888f700c4ab2448287e35d48c760b202e6
Version: 75345f888f700c4ab2448287e35d48c760b202e6
Version: 75345f888f700c4ab2448287e35d48c760b202e6

Version: 5.3

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/rtnetlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "14271b401ec6a4bf0d88054106fc2956084717e1",
              "status": "affected",
              "version": "75345f888f700c4ab2448287e35d48c760b202e6",
              "versionType": "git"
            },
            {
              "lessThan": "cccce3190ba4356432b9f22369b56123d3d89f0d",
              "status": "affected",
              "version": "75345f888f700c4ab2448287e35d48c760b202e6",
              "versionType": "git"
            },
            {
              "lessThan": "a44fbb631cba646532f3948636626f81717365a7",
              "status": "affected",
              "version": "75345f888f700c4ab2448287e35d48c760b202e6",
              "versionType": "git"
            },
            {
              "lessThan": "0653c0516234c8258975d268a749115fc0f0ff00",
              "status": "affected",
              "version": "75345f888f700c4ab2448287e35d48c760b202e6",
              "versionType": "git"
            },
            {
              "lessThan": "c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8",
              "status": "affected",
              "version": "75345f888f700c4ab2448287e35d48c760b202e6",
              "versionType": "git"
            },
            {
              "lessThan": "fbe0e6197225e6a83cf113a67a4b425f8de0bcd5",
              "status": "affected",
              "version": "75345f888f700c4ab2448287e35d48c760b202e6",
              "versionType": "git"
            },
            {
              "lessThan": "38bcc21f52246badb3154b6158dcb381d98de011",
              "status": "affected",
              "version": "75345f888f700c4ab2448287e35d48c760b202e6",
              "versionType": "git"
            },
            {
              "lessThan": "4b9e327991815e128ad3af75c3a04630a63ce3e0",
              "status": "affected",
              "version": "75345f888f700c4ab2448287e35d48c760b202e6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/rtnetlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo\n\nrtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack\nwithout initialisation:\n\n\tstruct ifla_vf_broadcast vf_broadcast;\n\nThe struct contains a single fixed 32-byte field:\n\n\t/* include/uapi/linux/if_link.h */\n\tstruct ifla_vf_broadcast {\n\t\t__u8 broadcast[32];\n\t};\n\nThe function then copies dev-\u003ebroadcast into it using dev-\u003eaddr_len\nas the length:\n\n\tmemcpy(vf_broadcast.broadcast, dev-\u003ebroadcast, dev-\u003eaddr_len);\n\nOn Ethernet devices (the overwhelming majority of SR-IOV NICs)\ndev-\u003eaddr_len is 6, so only the first 6 bytes of broadcast[] are\nwritten. The remaining 26 bytes retain whatever was previously on\nthe kernel stack. The full struct is then handed to userspace via:\n\n\tnla_put(skb, IFLA_VF_BROADCAST,\n\t\tsizeof(vf_broadcast), \u0026vf_broadcast)\n\nleaking up to 26 bytes of uninitialised kernel stack per VF per\nRTM_GETLINK request, repeatable.\n\nThe other vf_* structs in the same function are explicitly zeroed\nfor exactly this reason - see the memset() calls for ivi,\nvf_vlan_info, node_guid and port_guid a few lines above.\nvf_broadcast was simply missed when it was added.\n\nReachability: any unprivileged local process can open AF_NETLINK /\nNETLINK_ROUTE without capabilities and send RTM_GETLINK with an\nIFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks\neach VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per\nVF per request. Stack residue at this call site can include return\naddresses and transient sensitive data; KASAN with stack\ninstrumentation, or KMSAN, will flag the nla_put() when reproduced.\n\nZero the on-stack struct before the partial memcpy, matching the\nexisting pattern used for the other vf_* structs in the same\nfunction."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:50.522Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0"
        }
      ],
      "title": "net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46132",
    "datePublished": "2026-05-28T09:35:47.047Z",
    "dateReserved": "2026-05-13T15:03:33.099Z",
    "dateUpdated": "2026-06-14T17:56:50.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46043 (GCVE-0-2026-46043)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:50

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used. However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen: payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users. Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.

References

URL

Tags

	https://git.kernel.org/stable/c/c4376c672c3648d5bdc31dfffc329d07164f93c4
	https://git.kernel.org/stable/c/5fedefec757192dcaad29a664ac332c7601be144
	https://git.kernel.org/stable/c/2c0d71ef12f46c57d37bc571f3f2797db7eb50cc
	https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240
	https://git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520
	https://git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa
	https://git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d
	https://git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3

Impacted products

Vendor

Product

Version

Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76

Version: 4.8

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33113

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_recv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c4376c672c3648d5bdc31dfffc329d07164f93c4",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "5fedefec757192dcaad29a664ac332c7601be144",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "2c0d71ef12f46c57d37bc571f3f2797db7eb50cc",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "2fd4f8b749309a61c3f3f88ee8891d94f79e1240",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "f83519a4c122c9c7a850a2197648a9ff4c67c520",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "9b924f3a26b21330a837cfe72e819b6393bbeeaa",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "e8ee0e792d475b1067c199ef0af1b6221fa6f43d",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "7244491dab347f648e661da96dc0febadd9daec3",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_recv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\n\nrxe_rcv() currently checks only that the incoming packet is at least\nheader_size(pkt) bytes long before payload_size() is used.\n\nHowever, payload_size() subtracts both the attacker-controlled BTH pad\nfield and RXE_ICRC_SIZE from pkt-\u003epaylen:\n\n  payload_size = pkt-\u003epaylen - offset[RXE_PAYLOAD] - bth_pad(pkt)\n                 - RXE_ICRC_SIZE\n\nThis means a short packet can still make payload_size() underflow even\nif it includes enough bytes for the fixed headers. Simply requiring\nheader_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a\npacket with a forged non-zero BTH pad can still leave payload_size()\nnegative and pass an underflowed value to later receive-path users.\n\nFix this by validating pkt-\u003epaylen against the full minimum length\nrequired by payload_size(): header_size(pkt) + bth_pad(pkt) +\nRXE_ICRC_SIZE."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:11.647Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c4376c672c3648d5bdc31dfffc329d07164f93c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5fedefec757192dcaad29a664ac332c7601be144"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c0d71ef12f46c57d37bc571f3f2797db7eb50cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240"
        },
        {
          "url": "https://git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3"
        }
      ],
      "title": "RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46043",
    "datePublished": "2026-05-27T12:56:57.987Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:11.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33113 (GCVE-0-2026-33113)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33113",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:09:59.255590Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:10:18.591Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:56.589Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33113"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-33113",
    "datePublished": "2026-06-09T17:05:18.556Z",
    "dateReserved": "2026-03-17T20:15:23.720Z",
    "dateUpdated": "2026-06-16T18:17:56.589Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46120 (GCVE-0-2026-46120)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ip6_gre: Use cached t->net in ip6erspan_changelink(). After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration. This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify(). Reachable from an unprivileged user namespace (unshare --user --map-root-user --net). ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.

References

URL

Tags

	https://git.kernel.org/stable/c/7bd0f2b162b426b343a114e1b329f0d8d14fdc6e
	https://git.kernel.org/stable/c/01b71ff2857d3598337de11e7840a8e3ff21553c
	https://git.kernel.org/stable/c/0fcf6731706f73494245a9c0d64f93bebf95bb51
	https://git.kernel.org/stable/c/eca62bb0569de4d43a4dac06a2092a9d4ca1d702
	https://git.kernel.org/stable/c/311fdd26eb4443d43b909cc67a10f3a5fd1b21b2
	https://git.kernel.org/stable/c/e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82
	https://git.kernel.org/stable/c/cf7fc624329e76c6394653d12353e1d033adea91
	https://git.kernel.org/stable/c/1d324c2f43f70c965f25c58cc3611c779adbe47e

Impacted products

Vendor

Product

Version

Version: 2d665034f239412927b1e71329f20f001c92da09
Version: 2d665034f239412927b1e71329f20f001c92da09
Version: 2d665034f239412927b1e71329f20f001c92da09
Version: 2d665034f239412927b1e71329f20f001c92da09
Version: 2d665034f239412927b1e71329f20f001c92da09
Version: 2d665034f239412927b1e71329f20f001c92da09
Version: 2d665034f239412927b1e71329f20f001c92da09
Version: 2d665034f239412927b1e71329f20f001c92da09
Version: c6d72628352c949629af619b77b042e0fb5245e7
Version: 4.16.12 ≤

Version: 4.17

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ip6_gre.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7bd0f2b162b426b343a114e1b329f0d8d14fdc6e",
              "status": "affected",
              "version": "2d665034f239412927b1e71329f20f001c92da09",
              "versionType": "git"
            },
            {
              "lessThan": "01b71ff2857d3598337de11e7840a8e3ff21553c",
              "status": "affected",
              "version": "2d665034f239412927b1e71329f20f001c92da09",
              "versionType": "git"
            },
            {
              "lessThan": "0fcf6731706f73494245a9c0d64f93bebf95bb51",
              "status": "affected",
              "version": "2d665034f239412927b1e71329f20f001c92da09",
              "versionType": "git"
            },
            {
              "lessThan": "eca62bb0569de4d43a4dac06a2092a9d4ca1d702",
              "status": "affected",
              "version": "2d665034f239412927b1e71329f20f001c92da09",
              "versionType": "git"
            },
            {
              "lessThan": "311fdd26eb4443d43b909cc67a10f3a5fd1b21b2",
              "status": "affected",
              "version": "2d665034f239412927b1e71329f20f001c92da09",
              "versionType": "git"
            },
            {
              "lessThan": "e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82",
              "status": "affected",
              "version": "2d665034f239412927b1e71329f20f001c92da09",
              "versionType": "git"
            },
            {
              "lessThan": "cf7fc624329e76c6394653d12353e1d033adea91",
              "status": "affected",
              "version": "2d665034f239412927b1e71329f20f001c92da09",
              "versionType": "git"
            },
            {
              "lessThan": "1d324c2f43f70c965f25c58cc3611c779adbe47e",
              "status": "affected",
              "version": "2d665034f239412927b1e71329f20f001c92da09",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c6d72628352c949629af619b77b042e0fb5245e7",
              "versionType": "git"
            },
            {
              "lessThan": "4.17",
              "status": "affected",
              "version": "4.16.12",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ip6_gre.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.16.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: Use cached t-\u003enet in ip6erspan_changelink().\n\nAfter commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of\nrtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns\nip6gre hash via link_net. ip6erspan_changelink() was not converted in\nthat series and still uses dev_net(dev), which diverges from the\ndevice\u0027s creation netns after IFLA_NET_NS_FD migration.\n\nThis re-inserts the tunnel into the wrong per-netns hash. The\noriginal netns keeps a stale entry. When that netns is later\ndestroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a\nslab-use-after-free reported by KASAN, followed by a kernel BUG at\nnet/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().\n\nReachable from an unprivileged user namespace (unshare --user\n--map-root-user --net).\n\nip6gre_changelink() earlier in the same file already uses the cached\nt-\u003enet; only ip6erspan_changelink() has the wrong shape."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:54.746Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7bd0f2b162b426b343a114e1b329f0d8d14fdc6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/01b71ff2857d3598337de11e7840a8e3ff21553c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fcf6731706f73494245a9c0d64f93bebf95bb51"
        },
        {
          "url": "https://git.kernel.org/stable/c/eca62bb0569de4d43a4dac06a2092a9d4ca1d702"
        },
        {
          "url": "https://git.kernel.org/stable/c/311fdd26eb4443d43b909cc67a10f3a5fd1b21b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf7fc624329e76c6394653d12353e1d033adea91"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d324c2f43f70c965f25c58cc3611c779adbe47e"
        }
      ],
      "title": "ip6_gre: Use cached t-\u003enet in ip6erspan_changelink().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46120",
    "datePublished": "2026-05-28T09:35:35.385Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:54.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45997 (GCVE-0-2026-45997)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup.

References

URL

Tags

	https://git.kernel.org/stable/c/2c2c14b7dfccad8c5a28802849e40c21252e4c28
	https://git.kernel.org/stable/c/262152ec37101f9dc524743ccdbd6c7641d14573
	https://git.kernel.org/stable/c/b64b4f499801b12d0e2785447e4df6c164c608a9
	https://git.kernel.org/stable/c/13e550fbfccdb311e76ec96892dfe35f0dba0657
	https://git.kernel.org/stable/c/a95d38c5701431bfc826e7b18acc0785919d5c88
	https://git.kernel.org/stable/c/1e111c4b3a726df1254670a5cc4868cedb946d37

Impacted products

Vendor

Product

Version

Version: 265dfe8ebbabae7959060bd1c3f75c2473b697ed
Version: 265dfe8ebbabae7959060bd1c3f75c2473b697ed
Version: 265dfe8ebbabae7959060bd1c3f75c2473b697ed
Version: 265dfe8ebbabae7959060bd1c3f75c2473b697ed
Version: 265dfe8ebbabae7959060bd1c3f75c2473b697ed
Version: 265dfe8ebbabae7959060bd1c3f75c2473b697ed
Version: d56459d361a9a99bead8b594635353053271356c
Version: a3e5a9208466b63f27a2509a691023b446ea5105
Version: 4e8e6427319de323f613caa8fd37120df83138d0
Version: eadb60bcc2005247d97dcb3becee57aba4024ff4
Version: 350d048cc506368a316f0bc4082426b24a2a9fc0
Version: 60df9f55562a57173a11b6c7011eee40dfa48157
Version: e95f62013a1159eeea752bb52df0683ee77f70ca
Version: 4.4.288   ≤
Version: 4.9.286   ≤
Version: 4.14.250   ≤
Version: 4.19.210   ≤
Version: 5.4.152   ≤
Version: 5.10.72   ≤
Version: 5.14.11   ≤

Version: 5.15

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/sd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2c2c14b7dfccad8c5a28802849e40c21252e4c28",
              "status": "affected",
              "version": "265dfe8ebbabae7959060bd1c3f75c2473b697ed",
              "versionType": "git"
            },
            {
              "lessThan": "262152ec37101f9dc524743ccdbd6c7641d14573",
              "status": "affected",
              "version": "265dfe8ebbabae7959060bd1c3f75c2473b697ed",
              "versionType": "git"
            },
            {
              "lessThan": "b64b4f499801b12d0e2785447e4df6c164c608a9",
              "status": "affected",
              "version": "265dfe8ebbabae7959060bd1c3f75c2473b697ed",
              "versionType": "git"
            },
            {
              "lessThan": "13e550fbfccdb311e76ec96892dfe35f0dba0657",
              "status": "affected",
              "version": "265dfe8ebbabae7959060bd1c3f75c2473b697ed",
              "versionType": "git"
            },
            {
              "lessThan": "a95d38c5701431bfc826e7b18acc0785919d5c88",
              "status": "affected",
              "version": "265dfe8ebbabae7959060bd1c3f75c2473b697ed",
              "versionType": "git"
            },
            {
              "lessThan": "1e111c4b3a726df1254670a5cc4868cedb946d37",
              "status": "affected",
              "version": "265dfe8ebbabae7959060bd1c3f75c2473b697ed",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d56459d361a9a99bead8b594635353053271356c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a3e5a9208466b63f27a2509a691023b446ea5105",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4e8e6427319de323f613caa8fd37120df83138d0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "eadb60bcc2005247d97dcb3becee57aba4024ff4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "350d048cc506368a316f0bc4082426b24a2a9fc0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "60df9f55562a57173a11b6c7011eee40dfa48157",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e95f62013a1159eeea752bb52df0683ee77f70ca",
              "versionType": "git"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.288",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.286",
              "versionType": "semver"
            },
            {
              "lessThan": "4.15",
              "status": "affected",
              "version": "4.14.250",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.210",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.152",
              "versionType": "semver"
            },
            {
              "lessThan": "5.11",
              "status": "affected",
              "version": "5.10.72",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15",
              "status": "affected",
              "version": "5.14.11",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/sd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.288",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.286",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.250",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.210",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.152",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.72",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sd: fix missing put_disk() when device_add(\u0026disk_dev) fails\n\nIf device_add(\u0026sdkp-\u003edisk_dev) fails, put_device() runs\nscsi_disk_release(), which frees the scsi_disk but leaves the gendisk\nreferenced. The device_add_disk() error path in sd_probe() calls\nput_disk(gd); call put_disk(gd) here to mirror that cleanup."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:03.622Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2c2c14b7dfccad8c5a28802849e40c21252e4c28"
        },
        {
          "url": "https://git.kernel.org/stable/c/262152ec37101f9dc524743ccdbd6c7641d14573"
        },
        {
          "url": "https://git.kernel.org/stable/c/b64b4f499801b12d0e2785447e4df6c164c608a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/13e550fbfccdb311e76ec96892dfe35f0dba0657"
        },
        {
          "url": "https://git.kernel.org/stable/c/a95d38c5701431bfc826e7b18acc0785919d5c88"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e111c4b3a726df1254670a5cc4868cedb946d37"
        }
      ],
      "title": "scsi: sd: fix missing put_disk() when device_add(\u0026disk_dev) fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45997",
    "datePublished": "2026-05-27T12:55:51.154Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:03.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46142 (GCVE-0-2026-46142)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix VF illegal register access Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang. When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).

References

URL

Tags

	https://git.kernel.org/stable/c/d3bd8040497968f6f5470018724ef7b0df92f707
	https://git.kernel.org/stable/c/f6e656f7cea16b638675a2ab7d7e4cf2516c5eb0
	https://git.kernel.org/stable/c/33c5bb50b9c40e8451e6aec4487a31d794b98d92
	https://git.kernel.org/stable/c/68a007a701bc06fa426507c551ef12514f2e721d
	https://git.kernel.org/stable/c/694de316f607fe2473d52ca0707e3918e72c1562

Impacted products

Vendor

Product

Version

Version: d4187ec2641061748480cdc944fd07653fad50d5
Version: f0b3ecdbb5bbee8ca6b2892aba3988c8a3ce858e
Version: a04ea57aae375bdda1cb57034d8bcbb351e1f973
Version: a04ea57aae375bdda1cb57034d8bcbb351e1f973
Version: a04ea57aae375bdda1cb57034d8bcbb351e1f973
Version: 93e52b75f11a8f39b22993ae315b5b9a6b2668a3
Version: 6.6.117   ≤
Version: 6.12.58   ≤
Version: 6.17.8   ≤

Version: 6.18

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/wangxun/libwx/wx_hw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d3bd8040497968f6f5470018724ef7b0df92f707",
              "status": "affected",
              "version": "d4187ec2641061748480cdc944fd07653fad50d5",
              "versionType": "git"
            },
            {
              "lessThan": "f6e656f7cea16b638675a2ab7d7e4cf2516c5eb0",
              "status": "affected",
              "version": "f0b3ecdbb5bbee8ca6b2892aba3988c8a3ce858e",
              "versionType": "git"
            },
            {
              "lessThan": "33c5bb50b9c40e8451e6aec4487a31d794b98d92",
              "status": "affected",
              "version": "a04ea57aae375bdda1cb57034d8bcbb351e1f973",
              "versionType": "git"
            },
            {
              "lessThan": "68a007a701bc06fa426507c551ef12514f2e721d",
              "status": "affected",
              "version": "a04ea57aae375bdda1cb57034d8bcbb351e1f973",
              "versionType": "git"
            },
            {
              "lessThan": "694de316f607fe2473d52ca0707e3918e72c1562",
              "status": "affected",
              "version": "a04ea57aae375bdda1cb57034d8bcbb351e1f973",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "93e52b75f11a8f39b22993ae315b5b9a6b2668a3",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.88",
              "status": "affected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18",
              "status": "affected",
              "version": "6.17.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/wangxun/libwx/wx_hw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.18"
            },
            {
              "lessThan": "6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.117",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.12.58",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.17.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: fix VF illegal register access\n\nRegister WX_CFG_PORT_ST is a PF restricted register. When a VF is\ninitialized, attempting to read this register triggers an illegal\nregister access, which lead to a system hang.\n\nWhen the device is VF, the bus function ID can be obtained directly from\nthe PCI_FUNC(pdev-\u003edevfn)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:57:38.598Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d3bd8040497968f6f5470018724ef7b0df92f707"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6e656f7cea16b638675a2ab7d7e4cf2516c5eb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/33c5bb50b9c40e8451e6aec4487a31d794b98d92"
        },
        {
          "url": "https://git.kernel.org/stable/c/68a007a701bc06fa426507c551ef12514f2e721d"
        },
        {
          "url": "https://git.kernel.org/stable/c/694de316f607fe2473d52ca0707e3918e72c1562"
        }
      ],
      "title": "net: libwx: fix VF illegal register access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46142",
    "datePublished": "2026-05-28T09:35:57.837Z",
    "dateReserved": "2026-05-13T15:03:33.100Z",
    "dateUpdated": "2026-06-14T17:57:38.598Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42789 (GCVE-0-2026-42789)

Vulnerability from cvelistv5

Published

2026-05-27 12:23

Modified

2026-05-27 15:46

Severity ?

7.0 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

CWE

CWE-295 - Improper Certificate Validation
CWE-296 - Improper Following of a Certificate's Chain of Trust

Summary

Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement. Any party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim's trust store, can use that certificate's private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers. This issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.

References

URL

Tags

	https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq	vendor-advisory, related
	https://cna.erlef.org/cves/CVE-2026-42789.html	related
	https://osv.dev/vulnerability/EEF-CVE-2026-42789	related
	https://www.erlang.org/doc/system/versions.html#order-of-versions	x_version-scheme
	https://github.com/erlang/otp/commit/471cd2f664300a95353c467873800bbe706005db	patch
	https://github.com/erlang/otp/commit/59c8d824386b2eb1614ff9340624843ef6aca0fd	patch

Impacted products

Vendor

Product

Version

Version: 0.22
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*

Version: 17.0
Version: 84adefa331c4159d432d22840663c38f155cd4c1
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47636

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42789",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:41:47.903975Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T15:43:46.333Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "pubkey_cert"
          ],
          "packageName": "public_key",
          "packageURL": "pkg:otp/public_key?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/pubkey_cert.erl"
          ],
          "programRoutines": [
            {
              "name": "pubkey_cert:validate_extensions/7"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.15.1.7",
                  "status": "unaffected"
                },
                {
                  "at": "1.17.1.3",
                  "status": "unaffected"
                },
                {
                  "at": "1.20.3.1",
                  "status": "unaffected"
                },
                {
                  "at": "1.21.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "0.22",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "pubkey_cert"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/public_key/src/pubkey_cert.erl"
          ],
          "programRoutines": [
            {
              "name": "pubkey_cert:validate_extensions/7"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "26.2.5.21",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.12",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.1",
                  "status": "unaffected"
                },
                {
                  "at": "29.0.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "471cd2f664300a95353c467873800bbe706005db",
                  "status": "unaffected"
                },
                {
                  "at": "59c8d824386b2eb1614ff9340624843ef6aca0fd",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "84adefa331c4159d432d22840663c38f155cd4c1",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.2.5.21",
                  "versionStartIncluding": "17.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.12",
                  "versionStartIncluding": "27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.1",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.1",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "John Downey"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Following of a Certificate\u0027s Chain of Trust vulnerability in Erlang OTP \u003ctt\u003epublic_key\u003c/tt\u003e (\u003ctt\u003epubkey_cert\u003c/tt\u003e module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery.\u003cp\u003eIn \u003ctt\u003elib/public_key/src/pubkey_cert.erl\u003c/tt\u003e, \u003ctt\u003epubkey_cert:validate_extensions/7\u003c/tt\u003e contains two flaws that together allow a certificate with \u003ctt\u003ebasicConstraints cA:false\u003c/tt\u003e and no \u003ctt\u003ekeyUsage\u003c/tt\u003e extension to be used as an intermediate issuer in a chain passed to \u003ctt\u003epublic_key:pkix_path_validation/3\u003c/tt\u003e: the \u003ctt\u003ecA:false\u003c/tt\u003e clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the \u003ctt\u003ekeyUsage\u003c/tt\u003e check only fires when the extension is present, so a certificate lacking \u003ctt\u003ekeyUsage\u003c/tt\u003e entirely bypasses the \u003ctt\u003ekeyCertSign\u003c/tt\u003e enforcement.\u003c/p\u003e\u003cp\u003eAny party holding an end-entity certificate with \u003ctt\u003ebasicConstraints cA:false\u003c/tt\u003e and no \u003ctt\u003ekeyUsage\u003c/tt\u003e extension, issued by any CA in the victim\u0027s trust store, can use that certificate\u0027s private key to sign forged leaf certificates for arbitrary identities. \u003ctt\u003epublic_key:pkix_path_validation/3\u003c/tt\u003e accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP \u003ctt\u003essl\u003c/tt\u003e application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to \u003ctt\u003epublic_key\u003c/tt\u003e from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Following of a Certificate\u0027s Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery.\n\nIn lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement.\n\nAny party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim\u0027s trust store, can use that certificate\u0027s private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers.\n\nThis issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-475",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-475 Signature Spoofing by Improper Validation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-296",
              "description": "CWE-296 Improper Following of a Certificate\u0027s Chain of Trust",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:46:57.832Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-42789.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42789"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/471cd2f664300a95353c467873800bbe706005db"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/59c8d824386b2eb1614ff9340624843ef6aca0fd"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Non-CA certificate accepted as intermediate issuer in public_key path validation",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The \u003ctt\u003everify_fun\u003c/tt\u003e option in the \u003ctt\u003essl\u003c/tt\u003e or \u003ctt\u003epublic_key\u003c/tt\u003e application can be used to ensure that path validation rejects chains where an intermediate certificate does not have \u003ctt\u003ebasicConstraints cA:true\u003c/tt\u003e."
            }
          ],
          "value": "The verify_fun option in the ssl or public_key application can be used to ensure that path validation rejects chains where an intermediate certificate does not have basicConstraints cA:true."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-42789",
    "datePublished": "2026-05-27T12:23:06.355Z",
    "dateReserved": "2026-04-29T18:06:33.251Z",
    "dateUpdated": "2026-05-27T15:46:57.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47636 (GCVE-0-2026-47636)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47287

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T12:26:03.768190Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T12:26:12.951Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:43.182Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47636"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47636",
    "datePublished": "2026-06-09T17:05:05.831Z",
    "dateReserved": "2026-05-19T20:12:27.070Z",
    "dateUpdated": "2026-06-16T18:17:43.182Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47287 (GCVE-0-2026-47287)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

CWE

CWE-23 - Relative Path Traversal

Summary

Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Visual Studio Code	Version: 1.0.0 < 1.123.2

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45644

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47287",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T18:04:52.851543Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T18:04:59.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:37.305Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Tampering Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47287"
        }
      ],
      "title": "Visual Studio Code Tampering Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47287",
    "datePublished": "2026-06-09T17:04:57.494Z",
    "dateReserved": "2026-05-18T23:53:33.896Z",
    "dateUpdated": "2026-06-16T18:17:37.305Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45644 (GCVE-0-2026-45644)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft Live Share Canvas SDK	Version: 1.0.0 < 1.4.2

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45644",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:42:41.226873Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:43:10.024Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Live Share Canvas SDK",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.4.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:Live_share_canvas:*:SDK:*:*:*:*:*:*",
                  "versionEndExcluding": "1.4.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:18.298Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45644"
        }
      ],
      "title": "Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45644",
    "datePublished": "2026-06-09T17:05:42.550Z",
    "dateReserved": "2026-05-12T20:33:35.156Z",
    "dateUpdated": "2026-06-16T18:18:18.298Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46212 (GCVE-0-2026-46212)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:03

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: prevent use-after-free when deleting claims When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.

References

URL

Tags

	https://git.kernel.org/stable/c/1d4b241482d9025c537afb3c7c8419c72c0e0c82
	https://git.kernel.org/stable/c/a1a99837bb6169cfb9187abaa2005e8f12079426
	https://git.kernel.org/stable/c/b88c865dcf6e9f20bfe66a360d4b62941ef769b8
	https://git.kernel.org/stable/c/368449e467d5f1e2c2e987bf2bd57000ba75e10b
	https://git.kernel.org/stable/c/6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472
	https://git.kernel.org/stable/c/00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401
	https://git.kernel.org/stable/c/0cc9847c64cb6e61118bc78c9187c8209a7197fa
	https://git.kernel.org/stable/c/4ae1709a314060a196981b344610d023ea841e57

Impacted products

Vendor

Product

Version

Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74

Version: 3.5

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bridge_loop_avoidance.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d4b241482d9025c537afb3c7c8419c72c0e0c82",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "a1a99837bb6169cfb9187abaa2005e8f12079426",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "b88c865dcf6e9f20bfe66a360d4b62941ef769b8",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "368449e467d5f1e2c2e987bf2bd57000ba75e10b",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "0cc9847c64cb6e61118bc78c9187c8209a7197fa",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "4ae1709a314060a196981b344610d023ea841e57",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bridge_loop_avoidance.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: prevent use-after-free when deleting claims\n\nWhen batadv_bla_del_backbone_claims() removes all claims for a backbone, it\ndoes this by dropping the link entry in the hash list. This list entry\nitself was one of the references which need to be dropped at the same time\nvia batadv_claim_put().\n\nBut the batadv_claim_put() must not be done before the last access to the\nclaim object in this function. Otherwise the claim might be freed already\nby the batadv_claim_release() function before the list entry was dropped."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:03:07.022Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d4b241482d9025c537afb3c7c8419c72c0e0c82"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1a99837bb6169cfb9187abaa2005e8f12079426"
        },
        {
          "url": "https://git.kernel.org/stable/c/b88c865dcf6e9f20bfe66a360d4b62941ef769b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/368449e467d5f1e2c2e987bf2bd57000ba75e10b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472"
        },
        {
          "url": "https://git.kernel.org/stable/c/00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cc9847c64cb6e61118bc78c9187c8209a7197fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ae1709a314060a196981b344610d023ea841e57"
        }
      ],
      "title": "batman-adv: bla: prevent use-after-free when deleting claims",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46212",
    "datePublished": "2026-05-28T09:40:29.712Z",
    "dateReserved": "2026-05-13T15:03:33.105Z",
    "dateUpdated": "2026-06-14T18:03:07.022Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46160 (GCVE-0-2026-46160)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix missing last_unlink_trans update when removing a directory When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it. Example scenario: mkdir /mnt/dir1 mkdir /mnt/dir1/dir2 mkdir /mnt/dir3 sync -f /mnt # Do some change to the directory and fsync it. chmod 700 /mnt/dir1 xfs_io -c fsync /mnt/dir1 # Move dir2 out of dir1 so that dir1 becomes empty. mv /mnt/dir1/dir2 /mnt/dir3/ open fd on /mnt/dir1 call rmdir(2) on path "/mnt/dir1" fsync fd <trigger power failure> When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following: [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650 [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm [445771.627912] BTRFS info (device dm-0): start tree-log replay [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5 [445771.629453] memcg:ffff89f400351b00 [445771.629892] aops:btree_aops [btrfs] ino:1 [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8 [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00 [445771.635029] page dumped because: eb page dump [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5 [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087 [445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [445771.638097] inode generation 3 transid 9 size 16 nbytes 16384 [445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0 [445771.638100] rdev 0 sequence 2 flags 0x0 [445771.638102] atime 1775744884.0 [445771.660056] ctime 1775744885.645502983 [445771.660058] mtime 1775744885.645502983 [445771.660060] otime 1775744884.0 [445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [445771.660064] index 0 name_len 2 [445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34 [445771.660068] location key (259 1 0) type 2 [445771.660070] transid 9 data_len 0 name_len 4 [445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34 [445771.660076] location key (257 1 0) type 2 [445771.660077] transid 9 data_len 0 name_len 4 [445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [445771.660079] location key (257 1 0) type 2 [445771.660080] transid 9 data_len 0 name_len 4 [445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34 [445771.660082] location key (259 1 0) type 2 [445771.660083] transid 9 data_len 0 name_len 4 [445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160 [445771.660086] inode generation 9 transid 9 size 8 nbytes 0 [445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0 [445771.660088] rdev 0 sequence 2 flags 0x0 [445771.660089] atime 1775744885.641174097 [445771.660090] ctime 1775744885.645502983 [445771.660091] mtime 1775744885.645502983 [445771.660105] otime 1775744885.641174097 [445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14 [445771.660107] index 2 name_len 4 [445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34 [445771.660109] location key (2 ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/cc3c0a0f965754ce230d93ba44ee5b34fbe6138a
	https://git.kernel.org/stable/c/aa9c3ecaf7337df3a689318584f879b5339ede0f
	https://git.kernel.org/stable/c/fb388eb58c1ba047ccabc33901839acfecadcf49
	https://git.kernel.org/stable/c/36fcc2c7517f8a86379154c9793f867592aa8b7e
	https://git.kernel.org/stable/c/999757231c49376cd1a37308d2c8c4c9932571e1

Impacted products

Vendor

Product

Version

Version: 12fcfd22fe5bf4fe74710232098bc101af497995
Version: 12fcfd22fe5bf4fe74710232098bc101af497995
Version: 12fcfd22fe5bf4fe74710232098bc101af497995
Version: 12fcfd22fe5bf4fe74710232098bc101af497995
Version: 12fcfd22fe5bf4fe74710232098bc101af497995

Version: 2.6.30

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cc3c0a0f965754ce230d93ba44ee5b34fbe6138a",
              "status": "affected",
              "version": "12fcfd22fe5bf4fe74710232098bc101af497995",
              "versionType": "git"
            },
            {
              "lessThan": "aa9c3ecaf7337df3a689318584f879b5339ede0f",
              "status": "affected",
              "version": "12fcfd22fe5bf4fe74710232098bc101af497995",
              "versionType": "git"
            },
            {
              "lessThan": "fb388eb58c1ba047ccabc33901839acfecadcf49",
              "status": "affected",
              "version": "12fcfd22fe5bf4fe74710232098bc101af497995",
              "versionType": "git"
            },
            {
              "lessThan": "36fcc2c7517f8a86379154c9793f867592aa8b7e",
              "status": "affected",
              "version": "12fcfd22fe5bf4fe74710232098bc101af497995",
              "versionType": "git"
            },
            {
              "lessThan": "999757231c49376cd1a37308d2c8c4c9932571e1",
              "status": "affected",
              "version": "12fcfd22fe5bf4fe74710232098bc101af497995",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix missing last_unlink_trans update when removing a directory\n\nWhen removing a directory we are not updating its last_unlink_trans field,\nwhich can result in incorrect fsync behaviour in case some one fsyncs the\ndirectory after it was removed because it\u0027s holding a file descriptor on\nit.\n\nExample scenario:\n\n   mkdir /mnt/dir1\n   mkdir /mnt/dir1/dir2\n   mkdir /mnt/dir3\n\n   sync -f /mnt\n\n   # Do some change to the directory and fsync it.\n   chmod 700 /mnt/dir1\n   xfs_io -c fsync /mnt/dir1\n\n   # Move dir2 out of dir1 so that dir1 becomes empty.\n   mv /mnt/dir1/dir2 /mnt/dir3/\n\n   open fd on /mnt/dir1\n   call rmdir(2) on path \"/mnt/dir1\"\n   fsync fd\n\n   \u003ctrigger power failure\u003e\n\nWhen attempting to mount the filesystem, the log replay will fail with\nan -EIO error and dmesg/syslog has the following:\n\n   [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650\n   [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm\n   [445771.627912] BTRFS info (device dm-0): start tree-log replay\n   [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5\n   [445771.629453] memcg:ffff89f400351b00\n   [445771.629892] aops:btree_aops [btrfs] ino:1\n   [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\n   [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8\n   [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00\n   [445771.635029] page dumped because: eb page dump\n   [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir\n   [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5\n   [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087\n   [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\n   [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384\n   [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0\n   [445771.638100] \t\trdev 0 sequence 2 flags 0x0\n   [445771.638102] \t\tatime 1775744884.0\n   [445771.660056] \t\tctime 1775744885.645502983\n   [445771.660058] \t\tmtime 1775744885.645502983\n   [445771.660060] \t\totime 1775744884.0\n   [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\n   [445771.660064] \t\tindex 0 name_len 2\n   [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34\n   [445771.660068] \t\tlocation key (259 1 0) type 2\n   [445771.660070] \t\ttransid 9 data_len 0 name_len 4\n   [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34\n   [445771.660076] \t\tlocation key (257 1 0) type 2\n   [445771.660077] \t\ttransid 9 data_len 0 name_len 4\n   [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\n   [445771.660079] \t\tlocation key (257 1 0) type 2\n   [445771.660080] \t\ttransid 9 data_len 0 name_len 4\n   [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34\n   [445771.660082] \t\tlocation key (259 1 0) type 2\n   [445771.660083] \t\ttransid 9 data_len 0 name_len 4\n   [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160\n   [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0\n   [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0\n   [445771.660088] \t\trdev 0 sequence 2 flags 0x0\n   [445771.660089] \t\tatime 1775744885.641174097\n   [445771.660090] \t\tctime 1775744885.645502983\n   [445771.660091] \t\tmtime 1775744885.645502983\n   [445771.660105] \t\totime 1775744885.641174097\n   [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14\n   [445771.660107] \t\tindex 2 name_len 4\n   [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34\n   [445771.660109] \t\tlocation key (2\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:59:02.851Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cc3c0a0f965754ce230d93ba44ee5b34fbe6138a"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa9c3ecaf7337df3a689318584f879b5339ede0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb388eb58c1ba047ccabc33901839acfecadcf49"
        },
        {
          "url": "https://git.kernel.org/stable/c/36fcc2c7517f8a86379154c9793f867592aa8b7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/999757231c49376cd1a37308d2c8c4c9932571e1"
        }
      ],
      "title": "btrfs: fix missing last_unlink_trans update when removing a directory",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46160",
    "datePublished": "2026-05-28T09:36:15.580Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:59:02.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45998 (GCVE-0-2026-45998)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skb_unshare() failure If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops. Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

References

URL

Tags

	https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c
	https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495
	https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd
	https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd
	https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8

Impacted products

Vendor

Product

Version

Version: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319
Version: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319
Version: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319
Version: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319
Version: 2d1faf7a0ca3c0b327cf064c80e4e775532c9319

Version: 6.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/rxrpc.h",
            "net/rxrpc/ar-internal.h",
            "net/rxrpc/call_event.c",
            "net/rxrpc/io_thread.c",
            "net/rxrpc/skbuff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e3bf143b1e98fb3d6d9e6825bcd683974d478e8c",
              "status": "affected",
              "version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
              "versionType": "git"
            },
            {
              "lessThan": "bf20f46d94f1db38e6ffc0ca204a5fe0de01b495",
              "status": "affected",
              "version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
              "versionType": "git"
            },
            {
              "lessThan": "996b0487b3cdda4c91811dbb1c9564626bc840bd",
              "status": "affected",
              "version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
              "versionType": "git"
            },
            {
              "lessThan": "8fde6296c4d4da2be7ab761305ab7f232b94eefd",
              "status": "affected",
              "version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
              "versionType": "git"
            },
            {
              "lessThan": "1f2740150f904bfa60e4bad74d65add3ccb5e7f8",
              "status": "affected",
              "version": "2d1faf7a0ca3c0b327cf064c80e4e775532c9319",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/rxrpc.h",
            "net/rxrpc/ar-internal.h",
            "net/rxrpc/call_event.c",
            "net/rxrpc/io_thread.c",
            "net/rxrpc/skbuff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix potential UAF after skb_unshare() failure\n\nIf skb_unshare() fails to unshare a packet due to allocation failure in\nrxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())\nwill be NULL\u0027d out.  This will likely cause the call to\ntrace_rxrpc_rx_done() to oops.\n\nFix this by moving the unsharing down to where rxrpc_input_call_event()\ncalls rxrpc_input_call_packet().  There are a number of places prior to\nthat where we ignore DATA packets for a variety of reasons (such as the\ncall already being complete) for which an unshare is then avoided.\n\nAnd with that, rxrpc_input_packet() doesn\u0027t need to take a pointer to the\npointer to the packet, so change that to just a pointer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:06.713Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495"
        },
        {
          "url": "https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8"
        }
      ],
      "title": "rxrpc: Fix potential UAF after skb_unshare() failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45998",
    "datePublished": "2026-05-27T12:55:52.756Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:06.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46189 (GCVE-0-2026-46189)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

References

URL

Tags

	https://git.kernel.org/stable/c/269967d7693304e1f06ed2dff4ebbbeeb397cda4
	https://git.kernel.org/stable/c/1df5711121cdc11e76b889408fdbe459feba1d39
	https://git.kernel.org/stable/c/3a231c34c5bc3d3cfc850b877758ec9fdaa8a483
	https://git.kernel.org/stable/c/ecc36a82ecfcfdf3c6606d209f22ec5543c410e0
	https://git.kernel.org/stable/c/45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0
	https://git.kernel.org/stable/c/0c63333ff97bd1275294fd12840a0efe9d7a4c59
	https://git.kernel.org/stable/c/935ee27d0904aa944cbcc979094c20e5ef62eead
	https://git.kernel.org/stable/c/e38e86995df27f1f854063dab1f0c6a513db3faf

Impacted products

Vendor

Product

Version

Version: 29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1
Version: 29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1
Version: 29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1
Version: 29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1
Version: 29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1
Version: 29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1
Version: 29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1
Version: 29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1

Version: 4.10

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45476

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "269967d7693304e1f06ed2dff4ebbbeeb397cda4",
              "status": "affected",
              "version": "29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1",
              "versionType": "git"
            },
            {
              "lessThan": "1df5711121cdc11e76b889408fdbe459feba1d39",
              "status": "affected",
              "version": "29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1",
              "versionType": "git"
            },
            {
              "lessThan": "3a231c34c5bc3d3cfc850b877758ec9fdaa8a483",
              "status": "affected",
              "version": "29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1",
              "versionType": "git"
            },
            {
              "lessThan": "ecc36a82ecfcfdf3c6606d209f22ec5543c410e0",
              "status": "affected",
              "version": "29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1",
              "versionType": "git"
            },
            {
              "lessThan": "45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0",
              "status": "affected",
              "version": "29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1",
              "versionType": "git"
            },
            {
              "lessThan": "0c63333ff97bd1275294fd12840a0efe9d7a4c59",
              "status": "affected",
              "version": "29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1",
              "versionType": "git"
            },
            {
              "lessThan": "935ee27d0904aa944cbcc979094c20e5ef62eead",
              "status": "affected",
              "version": "29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1",
              "versionType": "git"
            },
            {
              "lessThan": "e38e86995df27f1f854063dab1f0c6a513db3faf",
              "status": "affected",
              "version": "29c8d9eba550c6d73d17cc1618a9f5f2a7345aa1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path\n\nSashiko points out that pvrdma_uar_free() is already called within\npvrdma_dealloc_ucontext(), so calling it before triggers a double free."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:23.441Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/269967d7693304e1f06ed2dff4ebbbeeb397cda4"
        },
        {
          "url": "https://git.kernel.org/stable/c/1df5711121cdc11e76b889408fdbe459feba1d39"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a231c34c5bc3d3cfc850b877758ec9fdaa8a483"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecc36a82ecfcfdf3c6606d209f22ec5543c410e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c63333ff97bd1275294fd12840a0efe9d7a4c59"
        },
        {
          "url": "https://git.kernel.org/stable/c/935ee27d0904aa944cbcc979094c20e5ef62eead"
        },
        {
          "url": "https://git.kernel.org/stable/c/e38e86995df27f1f854063dab1f0c6a513db3faf"
        }
      ],
      "title": "RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46189",
    "datePublished": "2026-05-28T09:36:43.205Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:01:23.441Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45476 (GCVE-0-2026-45476)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-416 - Use After Free

Summary

Use after free in Linux MANA Driver allows an authorized attacker to elevate privileges locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Linux kernel - Microsoft MANA Network Driver	Version: 1.0.0 < 7.1

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45482

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45476",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:37.665620Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:20:09.003Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Linux kernel - Microsoft MANA Network Driver",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:linux_kernel_mana_network_driver:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Use after free in Linux MANA Driver allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:05.573Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Azure Network Adapter Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45476"
        }
      ],
      "title": "Microsoft Azure Network Adapter Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45476",
    "datePublished": "2026-06-09T17:05:27.647Z",
    "dateReserved": "2026-05-12T16:06:43.100Z",
    "dateUpdated": "2026-06-16T18:18:05.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45482 (GCVE-0-2026-45482)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

Improper limitation of a pathname to a restricted directory ('path traversal') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft Visual Studio Code CoPilot Chat Extension	Version: 0.27.0 < 1.123.2

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47292

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45482",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:00.449616Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:19:54.786Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Visual Studio Code CoPilot Chat Extension",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "0.27.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code_copilot_chat_extension:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "0.27.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper limitation of a pathname to a restricted directory (\u0027path traversal\u0027) in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:06.165Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45482"
        }
      ],
      "title": "Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45482",
    "datePublished": "2026-06-09T17:05:28.201Z",
    "dateReserved": "2026-05-12T16:07:22.617Z",
    "dateUpdated": "2026-06-16T18:18:06.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47292 (GCVE-0-2026-47292)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Visual Studio Code - MSSQL Extension	Version: 1.0.0 < 1.123.2

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47292",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:50.382011Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:25:57.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code - MSSQL Extension",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code_mssql_extension:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:39.367Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47292"
        }
      ],
      "title": "Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47292",
    "datePublished": "2026-06-09T17:04:59.894Z",
    "dateReserved": "2026-05-18T23:53:33.897Z",
    "dateUpdated": "2026-06-16T18:17:39.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46019 (GCVE-0-2026-46019)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the first page using free_page(), leaking the remaining 3 pages. Use free_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak.

References

URL

Tags

	https://git.kernel.org/stable/c/de6952e0af2acbada900d742437e848285c01d11
	https://git.kernel.org/stable/c/5ad40cde96d603a88d68f8ed59f6d36407ab1f3c
	https://git.kernel.org/stable/c/03e00aafa5f747d07811589e8d5fee638245431b
	https://git.kernel.org/stable/c/b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca
	https://git.kernel.org/stable/c/65b3589d39d05699c3850202f8333e5361033ea3
	https://git.kernel.org/stable/c/61516b4a5b2647dc3f8f67b5dffaf038be997511
	https://git.kernel.org/stable/c/230ad8a78fe67266b1ba4685da1abdd61471c5b8
	https://git.kernel.org/stable/c/3fcfff4ed35f963380a68741bcd52742baff7f76

Impacted products

Vendor

Product

Version

Version: bbe628ed897d728d38c4035381d12b2f308fac6f
Version: bbe628ed897d728d38c4035381d12b2f308fac6f
Version: bbe628ed897d728d38c4035381d12b2f308fac6f
Version: bbe628ed897d728d38c4035381d12b2f308fac6f
Version: bbe628ed897d728d38c4035381d12b2f308fac6f
Version: bbe628ed897d728d38c4035381d12b2f308fac6f
Version: bbe628ed897d728d38c4035381d12b2f308fac6f
Version: bbe628ed897d728d38c4035381d12b2f308fac6f

Version: 4.5

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/atmel-aes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "de6952e0af2acbada900d742437e848285c01d11",
              "status": "affected",
              "version": "bbe628ed897d728d38c4035381d12b2f308fac6f",
              "versionType": "git"
            },
            {
              "lessThan": "5ad40cde96d603a88d68f8ed59f6d36407ab1f3c",
              "status": "affected",
              "version": "bbe628ed897d728d38c4035381d12b2f308fac6f",
              "versionType": "git"
            },
            {
              "lessThan": "03e00aafa5f747d07811589e8d5fee638245431b",
              "status": "affected",
              "version": "bbe628ed897d728d38c4035381d12b2f308fac6f",
              "versionType": "git"
            },
            {
              "lessThan": "b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca",
              "status": "affected",
              "version": "bbe628ed897d728d38c4035381d12b2f308fac6f",
              "versionType": "git"
            },
            {
              "lessThan": "65b3589d39d05699c3850202f8333e5361033ea3",
              "status": "affected",
              "version": "bbe628ed897d728d38c4035381d12b2f308fac6f",
              "versionType": "git"
            },
            {
              "lessThan": "61516b4a5b2647dc3f8f67b5dffaf038be997511",
              "status": "affected",
              "version": "bbe628ed897d728d38c4035381d12b2f308fac6f",
              "versionType": "git"
            },
            {
              "lessThan": "230ad8a78fe67266b1ba4685da1abdd61471c5b8",
              "status": "affected",
              "version": "bbe628ed897d728d38c4035381d12b2f308fac6f",
              "versionType": "git"
            },
            {
              "lessThan": "3fcfff4ed35f963380a68741bcd52742baff7f76",
              "status": "affected",
              "version": "bbe628ed897d728d38c4035381d12b2f308fac6f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/atmel-aes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup\n\natmel_aes_buff_init() allocates 4 pages using __get_free_pages() with\nATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the\nfirst page using free_page(), leaking the remaining 3 pages. Use\nfree_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:21.711Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/de6952e0af2acbada900d742437e848285c01d11"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ad40cde96d603a88d68f8ed59f6d36407ab1f3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/03e00aafa5f747d07811589e8d5fee638245431b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca"
        },
        {
          "url": "https://git.kernel.org/stable/c/65b3589d39d05699c3850202f8333e5361033ea3"
        },
        {
          "url": "https://git.kernel.org/stable/c/61516b4a5b2647dc3f8f67b5dffaf038be997511"
        },
        {
          "url": "https://git.kernel.org/stable/c/230ad8a78fe67266b1ba4685da1abdd61471c5b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fcfff4ed35f963380a68741bcd52742baff7f76"
        }
      ],
      "title": "crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46019",
    "datePublished": "2026-05-27T12:56:21.100Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:48:21.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46083 (GCVE-0-2026-46083)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: fix resource leaks on device setup failure Make sure to call controller cleanup() if spi_setup() fails while registering a device to avoid leaking any resources allocated by setup().

References

URL

Tags

	https://git.kernel.org/stable/c/a2c817c629430fbbd54273525b472dac96e2c8fd
	https://git.kernel.org/stable/c/1e774294b2f944f59e03a04eb438768a4b93c3ce
	https://git.kernel.org/stable/c/11baa8b24bcb07ae2048f2566a220021d766abe0
	https://git.kernel.org/stable/c/dbcead54b12468d9aa54c0e1f0042d838ec3b0ae
	https://git.kernel.org/stable/c/db357034f7e0cf23f233f414a8508312dfe8fbbe

Impacted products

Vendor

Product

Version

Version: c7299fea67696db5bd09d924d1f1080d894f92ef
Version: c7299fea67696db5bd09d924d1f1080d894f92ef
Version: c7299fea67696db5bd09d924d1f1080d894f92ef
Version: c7299fea67696db5bd09d924d1f1080d894f92ef
Version: c7299fea67696db5bd09d924d1f1080d894f92ef
Version: 3e7c190475d98099231ee8ae486d31b1e2e7535a
Version: 4b8b7bc3a726268e5c15d9bafe27863a85fdfc8e
Version: e92ac9263b06c39f05526ad15c90d228cdab60fd
Version: 5.4.126   ≤
Version: 5.10.44   ≤
Version: 5.12.11   ≤

Version: 5.13

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50512

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a2c817c629430fbbd54273525b472dac96e2c8fd",
              "status": "affected",
              "version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
              "versionType": "git"
            },
            {
              "lessThan": "1e774294b2f944f59e03a04eb438768a4b93c3ce",
              "status": "affected",
              "version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
              "versionType": "git"
            },
            {
              "lessThan": "11baa8b24bcb07ae2048f2566a220021d766abe0",
              "status": "affected",
              "version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
              "versionType": "git"
            },
            {
              "lessThan": "dbcead54b12468d9aa54c0e1f0042d838ec3b0ae",
              "status": "affected",
              "version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
              "versionType": "git"
            },
            {
              "lessThan": "db357034f7e0cf23f233f414a8508312dfe8fbbe",
              "status": "affected",
              "version": "c7299fea67696db5bd09d924d1f1080d894f92ef",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3e7c190475d98099231ee8ae486d31b1e2e7535a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4b8b7bc3a726268e5c15d9bafe27863a85fdfc8e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e92ac9263b06c39f05526ad15c90d228cdab60fd",
              "versionType": "git"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.126",
              "versionType": "semver"
            },
            {
              "lessThan": "5.11",
              "status": "affected",
              "version": "5.10.44",
              "versionType": "semver"
            },
            {
              "lessThan": "5.13",
              "status": "affected",
              "version": "5.12.11",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.126",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix resource leaks on device setup failure\n\nMake sure to call controller cleanup() if spi_setup() fails while\nregistering a device to avoid leaking any resources allocated by\nsetup()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:05.346Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a2c817c629430fbbd54273525b472dac96e2c8fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e774294b2f944f59e03a04eb438768a4b93c3ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/11baa8b24bcb07ae2048f2566a220021d766abe0"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbcead54b12468d9aa54c0e1f0042d838ec3b0ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/db357034f7e0cf23f233f414a8508312dfe8fbbe"
        }
      ],
      "title": "spi: fix resource leaks on device setup failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46083",
    "datePublished": "2026-05-27T12:58:23.376Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:53:05.346Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-50512 (GCVE-0-2026-50512)

Vulnerability from cvelistv5

Published

2026-06-09 17:36

Modified

2026-06-16 18:18

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-306 - Missing Authentication for Critical Function

Summary

Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft PC Manager	Version: 1.0.0 < 3.21.6.0

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50512",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:43:26.702843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:43:41.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft PC Manager",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "3.21.6.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:pc_manager:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.21.6.0",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft PC Manager allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:31.259Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft PC Manager Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50512"
        }
      ],
      "title": "Microsoft PC Manager Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-50512",
    "datePublished": "2026-06-09T17:36:32.880Z",
    "dateReserved": "2026-06-04T19:00:41.292Z",
    "dateUpdated": "2026-06-16T18:18:31.259Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46088 (GCVE-0-2026-46088)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0). While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined. Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer. Found by kernel fuzz testing through Xiaomi Smartphone.

References

URL

Tags

	https://git.kernel.org/stable/c/708f6ec9bcdf58bfd561409110baaf4fd3be4ea3
	https://git.kernel.org/stable/c/bfcbb4994da9e979c4bcfcf24aaaac69e457e48e
	https://git.kernel.org/stable/c/a470f7cabc4df72d9bd132f5719a8717292bb440
	https://git.kernel.org/stable/c/1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0
	https://git.kernel.org/stable/c/8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e
	https://git.kernel.org/stable/c/654c818a69c21d2bea4e8fd9eae7da865df9a5c8
	https://git.kernel.org/stable/c/82012fd3e78a14360fbc2f1a7491589896704f97
	https://git.kernel.org/stable/c/e0da8a8cac74f4b9f577979d131f0d2b88a84487

Impacted products

Vendor

Product

Version

Version: 8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4
Version: 8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4
Version: 8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4
Version: 8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4
Version: 8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4
Version: 8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4
Version: 8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4
Version: 8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4

Version: 3.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/core/control.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "708f6ec9bcdf58bfd561409110baaf4fd3be4ea3",
              "status": "affected",
              "version": "8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4",
              "versionType": "git"
            },
            {
              "lessThan": "bfcbb4994da9e979c4bcfcf24aaaac69e457e48e",
              "status": "affected",
              "version": "8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4",
              "versionType": "git"
            },
            {
              "lessThan": "a470f7cabc4df72d9bd132f5719a8717292bb440",
              "status": "affected",
              "version": "8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4",
              "versionType": "git"
            },
            {
              "lessThan": "1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0",
              "status": "affected",
              "version": "8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4",
              "versionType": "git"
            },
            {
              "lessThan": "8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e",
              "status": "affected",
              "version": "8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4",
              "versionType": "git"
            },
            {
              "lessThan": "654c818a69c21d2bea4e8fd9eae7da865df9a5c8",
              "status": "affected",
              "version": "8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4",
              "versionType": "git"
            },
            {
              "lessThan": "82012fd3e78a14360fbc2f1a7491589896704f97",
              "status": "affected",
              "version": "8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4",
              "versionType": "git"
            },
            {
              "lessThan": "e0da8a8cac74f4b9f577979d131f0d2b88a84487",
              "status": "affected",
              "version": "8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/core/control.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()\n\nsnd_ctl_elem_init_enum_names() advances pointer p through the names\nbuffer while decrementing buf_len. If buf_len reaches zero but items\nremain, the next iteration calls strnlen(p, 0).\n\nWhile strnlen(p, 0) returns 0 and would hit the existing name_len == 0\nerror path, CONFIG_FORTIFY_SOURCE\u0027s fortified strnlen() first checks\nmaxlen against __builtin_dynamic_object_size(). When Clang loses track\nof p\u0027s object size inside the loop, this triggers a BRK exception panic\nbefore the return value is examined.\n\nAdd a buf_len == 0 guard at the loop entry to prevent calling fortified\nstrnlen() on an exhausted buffer.\n\nFound by kernel fuzz testing through Xiaomi Smartphone."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:28.015Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/708f6ec9bcdf58bfd561409110baaf4fd3be4ea3"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfcbb4994da9e979c4bcfcf24aaaac69e457e48e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a470f7cabc4df72d9bd132f5719a8717292bb440"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/654c818a69c21d2bea4e8fd9eae7da865df9a5c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/82012fd3e78a14360fbc2f1a7491589896704f97"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0da8a8cac74f4b9f577979d131f0d2b88a84487"
        }
      ],
      "title": "ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46088",
    "datePublished": "2026-05-27T12:58:31.895Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:53:28.015Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46098 (GCVE-0-2026-46098)

Vulnerability from cvelistv5

Published

2026-05-27 12:59

Modified

2026-06-14 17:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless.

References

URL

Tags

	https://git.kernel.org/stable/c/cffca7a18b8f9de7c3d3013a1f5740c412b2a501
	https://git.kernel.org/stable/c/7ef97d4675b05a103648bd9244d91dff7d8c08b0
	https://git.kernel.org/stable/c/e16859f3f4426fa349bc5519d582a93d28f5a15d
	https://git.kernel.org/stable/c/914c6456fcfc21a3d553945dff62fd1621d6155d
	https://git.kernel.org/stable/c/3ac6db584d9d420267bb8413115707eeec76d9cf
	https://git.kernel.org/stable/c/63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9
	https://git.kernel.org/stable/c/a4b191ddc12c55ddb62feb096536f819f384d6f1
	https://git.kernel.org/stable/c/f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8

Impacted products

Vendor

Product

Version

Version: 43e3692101086add8719c3b8b50b05c9ac5b14e1
Version: 43e3692101086add8719c3b8b50b05c9ac5b14e1
Version: 43e3692101086add8719c3b8b50b05c9ac5b14e1
Version: 43e3692101086add8719c3b8b50b05c9ac5b14e1
Version: 43e3692101086add8719c3b8b50b05c9ac5b14e1
Version: 43e3692101086add8719c3b8b50b05c9ac5b14e1
Version: 43e3692101086add8719c3b8b50b05c9ac5b14e1
Version: 43e3692101086add8719c3b8b50b05c9ac5b14e1

Version: 3.0

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/caif/cfsrvl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cffca7a18b8f9de7c3d3013a1f5740c412b2a501",
              "status": "affected",
              "version": "43e3692101086add8719c3b8b50b05c9ac5b14e1",
              "versionType": "git"
            },
            {
              "lessThan": "7ef97d4675b05a103648bd9244d91dff7d8c08b0",
              "status": "affected",
              "version": "43e3692101086add8719c3b8b50b05c9ac5b14e1",
              "versionType": "git"
            },
            {
              "lessThan": "e16859f3f4426fa349bc5519d582a93d28f5a15d",
              "status": "affected",
              "version": "43e3692101086add8719c3b8b50b05c9ac5b14e1",
              "versionType": "git"
            },
            {
              "lessThan": "914c6456fcfc21a3d553945dff62fd1621d6155d",
              "status": "affected",
              "version": "43e3692101086add8719c3b8b50b05c9ac5b14e1",
              "versionType": "git"
            },
            {
              "lessThan": "3ac6db584d9d420267bb8413115707eeec76d9cf",
              "status": "affected",
              "version": "43e3692101086add8719c3b8b50b05c9ac5b14e1",
              "versionType": "git"
            },
            {
              "lessThan": "63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9",
              "status": "affected",
              "version": "43e3692101086add8719c3b8b50b05c9ac5b14e1",
              "versionType": "git"
            },
            {
              "lessThan": "a4b191ddc12c55ddb62feb096536f819f384d6f1",
              "status": "affected",
              "version": "43e3692101086add8719c3b8b50b05c9ac5b14e1",
              "versionType": "git"
            },
            {
              "lessThan": "f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8",
              "status": "affected",
              "version": "43e3692101086add8719c3b8b50b05c9ac5b14e1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/caif/cfsrvl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: clear client service pointer on teardown\n\n`caif_connect()` can tear down an existing client after remote shutdown by\ncalling `caif_disconnect_client()` followed by `caif_free_client()`.\n`caif_free_client()` releases the service layer referenced by\n`adap_layer-\u003edn`, but leaves that pointer stale.\n\nWhen the socket is later destroyed, `caif_sock_destructor()` calls\n`caif_free_client()` again and dereferences the freed service pointer.\n\nClear the client/service links before releasing the service object so\nrepeated teardown becomes harmless."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:54:16.006Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cffca7a18b8f9de7c3d3013a1f5740c412b2a501"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ef97d4675b05a103648bd9244d91dff7d8c08b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e16859f3f4426fa349bc5519d582a93d28f5a15d"
        },
        {
          "url": "https://git.kernel.org/stable/c/914c6456fcfc21a3d553945dff62fd1621d6155d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ac6db584d9d420267bb8413115707eeec76d9cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4b191ddc12c55ddb62feb096536f819f384d6f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8"
        }
      ],
      "title": "net: caif: clear client service pointer on teardown",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46098",
    "datePublished": "2026-05-27T12:59:02.308Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-06-14T17:54:16.006Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46199 (GCVE-0-2026-46199)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:02

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg Check bounds against the end of the BO whenever we access the msg.

References

URL

Tags

	https://git.kernel.org/stable/c/88411caee8f576d6b5abf6531232fcc0ce756dc5
	https://git.kernel.org/stable/c/c72a8b4dc6d598e3831ef3abd9c6527dfbf4810e
	https://git.kernel.org/stable/c/7688143ca62edeecacb3ba0a2cea129dbd262a18
	https://git.kernel.org/stable/c/63b51e8a9d54317d31cc3856c1e12407070d5fc2
	https://git.kernel.org/stable/c/3c817a60b09eaab926e475088e750936efcc95ae
	https://git.kernel.org/stable/c/0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648

Impacted products

Vendor

Product

Version

Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44
Version: 87cc7f9ebf7ce10f82250002d667ef3e93a79d44

Version: 5.13

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45504

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "88411caee8f576d6b5abf6531232fcc0ce756dc5",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "c72a8b4dc6d598e3831ef3abd9c6527dfbf4810e",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "7688143ca62edeecacb3ba0a2cea129dbd262a18",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "63b51e8a9d54317d31cc3856c1e12407070d5fc2",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "3c817a60b09eaab926e475088e750936efcc95ae",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            },
            {
              "lessThan": "0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648",
              "status": "affected",
              "version": "87cc7f9ebf7ce10f82250002d667ef3e93a79d44",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg\n\nCheck bounds against the end of the BO whenever we access the msg."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:02:09.201Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/88411caee8f576d6b5abf6531232fcc0ce756dc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c72a8b4dc6d598e3831ef3abd9c6527dfbf4810e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7688143ca62edeecacb3ba0a2cea129dbd262a18"
        },
        {
          "url": "https://git.kernel.org/stable/c/63b51e8a9d54317d31cc3856c1e12407070d5fc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c817a60b09eaab926e475088e750936efcc95ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648"
        }
      ],
      "title": "drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46199",
    "datePublished": "2026-05-28T09:40:16.061Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:02:09.201Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45504 (GCVE-0-2026-45504)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Microsoft Exchange Server 2016 Cumulative Update 23

Version: 15.01.0.0 < 15.01.2507.069

Microsoft	Microsoft Exchange Server 2019 Cumulative Update 14	Version: 15.02.0.0 < 15.02.1544.041
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 15	Version: 15.02.0.0 < 15.02.1748.046
Microsoft	Microsoft Exchange Server Subscription Edition RTM	Version: 15.02.0.0 < 15.02.2562.043

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44821

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45504",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:56:08.420862Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:28:57.856Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.069",
              "status": "affected",
              "version": "15.01.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 14",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1544.041",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 15",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1748.046",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server Subscription Edition RTM",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.2562.043",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.2562.043",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1748.046",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.069",
                  "versionStartIncluding": "15.01.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1544.041",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:26.992Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45504"
        }
      ],
      "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45504",
    "datePublished": "2026-06-09T17:04:47.304Z",
    "dateReserved": "2026-05-12T16:07:22.619Z",
    "dateUpdated": "2026-06-16T18:17:26.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44821 (GCVE-0-2026-44821)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

CWE

CWE-125 - Out-of-bounds Read

Summary

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

Microsoft	Microsoft Office 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office 365 for Mac	Version: -
Microsoft	Microsoft Office LTSC 2021	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC 2024	Version: 16.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC for Mac 2021	Version: -
Microsoft	Microsoft Office LTSC for Mac 2024	Version: -
Microsoft	Microsoft SharePoint Enterprise Server 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44821",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:49:48.690924Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:49:58.458Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office 365 for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:17.780Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Office Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44821"
        }
      ],
      "title": "Microsoft Office Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-44821",
    "datePublished": "2026-06-09T17:04:34.172Z",
    "dateReserved": "2026-05-07T20:07:18.272Z",
    "dateUpdated": "2026-06-16T18:17:17.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46068 (GCVE-0-2026-46068)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:51

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx The bounce buffers are allocated with __get_free_pages() using BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error path and nx842_crypto_free_ctx() release the buffers with free_page(). Use free_pages() with the matching order instead.

References

URL

Tags

	https://git.kernel.org/stable/c/f17a4850d1ce7c11cba8b1830b9bfedfede878bb
	https://git.kernel.org/stable/c/910bb34b801d39794e656f7d48414844b2bd354e
	https://git.kernel.org/stable/c/5c07962fed66e1238fad7635fa150570bd38b4c5
	https://git.kernel.org/stable/c/80fd99d7c30ea889662d21f1b44d8fea4c83138d
	https://git.kernel.org/stable/c/adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c

Impacted products

Vendor

Product

Version

Version: ed70b479c2c0b6e1319f0cb2de19f1051be219a4
Version: ed70b479c2c0b6e1319f0cb2de19f1051be219a4
Version: ed70b479c2c0b6e1319f0cb2de19f1051be219a4
Version: ed70b479c2c0b6e1319f0cb2de19f1051be219a4
Version: ed70b479c2c0b6e1319f0cb2de19f1051be219a4

Version: 4.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/nx/nx-842.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f17a4850d1ce7c11cba8b1830b9bfedfede878bb",
              "status": "affected",
              "version": "ed70b479c2c0b6e1319f0cb2de19f1051be219a4",
              "versionType": "git"
            },
            {
              "lessThan": "910bb34b801d39794e656f7d48414844b2bd354e",
              "status": "affected",
              "version": "ed70b479c2c0b6e1319f0cb2de19f1051be219a4",
              "versionType": "git"
            },
            {
              "lessThan": "5c07962fed66e1238fad7635fa150570bd38b4c5",
              "status": "affected",
              "version": "ed70b479c2c0b6e1319f0cb2de19f1051be219a4",
              "versionType": "git"
            },
            {
              "lessThan": "80fd99d7c30ea889662d21f1b44d8fea4c83138d",
              "status": "affected",
              "version": "ed70b479c2c0b6e1319f0cb2de19f1051be219a4",
              "versionType": "git"
            },
            {
              "lessThan": "adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c",
              "status": "affected",
              "version": "ed70b479c2c0b6e1319f0cb2de19f1051be219a4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/nx/nx-842.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx\n\nThe bounce buffers are allocated with __get_free_pages() using\nBOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error\npath and nx842_crypto_free_ctx() release the buffers with free_page().\nUse free_pages() with the matching order instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:51:58.785Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f17a4850d1ce7c11cba8b1830b9bfedfede878bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/910bb34b801d39794e656f7d48414844b2bd354e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c07962fed66e1238fad7635fa150570bd38b4c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/80fd99d7c30ea889662d21f1b44d8fea4c83138d"
        },
        {
          "url": "https://git.kernel.org/stable/c/adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c"
        }
      ],
      "title": "crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46068",
    "datePublished": "2026-05-27T12:57:48.457Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:51:58.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46146 (GCVE-0-2026-46146)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor. Add a proper size check to abort the loop for plugging the hole.

References

URL

Tags

	https://git.kernel.org/stable/c/076d5d13eb9c1ad259a7f246149f6676c62285f9
	https://git.kernel.org/stable/c/316aa0b1e3c5600eae5ab876394c1ac70e6db581
	https://git.kernel.org/stable/c/24a40df79307ca7ca0eec0889361cf6ac146d72a
	https://git.kernel.org/stable/c/e0e3dcf48189603f3865f1a0b799b3b42baae96d
	https://git.kernel.org/stable/c/4e0ee232ebe3df04874125d7c7f3e6c25ea5483d
	https://git.kernel.org/stable/c/be09b47ed8677d76962e3240c145502e2ad9f3c8
	https://git.kernel.org/stable/c/fa5b19ce69067874b1413f3c2027563bae8c2cb3
	https://git.kernel.org/stable/c/6e7247d8f5fefeceb0bb9cc80a5388a636b219cd

Impacted products

Vendor

Product

Version

Version: 786571b10b1ae6d90e1242848ce78ee7e1d493c4
Version: 275e37532e8ebe25e8a4069b2d9f955bfd202a46
Version: 47ab3d820cb0a502bd0074f83bb3cf7ab5d79902
Version: 1034719fdefd26caeec0a44a868bb5a412c2c1a5
Version: ae17b3b5e753efc239421d186cd1ff06e5ac296e
Version: ecfd41166b72b67d3bdeb88d224ff445f6163869
Version: ecfd41166b72b67d3bdeb88d224ff445f6163869
Version: ecfd41166b72b67d3bdeb88d224ff445f6163869
Version: 799c06ad4c9c790c265e8b6b94947213f1fb389c
Version: dfdcbcde5c20df878178245d4449feada7d5b201
Version: 7ef3fd250f84494fb2f7871f357808edaa1fc6ce
Version: 5.10.241   ≤
Version: 5.15.190   ≤
Version: 6.1.149   ≤
Version: 6.6.103   ≤
Version: 6.12.43   ≤
Version: 5.4.297   ≤
Version: 6.15.11   ≤
Version: 6.16.2   ≤

Version: 6.17

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/stream.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "076d5d13eb9c1ad259a7f246149f6676c62285f9",
              "status": "affected",
              "version": "786571b10b1ae6d90e1242848ce78ee7e1d493c4",
              "versionType": "git"
            },
            {
              "lessThan": "316aa0b1e3c5600eae5ab876394c1ac70e6db581",
              "status": "affected",
              "version": "275e37532e8ebe25e8a4069b2d9f955bfd202a46",
              "versionType": "git"
            },
            {
              "lessThan": "24a40df79307ca7ca0eec0889361cf6ac146d72a",
              "status": "affected",
              "version": "47ab3d820cb0a502bd0074f83bb3cf7ab5d79902",
              "versionType": "git"
            },
            {
              "lessThan": "e0e3dcf48189603f3865f1a0b799b3b42baae96d",
              "status": "affected",
              "version": "1034719fdefd26caeec0a44a868bb5a412c2c1a5",
              "versionType": "git"
            },
            {
              "lessThan": "4e0ee232ebe3df04874125d7c7f3e6c25ea5483d",
              "status": "affected",
              "version": "ae17b3b5e753efc239421d186cd1ff06e5ac296e",
              "versionType": "git"
            },
            {
              "lessThan": "be09b47ed8677d76962e3240c145502e2ad9f3c8",
              "status": "affected",
              "version": "ecfd41166b72b67d3bdeb88d224ff445f6163869",
              "versionType": "git"
            },
            {
              "lessThan": "fa5b19ce69067874b1413f3c2027563bae8c2cb3",
              "status": "affected",
              "version": "ecfd41166b72b67d3bdeb88d224ff445f6163869",
              "versionType": "git"
            },
            {
              "lessThan": "6e7247d8f5fefeceb0bb9cc80a5388a636b219cd",
              "status": "affected",
              "version": "ecfd41166b72b67d3bdeb88d224ff445f6163869",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "799c06ad4c9c790c265e8b6b94947213f1fb389c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dfdcbcde5c20df878178245d4449feada7d5b201",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7ef3fd250f84494fb2f7871f357808edaa1fc6ce",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.258",
              "status": "affected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.209",
              "status": "affected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.88",
              "status": "affected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThan": "6.16",
              "status": "affected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThan": "6.17",
              "status": "affected",
              "version": "6.16.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/stream.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.10.241",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15.190",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.149",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.12.43",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.297",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.15.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()\n\nThe convert_chmap_v3() has a loop with its increment size of\ncs_desc-\u003ewLength, but we forgot to validate cs_desc-\u003ewLength itself,\nwhich may lead to potential endless loop by a malformed descriptor.\n\nAdd a proper size check to abort the loop for plugging the hole."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:57:58.491Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/076d5d13eb9c1ad259a7f246149f6676c62285f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/316aa0b1e3c5600eae5ab876394c1ac70e6db581"
        },
        {
          "url": "https://git.kernel.org/stable/c/24a40df79307ca7ca0eec0889361cf6ac146d72a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0e3dcf48189603f3865f1a0b799b3b42baae96d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e0ee232ebe3df04874125d7c7f3e6c25ea5483d"
        },
        {
          "url": "https://git.kernel.org/stable/c/be09b47ed8677d76962e3240c145502e2ad9f3c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa5b19ce69067874b1413f3c2027563bae8c2cb3"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e7247d8f5fefeceb0bb9cc80a5388a636b219cd"
        }
      ],
      "title": "ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46146",
    "datePublished": "2026-05-28T09:36:02.794Z",
    "dateReserved": "2026-05-13T15:03:33.100Z",
    "dateUpdated": "2026-06-14T17:57:58.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46178 (GCVE-0-2026-46178)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:00

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().

References

URL

Tags

	https://git.kernel.org/stable/c/53fd4c03558672ccb167754fbacbf045c7ab335c
	https://git.kernel.org/stable/c/0be6ae614ca7fa53e7389e3c7462ed20abbd4192
	https://git.kernel.org/stable/c/5b3b220d54e6a3d77380cb7caa1ef79cb8f4fc94
	https://git.kernel.org/stable/c/c5dc30da990045105c9762248d23076223e7878a
	https://git.kernel.org/stable/c/0dbd619716fb07b7de1acd64fec673ee6e1adde7
	https://git.kernel.org/stable/c/e01b8c9286c470b71a38acd320106f2c4f2826a1
	https://git.kernel.org/stable/c/388617f44d81604a760742a0b5de292d411e63e3
	https://git.kernel.org/stable/c/c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c

Impacted products

Vendor

Product

Version

Version: 225c7b1feef1b41170f7037a5b10a65cd8a42c54
Version: 225c7b1feef1b41170f7037a5b10a65cd8a42c54
Version: 225c7b1feef1b41170f7037a5b10a65cd8a42c54
Version: 225c7b1feef1b41170f7037a5b10a65cd8a42c54
Version: 225c7b1feef1b41170f7037a5b10a65cd8a42c54
Version: 225c7b1feef1b41170f7037a5b10a65cd8a42c54
Version: 225c7b1feef1b41170f7037a5b10a65cd8a42c54
Version: 225c7b1feef1b41170f7037a5b10a65cd8a42c54

Version: 2.6.22

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx4/srq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "53fd4c03558672ccb167754fbacbf045c7ab335c",
              "status": "affected",
              "version": "225c7b1feef1b41170f7037a5b10a65cd8a42c54",
              "versionType": "git"
            },
            {
              "lessThan": "0be6ae614ca7fa53e7389e3c7462ed20abbd4192",
              "status": "affected",
              "version": "225c7b1feef1b41170f7037a5b10a65cd8a42c54",
              "versionType": "git"
            },
            {
              "lessThan": "5b3b220d54e6a3d77380cb7caa1ef79cb8f4fc94",
              "status": "affected",
              "version": "225c7b1feef1b41170f7037a5b10a65cd8a42c54",
              "versionType": "git"
            },
            {
              "lessThan": "c5dc30da990045105c9762248d23076223e7878a",
              "status": "affected",
              "version": "225c7b1feef1b41170f7037a5b10a65cd8a42c54",
              "versionType": "git"
            },
            {
              "lessThan": "0dbd619716fb07b7de1acd64fec673ee6e1adde7",
              "status": "affected",
              "version": "225c7b1feef1b41170f7037a5b10a65cd8a42c54",
              "versionType": "git"
            },
            {
              "lessThan": "e01b8c9286c470b71a38acd320106f2c4f2826a1",
              "status": "affected",
              "version": "225c7b1feef1b41170f7037a5b10a65cd8a42c54",
              "versionType": "git"
            },
            {
              "lessThan": "388617f44d81604a760742a0b5de292d411e63e3",
              "status": "affected",
              "version": "225c7b1feef1b41170f7037a5b10a65cd8a42c54",
              "versionType": "git"
            },
            {
              "lessThan": "c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c",
              "status": "affected",
              "version": "225c7b1feef1b41170f7037a5b10a65cd8a42c54",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx4/srq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()\n\nSashiko points out that mlx4_srq_alloc() was not undone during error\nunwind, add the missing call to mlx4_srq_free()."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:00:31.083Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/53fd4c03558672ccb167754fbacbf045c7ab335c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0be6ae614ca7fa53e7389e3c7462ed20abbd4192"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b3b220d54e6a3d77380cb7caa1ef79cb8f4fc94"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5dc30da990045105c9762248d23076223e7878a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dbd619716fb07b7de1acd64fec673ee6e1adde7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e01b8c9286c470b71a38acd320106f2c4f2826a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/388617f44d81604a760742a0b5de292d411e63e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c"
        }
      ],
      "title": "RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46178",
    "datePublished": "2026-05-28T09:36:32.222Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-06-14T18:00:31.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46227 (GCVE-0-2026-46227)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:04

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf(). While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped. sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *). Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer. Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive. The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for.

References

URL

Tags

	https://git.kernel.org/stable/c/f3a3f0b406b4b7eb3cea35a23fa2bf170848b104
	https://git.kernel.org/stable/c/0dbc8cde64280fc37cdd678cced34eaf96cfb197
	https://git.kernel.org/stable/c/0c7b55974f97b78d1109025eadf084e74cbf330f
	https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078
	https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d
	https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5
	https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae
	https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817

Impacted products

Vendor

Product

Version

Version: 4910280503f3af2857d5aa77e35b22d93a8960a8
Version: 4910280503f3af2857d5aa77e35b22d93a8960a8
Version: 4910280503f3af2857d5aa77e35b22d93a8960a8
Version: 4910280503f3af2857d5aa77e35b22d93a8960a8
Version: 4910280503f3af2857d5aa77e35b22d93a8960a8
Version: 4910280503f3af2857d5aa77e35b22d93a8960a8
Version: 4910280503f3af2857d5aa77e35b22d93a8960a8
Version: 4910280503f3af2857d5aa77e35b22d93a8960a8

Version: 4.17

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f3a3f0b406b4b7eb3cea35a23fa2bf170848b104",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "0dbc8cde64280fc37cdd678cced34eaf96cfb197",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "0c7b55974f97b78d1109025eadf084e74cbf330f",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "6187a172d6ed57d6b2c327836e4407c6456e639d",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "c9dadb31f36045a8cb65df4bd75e7237ef21a4b5",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "bf0f40d8107e2ce827521968dc6926f3e13728ae",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "abb5f36771cc4c05899b34000829a787572a8817",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp.  After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns.  @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:07.453Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f3a3f0b406b4b7eb3cea35a23fa2bf170848b104"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dbc8cde64280fc37cdd678cced34eaf96cfb197"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c7b55974f97b78d1109025eadf084e74cbf330f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078"
        },
        {
          "url": "https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817"
        }
      ],
      "title": "sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46227",
    "datePublished": "2026-05-28T09:40:47.518Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:04:07.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46123 (GCVE-0-2026-46123)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

7.7 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: clamp rx length before skb_put virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one(). Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device. The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory. Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle(). Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log. Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer overflow in USB transport layer"), which hardened the USB 9p transport against unchecked device-reported length.

References

URL

Tags

	https://git.kernel.org/stable/c/4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a
	https://git.kernel.org/stable/c/fd91fa2678ab603dfb285416c1cf3843d7be1e41
	https://git.kernel.org/stable/c/ed41c81d30b211a671667259c3b5feeba0e062d5
	https://git.kernel.org/stable/c/6c1730099a6fc18b183bd6c1adad3b54adcaeda9
	https://git.kernel.org/stable/c/b40cdd1b1370d76e9e760af4490cb4a351cceead
	https://git.kernel.org/stable/c/e6b4296f170d949ebba937cf6a3f247ec9550d2c
	https://git.kernel.org/stable/c/21bd244b6de5d2fe1063c23acc93fbdd2b20d112

Impacted products

Vendor

Product

Version

Version: cf2719a21fdb9d4c8e9c834d279163609bef575d
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 9b67438e315b925a699f0178f4a48baf3d2d6ef4
Version: 5.15.78 ≤
Version: 6.0.8 ≤

Version: 6.1

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/virtio_bt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a",
              "status": "affected",
              "version": "cf2719a21fdb9d4c8e9c834d279163609bef575d",
              "versionType": "git"
            },
            {
              "lessThan": "fd91fa2678ab603dfb285416c1cf3843d7be1e41",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "ed41c81d30b211a671667259c3b5feeba0e062d5",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "6c1730099a6fc18b183bd6c1adad3b54adcaeda9",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "b40cdd1b1370d76e9e760af4490cb4a351cceead",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "e6b4296f170d949ebba937cf6a3f247ec9550d2c",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "21bd244b6de5d2fe1063c23acc93fbdd2b20d112",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9b67438e315b925a699f0178f4a48baf3d2d6ef4",
              "versionType": "git"
            },
            {
              "lessThan": "5.15.209",
              "status": "affected",
              "version": "5.15.78",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1",
              "status": "affected",
              "version": "6.0.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/virtio_bt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15.78",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: virtio_bt: clamp rx length before skb_put\n\nvirtbt_rx_work() calls skb_put(skb, len) where len comes directly\nfrom virtqueue_get_buf() with no validation against the buffer we\nposted to the device. The RX skb is allocated in virtbt_add_inbuf()\nand exposed to virtio as exactly 1000 bytes via sg_init_one().\n\nChecking len against skb_tailroom(skb) is not sufficient because\nalloc_skb() can leave more tailroom than the 1000 bytes actually\nhanded to the device. A malicious or buggy backend can therefore\nreport used.len between 1001 and skb_tailroom(skb), causing skb_put()\nto include uninitialized kernel heap bytes that were never written by\nthe device.\n\nThe same path also accepts len == 0, in which case skb_put(skb, 0)\nleaves the skb empty but virtbt_rx_handle() still reads the pkt_type\nbyte from skb-\u003edata, consuming uninitialized memory.\n\nDefine VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and\nsg_init_one(), and gate virtbt_rx_work() on that same constant so\nthe bound checked matches the buffer actually exposed to the device.\nReject used.len == 0 in the same gate so an empty completion can\nno longer reach virtbt_rx_handle().\n\nUse bt_dev_err_ratelimited() because the length value comes from an\nuntrusted backend that can otherwise flood the kernel log.\n\nSame class of bug as commit c04db81cd028 (\"net/9p: Fix buffer\noverflow in USB transport layer\"), which hardened the USB 9p\ntransport against unchecked device-reported length."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:08.614Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd91fa2678ab603dfb285416c1cf3843d7be1e41"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed41c81d30b211a671667259c3b5feeba0e062d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c1730099a6fc18b183bd6c1adad3b54adcaeda9"
        },
        {
          "url": "https://git.kernel.org/stable/c/b40cdd1b1370d76e9e760af4490cb4a351cceead"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6b4296f170d949ebba937cf6a3f247ec9550d2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/21bd244b6de5d2fe1063c23acc93fbdd2b20d112"
        }
      ],
      "title": "Bluetooth: virtio_bt: clamp rx length before skb_put",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46123",
    "datePublished": "2026-05-28T09:35:38.003Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:56:08.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42496 (GCVE-0-2026-42496)

Vulnerability from cvelistv5

Published

2026-05-26 00:17

Modified

2026-05-28 13:08

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Summary

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.

References

URL

Tags

	https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch	patch
	https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes	release-notes
	https://www.cve.org/CVERecord?id=CVE-2026-42497	related

Impacted products

	Vendor	Product	Version
	BINGOS	Archive::Tar	Version: 0 < 3.08

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45500

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42496",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T13:08:28.377579Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T13:08:37.326Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Archive-Tar",
          "product": "Archive::Tar",
          "programFiles": [
            "lib/Archive/Tar.pm"
          ],
          "programRoutines": [
            {
              "name": "Archive::Tar::_make_special_file"
            }
          ],
          "repo": "https://github.com/jib/archive-tar-new",
          "vendor": "BINGOS",
          "versions": [
            {
              "lessThan": "3.08",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.\n\n_make_special_file() passes the tar header\u0027s linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.\n\nA subsequent open through the extracted name reads or writes the attacker chosen path."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T00:17:19.110Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42497"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Archive::Tar 3.08 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-12T00:00:00.000Z",
          "value": "Issue reported."
        },
        {
          "lang": "en",
          "time": "2026-05-22T00:00:00.000Z",
          "value": "Version 3.08 released."
        }
      ],
      "title": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-42496",
    "datePublished": "2026-05-26T00:17:19.110Z",
    "dateReserved": "2026-04-27T18:34:48.417Z",
    "dateUpdated": "2026-05-28T13:08:37.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45500 (GCVE-0-2026-45500)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Microsoft Exchange Server 2016 Cumulative Update 23

Version: 15.01.0.0 < 15.01.2507.069

Microsoft	Microsoft Exchange Server 2019 Cumulative Update 14	Version: 15.02.0.0 < 15.02.1544.041
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 15	Version: 15.02.0.0 < 15.02.1748.046
Microsoft	Microsoft Exchange Server Subscription Edition RTM	Version: 15.02.0.0 < 15.02.2562.043

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45500",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:47:30.149691Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:47:38.919Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.069",
              "status": "affected",
              "version": "15.01.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 14",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1544.041",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 15",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1748.046",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server Subscription Edition RTM",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.2562.043",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1544.041",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.2562.043",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1748.046",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.069",
                  "versionStartIncluding": "15.01.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:24.735Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45500"
        }
      ],
      "title": "Microsoft Exchange Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45500",
    "datePublished": "2026-06-09T17:04:44.979Z",
    "dateReserved": "2026-05-12T16:07:22.619Z",
    "dateUpdated": "2026-06-16T18:17:24.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45840 (GCVE-0-2026-45840)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: openvswitch: cap upcall PID array size and pre-size vport replies The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM. kernel BUG at net/openvswitch/datapath.c:2414! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400 Call Trace: <TASK> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116) genl_rcv_msg (net/netlink/genetlink.c:1194) netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Kernel panic - not syncing: Fatal exception Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.

References

URL

Tags

	https://git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e
	https://git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0
	https://git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81
	https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63
	https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15
	https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704
	https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f
	https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519

Impacted products

Vendor

Product

Version

Version: 5cd667b0a4567048bb555927d6ee564f4e5620a9
Version: 5cd667b0a4567048bb555927d6ee564f4e5620a9
Version: 5cd667b0a4567048bb555927d6ee564f4e5620a9
Version: 5cd667b0a4567048bb555927d6ee564f4e5620a9
Version: 5cd667b0a4567048bb555927d6ee564f4e5620a9
Version: 5cd667b0a4567048bb555927d6ee564f4e5620a9
Version: 5cd667b0a4567048bb555927d6ee564f4e5620a9
Version: 5cd667b0a4567048bb555927d6ee564f4e5620a9

Version: 3.17

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/datapath.c",
            "net/openvswitch/vport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8d59b80e69dddb665eb2de36e62859ab2073470e",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "b39f763d720d623218bc1d95ace6855d7b474e81",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "f9ef3db77a383d66847fd082c2b437d8ae4d9c63",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "f99ac36b5d7c719d08a69fcdecce40f78a874e15",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "1d6c02b86329883aa467a3a61f8d34369db73a2f",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "2091c6aa0df6aba47deb5c8ab232b1cb60af3519",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/datapath.c",
            "net/openvswitch/vport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: cap upcall PID array size and pre-size vport replies\n\nThe vport netlink reply helpers allocate a fixed-size skb with\nnlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID\narray via ovs_vport_get_upcall_portids().  Since\novs_vport_set_upcall_portids() accepts any non-zero multiple of\nsizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID\narray large enough to overflow the reply buffer, causing nla_put() to\nfail with -EMSGSIZE and hitting BUG_ON(err \u003c 0).  On systems with\nunprivileged user namespaces enabled (e.g., Ubuntu default), this is\nreachable via unshare -Urn since OVS vport mutation operations use\nGENL_UNS_ADMIN_PERM.\n\n kernel BUG at net/openvswitch/datapath.c:2414!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1\n RIP: 0010:ovs_vport_cmd_set+0x34c/0x400\n Call Trace:\n  \u003cTASK\u003e\n  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)\n  genl_rcv_msg (net/netlink/genetlink.c:1194)\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n  genl_rcv (net/netlink/genetlink.c:1219)\n  netlink_unicast (net/netlink/af_netlink.c:1344)\n  netlink_sendmsg (net/netlink/af_netlink.c:1894)\n  __sys_sendto (net/socket.c:2206)\n  __x64_sys_sendto (net/socket.c:2209)\n  do_syscall_64 (arch/x86/entry/syscall_64.c:63)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n  \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nReject attempts to set more PIDs than nr_cpu_ids in\novs_vport_set_upcall_portids(), and pre-compute the worst-case reply\nsize in ovs_vport_cmd_msg_size() based on that bound, similar to the\nexisting ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already\nused by the per-CPU dispatch configuration on the datapath side\n(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the\ntwo sides stay consistent."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:11.287Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63"
        },
        {
          "url": "https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519"
        }
      ],
      "title": "openvswitch: cap upcall PID array size and pre-size vport replies",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45840",
    "datePublished": "2026-05-27T09:24:39.478Z",
    "dateReserved": "2026-05-13T15:03:33.077Z",
    "dateUpdated": "2026-06-14T17:46:11.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46069 (GCVE-0-2026-46069)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:52

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup_timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If the wakeup_timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.

References

URL

Tags

	https://git.kernel.org/stable/c/11869ce402d95519d49b25a2a97741f68d69d103
	https://git.kernel.org/stable/c/63fe3389b3e092d6c0eeea9fc0318e7918b16618
	https://git.kernel.org/stable/c/4e179a60a60c0a5aea245e8e67768343c0f070b8
	https://git.kernel.org/stable/c/030abbae49cf9fd1fba7aa08e15ec81efbeb78cf
	https://git.kernel.org/stable/c/ae5e95d4157481693be2317e3ffcd84e36010cbb

Impacted products

Vendor

Product

Version

Version: 4636187da60b6e33526050235c610409d9cc00e8
Version: 4636187da60b6e33526050235c610409d9cc00e8
Version: 4636187da60b6e33526050235c610409d9cc00e8
Version: 4636187da60b6e33526050235c610409d9cc00e8
Version: 4636187da60b6e33526050235c610409d9cc00e8

Version: 4.0

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/marvell/mwifiex/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "11869ce402d95519d49b25a2a97741f68d69d103",
              "status": "affected",
              "version": "4636187da60b6e33526050235c610409d9cc00e8",
              "versionType": "git"
            },
            {
              "lessThan": "63fe3389b3e092d6c0eeea9fc0318e7918b16618",
              "status": "affected",
              "version": "4636187da60b6e33526050235c610409d9cc00e8",
              "versionType": "git"
            },
            {
              "lessThan": "4e179a60a60c0a5aea245e8e67768343c0f070b8",
              "status": "affected",
              "version": "4636187da60b6e33526050235c610409d9cc00e8",
              "versionType": "git"
            },
            {
              "lessThan": "030abbae49cf9fd1fba7aa08e15ec81efbeb78cf",
              "status": "affected",
              "version": "4636187da60b6e33526050235c610409d9cc00e8",
              "versionType": "git"
            },
            {
              "lessThan": "ae5e95d4157481693be2317e3ffcd84e36010cbb",
              "status": "affected",
              "version": "4636187da60b6e33526050235c610409d9cc00e8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/marvell/mwifiex/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()\n\nThe mwifiex_adapter_cleanup() function uses timer_delete()\n(non-synchronous) for the wakeup_timer before the adapter structure is\nfreed. This is incorrect because timer_delete() does not wait for any\nrunning timer callback to complete.\n\nIf the wakeup_timer callback (wakeup_timer_fn) is executing when\nmwifiex_adapter_cleanup() is called, the callback will continue to\naccess adapter fields (adapter-\u003ehw_status, adapter-\u003eif_ops.card_reset,\netc.) which may be freed by mwifiex_free_adapter() called later in the\nmwifiex_remove_card() path.\n\nUse timer_delete_sync() instead to ensure any running timer callback has\ncompleted before returning."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:52:02.001Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/11869ce402d95519d49b25a2a97741f68d69d103"
        },
        {
          "url": "https://git.kernel.org/stable/c/63fe3389b3e092d6c0eeea9fc0318e7918b16618"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e179a60a60c0a5aea245e8e67768343c0f070b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/030abbae49cf9fd1fba7aa08e15ec81efbeb78cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae5e95d4157481693be2317e3ffcd84e36010cbb"
        }
      ],
      "title": "wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46069",
    "datePublished": "2026-05-27T12:57:50.213Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:52:02.001Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46116 (GCVE-0-2026-46116)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being: BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline] BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline] BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435 Workqueue: netns cleanup_net Call Trace: __hlist_del / hlist_del_rcu __xfrm_state_delete xfrm_state_delete xfrm_state_flush xfrm_state_fini ops_exit_list cleanup_net The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains. __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates: if (x->km.seq) hlist_del_rcu(&x->byseq); if (x->id.spi) hlist_del_rcu(&x->byspi); while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev. The defensive change here: - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst, bysrc, byseq and byspi so a second deletion is a no-op rather than a write through LIST_POISON pprev. The byseq/byspi nodes are already initialised in xfrm_state_alloc(). - Test hlist_unhashed() rather than the value predicate for byseq/byspi, so the unhash decision tracks list state rather than mutable scalar fields. Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash. Reproduction: - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal - 9 unique signatures collected in ~9h, all within xfrm_state lifecycle

References

URL

Tags

	https://git.kernel.org/stable/c/b4a53add2fa8f1b5aa17d4c5686c320785fab182
	https://git.kernel.org/stable/c/26edb0a3c99f9d958c212be68b21f1221614dcf0
	https://git.kernel.org/stable/c/4980162de555cb838f1a189ce7d2cbf5d2e7b050
	https://git.kernel.org/stable/c/a2e2d08fb070fab4947447171f1c4e3ca5a188e5
	https://git.kernel.org/stable/c/14acf9652e5690de3c7486c6db5fb8dafd0a32a3

Impacted products

Vendor

Product

Version

Version: 7b4dc3600e4877178ba94c7fbf7e520421378aa6
Version: 7b4dc3600e4877178ba94c7fbf7e520421378aa6
Version: 7b4dc3600e4877178ba94c7fbf7e520421378aa6
Version: 7b4dc3600e4877178ba94c7fbf7e520421378aa6
Version: 7b4dc3600e4877178ba94c7fbf7e520421378aa6

Version: 2.6.19

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b4a53add2fa8f1b5aa17d4c5686c320785fab182",
              "status": "affected",
              "version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
              "versionType": "git"
            },
            {
              "lessThan": "26edb0a3c99f9d958c212be68b21f1221614dcf0",
              "status": "affected",
              "version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
              "versionType": "git"
            },
            {
              "lessThan": "4980162de555cb838f1a189ce7d2cbf5d2e7b050",
              "status": "affected",
              "version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
              "versionType": "git"
            },
            {
              "lessThan": "a2e2d08fb070fab4947447171f1c4e3ca5a188e5",
              "status": "affected",
              "version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
              "versionType": "git"
            },
            {
              "lessThan": "14acf9652e5690de3c7486c6db5fb8dafd0a32a3",
              "status": "affected",
              "version": "7b4dc3600e4877178ba94c7fbf7e520421378aa6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.19"
            },
            {
              "lessThan": "2.6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: defensively unhash xfrm_state lists in __xfrm_state_delete\n\nKASAN reproduces a slab-use-after-free in __xfrm_state_delete()\u0027s\nhlist_del_rcu calls under syzkaller load on linux-6.12.y stable\n(reproduced on 6.12.47, also reachable via the same code path on\ntorvalds/master and on the ipsec tree). Nine unique signatures cluster\nin the xfrm_state lifecycle, the load-bearing one being:\n\n  BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]\n  BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]\n  BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c\n  Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435\n\n  Workqueue: netns cleanup_net\n  Call Trace:\n   __hlist_del / hlist_del_rcu\n   __xfrm_state_delete\n   xfrm_state_delete\n   xfrm_state_flush\n   xfrm_state_fini\n   ops_exit_list\n   cleanup_net\n\nThe other observed signatures hit the same slab object from\n__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB\nwrite variant of __xfrm_state_delete, all on the byseq/byspi\nhash chains.\n\n__xfrm_state_delete() guards its byseq and byspi unhashes with\nvalue-based predicates:\n\n\tif (x-\u003ekm.seq)\n\t\thlist_del_rcu(\u0026x-\u003ebyseq);\n\tif (x-\u003eid.spi)\n\t\thlist_del_rcu(\u0026x-\u003ebyspi);\n\nwhile everywhere else in the file (e.g. state_cache, state_cache_input)\nthe safer hlist_unhashed() check is used. xfrm_alloc_spi() sets\nx-\u003eid.spi = newspi inside xfrm_state_lock and then immediately inserts\ninto byspi, but a path that observes x-\u003eid.spi != 0 outside of\nxfrm_state_lock can still skip-or-hit the byspi unhash inconsistently\nwith whether x is actually on the list. The same holds for x-\u003ekm.seq\nversus byseq, and the bydst/bysrc unhashes have no predicate at all,\nso a second __xfrm_state_delete() on the same object writes through\nLIST_POISON pprev.\n\nThe defensive change here:\n\n  - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,\n    bysrc, byseq and byspi so a second deletion is a no-op rather\n    than a write through LIST_POISON pprev. The byseq/byspi nodes\n    are already initialised in xfrm_state_alloc().\n  - Test hlist_unhashed() rather than the value predicate for\n    byseq/byspi, so the unhash decision tracks list state rather than\n    mutable scalar fields.\n\nEmpirical verification: applied this patch on top of v6.12.47, rebuilt,\nand re-ran the same syzkaller harness for 1h16m on a previously-crashy\nconfiguration that produced ~100 hits each of slab-use-after-free\nRead in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in\n__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at\n~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo\nconfirms the xfrm_state slab is actively allocated and freed during\nthe run (~143 KiB resident), so the fuzzer is still exercising those\ncode paths -- they just no longer crash.\n\nReproduction:\n\n  - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV\n  - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db\n  - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal\n  - 9 unique signatures collected in ~9h, all within xfrm_state\n    lifecycle"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:37.369Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b4a53add2fa8f1b5aa17d4c5686c320785fab182"
        },
        {
          "url": "https://git.kernel.org/stable/c/26edb0a3c99f9d958c212be68b21f1221614dcf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/4980162de555cb838f1a189ce7d2cbf5d2e7b050"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2e2d08fb070fab4947447171f1c4e3ca5a188e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/14acf9652e5690de3c7486c6db5fb8dafd0a32a3"
        }
      ],
      "title": "xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46116",
    "datePublished": "2026-05-28T09:35:30.689Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:37.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45845 (GCVE-0-2026-45845)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix NULL pointer dereference in class dump When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference. The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478) Call Trace: <TASK> tc_fill_tclass (net/sched/sch_api.c:1966) qdisc_class_dump (net/sched/sch_api.c:2326) taprio_walk (net/sched/sch_taprio.c:2514) tc_dump_tclass_qdisc (net/sched/sch_api.c:2352) tc_dump_tclass_root (net/sched/sch_api.c:2370) tc_dump_tclass (net/sched/sch_api.c:2431) rtnl_dumpit (net/core/rtnetlink.c:6864) netlink_dump (net/netlink/af_netlink.c:2325) rtnetlink_rcv_msg (net/core/rtnetlink.c:6959) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks. Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics. After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.

References

URL

Tags

	https://git.kernel.org/stable/c/ec2501e361b08b50bcb1e7b3253fc861abbda28d
	https://git.kernel.org/stable/c/d02e2fbf60de46678e2ea698a6a904fd21e1cc31
	https://git.kernel.org/stable/c/48b26d48e76221dc90b02bf5428bab53643461ca
	https://git.kernel.org/stable/c/8f1ff8866cb9f655e5faea6994eb902960be8e04
	https://git.kernel.org/stable/c/3d07ca5c0fae311226f737963984bd94bb159a87

Impacted products

Vendor

Product

Version

Version: 665338b2a7a0139337d1f85be65ed16e487f84c1
Version: 665338b2a7a0139337d1f85be65ed16e487f84c1
Version: 665338b2a7a0139337d1f85be65ed16e487f84c1
Version: 665338b2a7a0139337d1f85be65ed16e487f84c1
Version: 665338b2a7a0139337d1f85be65ed16e487f84c1

Version: 6.6

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_taprio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ec2501e361b08b50bcb1e7b3253fc861abbda28d",
              "status": "affected",
              "version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
              "versionType": "git"
            },
            {
              "lessThan": "d02e2fbf60de46678e2ea698a6a904fd21e1cc31",
              "status": "affected",
              "version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
              "versionType": "git"
            },
            {
              "lessThan": "48b26d48e76221dc90b02bf5428bab53643461ca",
              "status": "affected",
              "version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
              "versionType": "git"
            },
            {
              "lessThan": "8f1ff8866cb9f655e5faea6994eb902960be8e04",
              "status": "affected",
              "version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
              "versionType": "git"
            },
            {
              "lessThan": "3d07ca5c0fae311226f737963984bd94bb159a87",
              "status": "affected",
              "version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_taprio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: fix NULL pointer dereference in class dump\n\nWhen a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()\nis called with new == NULL and stores NULL into q-\u003eqdiscs[cl - 1].\nSubsequent RTM_GETTCLASS dump operations walk all classes via\ntaprio_walk() and call taprio_dump_class(), which calls taprio_leaf()\nreturning the NULL pointer, then dereferences it to read child-\u003ehandle,\ncausing a kernel NULL pointer dereference.\n\nThe bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel\nwith CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user\nnamespaces enabled, an unprivileged local user can trigger a kernel\npanic by creating a taprio qdisc inside a new network namespace,\ngrafting an explicit child qdisc, deleting it, and requesting a class\ndump. The RTM_GETTCLASS dump itself requires no capability.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)\n Call Trace:\n  \u003cTASK\u003e\n  tc_fill_tclass (net/sched/sch_api.c:1966)\n  qdisc_class_dump (net/sched/sch_api.c:2326)\n  taprio_walk (net/sched/sch_taprio.c:2514)\n  tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)\n  tc_dump_tclass_root (net/sched/sch_api.c:2370)\n  tc_dump_tclass (net/sched/sch_api.c:2431)\n  rtnl_dumpit (net/core/rtnetlink.c:6864)\n  netlink_dump (net/netlink/af_netlink.c:2325)\n  rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n  \u003c/TASK\u003e\n\nFix this by substituting \u0026noop_qdisc when new is NULL in\ntaprio_graft(), a common pattern used by other qdiscs (e.g.,\nmultiq_graft()) to ensure the q-\u003eqdiscs[] slots are never NULL.\nThis makes control-plane dump paths safe without requiring individual\nNULL checks.\n\nSince the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)\npreviously had explicit NULL guards that would drop/skip the packet\ncleanly, update those checks to test for \u0026noop_qdisc instead. Without\nthis, packets would reach taprio_enqueue_one() which increments the root\nqdisc\u0027s qlen and backlog before calling the child\u0027s enqueue; noop_qdisc\ndrops the packet but those counters are never rolled back, permanently\ninflating the root qdisc\u0027s statistics.\n\nAfter this change *old can be a valid qdisc, NULL, or \u0026noop_qdisc.\nOnly call qdisc_put(*old) in the first case to avoid decreasing\nnoop_qdisc\u0027s refcount, which was never increased."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:27.191Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ec2501e361b08b50bcb1e7b3253fc861abbda28d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d02e2fbf60de46678e2ea698a6a904fd21e1cc31"
        },
        {
          "url": "https://git.kernel.org/stable/c/48b26d48e76221dc90b02bf5428bab53643461ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f1ff8866cb9f655e5faea6994eb902960be8e04"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d07ca5c0fae311226f737963984bd94bb159a87"
        }
      ],
      "title": "net/sched: taprio: fix NULL pointer dereference in class dump",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45845",
    "datePublished": "2026-05-27T09:24:48.438Z",
    "dateReserved": "2026-05-13T15:03:33.078Z",
    "dateUpdated": "2026-06-14T17:46:27.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46273 (GCVE-0-2026-46273)

Vulnerability from cvelistv5

Published

2026-06-03 16:19

Modified

2026-06-14 18:05

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset. Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead. The 224-byte minimum matches ibmvnic commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks on GSO packets") which uses the same physical adapters in SEA configurations. The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation. Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features. Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).

References

URL

Tags

	https://git.kernel.org/stable/c/86fc64584811d43c9ccd74447de58620189d8b77
	https://git.kernel.org/stable/c/9a5e984d7af910e46dcbed3ce77873e000a4f77d
	https://git.kernel.org/stable/c/1cdf5dbcec988d06f5f720bdf89e91073f77fa10
	https://git.kernel.org/stable/c/82bc89fbb82d9396fb4eaee8720ea85e2e787957
	https://git.kernel.org/stable/c/db8012c631cb845e9ae2b4b531e17d86c9519755
	https://git.kernel.org/stable/c/c1f261863e65b508f37416dfbc5c5d911c9b9233
	https://git.kernel.org/stable/c/3af24f0c4c31f18a4a2d927990759194832bb6e9
	https://git.kernel.org/stable/c/cc427d24ac6442ffdeafd157a63c7c5b73ed4de4

Impacted products

Vendor

Product

Version

Version: 8641dd85799f85bef5f0d1f87356aaa12cb2195e
Version: 8641dd85799f85bef5f0d1f87356aaa12cb2195e
Version: 8641dd85799f85bef5f0d1f87356aaa12cb2195e
Version: 8641dd85799f85bef5f0d1f87356aaa12cb2195e
Version: 8641dd85799f85bef5f0d1f87356aaa12cb2195e
Version: 8641dd85799f85bef5f0d1f87356aaa12cb2195e
Version: 8641dd85799f85bef5f0d1f87356aaa12cb2195e
Version: 8641dd85799f85bef5f0d1f87356aaa12cb2195e

Version: 4.2

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47634

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmveth.c",
            "drivers/net/ethernet/ibm/ibmveth.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86fc64584811d43c9ccd74447de58620189d8b77",
              "status": "affected",
              "version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
              "versionType": "git"
            },
            {
              "lessThan": "9a5e984d7af910e46dcbed3ce77873e000a4f77d",
              "status": "affected",
              "version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
              "versionType": "git"
            },
            {
              "lessThan": "1cdf5dbcec988d06f5f720bdf89e91073f77fa10",
              "status": "affected",
              "version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
              "versionType": "git"
            },
            {
              "lessThan": "82bc89fbb82d9396fb4eaee8720ea85e2e787957",
              "status": "affected",
              "version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
              "versionType": "git"
            },
            {
              "lessThan": "db8012c631cb845e9ae2b4b531e17d86c9519755",
              "status": "affected",
              "version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
              "versionType": "git"
            },
            {
              "lessThan": "c1f261863e65b508f37416dfbc5c5d911c9b9233",
              "status": "affected",
              "version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
              "versionType": "git"
            },
            {
              "lessThan": "3af24f0c4c31f18a4a2d927990759194832bb6e9",
              "status": "affected",
              "version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
              "versionType": "git"
            },
            {
              "lessThan": "cc427d24ac6442ffdeafd157a63c7c5b73ed4de4",
              "status": "affected",
              "version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmveth.c",
            "drivers/net/ethernet/ibm/ibmveth.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmveth: Disable GSO for packets with small MSS\n\nSome physical adapters on Power systems do not support segmentation\noffload when the MSS is less than 224 bytes. Attempting to send such\npackets causes the adapter to freeze, stopping all traffic until\nmanually reset.\n\nImplement ndo_features_check to disable GSO for packets with small MSS\nvalues. The network stack will perform software segmentation instead.\n\nThe 224-byte minimum matches ibmvnic\ncommit \u003cf10b09ef687f\u003e (\"ibmvnic: Enforce stronger sanity checks\non GSO packets\")\nwhich uses the same physical adapters in SEA configurations.\n\nThe issue occurs specifically when the hardware attempts to perform\nsegmentation (gso_segs \u003e 1) with a small MSS. Single-segment GSO packets\n(gso_segs == 1) do not trigger the problematic LSO code path and are\ntransmitted normally without segmentation.\n\nAdd an ndo_features_check callback to disable GSO when MSS \u003c 224 bytes.\nAlso call vlan_features_check() to ensure proper handling of VLAN packets,\nparticularly QinQ (802.1ad) configurations where the hardware parser may\nnot support certain offload features.\n\nValidated using iptables to force small MSS values. Without the fix,\nthe adapter freezes. With the fix, packets are segmented in software\nand transmission succeeds. Comprehensive regression testing completedd\n(MSS tests, performance, stability)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:05:30.074Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86fc64584811d43c9ccd74447de58620189d8b77"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a5e984d7af910e46dcbed3ce77873e000a4f77d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cdf5dbcec988d06f5f720bdf89e91073f77fa10"
        },
        {
          "url": "https://git.kernel.org/stable/c/82bc89fbb82d9396fb4eaee8720ea85e2e787957"
        },
        {
          "url": "https://git.kernel.org/stable/c/db8012c631cb845e9ae2b4b531e17d86c9519755"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1f261863e65b508f37416dfbc5c5d911c9b9233"
        },
        {
          "url": "https://git.kernel.org/stable/c/3af24f0c4c31f18a4a2d927990759194832bb6e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc427d24ac6442ffdeafd157a63c7c5b73ed4de4"
        }
      ],
      "title": "ibmveth: Disable GSO for packets with small MSS",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46273",
    "datePublished": "2026-06-03T16:19:18.056Z",
    "dateReserved": "2026-05-13T15:03:33.109Z",
    "dateUpdated": "2026-06-14T18:05:30.074Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47634 (GCVE-0-2026-47634)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Microsoft SharePoint Server 2019

Version: 16.0.0 < 16.0.10417.20153

Microsoft SharePoint Server Subscription Edition

Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:46:23.417734Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:46:32.860Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:23.513Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47634"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47634",
    "datePublished": "2026-06-09T17:05:48.169Z",
    "dateReserved": "2026-05-19T20:12:27.070Z",
    "dateUpdated": "2026-06-16T18:18:23.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46231 (GCVE-0-2026-46231)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:04

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: put backbone reference on failed claim hash insert When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.

References

URL

Tags

	https://git.kernel.org/stable/c/6c8b68a7ed667a63aa603ba4d3a7088be143007e
	https://git.kernel.org/stable/c/769f413d374ff2b6ff6d8d8c37b4c1178e6cdf14
	https://git.kernel.org/stable/c/2888c9a154123db0254ae4fb9bea570c7e1f2e06
	https://git.kernel.org/stable/c/65419eb4259a26a3cd3f56fa0e3b3c113bf8c256
	https://git.kernel.org/stable/c/fd0ca034c1e71ca7613cde9dd892836b2c2831bd
	https://git.kernel.org/stable/c/0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0
	https://git.kernel.org/stable/c/7cccf4eb4f96d3c3af91a00b7a9caa652439542e
	https://git.kernel.org/stable/c/ba9d20ee9076dac32c371116bacbe72480eb356c

Impacted products

Vendor

Product

Version

Version: 3db0decf1185357d6ab2256d0dede1ca9efda03d
Version: 3db0decf1185357d6ab2256d0dede1ca9efda03d
Version: 3db0decf1185357d6ab2256d0dede1ca9efda03d
Version: 3db0decf1185357d6ab2256d0dede1ca9efda03d
Version: 3db0decf1185357d6ab2256d0dede1ca9efda03d
Version: 3db0decf1185357d6ab2256d0dede1ca9efda03d
Version: 3db0decf1185357d6ab2256d0dede1ca9efda03d
Version: 3db0decf1185357d6ab2256d0dede1ca9efda03d
Version: 3fdd337ac0b277a1f40aa73b35283520f426e517
Version: 485eedfabc2aefac8f09f98a82ba1c1e3e202a6d
Version: 3.16.39 ≤
Version: 4.4.217 ≤

Version: 4.7

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bridge_loop_avoidance.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6c8b68a7ed667a63aa603ba4d3a7088be143007e",
              "status": "affected",
              "version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
              "versionType": "git"
            },
            {
              "lessThan": "769f413d374ff2b6ff6d8d8c37b4c1178e6cdf14",
              "status": "affected",
              "version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
              "versionType": "git"
            },
            {
              "lessThan": "2888c9a154123db0254ae4fb9bea570c7e1f2e06",
              "status": "affected",
              "version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
              "versionType": "git"
            },
            {
              "lessThan": "65419eb4259a26a3cd3f56fa0e3b3c113bf8c256",
              "status": "affected",
              "version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
              "versionType": "git"
            },
            {
              "lessThan": "fd0ca034c1e71ca7613cde9dd892836b2c2831bd",
              "status": "affected",
              "version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
              "versionType": "git"
            },
            {
              "lessThan": "0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0",
              "status": "affected",
              "version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
              "versionType": "git"
            },
            {
              "lessThan": "7cccf4eb4f96d3c3af91a00b7a9caa652439542e",
              "status": "affected",
              "version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
              "versionType": "git"
            },
            {
              "lessThan": "ba9d20ee9076dac32c371116bacbe72480eb356c",
              "status": "affected",
              "version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3fdd337ac0b277a1f40aa73b35283520f426e517",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "485eedfabc2aefac8f09f98a82ba1c1e3e202a6d",
              "versionType": "git"
            },
            {
              "lessThan": "3.17",
              "status": "affected",
              "version": "3.16.39",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.217",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bridge_loop_avoidance.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.217",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: put backbone reference on failed claim hash insert\n\nWhen batadv_bla_add_claim() fails to insert a new claim into the hash, it\nleaked a reference to the backbone_gw for which the claim was intended.\nCall batadv_backbone_gw_put() on the error path to release the reference\nand avoid leaking the backbone_gw object."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:27.129Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6c8b68a7ed667a63aa603ba4d3a7088be143007e"
        },
        {
          "url": "https://git.kernel.org/stable/c/769f413d374ff2b6ff6d8d8c37b4c1178e6cdf14"
        },
        {
          "url": "https://git.kernel.org/stable/c/2888c9a154123db0254ae4fb9bea570c7e1f2e06"
        },
        {
          "url": "https://git.kernel.org/stable/c/65419eb4259a26a3cd3f56fa0e3b3c113bf8c256"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd0ca034c1e71ca7613cde9dd892836b2c2831bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cccf4eb4f96d3c3af91a00b7a9caa652439542e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba9d20ee9076dac32c371116bacbe72480eb356c"
        }
      ],
      "title": "batman-adv: bla: put backbone reference on failed claim hash insert",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46231",
    "datePublished": "2026-05-28T09:40:53.471Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:04:27.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46113 (GCVE-0-2026-46113)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, "KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE", 2026-03-27). The flow is as follows: - a PDE is installed for a 2MB mapping, and a page in that area is accessed. KVM creates a kvm_mmu_page consisting of 512 4KB pages; the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because the guest's mapping is a huge page (and thus contiguous). - the PDE mapping is changed from outside the guest. - the guest accesses another page in the same 2MB area. KVM installs a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN (i.e. based on the new mapping, as changed in the previous step) but that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore the rmap entry cannot be found and removed when the kvm_mmu_page is zapped. - the memslot that covers the first 2MB mapping is deleted, and the kvm_mmu_page for the now-invalid GPA is zapped. However, rmap_remove() only looks at the [sp->gfn, sp->gfn + 511] range established in step 1, and fails to find the rmap entry that was recorded by step 3. - any operation that causes an rmap walk for the same page accessed by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page. This includes dirty logging or MMU notifier invalidations (e.g., from MADV_DONTNEED). The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn. Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write. That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the "wrong" shadow page. However, that was only an imprecision until 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages") came along. Fix it by checking for a target gfn mismatch and zapping the existing SPTE. That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.

References

URL

Tags

	https://git.kernel.org/stable/c/e9d4ea13aa2b6400bb10ec64b370ba3dadcd22f0
	https://git.kernel.org/stable/c/488e386484ec8c0e558be6e156edf34ed9f4d5c8
	https://git.kernel.org/stable/c/06c19c967b845b63172601fe459667d973b7e6b7
	https://git.kernel.org/stable/c/738ec97b1855df6c08fe2369f798fa0b972e556b
	https://git.kernel.org/stable/c/14d1e55dfd2cf4711bff164a6aaaddb783552134
	https://git.kernel.org/stable/c/0cb2af2ea66ad8ff195c156ea690f11216285bdf

Impacted products

Vendor

Product

Version

Version: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7
Version: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7
Version: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7
Version: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7
Version: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7
Version: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7

Version: 2.6.20

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47637

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/mmu/mmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e9d4ea13aa2b6400bb10ec64b370ba3dadcd22f0",
              "status": "affected",
              "version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
              "versionType": "git"
            },
            {
              "lessThan": "488e386484ec8c0e558be6e156edf34ed9f4d5c8",
              "status": "affected",
              "version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
              "versionType": "git"
            },
            {
              "lessThan": "06c19c967b845b63172601fe459667d973b7e6b7",
              "status": "affected",
              "version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
              "versionType": "git"
            },
            {
              "lessThan": "738ec97b1855df6c08fe2369f798fa0b972e556b",
              "status": "affected",
              "version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
              "versionType": "git"
            },
            {
              "lessThan": "14d1e55dfd2cf4711bff164a6aaaddb783552134",
              "status": "affected",
              "version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
              "versionType": "git"
            },
            {
              "lessThan": "0cb2af2ea66ad8ff195c156ea690f11216285bdf",
              "status": "affected",
              "version": "6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/mmu/mmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix shadow paging use-after-free due to unexpected GFN\n\nThe shadow MMU computes GFNs for direct shadow pages using sp-\u003egfn plus\nthe SPTE index. This assumption breaks for shadow paging if the guest\npage tables are modified between VM entries (similar to commit\naad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even\nwhen creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:\n\n- a PDE is installed for a 2MB mapping, and a page in that area is\n  accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;\n  the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because\n  the guest\u0027s mapping is a huge page (and thus contiguous).\n\n- the PDE mapping is changed from outside the guest.\n\n- the guest accesses another page in the same 2MB area.  KVM installs\n  a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN\n  (i.e. based on the new mapping, as changed in the previous step) but\n  that GFN is outside of the [sp-\u003egfn, sp-\u003egfn + 511] range; therefore\n  the rmap entry cannot be found and removed when the kvm_mmu_page\n  is zapped.\n\n- the memslot that covers the first 2MB mapping is deleted, and the\n  kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()\n  only looks at the [sp-\u003egfn, sp-\u003egfn + 511] range established in step 1,\n  and fails to find the rmap entry that was recorded by step 3.\n\n- any operation that causes an rmap walk for the same page accessed\n  by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.\n  This includes dirty logging or MMU notifier invalidations (e.g., from\n  MADV_DONTNEED).\n\nThe underlying issue is that KVM\u0027s walking of shadow PTEs assumes that\nif a SPTE is present when KVM wants to install a non-leaf SPTE, then the\nexisting kvm_mmu_page must be for the correct gfn.  Because the only way\nfor the gfn to be wrong is if KVM messed up and failed to zap a SPTE...\nwhich shouldn\u0027t happen, but *actually* only happens in response to a\nguest write.\n\nThat bug dates back literally forever, as even the first version of KVM\nassumes that the GFN matches and walks into the \"wrong\" shadow page.\nHowever, that was only an imprecision until 2032a93d66fa (\"KVM: MMU:\nDon\u0027t allocate gfns page for direct mmu pages\") came along.\n\nFix it by checking for a target gfn mismatch and zapping the existing\nSPTE.  That way the old SP and rmap entries are gone, KVM installs\nthe rmap in the right location, and everyone is happy."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:24.179Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e9d4ea13aa2b6400bb10ec64b370ba3dadcd22f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/488e386484ec8c0e558be6e156edf34ed9f4d5c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/06c19c967b845b63172601fe459667d973b7e6b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/738ec97b1855df6c08fe2369f798fa0b972e556b"
        },
        {
          "url": "https://git.kernel.org/stable/c/14d1e55dfd2cf4711bff164a6aaaddb783552134"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cb2af2ea66ad8ff195c156ea690f11216285bdf"
        }
      ],
      "title": "KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46113",
    "datePublished": "2026-05-28T09:35:23.035Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:24.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47637 (GCVE-0-2026-47637)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47637",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T18:03:44.666252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T18:03:52.025Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:43.793Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47637"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47637",
    "datePublished": "2026-06-09T17:05:06.398Z",
    "dateReserved": "2026-05-19T20:12:27.070Z",
    "dateUpdated": "2026-06-16T18:17:43.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46124 (GCVE-0-2026-46124)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofs_export_iget isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780. sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix. Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.

References

URL

Tags

	https://git.kernel.org/stable/c/ee0024f5a7e3c73aa253869fae9650ae054093ca
	https://git.kernel.org/stable/c/31dbb4ba0f719ae7774e4c0c95172c9bf81692f5
	https://git.kernel.org/stable/c/908a76f0b1038035e6ebb4f2293ce079f92e0a02
	https://git.kernel.org/stable/c/bb0988ed4f2e26d59bbb58f644cb3a55b7521e21
	https://git.kernel.org/stable/c/0a1af74ae2177bda3aee0837a0546309aa539d0d
	https://git.kernel.org/stable/c/afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b
	https://git.kernel.org/stable/c/4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6
	https://git.kernel.org/stable/c/24376458138387fb251e782e624c7776e9826796

Impacted products

Vendor

Product

Version

Version: 5e7de55602c61c8ff28db075cc49c8dd6989d7e0
Version: 63d5a3e207bf315a32c7d16de6c89753a759f95a
Version: 0fdafdaef796816a9ed0fd7ac812932d569d9beb
Version: 952e7a7e317f126d0a2b879fc531b716932d5ffa
Version: 56dfffea9fd3be0b3795a9ca6401e133a8427e0b
Version: 0405d4b63d082861f4eaff9d39c78ee9dc34f845
Version: 0405d4b63d082861f4eaff9d39c78ee9dc34f845
Version: 0405d4b63d082861f4eaff9d39c78ee9dc34f845
Version: ee01a309ebf598be1ff8174901ed6e91619f1749
Version: 007124c896e7d4614ac1f6bd4dedb975c35a2a8e
Version: 5.10.237   ≤
Version: 5.15.181   ≤
Version: 6.1.135   ≤
Version: 6.6.88   ≤
Version: 6.12.25   ≤
Version: 5.4.293   ≤
Version: 6.14.4   ≤

Version: 6.15

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48562

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/isofs/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee0024f5a7e3c73aa253869fae9650ae054093ca",
              "status": "affected",
              "version": "5e7de55602c61c8ff28db075cc49c8dd6989d7e0",
              "versionType": "git"
            },
            {
              "lessThan": "31dbb4ba0f719ae7774e4c0c95172c9bf81692f5",
              "status": "affected",
              "version": "63d5a3e207bf315a32c7d16de6c89753a759f95a",
              "versionType": "git"
            },
            {
              "lessThan": "908a76f0b1038035e6ebb4f2293ce079f92e0a02",
              "status": "affected",
              "version": "0fdafdaef796816a9ed0fd7ac812932d569d9beb",
              "versionType": "git"
            },
            {
              "lessThan": "bb0988ed4f2e26d59bbb58f644cb3a55b7521e21",
              "status": "affected",
              "version": "952e7a7e317f126d0a2b879fc531b716932d5ffa",
              "versionType": "git"
            },
            {
              "lessThan": "0a1af74ae2177bda3aee0837a0546309aa539d0d",
              "status": "affected",
              "version": "56dfffea9fd3be0b3795a9ca6401e133a8427e0b",
              "versionType": "git"
            },
            {
              "lessThan": "afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b",
              "status": "affected",
              "version": "0405d4b63d082861f4eaff9d39c78ee9dc34f845",
              "versionType": "git"
            },
            {
              "lessThan": "4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6",
              "status": "affected",
              "version": "0405d4b63d082861f4eaff9d39c78ee9dc34f845",
              "versionType": "git"
            },
            {
              "lessThan": "24376458138387fb251e782e624c7776e9826796",
              "status": "affected",
              "version": "0405d4b63d082861f4eaff9d39c78ee9dc34f845",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ee01a309ebf598be1ff8174901ed6e91619f1749",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "007124c896e7d4614ac1f6bd4dedb975c35a2a8e",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.258",
              "status": "affected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.209",
              "status": "affected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.88",
              "status": "affected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThan": "6.15",
              "status": "affected",
              "version": "6.14.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/isofs/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.10.237",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.12.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.293",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: validate block number from NFS file handle in isofs_export_iget\n\nisofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-\ncontrolled block number (ifid-\u003eblock or ifid-\u003eparent_block) from\nthe NFS file handle to isofs_export_iget(), which only rejects\nblock == 0 before calling isofs_iget() and ultimately sb_bread().\nA crafted file handle with fh_len sufficient to pass the check\nadded by commit 0405d4b63d08 (\"isofs: Prevent the use of too small\nfid\") can still drive the server to read any in-range block on the\nbacking device as if it were an iso_directory_record.  That earlier\nfix was assigned CVE-2025-37780.\n\nsb_bread() on an out-of-range block returns NULL cleanly via the\nEIO path, so there is no memory-safety violation.  For in-range\nreads of adjacent-partition data on the same block device, the\nunrelated bytes end up in iso_inode_info fields that reach the NFS\nclient as dentry metadata.  The deployment surface (isofs exported\nover NFS from loop-mounted images) is narrow and requires an\nauthenticated NFS peer, but the malformed-file-handle class is\nreportable as hardening next to the existing CVE-2025-37780 fix.\n\nReject block \u003e= ISOFS_SB(sb)-\u003es_nzones in isofs_export_iget() so\nthe check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()\ncall sites with a single line."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:13.681Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee0024f5a7e3c73aa253869fae9650ae054093ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/31dbb4ba0f719ae7774e4c0c95172c9bf81692f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/908a76f0b1038035e6ebb4f2293ce079f92e0a02"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb0988ed4f2e26d59bbb58f644cb3a55b7521e21"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a1af74ae2177bda3aee0837a0546309aa539d0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/24376458138387fb251e782e624c7776e9826796"
        }
      ],
      "title": "isofs: validate block number from NFS file handle in isofs_export_iget",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46124",
    "datePublished": "2026-05-28T09:35:38.887Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:56:13.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48562 (GCVE-0-2026-48562)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48562",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:22:53.673924Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:31:30.357Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:27.575Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48562"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-48562",
    "datePublished": "2026-06-09T17:05:52.375Z",
    "dateReserved": "2026-05-21T20:00:35.245Z",
    "dateUpdated": "2026-06-16T18:18:27.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46161 (GCVE-0-2026-46161)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix divide-by-zero in setup_geo() with zero far_copies setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the "improved" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero. Validate nc and fc immediately after extraction, returning -1 if either is zero.

References

URL

Tags

	https://git.kernel.org/stable/c/0b43a70394ce492274e67463326be03e0a9897c5
	https://git.kernel.org/stable/c/c716ab3034f84f8a6c226814247b8c5ac9f95da1
	https://git.kernel.org/stable/c/553e32adfa1a96b217651139a3f8c3b92b9984ac
	https://git.kernel.org/stable/c/4af2e558e6fdfb972c61350653fd55d1f62b60a5
	https://git.kernel.org/stable/c/9d8e03b9a2b1e8ce5c198bf3a409a629f4d02cda
	https://git.kernel.org/stable/c/913d556e4bd1b56ed822815655b82c7bb54edc51
	https://git.kernel.org/stable/c/f9ddb621b2325eb69c95692958daf2bab4dea2c4
	https://git.kernel.org/stable/c/9aa6d860b0930e2f72795665c42c44252a558a0c

Impacted products

Vendor

Product

Version

Version: 475901aff15841fb0a81e7546517407779a9b061
Version: 475901aff15841fb0a81e7546517407779a9b061
Version: 475901aff15841fb0a81e7546517407779a9b061
Version: 475901aff15841fb0a81e7546517407779a9b061
Version: 475901aff15841fb0a81e7546517407779a9b061
Version: 475901aff15841fb0a81e7546517407779a9b061
Version: 475901aff15841fb0a81e7546517407779a9b061
Version: 475901aff15841fb0a81e7546517407779a9b061

Version: 3.9

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45465

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid10.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b43a70394ce492274e67463326be03e0a9897c5",
              "status": "affected",
              "version": "475901aff15841fb0a81e7546517407779a9b061",
              "versionType": "git"
            },
            {
              "lessThan": "c716ab3034f84f8a6c226814247b8c5ac9f95da1",
              "status": "affected",
              "version": "475901aff15841fb0a81e7546517407779a9b061",
              "versionType": "git"
            },
            {
              "lessThan": "553e32adfa1a96b217651139a3f8c3b92b9984ac",
              "status": "affected",
              "version": "475901aff15841fb0a81e7546517407779a9b061",
              "versionType": "git"
            },
            {
              "lessThan": "4af2e558e6fdfb972c61350653fd55d1f62b60a5",
              "status": "affected",
              "version": "475901aff15841fb0a81e7546517407779a9b061",
              "versionType": "git"
            },
            {
              "lessThan": "9d8e03b9a2b1e8ce5c198bf3a409a629f4d02cda",
              "status": "affected",
              "version": "475901aff15841fb0a81e7546517407779a9b061",
              "versionType": "git"
            },
            {
              "lessThan": "913d556e4bd1b56ed822815655b82c7bb54edc51",
              "status": "affected",
              "version": "475901aff15841fb0a81e7546517407779a9b061",
              "versionType": "git"
            },
            {
              "lessThan": "f9ddb621b2325eb69c95692958daf2bab4dea2c4",
              "status": "affected",
              "version": "475901aff15841fb0a81e7546517407779a9b061",
              "versionType": "git"
            },
            {
              "lessThan": "9aa6d860b0930e2f72795665c42c44252a558a0c",
              "status": "affected",
              "version": "475901aff15841fb0a81e7546517407779a9b061",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid10.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix divide-by-zero in setup_geo() with zero far_copies\n\nsetup_geo() extracts near_copies (nc) and far_copies (fc) from the\nuser-provided layout parameter without checking for zero. When fc=0\nwith the \"improved\" far set layout selected, \u0027geo-\u003efar_set_size =\ndisks / fc\u0027 triggers a divide-by-zero.\n\nValidate nc and fc immediately after extraction, returning -1 if\neither is zero."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:59:07.789Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b43a70394ce492274e67463326be03e0a9897c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c716ab3034f84f8a6c226814247b8c5ac9f95da1"
        },
        {
          "url": "https://git.kernel.org/stable/c/553e32adfa1a96b217651139a3f8c3b92b9984ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/4af2e558e6fdfb972c61350653fd55d1f62b60a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d8e03b9a2b1e8ce5c198bf3a409a629f4d02cda"
        },
        {
          "url": "https://git.kernel.org/stable/c/913d556e4bd1b56ed822815655b82c7bb54edc51"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9ddb621b2325eb69c95692958daf2bab4dea2c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9aa6d860b0930e2f72795665c42c44252a558a0c"
        }
      ],
      "title": "md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46161",
    "datePublished": "2026-05-28T09:36:16.428Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:59:07.789Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45465 (GCVE-0-2026-45465)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45465",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:22:51.696892Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:31:44.859Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:05.068Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45465"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45465",
    "datePublished": "2026-06-09T17:05:27.035Z",
    "dateReserved": "2026-05-12T16:06:43.098Z",
    "dateUpdated": "2026-06-16T18:18:05.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45842 (GCVE-0-2026-45842)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: slip: reject VJ receive packets on instances with no rstate array slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress). The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate. The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519) Call Trace: <TASK> ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466) ppp_input (drivers/net/ppp/ppp_generic.c:2359) ppp_async_process (drivers/net/ppp/ppp_async.c:492) tasklet_action_common (kernel/softirq.c:926) handle_softirqs (kernel/softirq.c:623) run_ksoftirqd (kernel/softirq.c:1055) smpboot_thread_fn (kernel/smpboot.c:160) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:164) </TASK> Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet. The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.

References

URL

Tags

	https://git.kernel.org/stable/c/3d71c961febddd855d3ae9a519eeb96c8023f430
	https://git.kernel.org/stable/c/72304fec672e8aac9ee7b9c475db96b37cca8d8d
	https://git.kernel.org/stable/c/4aa9eca6fda2919027dfd7a7cc69334982d89586
	https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1
	https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301
	https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf
	https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152
	https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e

Impacted products

Vendor

Product

Version

Version: 4ab42d78e37a294ac7bc56901d563c642e03c4ae
Version: 4ab42d78e37a294ac7bc56901d563c642e03c4ae
Version: 4ab42d78e37a294ac7bc56901d563c642e03c4ae
Version: 4ab42d78e37a294ac7bc56901d563c642e03c4ae
Version: 4ab42d78e37a294ac7bc56901d563c642e03c4ae
Version: 4ab42d78e37a294ac7bc56901d563c642e03c4ae
Version: 4ab42d78e37a294ac7bc56901d563c642e03c4ae
Version: 4ab42d78e37a294ac7bc56901d563c642e03c4ae
Version: 42fc512469e78939c1e419d3310c47de55bdcbb8
Version: df085f1cb3acd3d75408ff94f366983873bce7d2
Version: a1c3860d3c5fc62bd35f089bcb03f18a37242de9
Version: f82699de104eaf8a7ffc2849a566a94818dd8a3c
Version: 354b254af5c1350de9586af75fe5a821b35bfb33
Version: 5148857f5d4c812cc918cf4627f7880521e987eb
Version: 82185755d90c8047c6f4b589c39998ff3d4ca3ad
Version: a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d
Version: 6b4fa561e26526c62636414d267342c945084f44
Version: 2.6.32.70   ≤
Version: 3.2.75   ≤
Version: 3.4.111   ≤
Version: 3.10.96   ≤
Version: 3.12.53   ≤
Version: 3.14.60   ≤
Version: 3.18.27   ≤
Version: 4.1.17   ≤
Version: 4.3.5   ≤

Version: 4.4

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/slip/slhc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3d71c961febddd855d3ae9a519eeb96c8023f430",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "72304fec672e8aac9ee7b9c475db96b37cca8d8d",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "4aa9eca6fda2919027dfd7a7cc69334982d89586",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "c6980e8b1a86288167f34966fa5219031999b6f1",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "de42f86e2cf5028a97e74c25869d1a962b13c301",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "9e1ff0eead073c4f46d874ad2526b7dda5465faf",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "7b0d9e878ec2b21d99ae8051b3dda59cdb66c152",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "e76607442d5b73e1ba6768f501ef815bb58c2c0e",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "42fc512469e78939c1e419d3310c47de55bdcbb8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "df085f1cb3acd3d75408ff94f366983873bce7d2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a1c3860d3c5fc62bd35f089bcb03f18a37242de9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f82699de104eaf8a7ffc2849a566a94818dd8a3c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "354b254af5c1350de9586af75fe5a821b35bfb33",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5148857f5d4c812cc918cf4627f7880521e987eb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "82185755d90c8047c6f4b589c39998ff3d4ca3ad",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6b4fa561e26526c62636414d267342c945084f44",
              "versionType": "git"
            },
            {
              "lessThan": "2.6.33",
              "status": "affected",
              "version": "2.6.32.70",
              "versionType": "semver"
            },
            {
              "lessThan": "3.3",
              "status": "affected",
              "version": "3.2.75",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5",
              "status": "affected",
              "version": "3.4.111",
              "versionType": "semver"
            },
            {
              "lessThan": "3.11",
              "status": "affected",
              "version": "3.10.96",
              "versionType": "semver"
            },
            {
              "lessThan": "3.13",
              "status": "affected",
              "version": "3.12.53",
              "versionType": "semver"
            },
            {
              "lessThan": "3.15",
              "status": "affected",
              "version": "3.14.60",
              "versionType": "semver"
            },
            {
              "lessThan": "3.19",
              "status": "affected",
              "version": "3.18.27",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2",
              "status": "affected",
              "version": "4.1.17",
              "versionType": "semver"
            },
            {
              "lessThan": "4.4",
              "status": "affected",
              "version": "4.3.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/slip/slhc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.32.70",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.111",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.96",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.53",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.1.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of \u0027no receive compression\u0027. In that case the\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n       address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n  \u003cTASK\u003e\n  ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n  ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n  ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n  tasklet_action_common (kernel/softirq.c:926)\n  handle_softirqs (kernel/softirq.c:623)\n  run_ksoftirqd (kernel/softirq.c:1055)\n  smpboot_thread_fn (kernel/smpboot.c:160)\n  kthread (kernel/kthread.c:436)\n  ret_from_fork (arch/x86/kernel/process.c:164)\n  \u003c/TASK\u003e\n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\nand slhc_compress() continues to work."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:17.557Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3d71c961febddd855d3ae9a519eeb96c8023f430"
        },
        {
          "url": "https://git.kernel.org/stable/c/72304fec672e8aac9ee7b9c475db96b37cca8d8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4aa9eca6fda2919027dfd7a7cc69334982d89586"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152"
        },
        {
          "url": "https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e"
        }
      ],
      "title": "slip: reject VJ receive packets on instances with no rstate array",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45842",
    "datePublished": "2026-05-27T09:24:42.637Z",
    "dateReserved": "2026-05-13T15:03:33.078Z",
    "dateUpdated": "2026-06-14T17:46:17.557Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46051 (GCVE-0-2026-46051)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:50

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix soft lockup in retry_aligned_read() When retry_aligned_read() encounters an overlapped stripe, it releases the stripe via raid5_release_stripe() which puts it on the lockless released_stripes llist. In the next raid5d loop iteration, release_stripe_list() drains the stripe onto handle_list (since STRIPE_HANDLE is set by the original IO), but retry_aligned_read() runs before handle_active_stripes() and removes the stripe from handle_list via find_get_stripe() -> list_del_init(). This prevents handle_stripe() from ever processing the stripe to resolve the overlap, causing an infinite loop and soft lockup. Fix this by using __release_stripe() with temp_inactive_list instead of raid5_release_stripe() in the failure path, so the stripe does not go through the released_stripes llist. This allows raid5d to break out of its loop, and the overlap will be resolved when the stripe is eventually processed by handle_stripe().

References

URL

Tags

	https://git.kernel.org/stable/c/66df9f30673db66ac35145820a8e24906069ae57
	https://git.kernel.org/stable/c/4166d5234fe8b6c3c7f796a6c198605356c5b355
	https://git.kernel.org/stable/c/a9055300e07d9d6800264d3c2560e1d0144689ca
	https://git.kernel.org/stable/c/09880592f5a9dc73377d6eb5ac123537b5f8df49
	https://git.kernel.org/stable/c/80fc6ca2cbde018d52e13f305edcd643911bd94b
	https://git.kernel.org/stable/c/1985cb3247e87ff6b8ca4bc5f9626f4f51024507
	https://git.kernel.org/stable/c/883cc33b7af1c448663287f069ef9dfea001e90f
	https://git.kernel.org/stable/c/7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc

Impacted products

Vendor

Product

Version

Version: 773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6
Version: 773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6
Version: 773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6
Version: 773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6
Version: 773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6
Version: 773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6
Version: 773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6
Version: 773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6

Version: 3.12

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48560

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid5.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "66df9f30673db66ac35145820a8e24906069ae57",
              "status": "affected",
              "version": "773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6",
              "versionType": "git"
            },
            {
              "lessThan": "4166d5234fe8b6c3c7f796a6c198605356c5b355",
              "status": "affected",
              "version": "773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6",
              "versionType": "git"
            },
            {
              "lessThan": "a9055300e07d9d6800264d3c2560e1d0144689ca",
              "status": "affected",
              "version": "773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6",
              "versionType": "git"
            },
            {
              "lessThan": "09880592f5a9dc73377d6eb5ac123537b5f8df49",
              "status": "affected",
              "version": "773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6",
              "versionType": "git"
            },
            {
              "lessThan": "80fc6ca2cbde018d52e13f305edcd643911bd94b",
              "status": "affected",
              "version": "773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6",
              "versionType": "git"
            },
            {
              "lessThan": "1985cb3247e87ff6b8ca4bc5f9626f4f51024507",
              "status": "affected",
              "version": "773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6",
              "versionType": "git"
            },
            {
              "lessThan": "883cc33b7af1c448663287f069ef9dfea001e90f",
              "status": "affected",
              "version": "773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6",
              "versionType": "git"
            },
            {
              "lessThan": "7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc",
              "status": "affected",
              "version": "773ca82fa1ee58dd1bf88b6a5ca385ec83a2cac6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid5.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix soft lockup in retry_aligned_read()\n\nWhen retry_aligned_read() encounters an overlapped stripe, it releases\nthe stripe via raid5_release_stripe() which puts it on the lockless\nreleased_stripes llist. In the next raid5d loop iteration,\nrelease_stripe_list() drains the stripe onto handle_list (since\nSTRIPE_HANDLE is set by the original IO), but retry_aligned_read()\nruns before handle_active_stripes() and removes the stripe from\nhandle_list via find_get_stripe() -\u003e list_del_init(). This prevents\nhandle_stripe() from ever processing the stripe to resolve the\noverlap, causing an infinite loop and soft lockup.\n\nFix this by using __release_stripe() with temp_inactive_list instead\nof raid5_release_stripe() in the failure path, so the stripe does not\ngo through the released_stripes llist. This allows raid5d to break out\nof its loop, and the overlap will be resolved when the stripe is\neventually processed by handle_stripe()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:46.976Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/66df9f30673db66ac35145820a8e24906069ae57"
        },
        {
          "url": "https://git.kernel.org/stable/c/4166d5234fe8b6c3c7f796a6c198605356c5b355"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9055300e07d9d6800264d3c2560e1d0144689ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/09880592f5a9dc73377d6eb5ac123537b5f8df49"
        },
        {
          "url": "https://git.kernel.org/stable/c/80fc6ca2cbde018d52e13f305edcd643911bd94b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1985cb3247e87ff6b8ca4bc5f9626f4f51024507"
        },
        {
          "url": "https://git.kernel.org/stable/c/883cc33b7af1c448663287f069ef9dfea001e90f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc"
        }
      ],
      "title": "md/raid5: fix soft lockup in retry_aligned_read()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46051",
    "datePublished": "2026-05-27T12:57:09.274Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:46.976Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48560 (GCVE-0-2026-48560)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45456

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48560",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T17:48:44.763713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T17:48:51.488Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:26.987Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48560"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-48560",
    "datePublished": "2026-06-09T17:05:51.708Z",
    "dateReserved": "2026-05-21T20:00:35.245Z",
    "dateUpdated": "2026-06-16T18:18:26.987Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45456 (GCVE-0-2026-45456)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Summary

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office 365 for Mac	Version: -
Microsoft	Microsoft Office LTSC 2021	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC 2024	Version: 16.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC for Mac 2021	Version: -
Microsoft	Microsoft Office LTSC for Mac 2024	Version: -
Microsoft	Microsoft SharePoint Enterprise Server 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384
Microsoft	Microsoft Word 2016	Version: 16.0.1 < 16.0.5556.1000

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45456",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:56:17.462457Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:29:52.574Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office 365 for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Word 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1000",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.5556.1000",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Access of resource using incompatible type (\u0027type confusion\u0027) in Microsoft Office allows an unauthorized attacker to execute code locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-843",
              "description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:20.096Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Outlook and Word Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45456"
        }
      ],
      "title": "Microsoft Outlook and Word Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45456",
    "datePublished": "2026-06-09T17:04:36.685Z",
    "dateReserved": "2026-05-12T16:06:43.097Z",
    "dateUpdated": "2026-06-16T18:17:20.096Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46023 (GCVE-0-2026-46023)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: dm mirror: fix integer overflow in create_dirty_log() The argument count calculation in create_dirty_log() performs `*args_used = 2 + param_count` before validating against argc. When a user provides a param_count close to UINT_MAX via the device mapper table string, this unsigned addition wraps around to a small value, causing the subsequent `argc < *args_used` check to be bypassed. The overflowed param_count is then passed as argc to dm_dirty_log_create(), where it can cause out-of-bounds reads on the argv array. Fix by comparing param_count against argc - 2 before performing the addition, following the same pattern used by parse_features() in the same file. Since argc >= 2 is already guaranteed, the subtraction is safe.

References

URL

Tags

	https://git.kernel.org/stable/c/e5e0ae3237584ebef510366c4cb3d5cc7c22b610
	https://git.kernel.org/stable/c/249c831183fb806c8e3b14c7c4c1d2fb68cf37fb
	https://git.kernel.org/stable/c/ae59b3025609d5a0a39cf5b2b94e2467f6231573
	https://git.kernel.org/stable/c/35f6b3281efd44d19110574663bc17a610bc73b9
	https://git.kernel.org/stable/c/47dad9eea75d33212d3d2cea10e7ed6a1bfc0713
	https://git.kernel.org/stable/c/87c99a50e0fdc68a5b9b52a94d49452cd3ff02ca
	https://git.kernel.org/stable/c/17a08791d428885d00e510864283a7b839792368
	https://git.kernel.org/stable/c/4c788c6f921b22f9b6c3f316c4a071c05683e7de

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-raid1.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e5e0ae3237584ebef510366c4cb3d5cc7c22b610",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "249c831183fb806c8e3b14c7c4c1d2fb68cf37fb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ae59b3025609d5a0a39cf5b2b94e2467f6231573",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "35f6b3281efd44d19110574663bc17a610bc73b9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "47dad9eea75d33212d3d2cea10e7ed6a1bfc0713",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "87c99a50e0fdc68a5b9b52a94d49452cd3ff02ca",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "17a08791d428885d00e510864283a7b839792368",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c788c6f921b22f9b6c3f316c4a071c05683e7de",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-raid1.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm mirror: fix integer overflow in create_dirty_log()\n\nThe argument count calculation in create_dirty_log() performs\n`*args_used = 2 + param_count` before validating against argc. When a\nuser provides a param_count close to UINT_MAX via the device mapper\ntable string, this unsigned addition wraps around to a small value,\ncausing the subsequent `argc \u003c *args_used` check to be bypassed.\n\nThe overflowed param_count is then passed as argc to dm_dirty_log_create(),\nwhere it can cause out-of-bounds reads on the argv array.\n\nFix by comparing param_count against argc - 2 before performing the\naddition, following the same pattern used by parse_features() in the\nsame file. Since argc \u003e= 2 is already guaranteed, the subtraction is\nsafe."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:40.907Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e5e0ae3237584ebef510366c4cb3d5cc7c22b610"
        },
        {
          "url": "https://git.kernel.org/stable/c/249c831183fb806c8e3b14c7c4c1d2fb68cf37fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae59b3025609d5a0a39cf5b2b94e2467f6231573"
        },
        {
          "url": "https://git.kernel.org/stable/c/35f6b3281efd44d19110574663bc17a610bc73b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/47dad9eea75d33212d3d2cea10e7ed6a1bfc0713"
        },
        {
          "url": "https://git.kernel.org/stable/c/87c99a50e0fdc68a5b9b52a94d49452cd3ff02ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/17a08791d428885d00e510864283a7b839792368"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c788c6f921b22f9b6c3f316c4a071c05683e7de"
        }
      ],
      "title": "dm mirror: fix integer overflow in create_dirty_log()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46023",
    "datePublished": "2026-05-27T12:56:28.756Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:48:40.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46122 (GCVE-0-2026-46122)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: b43: enforce bounds check on firmware key index in b43_rx() The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read. Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.

References

URL

Tags

	https://git.kernel.org/stable/c/135cb49c9a42a02cceeac7b49ec03e267f7ed6d6
	https://git.kernel.org/stable/c/3157ad40b084a8f3932da2641749ab45e99b933e
	https://git.kernel.org/stable/c/765709720e6af9a178abc40244a8d1aa39ac4e71
	https://git.kernel.org/stable/c/c3d7b90dc95020cd9282c4630e402fe224f7644e
	https://git.kernel.org/stable/c/1e9e55cf66f0fa4799f4d86ef3aaba8e606b5c14
	https://git.kernel.org/stable/c/d7029879bafdac2006c67553807d122283dc6cbf
	https://git.kernel.org/stable/c/219ba67e69e49681e48c822d6eaafb5def032f34
	https://git.kernel.org/stable/c/1f4f78bf8549e6ac4f04fba4176854f3a6e0c332

Impacted products

Vendor

Product

Version

Version: e4d6b7951812d98417feb10784e400e253caf633
Version: e4d6b7951812d98417feb10784e400e253caf633
Version: e4d6b7951812d98417feb10784e400e253caf633
Version: e4d6b7951812d98417feb10784e400e253caf633
Version: e4d6b7951812d98417feb10784e400e253caf633
Version: e4d6b7951812d98417feb10784e400e253caf633
Version: e4d6b7951812d98417feb10784e400e253caf633
Version: e4d6b7951812d98417feb10784e400e253caf633

Version: 2.6.24

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/b43/xmit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "135cb49c9a42a02cceeac7b49ec03e267f7ed6d6",
              "status": "affected",
              "version": "e4d6b7951812d98417feb10784e400e253caf633",
              "versionType": "git"
            },
            {
              "lessThan": "3157ad40b084a8f3932da2641749ab45e99b933e",
              "status": "affected",
              "version": "e4d6b7951812d98417feb10784e400e253caf633",
              "versionType": "git"
            },
            {
              "lessThan": "765709720e6af9a178abc40244a8d1aa39ac4e71",
              "status": "affected",
              "version": "e4d6b7951812d98417feb10784e400e253caf633",
              "versionType": "git"
            },
            {
              "lessThan": "c3d7b90dc95020cd9282c4630e402fe224f7644e",
              "status": "affected",
              "version": "e4d6b7951812d98417feb10784e400e253caf633",
              "versionType": "git"
            },
            {
              "lessThan": "1e9e55cf66f0fa4799f4d86ef3aaba8e606b5c14",
              "status": "affected",
              "version": "e4d6b7951812d98417feb10784e400e253caf633",
              "versionType": "git"
            },
            {
              "lessThan": "d7029879bafdac2006c67553807d122283dc6cbf",
              "status": "affected",
              "version": "e4d6b7951812d98417feb10784e400e253caf633",
              "versionType": "git"
            },
            {
              "lessThan": "219ba67e69e49681e48c822d6eaafb5def032f34",
              "status": "affected",
              "version": "e4d6b7951812d98417feb10784e400e253caf633",
              "versionType": "git"
            },
            {
              "lessThan": "1f4f78bf8549e6ac4f04fba4176854f3a6e0c332",
              "status": "affected",
              "version": "e4d6b7951812d98417feb10784e400e253caf633",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/b43/xmit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.24"
            },
            {
              "lessThan": "2.6.24",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: b43: enforce bounds check on firmware key index in b43_rx()\n\nThe firmware-controlled key index in b43_rx() can exceed the dev-\u003ekey[]\narray size (58 entries). The existing B43_WARN_ON is non-enforcing in\nproduction builds, allowing an out-of-bounds read.\n\nMake the B43_WARN_ON check enforcing by dropping the frame when the\nfirmware returns an invalid key index."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:03.781Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/135cb49c9a42a02cceeac7b49ec03e267f7ed6d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3157ad40b084a8f3932da2641749ab45e99b933e"
        },
        {
          "url": "https://git.kernel.org/stable/c/765709720e6af9a178abc40244a8d1aa39ac4e71"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3d7b90dc95020cd9282c4630e402fe224f7644e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e9e55cf66f0fa4799f4d86ef3aaba8e606b5c14"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7029879bafdac2006c67553807d122283dc6cbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/219ba67e69e49681e48c822d6eaafb5def032f34"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f4f78bf8549e6ac4f04fba4176854f3a6e0c332"
        }
      ],
      "title": "wifi: b43: enforce bounds check on firmware key index in b43_rx()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46122",
    "datePublished": "2026-05-28T09:35:37.141Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:56:03.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45838 (GCVE-0-2026-45838)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.

References

URL

Tags

	https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3
	https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a
	https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6
	https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b
	https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af
	https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377
	https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f
	https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7

Impacted products

Vendor

Product

Version

Version: de9cbbaadba5adf88a19e46df61f7054000838f6
Version: de9cbbaadba5adf88a19e46df61f7054000838f6
Version: de9cbbaadba5adf88a19e46df61f7054000838f6
Version: de9cbbaadba5adf88a19e46df61f7054000838f6
Version: de9cbbaadba5adf88a19e46df61f7054000838f6
Version: de9cbbaadba5adf88a19e46df61f7054000838f6
Version: de9cbbaadba5adf88a19e46df61f7054000838f6
Version: de9cbbaadba5adf88a19e46df61f7054000838f6

Version: 4.19

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/local_storage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0f3d9dd5e1fd52b39e25328307c6a694e994ffe3",
              "status": "affected",
              "version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
              "versionType": "git"
            },
            {
              "lessThan": "26d3339e465e54107bd85884341d1609c5300d6a",
              "status": "affected",
              "version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
              "versionType": "git"
            },
            {
              "lessThan": "2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6",
              "status": "affected",
              "version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
              "versionType": "git"
            },
            {
              "lessThan": "b4b5a20bed82130da2f2818f04d52378952fbd0b",
              "status": "affected",
              "version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
              "versionType": "git"
            },
            {
              "lessThan": "85a2f30e40f7468db732f55659bc6318874f49af",
              "status": "affected",
              "version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
              "versionType": "git"
            },
            {
              "lessThan": "32ce55d424395904986f5066f8755f6cb9993377",
              "status": "affected",
              "version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
              "versionType": "git"
            },
            {
              "lessThan": "fc39753b7f92e09177777e9c648afe5aa3abb81f",
              "status": "affected",
              "version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
              "versionType": "git"
            },
            {
              "lessThan": "5828b9e5b272ecff7cf5d345128d3de7324117f7",
              "status": "affected",
              "version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/local_storage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix end-of-list detection in cgroup_storage_get_next_key()\n\nlist_next_entry() never returns NULL -- when the current element is the\nlast entry it wraps to the list head via container_of(). The subsequent\nNULL check is therefore dead code and get_next_key() never returns\n-ENOENT for the last element, instead reading storage-\u003ekey from a bogus\npointer that aliases internal map fields and copying the result to\nuserspace.\n\nReplace it with list_entry_is_head() so the function correctly returns\n-ENOENT when there are no more entries."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:05.613Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3"
        },
        {
          "url": "https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af"
        },
        {
          "url": "https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7"
        }
      ],
      "title": "bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45838",
    "datePublished": "2026-05-27T09:24:36.561Z",
    "dateReserved": "2026-05-13T15:03:33.077Z",
    "dateUpdated": "2026-06-14T17:46:05.613Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46015 (GCVE-0-2026-46015)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp: call sk_data_ready() after listener migration When inet_csk_listen_stop() migrates an established child socket from a closing listener to another socket in the same SO_REUSEPORT group, the target listener gets a new accept-queue entry via inet_csk_reqsk_queue_add(), but that path never notifies the target listener's waiters. A nonblocking accept() still works because it checks the queue directly, but poll()/epoll_wait() waiters and blocking accept() callers can also remain asleep indefinitely. Call READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration in inet_csk_listen_stop(). However, after inet_csk_reqsk_queue_add() succeeds, the ref acquired in reuseport_migrate_sock() is effectively transferred to nreq->rsk_listener. Another CPU can then dequeue nreq via accept() or listener shutdown, hit reqsk_put(), and drop that listener ref. Since listeners are SOCK_RCU_FREE, wrap the post-queue_add() dereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also covers the existing sock_net(nsk) access in that path. The reqsk_timer_handler() path does not need the same changes for two reasons: half-open requests become readable only after the final ACK, where tcp_child_process() already wakes the listener; and once nreq is visible via inet_ehash_insert(), the success path no longer touches nsk directly.

References

URL

Tags

	https://git.kernel.org/stable/c/7aa7933a5607b1e5b56f322d17265c1d0ea02c51
	https://git.kernel.org/stable/c/14e9bb6eba8f59dcc637702e4744ae5e30660d76
	https://git.kernel.org/stable/c/ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b
	https://git.kernel.org/stable/c/bebd058ef40c67a81fe6d9ee8beaa4ede90e0704
	https://git.kernel.org/stable/c/83bb57635d7cbafde32f865b577ecfd969f02337
	https://git.kernel.org/stable/c/12625b4da84caf4d84a04988710a7b9bcf702b18
	https://git.kernel.org/stable/c/3864c6ba1e041bc75342353a70fa2a2c6f909923

Impacted products

Vendor

Product

Version

Version: 54b92e84193749c9968aff2dd46e3b0f42643e18
Version: 54b92e84193749c9968aff2dd46e3b0f42643e18
Version: 54b92e84193749c9968aff2dd46e3b0f42643e18
Version: 54b92e84193749c9968aff2dd46e3b0f42643e18
Version: 54b92e84193749c9968aff2dd46e3b0f42643e18
Version: 54b92e84193749c9968aff2dd46e3b0f42643e18
Version: 54b92e84193749c9968aff2dd46e3b0f42643e18

Version: 5.14

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/inet_connection_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7aa7933a5607b1e5b56f322d17265c1d0ea02c51",
              "status": "affected",
              "version": "54b92e84193749c9968aff2dd46e3b0f42643e18",
              "versionType": "git"
            },
            {
              "lessThan": "14e9bb6eba8f59dcc637702e4744ae5e30660d76",
              "status": "affected",
              "version": "54b92e84193749c9968aff2dd46e3b0f42643e18",
              "versionType": "git"
            },
            {
              "lessThan": "ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b",
              "status": "affected",
              "version": "54b92e84193749c9968aff2dd46e3b0f42643e18",
              "versionType": "git"
            },
            {
              "lessThan": "bebd058ef40c67a81fe6d9ee8beaa4ede90e0704",
              "status": "affected",
              "version": "54b92e84193749c9968aff2dd46e3b0f42643e18",
              "versionType": "git"
            },
            {
              "lessThan": "83bb57635d7cbafde32f865b577ecfd969f02337",
              "status": "affected",
              "version": "54b92e84193749c9968aff2dd46e3b0f42643e18",
              "versionType": "git"
            },
            {
              "lessThan": "12625b4da84caf4d84a04988710a7b9bcf702b18",
              "status": "affected",
              "version": "54b92e84193749c9968aff2dd46e3b0f42643e18",
              "versionType": "git"
            },
            {
              "lessThan": "3864c6ba1e041bc75342353a70fa2a2c6f909923",
              "status": "affected",
              "version": "54b92e84193749c9968aff2dd46e3b0f42643e18",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/inet_connection_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: call sk_data_ready() after listener migration\n\nWhen inet_csk_listen_stop() migrates an established child socket from\na closing listener to another socket in the same SO_REUSEPORT group,\nthe target listener gets a new accept-queue entry via\ninet_csk_reqsk_queue_add(), but that path never notifies the target\nlistener\u0027s waiters. A nonblocking accept() still works because it\nchecks the queue directly, but poll()/epoll_wait() waiters and\nblocking accept() callers can also remain asleep indefinitely.\n\nCall READ_ONCE(nsk-\u003esk_data_ready)(nsk) after a successful migration\nin inet_csk_listen_stop().\n\nHowever, after inet_csk_reqsk_queue_add() succeeds, the ref acquired\nin reuseport_migrate_sock() is effectively transferred to\nnreq-\u003ersk_listener. Another CPU can then dequeue nreq via accept()\nor listener shutdown, hit reqsk_put(), and drop that listener ref.\nSince listeners are SOCK_RCU_FREE, wrap the post-queue_add()\ndereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also\ncovers the existing sock_net(nsk) access in that path.\n\nThe reqsk_timer_handler() path does not need the same changes for two\nreasons: half-open requests become readable only after the final ACK,\nwhere tcp_child_process() already wakes the listener; and once nreq is\nvisible via inet_ehash_insert(), the success path no longer touches\nnsk directly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:06.517Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7aa7933a5607b1e5b56f322d17265c1d0ea02c51"
        },
        {
          "url": "https://git.kernel.org/stable/c/14e9bb6eba8f59dcc637702e4744ae5e30660d76"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bebd058ef40c67a81fe6d9ee8beaa4ede90e0704"
        },
        {
          "url": "https://git.kernel.org/stable/c/83bb57635d7cbafde32f865b577ecfd969f02337"
        },
        {
          "url": "https://git.kernel.org/stable/c/12625b4da84caf4d84a04988710a7b9bcf702b18"
        },
        {
          "url": "https://git.kernel.org/stable/c/3864c6ba1e041bc75342353a70fa2a2c6f909923"
        }
      ],
      "title": "tcp: call sk_data_ready() after listener migration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46015",
    "datePublished": "2026-05-27T12:56:17.249Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:48:06.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46233 (GCVE-0-2026-46233)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:04

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: only purge non-released claims When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.

References

URL

Tags

	https://git.kernel.org/stable/c/a9f58d5e3261f3deeae69ec1e237f38ef3ff5cbe
	https://git.kernel.org/stable/c/6725c523a35eeca611ff37e7d4a8712fae92aefd
	https://git.kernel.org/stable/c/afb5436f6028fd68f408f189230fbaa19c910d72
	https://git.kernel.org/stable/c/7b8fbcee3184d848b5aee085ca16d0cf05c9b641
	https://git.kernel.org/stable/c/7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe
	https://git.kernel.org/stable/c/b65365d2b1e6095c538d49baeb140dd1c166c1b3
	https://git.kernel.org/stable/c/ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d
	https://git.kernel.org/stable/c/cf6b604011591865ae39ac82de8978c1120d17af

Impacted products

Vendor

Product

Version

Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74
Version: 23721387c409087fd3b97e274f34d3ddc0970b74

Version: 3.5

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bridge_loop_avoidance.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9f58d5e3261f3deeae69ec1e237f38ef3ff5cbe",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "6725c523a35eeca611ff37e7d4a8712fae92aefd",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "afb5436f6028fd68f408f189230fbaa19c910d72",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "7b8fbcee3184d848b5aee085ca16d0cf05c9b641",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "b65365d2b1e6095c538d49baeb140dd1c166c1b3",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            },
            {
              "lessThan": "cf6b604011591865ae39ac82de8978c1120d17af",
              "status": "affected",
              "version": "23721387c409087fd3b97e274f34d3ddc0970b74",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bridge_loop_avoidance.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: only purge non-released claims\n\nWhen batadv_bla_purge_claims() goes through the list of claims, it is only\ntraversing the hash list with an rcu_read_lock(). Due to a potential\nparallel batadv_claim_put(), it can happen that it encounters a claim which\nwas actually in the process of being released+freed by\nbatadv_claim_release(). In this case, backbone_gw is set to NULL before the\ndelayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is\nthen no longer allowed because it would cause a NULL-ptr derefence.\n\nTo avoid this, only claims with a valid reference counter must be purged.\nAll others are already taken care of."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:36.157Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9f58d5e3261f3deeae69ec1e237f38ef3ff5cbe"
        },
        {
          "url": "https://git.kernel.org/stable/c/6725c523a35eeca611ff37e7d4a8712fae92aefd"
        },
        {
          "url": "https://git.kernel.org/stable/c/afb5436f6028fd68f408f189230fbaa19c910d72"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b8fbcee3184d848b5aee085ca16d0cf05c9b641"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe"
        },
        {
          "url": "https://git.kernel.org/stable/c/b65365d2b1e6095c538d49baeb140dd1c166c1b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf6b604011591865ae39ac82de8978c1120d17af"
        }
      ],
      "title": "batman-adv: bla: only purge non-released claims",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46233",
    "datePublished": "2026-05-28T09:40:55.019Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:04:36.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48962 (GCVE-0-2026-48962)

Vulnerability from cvelistv5

Published

2026-05-27 03:12

Modified

2026-05-27 16:02

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Summary

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.

References

URL

Tags

	https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch	patch
	https://metacpan.org/release/PMQS/IO-Compress-2.220/changes	release-notes

Impacted products

	Vendor	Product	Version
	PMQS	IO::Compress	Version: 0 < 2.220

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-27T07:24:58.630Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/27/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48962",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T16:01:45.845766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T16:02:15.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "IO-Compress",
          "product": "IO::Compress",
          "programFiles": [
            "lib/File/GlobMapper.pm"
          ],
          "programRoutines": [
            {
              "name": "File::GlobMapper::_parseOutputGlob"
            },
            {
              "name": "File::GlobMapper::_getFiles"
            }
          ],
          "repo": "https://github.com/pmqs/IO-Compress",
          "vendor": "PMQS",
          "versions": [
            {
              "lessThan": "2.220",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.\n\n_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.\n\nArbitrary Perl in the output glob executes at the calling process\u0027s privilege."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T03:12:38.974Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/PMQS/IO-Compress-2.220/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to IO-Compress 2.220 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-14T00:00:00.000Z",
          "value": "Issue reported."
        },
        {
          "lang": "en",
          "time": "2026-05-16T00:00:00.000Z",
          "value": "Version 2.220 released."
        }
      ],
      "title": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-48962",
    "datePublished": "2026-05-27T03:12:38.974Z",
    "dateReserved": "2026-05-26T18:09:32.365Z",
    "dateUpdated": "2026-05-27T16:02:15.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45986 (GCVE-0-2026-45986)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: ccree - fix a memory leak in cc_mac_digest() Add cc_unmap_result() if cc_map_hash_request_final() fails to prevent potential memory leak.

References

URL

Tags

	https://git.kernel.org/stable/c/7c21d58fcd6ad8e15a539347254093c93224a8b2
	https://git.kernel.org/stable/c/f53458c7c756b3e0838d51cf1e9f41b25079801a
	https://git.kernel.org/stable/c/7cd17993adb8a5d14a7e84d751316a5fdf0c251f
	https://git.kernel.org/stable/c/3061c9bfb3f5b3522ab174e2fa7473b24422d1c6
	https://git.kernel.org/stable/c/22f1dd4ca3bfe77db52cc7df3cc353dc114aab8b
	https://git.kernel.org/stable/c/910f335786a0a0f0b46c3c8c19a13d25cb4454b6
	https://git.kernel.org/stable/c/502440c235fe34cee02b24d7f893841f7565b3bc
	https://git.kernel.org/stable/c/02c64052fad03699b9c6d1df2f9b444d17e4ac50

Impacted products

Vendor

Product

Version

Version: 63893811b0fcb52f6eaf9811cc08bddd46f81c3e
Version: 63893811b0fcb52f6eaf9811cc08bddd46f81c3e
Version: 63893811b0fcb52f6eaf9811cc08bddd46f81c3e
Version: 63893811b0fcb52f6eaf9811cc08bddd46f81c3e
Version: 63893811b0fcb52f6eaf9811cc08bddd46f81c3e
Version: 63893811b0fcb52f6eaf9811cc08bddd46f81c3e
Version: 63893811b0fcb52f6eaf9811cc08bddd46f81c3e
Version: 63893811b0fcb52f6eaf9811cc08bddd46f81c3e

Version: 4.17

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26142

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/ccree/cc_hash.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7c21d58fcd6ad8e15a539347254093c93224a8b2",
              "status": "affected",
              "version": "63893811b0fcb52f6eaf9811cc08bddd46f81c3e",
              "versionType": "git"
            },
            {
              "lessThan": "f53458c7c756b3e0838d51cf1e9f41b25079801a",
              "status": "affected",
              "version": "63893811b0fcb52f6eaf9811cc08bddd46f81c3e",
              "versionType": "git"
            },
            {
              "lessThan": "7cd17993adb8a5d14a7e84d751316a5fdf0c251f",
              "status": "affected",
              "version": "63893811b0fcb52f6eaf9811cc08bddd46f81c3e",
              "versionType": "git"
            },
            {
              "lessThan": "3061c9bfb3f5b3522ab174e2fa7473b24422d1c6",
              "status": "affected",
              "version": "63893811b0fcb52f6eaf9811cc08bddd46f81c3e",
              "versionType": "git"
            },
            {
              "lessThan": "22f1dd4ca3bfe77db52cc7df3cc353dc114aab8b",
              "status": "affected",
              "version": "63893811b0fcb52f6eaf9811cc08bddd46f81c3e",
              "versionType": "git"
            },
            {
              "lessThan": "910f335786a0a0f0b46c3c8c19a13d25cb4454b6",
              "status": "affected",
              "version": "63893811b0fcb52f6eaf9811cc08bddd46f81c3e",
              "versionType": "git"
            },
            {
              "lessThan": "502440c235fe34cee02b24d7f893841f7565b3bc",
              "status": "affected",
              "version": "63893811b0fcb52f6eaf9811cc08bddd46f81c3e",
              "versionType": "git"
            },
            {
              "lessThan": "02c64052fad03699b9c6d1df2f9b444d17e4ac50",
              "status": "affected",
              "version": "63893811b0fcb52f6eaf9811cc08bddd46f81c3e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/ccree/cc_hash.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccree - fix a memory leak in cc_mac_digest()\n\nAdd cc_unmap_result() if cc_map_hash_request_final()\nfails to prevent potential memory leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:33.494Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7c21d58fcd6ad8e15a539347254093c93224a8b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/f53458c7c756b3e0838d51cf1e9f41b25079801a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cd17993adb8a5d14a7e84d751316a5fdf0c251f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3061c9bfb3f5b3522ab174e2fa7473b24422d1c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/22f1dd4ca3bfe77db52cc7df3cc353dc114aab8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/910f335786a0a0f0b46c3c8c19a13d25cb4454b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/502440c235fe34cee02b24d7f893841f7565b3bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/02c64052fad03699b9c6d1df2f9b444d17e4ac50"
        }
      ],
      "title": "crypto: ccree - fix a memory leak in cc_mac_digest()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45986",
    "datePublished": "2026-05-27T12:55:35.838Z",
    "dateReserved": "2026-05-13T15:03:33.090Z",
    "dateUpdated": "2026-06-14T17:46:33.494Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26142 (GCVE-0-2026-26142)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Nuance PowerScribe 360 4.0

Version: 4.0 < 7.0.11.49

Microsoft	Nuance PowerScribe 360 version 4.0.1	Version: 4.0.1 < 7.0.111.68
Microsoft	Nuance PowerScribe 360 version 4.0.2	Version: 4.0.2 < 7.0.154.18
Microsoft	Nuance PowerScribe 360 version 4.0.3	Version: 4.0.3 < 7.0.197.10
Microsoft	Nuance PowerScribe 360 version 4.0.4	Version: 4.0.4 < 7.0.212.10
Microsoft	Nuance PowerScribe 360 version 4.0.5	Version: 4.0.5 < 7.0.243.19
Microsoft	Nuance PowerScribe 360 version 4.0.6	Version: 4.0.6 < 7.0.277.28
Microsoft	Nuance PowerScribe 360 version 4.0.7	Version: 4.0.7 < 7.0.316.12
Microsoft	Nuance PowerScribe 360 version 4.0.8	Version: 4.0.8 < 7.0.427.15
Microsoft	Nuance PowerScribe 360 version 4.0.9	Version: 4.0.9 < 7.0.528.24
Microsoft	Nuance PowerScribe One version 2019.1	Version: 2019.1 < 2019.1.96.6
Microsoft	Nuance PowerScribe One version 2019.10	Version: 2019.10 < 2019.10.36.14
Microsoft	Nuance PowerScribe One version 2019.2	Version: 2019.2 < 2019.2.9.11
Microsoft	Nuance PowerScribe One version 2019.3	Version: 2019.3 < 2019.3.16.21
Microsoft	Nuance PowerScribe One version 2019.4	Version: 2019.4 < 2019.4.9.17
Microsoft	Nuance PowerScribe One version 2019.5	Version: 2019.5 < 2019.5.14.40
Microsoft	Nuance PowerScribe One version 2019.6	Version: 2019.6 < 2019.6.36.40
Microsoft	Nuance PowerScribe One version 2019.7	Version: 2019.7 < 2019.7.107.26
Microsoft	Nuance PowerScribe One version 2019.8	Version: 2019.8 < 2019.8.43.19
Microsoft	Nuance PowerScribe One version 2019.9	Version: 2019.9 < 2019.9.31.23
Microsoft	PowerScribe One version 2023.1 SP2 Patch 11	Version: 2023.1 < 2023.2.3054
Microsoft	PowerScribe One version 2023.1 SP3 Patch 6	Version: 2023.1 < 2023.3.9072

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:25:12.399806Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:31:57.026Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Nuance PowerScribe 360 4.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.11.49",
              "status": "affected",
              "version": "4.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.111.68",
              "status": "affected",
              "version": "4.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.154.18",
              "status": "affected",
              "version": "4.0.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.197.10",
              "status": "affected",
              "version": "4.0.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.4",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.212.10",
              "status": "affected",
              "version": "4.0.4",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.5",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.243.19",
              "status": "affected",
              "version": "4.0.5",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.6",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.277.28",
              "status": "affected",
              "version": "4.0.6",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.7",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.316.12",
              "status": "affected",
              "version": "4.0.7",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.8",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.427.15",
              "status": "affected",
              "version": "4.0.8",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe 360 version 4.0.9",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.528.24",
              "status": "affected",
              "version": "4.0.9",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.1.96.6",
              "status": "affected",
              "version": "2019.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.10",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.10.36.14",
              "status": "affected",
              "version": "2019.10",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.2.9.11",
              "status": "affected",
              "version": "2019.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.3.16.21",
              "status": "affected",
              "version": "2019.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.4",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.4.9.17",
              "status": "affected",
              "version": "2019.4",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.5",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.5.14.40",
              "status": "affected",
              "version": "2019.5",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.6",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.6.36.40",
              "status": "affected",
              "version": "2019.6",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.7",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.7.107.26",
              "status": "affected",
              "version": "2019.7",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.8",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.8.43.19",
              "status": "affected",
              "version": "2019.8",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Nuance PowerScribe One version 2019.9",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2019.9.31.23",
              "status": "affected",
              "version": "2019.9",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "PowerScribe One version 2023.1 SP2 Patch 11",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2023.2.3054",
              "status": "affected",
              "version": "2023.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "PowerScribe One version 2023.1 SP3 Patch 6",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2023.3.9072",
              "status": "affected",
              "version": "2023.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.243.19",
                  "versionStartIncluding": "4.0.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.277.28",
                  "versionStartIncluding": "4.0.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.316.12",
                  "versionStartIncluding": "4.0.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.427.15",
                  "versionStartIncluding": "4.0.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.528.24",
                  "versionStartIncluding": "4.0.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.1.96.6",
                  "versionStartIncluding": "2019.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.2.9.11",
                  "versionStartIncluding": "2019.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.3.16.21",
                  "versionStartIncluding": "2019.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.11.49",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.111.68",
                  "versionStartIncluding": "4.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.154.18",
                  "versionStartIncluding": "4.0.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.197.10",
                  "versionStartIncluding": "4.0.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.212.10",
                  "versionStartIncluding": "4.0.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.4.9.17",
                  "versionStartIncluding": "2019.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.5.14.40",
                  "versionStartIncluding": "2019.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.6.36.40",
                  "versionStartIncluding": "2019.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.7.107.26",
                  "versionStartIncluding": "2019.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.8.43.19",
                  "versionStartIncluding": "2019.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.9.31.23",
                  "versionStartIncluding": "2019.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2019.10.36.14",
                  "versionStartIncluding": "2019.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2023.2.3054",
                  "versionStartIncluding": "2023.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2023.3.9072",
                  "versionStartIncluding": "2023.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:56.017Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Nuance PowerScribe Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26142"
        }
      ],
      "title": "Nuance PowerScribe Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-26142",
    "datePublished": "2026-06-09T17:05:17.903Z",
    "dateReserved": "2026-02-11T16:24:51.134Z",
    "dateUpdated": "2026-06-16T18:17:56.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46155 (GCVE-0-2026-46155)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:58

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.

References

URL

Tags

	https://git.kernel.org/stable/c/dffb44b2e06a2908e249f0f93156fc987eee1d1c
	https://git.kernel.org/stable/c/9b3af35645ff9cd334edc130249f9a2fb2bea25f
	https://git.kernel.org/stable/c/512d33bc8ea4ea5c19728ee118715f4b1f4d1926
	https://git.kernel.org/stable/c/a16f70a71be4b5a4eccf39a9bf09b47285f4cb7c
	https://git.kernel.org/stable/c/8d09328dfda089675e4c049f3f256064a1d1996b

Impacted products

Vendor

Product

Version

Version: 7449d736bbbd160c76b01b8fcdf72f58a8757d4b
Version: ea41367b2a602f602ea6594fc4a310520dcc64f4
Version: ea41367b2a602f602ea6594fc4a310520dcc64f4
Version: ea41367b2a602f602ea6594fc4a310520dcc64f4
Version: ea41367b2a602f602ea6594fc4a310520dcc64f4
Version: 6.6.32 ≤

Version: 6.9

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dffb44b2e06a2908e249f0f93156fc987eee1d1c",
              "status": "affected",
              "version": "7449d736bbbd160c76b01b8fcdf72f58a8757d4b",
              "versionType": "git"
            },
            {
              "lessThan": "9b3af35645ff9cd334edc130249f9a2fb2bea25f",
              "status": "affected",
              "version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
              "versionType": "git"
            },
            {
              "lessThan": "512d33bc8ea4ea5c19728ee118715f4b1f4d1926",
              "status": "affected",
              "version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
              "versionType": "git"
            },
            {
              "lessThan": "a16f70a71be4b5a4eccf39a9bf09b47285f4cb7c",
              "status": "affected",
              "version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
              "versionType": "git"
            },
            {
              "lessThan": "8d09328dfda089675e4c049f3f256064a1d1996b",
              "status": "affected",
              "version": "ea41367b2a602f602ea6594fc4a310520dcc64f4",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.32",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix out-of-bounds read in smb2_compound_op()\n\nIf a server sends a truncated response but a large OutputBufferLength, and\nterminates the EA list early, check_wsl_eas() returns success without\nvalidating that the entire OutputBufferLength fits within iov_len.\n\nThen smb2_compound_op() does:\n    memcpy(idata-\u003ewsl.eas, data[0], size[0]);\n\nWhere size[0] is OutputBufferLength. If iov_len is smaller than size[0],\nmemcpy can read beyond the end of the rsp_iov allocation and leak adjacent\nkernel heap memory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:58:39.543Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dffb44b2e06a2908e249f0f93156fc987eee1d1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b3af35645ff9cd334edc130249f9a2fb2bea25f"
        },
        {
          "url": "https://git.kernel.org/stable/c/512d33bc8ea4ea5c19728ee118715f4b1f4d1926"
        },
        {
          "url": "https://git.kernel.org/stable/c/a16f70a71be4b5a4eccf39a9bf09b47285f4cb7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d09328dfda089675e4c049f3f256064a1d1996b"
        }
      ],
      "title": "smb/client: fix out-of-bounds read in smb2_compound_op()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46155",
    "datePublished": "2026-05-28T09:36:11.092Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:58:39.543Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45993 (GCVE-0-2026-45993)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: LoongArch: Add spectre boundry for syscall dispatch table The LoongArch syscall number is directly controlled by userspace, but does not have a array_index_nospec() boundry to prevent access past the syscall function pointer tables.

References

URL

Tags

	https://git.kernel.org/stable/c/108f2cd13577a410c0ad6ea00708596d9d0dfc90
	https://git.kernel.org/stable/c/07040904ad217545be096d4280ed33c02f6a3750
	https://git.kernel.org/stable/c/85cbf7fb568af5358aae61925c4e66b8f5e1439d
	https://git.kernel.org/stable/c/bc84a109c2082dd0c4b38e8d923c046b41977533
	https://git.kernel.org/stable/c/0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d

Impacted products

Vendor

Product

Version

Version: be769645a2aef577f07afdcb4de8fad20b6d57c0
Version: be769645a2aef577f07afdcb4de8fad20b6d57c0
Version: be769645a2aef577f07afdcb4de8fad20b6d57c0
Version: be769645a2aef577f07afdcb4de8fad20b6d57c0
Version: be769645a2aef577f07afdcb4de8fad20b6d57c0

Version: 5.19

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/loongarch/kernel/syscall.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "108f2cd13577a410c0ad6ea00708596d9d0dfc90",
              "status": "affected",
              "version": "be769645a2aef577f07afdcb4de8fad20b6d57c0",
              "versionType": "git"
            },
            {
              "lessThan": "07040904ad217545be096d4280ed33c02f6a3750",
              "status": "affected",
              "version": "be769645a2aef577f07afdcb4de8fad20b6d57c0",
              "versionType": "git"
            },
            {
              "lessThan": "85cbf7fb568af5358aae61925c4e66b8f5e1439d",
              "status": "affected",
              "version": "be769645a2aef577f07afdcb4de8fad20b6d57c0",
              "versionType": "git"
            },
            {
              "lessThan": "bc84a109c2082dd0c4b38e8d923c046b41977533",
              "status": "affected",
              "version": "be769645a2aef577f07afdcb4de8fad20b6d57c0",
              "versionType": "git"
            },
            {
              "lessThan": "0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d",
              "status": "affected",
              "version": "be769645a2aef577f07afdcb4de8fad20b6d57c0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/loongarch/kernel/syscall.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Add spectre boundry for syscall dispatch table\n\nThe LoongArch syscall number is directly controlled by userspace, but\ndoes not have a array_index_nospec() boundry to prevent access past the\nsyscall function pointer tables."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:52.200Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/108f2cd13577a410c0ad6ea00708596d9d0dfc90"
        },
        {
          "url": "https://git.kernel.org/stable/c/07040904ad217545be096d4280ed33c02f6a3750"
        },
        {
          "url": "https://git.kernel.org/stable/c/85cbf7fb568af5358aae61925c4e66b8f5e1439d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc84a109c2082dd0c4b38e8d923c046b41977533"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d"
        }
      ],
      "title": "LoongArch: Add spectre boundry for syscall dispatch table",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45993",
    "datePublished": "2026-05-27T12:55:46.480Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:46:52.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46159 (GCVE-0-2026-46159)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count. When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace. Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.

References

URL

Tags

	https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a
	https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3
	https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088
	https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641
	https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77

Impacted products

Vendor

Product

Version

Version: 7fde62bffb576d384ea49a3aed3403d5609ee5bc
Version: 7fde62bffb576d384ea49a3aed3403d5609ee5bc
Version: 7fde62bffb576d384ea49a3aed3403d5609ee5bc
Version: 7fde62bffb576d384ea49a3aed3403d5609ee5bc
Version: 7fde62bffb576d384ea49a3aed3403d5609ee5bc

Version: 2.6.34

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f5ee467b56764964027c361641f64953fc0f8f9a",
              "status": "affected",
              "version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
              "versionType": "git"
            },
            {
              "lessThan": "4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3",
              "status": "affected",
              "version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
              "versionType": "git"
            },
            {
              "lessThan": "5d12e0ab009ade48c1bff9324fd9bea2c773d088",
              "status": "affected",
              "version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
              "versionType": "git"
            },
            {
              "lessThan": "d09d67d5de577cedae3de9497dff217e0ac8b641",
              "status": "affected",
              "version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
              "versionType": "git"
            },
            {
              "lessThan": "973e57c726c1f8e77259d1c8e519519f1e9aea77",
              "status": "affected",
              "version": "7fde62bffb576d384ea49a3aed3403d5609ee5bc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak\n\nbtrfs_ioctl_space_info() has a TOCTOU race between two passes over the\nblock group RAID type lists. The first pass counts entries to determine\nthe allocation size, then the second pass fills the buffer. The\ngroups_sem rwlock is released between passes, allowing concurrent block\ngroup removal to reduce the entry count.\n\nWhen the second pass fills fewer entries than the first pass counted,\ncopy_to_user() copies the full alloc_size bytes including trailing\nuninitialized kmalloc bytes to userspace.\n\nFix by copying only total_spaces entries (the actually-filled count from\nthe second pass) instead of alloc_size bytes, and switch to kzalloc so\nany future copy size mismatch cannot leak heap data."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:58:58.225Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088"
        },
        {
          "url": "https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641"
        },
        {
          "url": "https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77"
        }
      ],
      "title": "btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46159",
    "datePublished": "2026-05-28T09:36:14.676Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:58:58.225Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46164 (GCVE-0-2026-46164)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:59

Severity ?

7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group) Then control returns to create_space_info_sub_group(), where: btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group) Thus, sub_group is freed twice. Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

References

URL

Tags

	https://git.kernel.org/stable/c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21
	https://git.kernel.org/stable/c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf
	https://git.kernel.org/stable/c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1
	https://git.kernel.org/stable/c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd
	https://git.kernel.org/stable/c/a7449edf96143f192606ec8647e3167e1ecbd728

Impacted products

Vendor

Product

Version

Version: 0bd151ce4200ca847990e05cca29a76456982ca5
Version: 190d5a7c4fe42b8c9aa46e3336389e7cb10395bb
Version: f92ee31e031c7819126d2febdda0c3e91f5d2eb9
Version: f92ee31e031c7819126d2febdda0c3e91f5d2eb9
Version: f92ee31e031c7819126d2febdda0c3e91f5d2eb9
Version: 64c7ddda83acfbaa0efb381a1928ce908c584607
Version: 6.6.122   ≤
Version: 6.12.67   ≤
Version: 6.1.162   ≤

Version: 6.16

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45591

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/space-info.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d2a675f2e238ec96c8e91e2718c1f910c9c8fb21",
              "status": "affected",
              "version": "0bd151ce4200ca847990e05cca29a76456982ca5",
              "versionType": "git"
            },
            {
              "lessThan": "14b22be1dd844383eb03af9b1ee3b6b25d32aeaf",
              "status": "affected",
              "version": "190d5a7c4fe42b8c9aa46e3336389e7cb10395bb",
              "versionType": "git"
            },
            {
              "lessThan": "dfd05a16b5c9d1d98b47905f37f2fccda52173d1",
              "status": "affected",
              "version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9",
              "versionType": "git"
            },
            {
              "lessThan": "259af6857a1b4f1e9ef8b780353f9d11c26a22bd",
              "status": "affected",
              "version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9",
              "versionType": "git"
            },
            {
              "lessThan": "a7449edf96143f192606ec8647e3167e1ecbd728",
              "status": "affected",
              "version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "64c7ddda83acfbaa0efb381a1928ce908c584607",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.141",
              "status": "affected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.90",
              "status": "affected",
              "version": "6.12.67",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2",
              "status": "affected",
              "version": "6.1.162",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/space-info.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "6.6.122",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "6.12.67",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.162",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info_sub_group() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info_sub_group()\n-\u003e btrfs_sysfs_add_space_info_type()\n-\u003e kobject_init_and_add()\n-\u003e failure\n-\u003e kobject_put(\u0026sub_group-\u003ekobj)\n-\u003e space_info_release()\n-\u003e kfree(sub_group)\n\nThen control returns to create_space_info_sub_group(), where:\n\nbtrfs_sysfs_add_space_info_type() returns error\n-\u003e kfree(sub_group)\n\nThus, sub_group is freed twice.\n\nKeep parent-\u003esub_group[index] = NULL for the failure path, but after\nbtrfs_sysfs_add_space_info_type() has called kobject_put(), let the\nkobject release callback handle the cleanup."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:59:24.631Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21"
        },
        {
          "url": "https://git.kernel.org/stable/c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7449edf96143f192606ec8647e3167e1ecbd728"
        }
      ],
      "title": "btrfs: fix double free in create_space_info_sub_group() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46164",
    "datePublished": "2026-05-28T09:36:19.810Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:59:24.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45591 (GCVE-0-2026-45591)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

CWE

CWE-400 - Uncontrolled Resource Consumption

Summary

Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

.NET 10.0

Version: 10.0.0 < 10.0.9

Microsoft	.NET 8.0	Version: 8.0.0 < 8.0.28
Microsoft	.NET 9.0	Version: 9.0.0 < 9.0.17
Microsoft	ASP.NET Core 10.0	Version: 10.0 < 10.0.9
Microsoft	ASP.NET Core 8.0	Version: 8.0 < 8.0.28
Microsoft	ASP.NET Core 9.0	Version: 9.0 < 9.0.17
Microsoft	Microsoft Visual Studio 2026 version 18.6	Version: 18.6.0 < 18.6.3

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47281

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45591",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:47:51.768280Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:47:58.238Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": ".NET 10.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.9",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.28",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 9.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.0.17",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "ASP.NET Core 10.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.9",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "ASP.NET Core 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.28",
              "status": "affected",
              "version": "8.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "ASP.NET Core 9.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.0.17",
              "status": "affected",
              "version": "9.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Visual Studio 2026 version 18.6",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "18.6.3",
              "status": "affected",
              "version": "18.6.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "18.6.3",
                  "versionStartIncluding": "18.6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.9",
                  "versionStartIncluding": "10.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.9",
                  "versionStartIncluding": "10.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.28",
                  "versionStartIncluding": "8.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.28",
                  "versionStartIncluding": "8.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "9.0.17",
                  "versionStartIncluding": "9.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "9.0.17",
                  "versionStartIncluding": "9.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:07.262Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "ASP.NET Core Denial of Service Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45591"
        }
      ],
      "title": "ASP.NET Core Denial of Service Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45591",
    "datePublished": "2026-06-09T17:05:29.575Z",
    "dateReserved": "2026-05-12T19:55:45.730Z",
    "dateUpdated": "2026-06-16T18:18:07.262Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47281 (GCVE-0-2026-47281)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-862 - Missing Authorization
CWE-306 - Missing Authentication for Critical Function
CWE-798 - Use of Hard-coded Credentials

Summary

Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Visual Studio Code	Version: 1.0.0 < 1.123.2

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:01.725468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:16:28.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-798",
              "description": "CWE-798: Use of Hard-coded Credentials",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:21.358Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47281"
        }
      ],
      "title": "Visual Studio Code Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47281",
    "datePublished": "2026-06-09T17:05:45.974Z",
    "dateReserved": "2026-05-18T23:53:33.896Z",
    "dateUpdated": "2026-06-16T18:18:21.358Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46195 (GCVE-0-2026-46195)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

References

URL

Tags

	https://git.kernel.org/stable/c/ba7f71b6161c0943dafc367565e5843d16b7d505
	https://git.kernel.org/stable/c/3b1ddba19e77ee35241cd27f16dc3e8d14e08db7
	https://git.kernel.org/stable/c/c688f3ed73d31943334ad2139cb02ec49664322a
	https://git.kernel.org/stable/c/8bd07e417b6bda67e317920584e48cb6ee442a8a
	https://git.kernel.org/stable/c/f98b48151cc502ada59d9778f0112d21f2586ca3

Impacted products

Vendor

Product

Version

Version: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4
Version: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4
Version: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4
Version: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4
Version: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4

Version: 5.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifsacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba7f71b6161c0943dafc367565e5843d16b7d505",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            },
            {
              "lessThan": "3b1ddba19e77ee35241cd27f16dc3e8d14e08db7",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            },
            {
              "lessThan": "c688f3ed73d31943334ad2139cb02ec49664322a",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            },
            {
              "lessThan": "8bd07e417b6bda67e317920584e48cb6ee442a8a",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            },
            {
              "lessThan": "f98b48151cc502ada59d9778f0112d21f2586ca3",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifsacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: validate dacloffset before building DACL pointers\n\nparse_sec_desc(), build_sec_desc(), and the chown path in\nid_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd\nbefore proving a DACL header fits inside the returned security\ndescriptor.\n\nOn 32-bit builds a malicious server can return dacloffset near\nU32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip\npast the later pointer-based bounds checks. build_sec_desc() and\nid_mode_to_cifs_acl() can then dereference DACL fields from the wrapped\npointer in the chmod/chown rewrite paths.\n\nValidate dacloffset numerically before building any DACL pointer and\nreuse the same helper at the three DACL entry points."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:48.626Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba7f71b6161c0943dafc367565e5843d16b7d505"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b1ddba19e77ee35241cd27f16dc3e8d14e08db7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c688f3ed73d31943334ad2139cb02ec49664322a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bd07e417b6bda67e317920584e48cb6ee442a8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f98b48151cc502ada59d9778f0112d21f2586ca3"
        }
      ],
      "title": "smb: client: validate dacloffset before building DACL pointers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46195",
    "datePublished": "2026-05-28T09:36:48.259Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:01:48.626Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46082 (GCVE-0-2026-46082)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 INVLPGA should cause a #UD when EFER.SVME is not set. Add a check to properly inject #UD when EFER.SVME=0. [sean: tag for stable@]

References

URL

Tags

	https://git.kernel.org/stable/c/ebb63390142c6458fc37758e0892759989cc159f
	https://git.kernel.org/stable/c/491139c17f8ad5773303068411f6ac5eed438b51
	https://git.kernel.org/stable/c/3ac9d4241d205f5d0df06358349ca718ebb0fa12
	https://git.kernel.org/stable/c/643125b66ffc1147c66616b749475ba9efb15971
	https://git.kernel.org/stable/c/c15392ed9e49c1a16b4d3a3ccf1b3bf2318a6c28
	https://git.kernel.org/stable/c/ee24928ecd85db4b68ed111e91fef36af0ca37b0
	https://git.kernel.org/stable/c/d99df02ff427f461102230f9c5b90a6c64ee8e23

Impacted products

Vendor

Product

Version

Version: ff092385e8285c03d8b148f42f46f98c5f4becd5
Version: ff092385e8285c03d8b148f42f46f98c5f4becd5
Version: ff092385e8285c03d8b148f42f46f98c5f4becd5
Version: ff092385e8285c03d8b148f42f46f98c5f4becd5
Version: ff092385e8285c03d8b148f42f46f98c5f4becd5
Version: ff092385e8285c03d8b148f42f46f98c5f4becd5
Version: ff092385e8285c03d8b148f42f46f98c5f4becd5

Version: 2.6.32

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/svm/svm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ebb63390142c6458fc37758e0892759989cc159f",
              "status": "affected",
              "version": "ff092385e8285c03d8b148f42f46f98c5f4becd5",
              "versionType": "git"
            },
            {
              "lessThan": "491139c17f8ad5773303068411f6ac5eed438b51",
              "status": "affected",
              "version": "ff092385e8285c03d8b148f42f46f98c5f4becd5",
              "versionType": "git"
            },
            {
              "lessThan": "3ac9d4241d205f5d0df06358349ca718ebb0fa12",
              "status": "affected",
              "version": "ff092385e8285c03d8b148f42f46f98c5f4becd5",
              "versionType": "git"
            },
            {
              "lessThan": "643125b66ffc1147c66616b749475ba9efb15971",
              "status": "affected",
              "version": "ff092385e8285c03d8b148f42f46f98c5f4becd5",
              "versionType": "git"
            },
            {
              "lessThan": "c15392ed9e49c1a16b4d3a3ccf1b3bf2318a6c28",
              "status": "affected",
              "version": "ff092385e8285c03d8b148f42f46f98c5f4becd5",
              "versionType": "git"
            },
            {
              "lessThan": "ee24928ecd85db4b68ed111e91fef36af0ca37b0",
              "status": "affected",
              "version": "ff092385e8285c03d8b148f42f46f98c5f4becd5",
              "versionType": "git"
            },
            {
              "lessThan": "d99df02ff427f461102230f9c5b90a6c64ee8e23",
              "status": "affected",
              "version": "ff092385e8285c03d8b148f42f46f98c5f4becd5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/svm/svm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.32"
            },
            {
              "lessThan": "2.6.32",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0\n\nINVLPGA should cause a #UD when EFER.SVME is not set. Add a check to\nproperly inject #UD when EFER.SVME=0.\n\n[sean: tag for stable@]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:00.593Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ebb63390142c6458fc37758e0892759989cc159f"
        },
        {
          "url": "https://git.kernel.org/stable/c/491139c17f8ad5773303068411f6ac5eed438b51"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ac9d4241d205f5d0df06358349ca718ebb0fa12"
        },
        {
          "url": "https://git.kernel.org/stable/c/643125b66ffc1147c66616b749475ba9efb15971"
        },
        {
          "url": "https://git.kernel.org/stable/c/c15392ed9e49c1a16b4d3a3ccf1b3bf2318a6c28"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee24928ecd85db4b68ed111e91fef36af0ca37b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/d99df02ff427f461102230f9c5b90a6c64ee8e23"
        }
      ],
      "title": "KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46082",
    "datePublished": "2026-05-27T12:58:21.629Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:53:00.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46186 (GCVE-0-2026-46186)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: validate rx pkt_type header length virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type. After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core. After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path. Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.

References

URL

Tags

	https://git.kernel.org/stable/c/149cfb42ad69c7964fd9f2c43831da9152007129
	https://git.kernel.org/stable/c/7b2d4c04816cdc887f472caaf7fc966cfc107e40
	https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904
	https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c
	https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79
	https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db
	https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47

Impacted products

Vendor

Product

Version

Version: cf2719a21fdb9d4c8e9c834d279163609bef575d
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Version: 9b67438e315b925a699f0178f4a48baf3d2d6ef4
Version: 5.15.78 ≤
Version: 6.0.8 ≤

Version: 6.1

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/virtio_bt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "149cfb42ad69c7964fd9f2c43831da9152007129",
              "status": "affected",
              "version": "cf2719a21fdb9d4c8e9c834d279163609bef575d",
              "versionType": "git"
            },
            {
              "lessThan": "7b2d4c04816cdc887f472caaf7fc966cfc107e40",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "1e1e509b6fd2a42421745bbcd98bd16daad20904",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "2c1143564c71e7497b42d8360a8379ccbb011d3c",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "3485c7236c59c8c34a41af1c4b52982437554e79",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "f743eab6486965f276c7e3f1700895f014fdc6db",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "lessThan": "daf23014e5d975e72ea9c02b5160d3fcf070ea47",
              "status": "affected",
              "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9b67438e315b925a699f0178f4a48baf3d2d6ef4",
              "versionType": "git"
            },
            {
              "lessThan": "5.15.209",
              "status": "affected",
              "version": "5.15.78",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1",
              "status": "affected",
              "version": "6.0.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/virtio_bt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15.78",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: virtio_bt: validate rx pkt_type header length\n\nvirtbt_rx_handle() reads the leading pkt_type byte from the RX skb\nand forwards the remainder to hci_recv_frame() for every\nevent/ACL/SCO/ISO type, without checking that the remaining payload\nis at least the fixed HCI header for that type.\n\nAfter the preceding patch bounds the backend-supplied used.len to\n[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches\nhci_recv_frame() with skb-\u003elen already pulled to 0. If the byte\nhappened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification\nfast-path in hci_dev_classify_pkt_type() dereferences\nhci_acl_hdr(skb)-\u003ehandle whenever the HCI device has an active\nCIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of\nuninitialized RX-buffer data. The same hazard exists for every\npacket type the driver accepts because none of the switch cases in\nvirtbt_rx_handle() check skb-\u003elen against the per-type minimum HCI\nheader size before handing the frame to the core.\n\nAfter stripping pkt_type, require skb-\u003elen to cover the fixed\nheader size for the selected type (event 2, ACL 4, SCO 3, ISO 4)\nbefore calling hci_recv_frame(); drop ratelimited otherwise.\nUnknown pkt_type values still take the original kfree_skb() default\npath.\n\nUse bt_dev_err_ratelimited() because both the length and pkt_type\nvalues come from an untrusted backend that can otherwise flood the\nkernel log."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:09.675Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/149cfb42ad69c7964fd9f2c43831da9152007129"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b2d4c04816cdc887f472caaf7fc966cfc107e40"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79"
        },
        {
          "url": "https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db"
        },
        {
          "url": "https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47"
        }
      ],
      "title": "Bluetooth: virtio_bt: validate rx pkt_type header length",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46186",
    "datePublished": "2026-05-28T09:36:40.349Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-06-14T18:01:09.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46176 (GCVE-0-2026-46176)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:00

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path.

References

URL

Tags

	https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3
	https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d
	https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e
	https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9
	https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525

Impacted products

Vendor

Product

Version

Version: b6334d2356fc0922ed01457960f74923058a353a
Version: 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467
Version: 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467
Version: 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467
Version: 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467
Version: 6.6.64 ≤

Version: 6.11

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a13c2ac4d480b734342c6fbf8249fc48afd675f3",
              "status": "affected",
              "version": "b6334d2356fc0922ed01457960f74923058a353a",
              "versionType": "git"
            },
            {
              "lessThan": "bc2cf5935b4665172235341163315905197ae91d",
              "status": "affected",
              "version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467",
              "versionType": "git"
            },
            {
              "lessThan": "b087913ae88256df66620f7ba0a9776716aeef7e",
              "status": "affected",
              "version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467",
              "versionType": "git"
            },
            {
              "lessThan": "6fd93142dd1d09000c3750af08270f5792523fe9",
              "status": "affected",
              "version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467",
              "versionType": "git"
            },
            {
              "lessThan": "c488df06bd552bb8b6e14fa0cfd5ad986c6e9525",
              "status": "affected",
              "version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.64",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()\n\nmlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When\nib_create_srq() fails for s1, the error branch destroys s0 but falls\nthrough and unconditionally assigns the freed s0 and the ERR_PTR s1 to\ndevr-\u003es0 and devr-\u003es1.\n\nThis leads to several problems: the lock-free fast path checks\n\"if (devr-\u003es1) return 0;\" and treats the ERR_PTR as already initialised;\nusers in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via\nto_msrq(devr-\u003es0)-\u003emsrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences\nthe ERR_PTR and double-frees s0 on teardown.\n\nFix by adding the same `goto unlock` in the s1 failure path."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:00:21.186Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525"
        }
      ],
      "title": "RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46176",
    "datePublished": "2026-05-28T09:36:30.398Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-06-14T18:00:21.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46208 (GCVE-0-2026-46208)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:02

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop tp_meter sessions during mesh teardown TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.

References

URL

Tags

	https://git.kernel.org/stable/c/79bc0eaeef2c5797317bf2da8e3159a74d62ec47
	https://git.kernel.org/stable/c/26dfeee8db81354bfdade155f27f9e16510ad196
	https://git.kernel.org/stable/c/03660dab86f93319178a24667f6998526dc4355d
	https://git.kernel.org/stable/c/8634c1dbd73adb74d40533ebb7e914efb82e71fb
	https://git.kernel.org/stable/c/3d3cf6a7314aca4df0a6dde28ce784a2a30d0166

Impacted products

Vendor

Product

Version

Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e

Version: 4.8

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/main.c",
            "net/batman-adv/tp_meter.c",
            "net/batman-adv/tp_meter.h",
            "net/batman-adv/types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "79bc0eaeef2c5797317bf2da8e3159a74d62ec47",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "26dfeee8db81354bfdade155f27f9e16510ad196",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "03660dab86f93319178a24667f6998526dc4355d",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "8634c1dbd73adb74d40533ebb7e914efb82e71fb",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "3d3cf6a7314aca4df0a6dde28ce784a2a30d0166",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/main.c",
            "net/batman-adv/tp_meter.c",
            "net/batman-adv/tp_meter.h",
            "net/batman-adv/types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: stop tp_meter sessions during mesh teardown\n\nTP meter sessions remain linked on bat_priv-\u003etp_list after the netlink\nrequest has already finished. When the mesh interface is removed,\nbatadv_mesh_free() currently tears down the mesh without first draining\nthese sessions.\n\nA running sender thread or a late incoming tp_meter packet can then keep\nprocessing against a mesh instance which is already shutting down.\nSynchronize tp_meter with the mesh lifetime by stopping all active\nsessions from batadv_mesh_free() and waiting for sender threads to exit\nbefore teardown continues."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:02:50.131Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/79bc0eaeef2c5797317bf2da8e3159a74d62ec47"
        },
        {
          "url": "https://git.kernel.org/stable/c/26dfeee8db81354bfdade155f27f9e16510ad196"
        },
        {
          "url": "https://git.kernel.org/stable/c/03660dab86f93319178a24667f6998526dc4355d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8634c1dbd73adb74d40533ebb7e914efb82e71fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d3cf6a7314aca4df0a6dde28ce784a2a30d0166"
        }
      ],
      "title": "batman-adv: stop tp_meter sessions during mesh teardown",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46208",
    "datePublished": "2026-05-28T09:40:26.341Z",
    "dateReserved": "2026-05-13T15:03:33.105Z",
    "dateUpdated": "2026-06-14T18:02:50.131Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46114 (GCVE-0-2026-46114)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt): value = *(u64 *)payload_addr(pkt); check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC). IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path. Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.

References

URL

Tags

	https://git.kernel.org/stable/c/539cabb7b2d8ba70f55bba91db55faef11c2a6d7
	https://git.kernel.org/stable/c/d415fce3fcde6d7aeea6c25362a395b905811452
	https://git.kernel.org/stable/c/105bf79a23b85cf3a761d18a4f3e10ce88526bc1
	https://git.kernel.org/stable/c/7ec1ed4747f5f99f8b797bb438c5efd36079fad5
	https://git.kernel.org/stable/c/1114c87aa6f195cf07da55a27b2122ae26557b26

Impacted products

Vendor

Product

Version

Version: 034e285f8b99062a0cf29112e1232154a6a44aa5
Version: 034e285f8b99062a0cf29112e1232154a6a44aa5
Version: 034e285f8b99062a0cf29112e1232154a6a44aa5
Version: 034e285f8b99062a0cf29112e1232154a6a44aa5
Version: 034e285f8b99062a0cf29112e1232154a6a44aa5

Version: 6.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_resp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "539cabb7b2d8ba70f55bba91db55faef11c2a6d7",
              "status": "affected",
              "version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
              "versionType": "git"
            },
            {
              "lessThan": "d415fce3fcde6d7aeea6c25362a395b905811452",
              "status": "affected",
              "version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
              "versionType": "git"
            },
            {
              "lessThan": "105bf79a23b85cf3a761d18a4f3e10ce88526bc1",
              "status": "affected",
              "version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
              "versionType": "git"
            },
            {
              "lessThan": "7ec1ed4747f5f99f8b797bb438c5efd36079fad5",
              "status": "affected",
              "version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
              "versionType": "git"
            },
            {
              "lessThan": "1114c87aa6f195cf07da55a27b2122ae26557b26",
              "status": "affected",
              "version": "034e285f8b99062a0cf29112e1232154a6a44aa5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_resp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads\n\natomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c\nunconditionally dereferences 8 bytes at payload_addr(pkt):\n\n    value = *(u64 *)payload_addr(pkt);\n\ncheck_rkey() previously accepted an ATOMIC_WRITE request with pktlen ==\nresid == 0 because the length validation only compared pktlen against\nresid. A remote initiator that sets the RETH length to 0 therefore reaches\natomic_write_reply() with a zero-byte logical payload, and the responder\nreads sizeof(u64) bytes from past the logical end of the packet into\nskb-\u003ehead tailroom, then writes those 8 bytes into the attacker\u0027s MR via\nrxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel\ntailroom per probe (the other 4 bytes are the packet\u0027s own trailing ICRC).\n\nIBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is\nprotocol-invalid. Hoist a strict length check into check_rkey() so the\nresponder never reaches the unchecked dereference, and keep the existing\nWRITE-family length logic for the normal RDMA WRITE path.\n\nReproduced on mainline with an unmodified rxe driver: a sustained\nzero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer\nbytes into the attacker\u0027s MR, including recognisable kernel strings and\npartial kernel-direct-map pointer words.  With this patch applied the\nresponder rejects the PDU and the MR stays all-zero."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:27.913Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/539cabb7b2d8ba70f55bba91db55faef11c2a6d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d415fce3fcde6d7aeea6c25362a395b905811452"
        },
        {
          "url": "https://git.kernel.org/stable/c/105bf79a23b85cf3a761d18a4f3e10ce88526bc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ec1ed4747f5f99f8b797bb438c5efd36079fad5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1114c87aa6f195cf07da55a27b2122ae26557b26"
        }
      ],
      "title": "RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46114",
    "datePublished": "2026-05-28T09:35:24.638Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:27.913Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45989 (GCVE-0-2026-45989)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in testdrv_probe() The function testdrv_probe() retrieves the device_node from the PCI device, applies an overlay, and then immediately calls of_node_put(dn). This releases the reference held by the PCI core, potentially freeing the node if the reference count drops to zero. Later, the same freed pointer 'dn' is passed to of_platform_default_populate(), leading to a use-after-free. The reference to pdev->dev.of_node is owned by the device model and should not be released by the driver. Remove the erroneous of_node_put() to prevent premature freeing.

References

URL

Tags

	https://git.kernel.org/stable/c/0ba03e06f037df704d9b032e36d417633e2326bc
	https://git.kernel.org/stable/c/d68347b07b9801791c9eaab8f772770b52b8cd5c
	https://git.kernel.org/stable/c/5b6122a67a295f8a08b7c18d908a1bd974dfaec8
	https://git.kernel.org/stable/c/6b2023286d2c6ed3bf964fb92e34c9c14d42eb69
	https://git.kernel.org/stable/c/07fd339b2c253205794bea5d9b4b7548a4546c56

Impacted products

Vendor

Product

Version

Version: 26409dd045892904b059dc411403e9c8ce7543ca
Version: 26409dd045892904b059dc411403e9c8ce7543ca
Version: 26409dd045892904b059dc411403e9c8ce7543ca
Version: 26409dd045892904b059dc411403e9c8ce7543ca
Version: 26409dd045892904b059dc411403e9c8ce7543ca

Version: 6.6

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/of/unittest.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0ba03e06f037df704d9b032e36d417633e2326bc",
              "status": "affected",
              "version": "26409dd045892904b059dc411403e9c8ce7543ca",
              "versionType": "git"
            },
            {
              "lessThan": "d68347b07b9801791c9eaab8f772770b52b8cd5c",
              "status": "affected",
              "version": "26409dd045892904b059dc411403e9c8ce7543ca",
              "versionType": "git"
            },
            {
              "lessThan": "5b6122a67a295f8a08b7c18d908a1bd974dfaec8",
              "status": "affected",
              "version": "26409dd045892904b059dc411403e9c8ce7543ca",
              "versionType": "git"
            },
            {
              "lessThan": "6b2023286d2c6ed3bf964fb92e34c9c14d42eb69",
              "status": "affected",
              "version": "26409dd045892904b059dc411403e9c8ce7543ca",
              "versionType": "git"
            },
            {
              "lessThan": "07fd339b2c253205794bea5d9b4b7548a4546c56",
              "status": "affected",
              "version": "26409dd045892904b059dc411403e9c8ce7543ca",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/of/unittest.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: fix use-after-free in testdrv_probe()\n\nThe function testdrv_probe() retrieves the device_node from the PCI\ndevice, applies an overlay, and then immediately calls of_node_put(dn).\nThis releases the reference held by the PCI core, potentially freeing\nthe node if the reference count drops to zero. Later, the same freed\npointer \u0027dn\u0027 is passed to of_platform_default_populate(), leading to a\nuse-after-free.\n\nThe reference to pdev-\u003edev.of_node is owned by the device model and\nshould not be released by the driver. Remove the erroneous of_node_put()\nto prevent premature freeing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:43.307Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0ba03e06f037df704d9b032e36d417633e2326bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/d68347b07b9801791c9eaab8f772770b52b8cd5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b6122a67a295f8a08b7c18d908a1bd974dfaec8"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b2023286d2c6ed3bf964fb92e34c9c14d42eb69"
        },
        {
          "url": "https://git.kernel.org/stable/c/07fd339b2c253205794bea5d9b4b7548a4546c56"
        }
      ],
      "title": "of: unittest: fix use-after-free in testdrv_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45989",
    "datePublished": "2026-05-27T12:55:41.276Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:46:43.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46091 (GCVE-0-2026-46091)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: rc: igorplugusb: heed coherency rules In a control request, the USB request structure can be subject to DMA on some HCs. Hence it must obey the rules for DMA coherency. Allocate it separately.

References

URL

Tags

	https://git.kernel.org/stable/c/18d6a7c9e4e63c57157e9a57dd9bf3cd38e4c45a
	https://git.kernel.org/stable/c/0be8fcd9005e3d3b5a61fe34b070a9663adbb4dc
	https://git.kernel.org/stable/c/0adac0ee2c42027d80bac02ea9b576a88f8955d3
	https://git.kernel.org/stable/c/a62ca67e3c72fb297dc7c86495ba8f7329d7f150
	https://git.kernel.org/stable/c/eac69475b01fe1e861dfe3960b57fa95671c132e

Impacted products

Vendor

Product

Version

Version: b1c97193c6437a6083da67f8e97c8ee29b2f1989
Version: b1c97193c6437a6083da67f8e97c8ee29b2f1989
Version: b1c97193c6437a6083da67f8e97c8ee29b2f1989
Version: b1c97193c6437a6083da67f8e97c8ee29b2f1989
Version: b1c97193c6437a6083da67f8e97c8ee29b2f1989

Version: 3.19

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/igorplugusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18d6a7c9e4e63c57157e9a57dd9bf3cd38e4c45a",
              "status": "affected",
              "version": "b1c97193c6437a6083da67f8e97c8ee29b2f1989",
              "versionType": "git"
            },
            {
              "lessThan": "0be8fcd9005e3d3b5a61fe34b070a9663adbb4dc",
              "status": "affected",
              "version": "b1c97193c6437a6083da67f8e97c8ee29b2f1989",
              "versionType": "git"
            },
            {
              "lessThan": "0adac0ee2c42027d80bac02ea9b576a88f8955d3",
              "status": "affected",
              "version": "b1c97193c6437a6083da67f8e97c8ee29b2f1989",
              "versionType": "git"
            },
            {
              "lessThan": "a62ca67e3c72fb297dc7c86495ba8f7329d7f150",
              "status": "affected",
              "version": "b1c97193c6437a6083da67f8e97c8ee29b2f1989",
              "versionType": "git"
            },
            {
              "lessThan": "eac69475b01fe1e861dfe3960b57fa95671c132e",
              "status": "affected",
              "version": "b1c97193c6437a6083da67f8e97c8ee29b2f1989",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/igorplugusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: igorplugusb: heed coherency rules\n\nIn a control request, the USB request structure\ncan be subject to DMA on some HCs. Hence it must obey\nthe rules for DMA coherency. Allocate it separately."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:43.946Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18d6a7c9e4e63c57157e9a57dd9bf3cd38e4c45a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0be8fcd9005e3d3b5a61fe34b070a9663adbb4dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0adac0ee2c42027d80bac02ea9b576a88f8955d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a62ca67e3c72fb297dc7c86495ba8f7329d7f150"
        },
        {
          "url": "https://git.kernel.org/stable/c/eac69475b01fe1e861dfe3960b57fa95671c132e"
        }
      ],
      "title": "media: rc: igorplugusb: heed coherency rules",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46091",
    "datePublished": "2026-05-27T12:58:35.422Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-06-14T17:53:43.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45999 (GCVE-0-2026-45999)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:47

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: "outpages - inpages" wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array. However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path. Let's add an additional check to fix this for backporting. Reproducible image (base64-encoded gzipped blob): H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz 2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w ywAAAAAAAADwu14ATsEYtgBQAAA= $ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt $ dd if=/mnt/data of=/dev/null bs=4096 count=1

References

URL

Tags

	https://git.kernel.org/stable/c/43a878639b90e9721ffa5eb616a7e6d8454adef3
	https://git.kernel.org/stable/c/f1374fa6e57fd836623668d782ded9244cfd2938
	https://git.kernel.org/stable/c/c9ce18e6bb2c467ec85756dc7989b547b7584fee
	https://git.kernel.org/stable/c/bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e
	https://git.kernel.org/stable/c/21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab

Impacted products

Vendor

Product

Version

Version: 598162d050801e556750defff4ddab499e5d76ed
Version: 598162d050801e556750defff4ddab499e5d76ed
Version: 598162d050801e556750defff4ddab499e5d76ed
Version: 598162d050801e556750defff4ddab499e5d76ed
Version: 598162d050801e556750defff4ddab499e5d76ed

Version: 5.13

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/decompressor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "43a878639b90e9721ffa5eb616a7e6d8454adef3",
              "status": "affected",
              "version": "598162d050801e556750defff4ddab499e5d76ed",
              "versionType": "git"
            },
            {
              "lessThan": "f1374fa6e57fd836623668d782ded9244cfd2938",
              "status": "affected",
              "version": "598162d050801e556750defff4ddab499e5d76ed",
              "versionType": "git"
            },
            {
              "lessThan": "c9ce18e6bb2c467ec85756dc7989b547b7584fee",
              "status": "affected",
              "version": "598162d050801e556750defff4ddab499e5d76ed",
              "versionType": "git"
            },
            {
              "lessThan": "bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e",
              "status": "affected",
              "version": "598162d050801e556750defff4ddab499e5d76ed",
              "versionType": "git"
            },
            {
              "lessThan": "21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab",
              "status": "affected",
              "version": "598162d050801e556750defff4ddab499e5d76ed",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/decompressor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()\n\nSome crafted images can have illegal (!partial_decoding \u0026\u0026\nm_llen \u003c m_plen) extents, and the LZ4 inplace decompression path\ncan be wrongly hit, but it cannot handle (outpages \u003c inpages)\nproperly: \"outpages - inpages\" wraps to a large value and\nthe subsequent rq-\u003eout[] access reads past the decompressed_pages\narray.\n\nHowever, such crafted cases can correctly result in a corruption\nreport in the normal LZ4 non-inplace path.\n\nLet\u0027s add an additional check to fix this for backporting.\n\nReproducible image (base64-encoded gzipped blob):\n\nH4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g\ndilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i\nPNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz\n2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w\nywAAAAAAAADwu14ATsEYtgBQAAA=\n\n$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt\n$ dd if=/mnt/data of=/dev/null bs=4096 count=1"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:09.791Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/43a878639b90e9721ffa5eb616a7e6d8454adef3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1374fa6e57fd836623668d782ded9244cfd2938"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9ce18e6bb2c467ec85756dc7989b547b7584fee"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab"
        }
      ],
      "title": "erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45999",
    "datePublished": "2026-05-27T12:55:53.846Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:09.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46111 (GCVE-0-2026-46111)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in create_big_sync Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete(). Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del(). hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way. Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().

References

URL

Tags

	https://git.kernel.org/stable/c/6823f730bf195fc296d9edd09e2ca94bc1ff5584
	https://git.kernel.org/stable/c/1750a2df0eab61dc421a7afae74abdd239a44b85
	https://git.kernel.org/stable/c/dc34f8d8240f25dd137dc2758ebbcc75e3779142
	https://git.kernel.org/stable/c/f8eaf92c57ad99358dd372580d5ff87623343a72
	https://git.kernel.org/stable/c/0beddb0c380bed5f5b8e61ddbe14635bb73d0b41

Impacted products

Vendor

Product

Version

Version: eca0ae4aea66914515e5e3098ea051b518ee5316
Version: eca0ae4aea66914515e5e3098ea051b518ee5316
Version: eca0ae4aea66914515e5e3098ea051b518ee5316
Version: eca0ae4aea66914515e5e3098ea051b518ee5316
Version: eca0ae4aea66914515e5e3098ea051b518ee5316

Version: 6.0

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_conn.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6823f730bf195fc296d9edd09e2ca94bc1ff5584",
              "status": "affected",
              "version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
              "versionType": "git"
            },
            {
              "lessThan": "1750a2df0eab61dc421a7afae74abdd239a44b85",
              "status": "affected",
              "version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
              "versionType": "git"
            },
            {
              "lessThan": "dc34f8d8240f25dd137dc2758ebbcc75e3779142",
              "status": "affected",
              "version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
              "versionType": "git"
            },
            {
              "lessThan": "f8eaf92c57ad99358dd372580d5ff87623343a72",
              "status": "affected",
              "version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
              "versionType": "git"
            },
            {
              "lessThan": "0beddb0c380bed5f5b8e61ddbe14635bb73d0b41",
              "status": "affected",
              "version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_conn.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fix potential UAF in create_big_sync\n\nAdd hci_conn_valid() check in create_big_sync() to detect stale\nconnections before proceeding with BIG creation. Handle the\nresulting -ECANCELED in create_big_complete() and re-validate the\nconnection under hci_dev_lock() before dereferencing, matching the\npattern used by create_le_conn_complete() and create_pa_complete().\n\nKeep the hci_conn object alive across the async boundary by taking\na reference via hci_conn_get() when queueing create_big_sync(), and\ndropping it in the completion callback. The refcount and the lock\nare complementary: the refcount keeps the object allocated, while\nhci_dev_lock() serializes hci_conn_hash_del()\u0027s list_del_rcu() on\nhdev-\u003econn_hash, as required by hci_conn_del().\n\nhci_conn_put() is called outside hci_dev_unlock() so the final put\n(which resolves to kfree() via bt_link_release) does not run under\nhdev-\u003elock, though the release path would be safe either way.\n\nWithout this, create_big_complete() would unconditionally\ndereference the conn pointer on error, causing a use-after-free\nvia hci_connect_cfm() and hci_conn_del()."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:15.599Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6823f730bf195fc296d9edd09e2ca94bc1ff5584"
        },
        {
          "url": "https://git.kernel.org/stable/c/1750a2df0eab61dc421a7afae74abdd239a44b85"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc34f8d8240f25dd137dc2758ebbcc75e3779142"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8eaf92c57ad99358dd372580d5ff87623343a72"
        },
        {
          "url": "https://git.kernel.org/stable/c/0beddb0c380bed5f5b8e61ddbe14635bb73d0b41"
        }
      ],
      "title": "Bluetooth: hci_conn: fix potential UAF in create_big_sync",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46111",
    "datePublished": "2026-05-28T09:35:19.970Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:15.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46128 (GCVE-0-2026-46128)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipmi: Check event message buffer response for bad data The event message buffer response data size got checked later when processing, but check it right after the response comes back. It appears some BMCs may return an empty message instead of an error when fetching events. There are apparently some new BMCs that make this error, so we need to compensate.

References

URL

Tags

	https://git.kernel.org/stable/c/cf1ef30c42a7079e5bad863cd01c52aa3a17c3ac
	https://git.kernel.org/stable/c/474e53d4397087913a5b9c9eb90fa068da4808bf
	https://git.kernel.org/stable/c/01f8387fa5b796f13cf50014c171f6da7abc46ea
	https://git.kernel.org/stable/c/2418e4b21fb1355504d095da5d5f0a210564a43d
	https://git.kernel.org/stable/c/7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0
	https://git.kernel.org/stable/c/42432b579a594b66ac32e5e7b7c26e6bc578ec89
	https://git.kernel.org/stable/c/24269264c3d59a49eb09b10af2c75b14f2931482
	https://git.kernel.org/stable/c/36920f30e78e69df01f9691c470b6f3ba8aebf98

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmi_si_intf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cf1ef30c42a7079e5bad863cd01c52aa3a17c3ac",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "474e53d4397087913a5b9c9eb90fa068da4808bf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "01f8387fa5b796f13cf50014c171f6da7abc46ea",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2418e4b21fb1355504d095da5d5f0a210564a43d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "42432b579a594b66ac32e5e7b7c26e6bc578ec89",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "24269264c3d59a49eb09b10af2c75b14f2931482",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "36920f30e78e69df01f9691c470b6f3ba8aebf98",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmi_si_intf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Check event message buffer response for bad data\n\nThe event message buffer response data size got checked later when\nprocessing, but check it right after the response comes back.  It\nappears some BMCs may return an empty message instead of an error\nwhen fetching events.\n\nThere are apparently some new BMCs that make this error, so we need to\ncompensate."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:32.120Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cf1ef30c42a7079e5bad863cd01c52aa3a17c3ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/474e53d4397087913a5b9c9eb90fa068da4808bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/01f8387fa5b796f13cf50014c171f6da7abc46ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/2418e4b21fb1355504d095da5d5f0a210564a43d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/42432b579a594b66ac32e5e7b7c26e6bc578ec89"
        },
        {
          "url": "https://git.kernel.org/stable/c/24269264c3d59a49eb09b10af2c75b14f2931482"
        },
        {
          "url": "https://git.kernel.org/stable/c/36920f30e78e69df01f9691c470b6f3ba8aebf98"
        }
      ],
      "title": "ipmi: Check event message buffer response for bad data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46128",
    "datePublished": "2026-05-28T09:35:43.326Z",
    "dateReserved": "2026-05-13T15:03:33.099Z",
    "dateUpdated": "2026-06-14T17:56:32.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45988 (GCVE-0-2026-45988)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:46

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix re-decryption of RESPONSE packets If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry. Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response. Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.

References

URL

Tags

	https://git.kernel.org/stable/c/d61482be4aae1835b78875761206241835a7510e
	https://git.kernel.org/stable/c/7b89868305052b94a91b708c462bc2281fa42a4a
	https://git.kernel.org/stable/c/76cb9a2d252274adfae6e293a292434631a7d472
	https://git.kernel.org/stable/c/f55b383070170e988e4dec28be2af1714d258521
	https://git.kernel.org/stable/c/0422e7a4883f25101903f3e8105c0808aa5f4ce9

Impacted products

Vendor

Product

Version

Version: 17926a79320afa9b95df6b977b40cca6d8713cea
Version: 17926a79320afa9b95df6b977b40cca6d8713cea
Version: 17926a79320afa9b95df6b977b40cca6d8713cea
Version: 17926a79320afa9b95df6b977b40cca6d8713cea
Version: 17926a79320afa9b95df6b977b40cca6d8713cea

Version: 2.6.22

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/rxrpc.h",
            "net/rxrpc/conn_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d61482be4aae1835b78875761206241835a7510e",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            },
            {
              "lessThan": "7b89868305052b94a91b708c462bc2281fa42a4a",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            },
            {
              "lessThan": "76cb9a2d252274adfae6e293a292434631a7d472",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            },
            {
              "lessThan": "f55b383070170e988e4dec28be2af1714d258521",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            },
            {
              "lessThan": "0422e7a4883f25101903f3e8105c0808aa5f4ce9",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/rxrpc.h",
            "net/rxrpc/conn_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix re-decryption of RESPONSE packets\n\nIf a RESPONSE packet gets a temporary failure during processing, it may end\nup in a partially decrypted state - and then get requeued for a retry.\n\nFix this by just discarding the packet; we will send another CHALLENGE\npacket and thereby elicit a further response.  Similarly, discard an\nincoming CHALLENGE packet if we get an error whilst generating a RESPONSE;\nthe server will send another CHALLENGE."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:40.196Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d61482be4aae1835b78875761206241835a7510e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b89868305052b94a91b708c462bc2281fa42a4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/76cb9a2d252274adfae6e293a292434631a7d472"
        },
        {
          "url": "https://git.kernel.org/stable/c/f55b383070170e988e4dec28be2af1714d258521"
        },
        {
          "url": "https://git.kernel.org/stable/c/0422e7a4883f25101903f3e8105c0808aa5f4ce9"
        }
      ],
      "title": "rxrpc: Fix re-decryption of RESPONSE packets",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45988",
    "datePublished": "2026-05-27T12:55:39.740Z",
    "dateReserved": "2026-05-13T15:03:33.090Z",
    "dateUpdated": "2026-06-14T17:46:40.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46300 (GCVE-0-2026-46300)

Vulnerability from cvelistv5

Published

2026-05-23 11:44

Modified

2026-06-14 18:07

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

References

URL

Tags

	https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987
	https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c
	https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5
	https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0
	https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e
	https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a
	https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111
	https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3

Impacted products

Vendor

Product

Version

Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9
Version: cef401de7be8c4e155c6746bfccf721a4fa5fab9

Version: 3.9

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-23T12:24:19.703Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/13/5"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/21/11"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/21/12"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/21/13"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/skbuff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3599e6b3cc1ada96883d496a50a210d3afbb6987",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "9d3e5fd19fe1063bf607219e8562fbd567b8e8d5",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "78bf6b6bb19541d19fbda6242e7cfe2c682763c0",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "3bd9e113d50034db99d7ef69fd8e5242d15e414a",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "3884358a9286b17f389a72b1426fc4547c23c111",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "f84eca5817390257cef78013d0112481c503b4a3",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/skbuff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.208",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.257",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.208",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.174",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: preserve shared-frag marker during coalescing\n\nskb_try_coalesce() can attach paged frags from @from to @to.  If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\n\nThat breaks the invariant relied on by later in-place writers.  In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data().  If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\n\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags.  The tailroom copy path does not need the marker because it copies\nbytes into @to\u0027s linear data rather than transferring frag descriptors."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:07:34.359Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111"
        },
        {
          "url": "https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3"
        }
      ],
      "title": "net: skbuff: preserve shared-frag marker during coalescing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46300",
    "datePublished": "2026-05-23T11:44:02.231Z",
    "dateReserved": "2026-05-13T15:03:33.111Z",
    "dateUpdated": "2026-06-14T18:07:34.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46079 (GCVE-0-2026-46079)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:52

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rbd: fix null-ptr-deref when device_add_disk() fails do_rbd_add() publishes the device with device_add() before calling device_add_disk(). If device_add_disk() fails after device_add() succeeds, the error path calls rbd_free_disk() directly and then later falls through to rbd_dev_device_release(), which calls rbd_free_disk() again. This double teardown can leave blk-mq cleanup operating on invalid state and trigger a null-ptr-deref in __blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set(). Fix this by following the normal remove ordering: call device_del() before rbd_dev_device_release() when device_add_disk() fails after device_add(). That keeps the teardown sequence consistent and avoids re-entering disk cleanup through the wrong path. The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available. We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64 guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer confines failslab injections to the __add_disk() range and injects fail-nth while mapping an RBD image through /sys/bus/rbd/add_single_major. On the unpatched kernel, fail-nth=4 reliably triggered the fault: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240 Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00 RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246 RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4 RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000 R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004 FS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0 PKRU: 55555554 Call Trace: <TASK> blk_mq_free_tag_set+0x77/0x460 do_rbd_add+0x1446/0x2b80 ? __pfx_do_rbd_add+0x10/0x10 ? lock_acquire+0x18c/0x300 ? find_held_lock+0x2b/0x80 ? sysfs_file_kobj+0xb6/0x1b0 ? __pfx_sysfs_kf_write+0x10/0x10 kernfs_fop_write_iter+0x2f4/0x4a0 vfs_write+0x98e/0x1000 ? expand_files+0x51f/0x850 ? __pfx_vfs_write+0x10/0x10 ksys_write+0xf2/0x1d0 ? __pfx_ksys_write+0x10/0x10 do_syscall_64+0x115/0x690 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0fbea15907 Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907 RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001 RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141 R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058 R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004 </TASK> With this fix applied, rerunning the reproducer over fail-nth=1..256 yields no KASAN reports. [ idryomov: rename err_out_device_del -> err_out_device ]

References

URL

Tags

	https://git.kernel.org/stable/c/78bd0c143dea4b7a4c23c13356987ca0eafb442e
	https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f
	https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc
	https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb
	https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e
	https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb

Impacted products

Vendor

Product

Version

Version: 27c97abc30e2b9ad2288977c0ecbef4d50553f57
Version: 27c97abc30e2b9ad2288977c0ecbef4d50553f57
Version: 27c97abc30e2b9ad2288977c0ecbef4d50553f57
Version: 27c97abc30e2b9ad2288977c0ecbef4d50553f57
Version: 27c97abc30e2b9ad2288977c0ecbef4d50553f57
Version: 27c97abc30e2b9ad2288977c0ecbef4d50553f57

Version: 5.16

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45650

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/rbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "78bd0c143dea4b7a4c23c13356987ca0eafb442e",
              "status": "affected",
              "version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
              "versionType": "git"
            },
            {
              "lessThan": "2f4809a879f0750c7790bbeeae86c9505797a06f",
              "status": "affected",
              "version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
              "versionType": "git"
            },
            {
              "lessThan": "564cd8f4aeb9a938e470c5c91922fd02e4d41acc",
              "status": "affected",
              "version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
              "versionType": "git"
            },
            {
              "lessThan": "ad0126ffcba8777109852979eaaa6dca6703abdb",
              "status": "affected",
              "version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
              "versionType": "git"
            },
            {
              "lessThan": "059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e",
              "status": "affected",
              "version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
              "versionType": "git"
            },
            {
              "lessThan": "d1fef92e414433ca7b89abf85cb0df42b8d475eb",
              "status": "affected",
              "version": "27c97abc30e2b9ad2288977c0ecbef4d50553f57",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/rbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrbd: fix null-ptr-deref when device_add_disk() fails\n\ndo_rbd_add() publishes the device with device_add() before calling\ndevice_add_disk(). If device_add_disk() fails after device_add()\nsucceeds, the error path calls rbd_free_disk() directly and then later\nfalls through to rbd_dev_device_release(), which calls rbd_free_disk()\nagain. This double teardown can leave blk-mq cleanup operating on\ninvalid state and trigger a null-ptr-deref in\n__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().\n\nFix this by following the normal remove ordering: call device_del()\nbefore rbd_dev_device_release() when device_add_disk() fails after\ndevice_add(). That keeps the teardown sequence consistent and avoids\nre-entering disk cleanup through the wrong path.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable.\n\nWe reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64\nguest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer\nconfines failslab injections to the __add_disk() range and injects\nfail-nth while mapping an RBD image through\n/sys/bus/rbd/add_single_major.\n\nOn the unpatched kernel, fail-nth=4 reliably triggered the fault:\n\n\tOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n\tKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\tCPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tRIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240\n\tCode: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 \u003c80\u003e 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00\n\tRSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246\n\tRAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000\n\tRDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4\n\tRBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b\n\tR10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000\n\tR13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004\n\tFS:  00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000\n\tCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0\n\tPKRU: 55555554\n\tCall Trace:\n\t \u003cTASK\u003e\n\t blk_mq_free_tag_set+0x77/0x460\n\t do_rbd_add+0x1446/0x2b80\n\t ? __pfx_do_rbd_add+0x10/0x10\n\t ? lock_acquire+0x18c/0x300\n\t ? find_held_lock+0x2b/0x80\n\t ? sysfs_file_kobj+0xb6/0x1b0\n\t ? __pfx_sysfs_kf_write+0x10/0x10\n\t kernfs_fop_write_iter+0x2f4/0x4a0\n\t vfs_write+0x98e/0x1000\n\t ? expand_files+0x51f/0x850\n\t ? __pfx_vfs_write+0x10/0x10\n\t ksys_write+0xf2/0x1d0\n\t ? __pfx_ksys_write+0x10/0x10\n\t do_syscall_64+0x115/0x690\n\t entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7f0fbea15907\n\tCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\n\tRSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n\tRAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907\n\tRDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001\n\tRBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141\n\tR10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058\n\tR13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004\n\t \u003c/TASK\u003e\n\nWith this fix applied, rerunning the reproducer over fail-nth=1..256\nyields no KASAN reports.\n\n[ idryomov: rename err_out_device_del -\u003e err_out_device ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:52:46.214Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/78bd0c143dea4b7a4c23c13356987ca0eafb442e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f"
        },
        {
          "url": "https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb"
        },
        {
          "url": "https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb"
        }
      ],
      "title": "rbd: fix null-ptr-deref when device_add_disk() fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46079",
    "datePublished": "2026-05-27T12:58:13.903Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:52:46.214Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45650 (GCVE-0-2026-45650)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CWE

CWE-451 - User Interface (UI) Misrepresentation of Critical Information

Summary

User interface (ui) misrepresentation of critical information in Microsoft Bing allows an unauthorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft Bing Search for Android	Version: 1.0.0 < 33.3

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47641

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45650",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:41:34.950350Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:42:07.349Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Bing Search for Android",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "33.3",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:bing:*:*:*:*:*:android:*:*",
                  "versionEndExcluding": "33.3",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "User interface (ui) misrepresentation of critical information in Microsoft Bing allows an unauthorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:35.112Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Bing Search Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45650"
        }
      ],
      "title": "Microsoft Bing Search Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45650",
    "datePublished": "2026-06-09T17:04:55.021Z",
    "dateReserved": "2026-05-12T20:33:35.157Z",
    "dateUpdated": "2026-06-16T18:17:35.112Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47641 (GCVE-0-2026-47641)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-20 - Improper Input Validation

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47641",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T12:27:21.145957Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T12:27:48.151Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:46.257Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47641"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47641",
    "datePublished": "2026-06-09T17:05:08.085Z",
    "dateReserved": "2026-05-19T20:12:27.070Z",
    "dateUpdated": "2026-06-16T18:17:46.257Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46172 (GCVE-0-2026-46172)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route. If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries. Release the dst before jumping to the drop path.

References

URL

Tags

	https://git.kernel.org/stable/c/a0721bcd72641c32b281f227a94505b31cf54117
	https://git.kernel.org/stable/c/a20b34f6e854fe6f2aa82528fae7a88759919eb4
	https://git.kernel.org/stable/c/870560015ce6e0d8f841c6a8aba33c44be52c727
	https://git.kernel.org/stable/c/c2efc4956981066df2fef1cc77391b523db6d8e4
	https://git.kernel.org/stable/c/554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13
	https://git.kernel.org/stable/c/9d5047782f9bd2829e529df69209bf3232eb561f
	https://git.kernel.org/stable/c/6a5eec0a2a0e99ec9743cf8f1c4082178811d90a
	https://git.kernel.org/stable/c/bc0fcb9823cd0894934cf968b525c575833d7078

Impacted products

Vendor

Product

Version

Version: 0146dca70b877b73c5fd9c67912b8a0ca8a7bac7
Version: 0146dca70b877b73c5fd9c67912b8a0ca8a7bac7
Version: 0146dca70b877b73c5fd9c67912b8a0ca8a7bac7
Version: 0146dca70b877b73c5fd9c67912b8a0ca8a7bac7
Version: 0146dca70b877b73c5fd9c67912b8a0ca8a7bac7
Version: 0146dca70b877b73c5fd9c67912b8a0ca8a7bac7
Version: 0146dca70b877b73c5fd9c67912b8a0ca8a7bac7
Version: 0146dca70b877b73c5fd9c67912b8a0ca8a7bac7

Version: 5.8

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/xfrm6_protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a0721bcd72641c32b281f227a94505b31cf54117",
              "status": "affected",
              "version": "0146dca70b877b73c5fd9c67912b8a0ca8a7bac7",
              "versionType": "git"
            },
            {
              "lessThan": "a20b34f6e854fe6f2aa82528fae7a88759919eb4",
              "status": "affected",
              "version": "0146dca70b877b73c5fd9c67912b8a0ca8a7bac7",
              "versionType": "git"
            },
            {
              "lessThan": "870560015ce6e0d8f841c6a8aba33c44be52c727",
              "status": "affected",
              "version": "0146dca70b877b73c5fd9c67912b8a0ca8a7bac7",
              "versionType": "git"
            },
            {
              "lessThan": "c2efc4956981066df2fef1cc77391b523db6d8e4",
              "status": "affected",
              "version": "0146dca70b877b73c5fd9c67912b8a0ca8a7bac7",
              "versionType": "git"
            },
            {
              "lessThan": "554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13",
              "status": "affected",
              "version": "0146dca70b877b73c5fd9c67912b8a0ca8a7bac7",
              "versionType": "git"
            },
            {
              "lessThan": "9d5047782f9bd2829e529df69209bf3232eb561f",
              "status": "affected",
              "version": "0146dca70b877b73c5fd9c67912b8a0ca8a7bac7",
              "versionType": "git"
            },
            {
              "lessThan": "6a5eec0a2a0e99ec9743cf8f1c4082178811d90a",
              "status": "affected",
              "version": "0146dca70b877b73c5fd9c67912b8a0ca8a7bac7",
              "versionType": "git"
            },
            {
              "lessThan": "bc0fcb9823cd0894934cf968b525c575833d7078",
              "status": "affected",
              "version": "0146dca70b877b73c5fd9c67912b8a0ca8a7bac7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/xfrm6_protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: xfrm6: release dst on error in xfrm6_rcv_encap()\n\nxfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not\nalready have a dst attached. ip6_route_input_lookup() returns a\nreferenced dst entry even when the lookup resolves to an error route.\n\nIf dst-\u003eerror is set, xfrm6_rcv_encap() drops the skb without attaching\nthe dst to the skb and without releasing the reference returned by the\nlookup. Repeated packets hitting this path therefore leak dst entries.\n\nRelease the dst before jumping to the drop path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:00:01.373Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a0721bcd72641c32b281f227a94505b31cf54117"
        },
        {
          "url": "https://git.kernel.org/stable/c/a20b34f6e854fe6f2aa82528fae7a88759919eb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/870560015ce6e0d8f841c6a8aba33c44be52c727"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2efc4956981066df2fef1cc77391b523db6d8e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d5047782f9bd2829e529df69209bf3232eb561f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a5eec0a2a0e99ec9743cf8f1c4082178811d90a"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc0fcb9823cd0894934cf968b525c575833d7078"
        }
      ],
      "title": "ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46172",
    "datePublished": "2026-05-28T09:36:26.926Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-06-14T18:00:01.373Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45834 (GCVE-0-2026-45834)

Vulnerability from cvelistv5

Published

2026-05-26 16:14

Modified

2026-06-14 17:45

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

References

URL

Tags

	https://git.kernel.org/stable/c/1b1c0da227bf63479bac9982fc8d12df9aaea0fb
	https://git.kernel.org/stable/c/85426e97dc72f2088ba6d27e74cd58c3fbd43e31
	https://git.kernel.org/stable/c/0c17c8832562b2aac288e89cefd0f46074f54bcb
	https://git.kernel.org/stable/c/5105f3e6b2df619c635b5f6a49fac131a36c7952
	https://git.kernel.org/stable/c/c88c185ae0a1067823661b220aeea613df2c127b
	https://git.kernel.org/stable/c/1810e42ff6716f320c7269d5850eca48b07b7427
	https://git.kernel.org/stable/c/a2dcf1a61d056aef15b63c6eae9441344d624389
	https://git.kernel.org/stable/c/2ff1a41a912de8517b4482e946dd951b7d80edbf

Impacted products

Vendor

Product

Version

Version: 89bc500e41fc5b48e0573e6b0d927fc97b8951dc
Version: 89bc500e41fc5b48e0573e6b0d927fc97b8951dc
Version: 89bc500e41fc5b48e0573e6b0d927fc97b8951dc
Version: 89bc500e41fc5b48e0573e6b0d927fc97b8951dc
Version: 89bc500e41fc5b48e0573e6b0d927fc97b8951dc
Version: 89bc500e41fc5b48e0573e6b0d927fc97b8951dc
Version: 89bc500e41fc5b48e0573e6b0d927fc97b8951dc
Version: 89bc500e41fc5b48e0573e6b0d927fc97b8951dc

Version: 3.1

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b1c0da227bf63479bac9982fc8d12df9aaea0fb",
              "status": "affected",
              "version": "89bc500e41fc5b48e0573e6b0d927fc97b8951dc",
              "versionType": "git"
            },
            {
              "lessThan": "85426e97dc72f2088ba6d27e74cd58c3fbd43e31",
              "status": "affected",
              "version": "89bc500e41fc5b48e0573e6b0d927fc97b8951dc",
              "versionType": "git"
            },
            {
              "lessThan": "0c17c8832562b2aac288e89cefd0f46074f54bcb",
              "status": "affected",
              "version": "89bc500e41fc5b48e0573e6b0d927fc97b8951dc",
              "versionType": "git"
            },
            {
              "lessThan": "5105f3e6b2df619c635b5f6a49fac131a36c7952",
              "status": "affected",
              "version": "89bc500e41fc5b48e0573e6b0d927fc97b8951dc",
              "versionType": "git"
            },
            {
              "lessThan": "c88c185ae0a1067823661b220aeea613df2c127b",
              "status": "affected",
              "version": "89bc500e41fc5b48e0573e6b0d927fc97b8951dc",
              "versionType": "git"
            },
            {
              "lessThan": "1810e42ff6716f320c7269d5850eca48b07b7427",
              "status": "affected",
              "version": "89bc500e41fc5b48e0573e6b0d927fc97b8951dc",
              "versionType": "git"
            },
            {
              "lessThan": "a2dcf1a61d056aef15b63c6eae9441344d624389",
              "status": "affected",
              "version": "89bc500e41fc5b48e0573e6b0d927fc97b8951dc",
              "versionType": "git"
            },
            {
              "lessThan": "2ff1a41a912de8517b4482e946dd951b7d80edbf",
              "status": "affected",
              "version": "89bc500e41fc5b48e0573e6b0d927fc97b8951dc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "lessThan": "3.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:45:52.350Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b1c0da227bf63479bac9982fc8d12df9aaea0fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/85426e97dc72f2088ba6d27e74cd58c3fbd43e31"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c17c8832562b2aac288e89cefd0f46074f54bcb"
        },
        {
          "url": "https://git.kernel.org/stable/c/5105f3e6b2df619c635b5f6a49fac131a36c7952"
        },
        {
          "url": "https://git.kernel.org/stable/c/c88c185ae0a1067823661b220aeea613df2c127b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1810e42ff6716f320c7269d5850eca48b07b7427"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2dcf1a61d056aef15b63c6eae9441344d624389"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ff1a41a912de8517b4482e946dd951b7d80edbf"
        }
      ],
      "title": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45834",
    "datePublished": "2026-05-26T16:14:11.198Z",
    "dateReserved": "2026-05-13T15:03:33.077Z",
    "dateUpdated": "2026-06-14T17:45:52.350Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46191 (GCVE-0-2026-46191)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: fbcon: Avoid OOB font access if console rotation fails Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example. Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer. v2: - fix typos in commit message

References

URL

Tags

	https://git.kernel.org/stable/c/594973a2e54924d8ba31c9faac669fc1ba6fcb80
	https://git.kernel.org/stable/c/ab6c34b9829d5de03f1d08a47a2253729a6e7e27
	https://git.kernel.org/stable/c/7105d9f1387d63b15c9a860674fc92c959181f2f
	https://git.kernel.org/stable/c/b44cc78ff46b96e72d333a3be6aaaa0a14797263
	https://git.kernel.org/stable/c/e4ef723d8975a2694cc90733a6b888a5e2841842

Impacted products

Vendor

Product

Version

Version: 6cc50e1c5b57180fd37a31282000f43859b0fe73
Version: 6cc50e1c5b57180fd37a31282000f43859b0fe73
Version: 6cc50e1c5b57180fd37a31282000f43859b0fe73
Version: 6cc50e1c5b57180fd37a31282000f43859b0fe73
Version: 6cc50e1c5b57180fd37a31282000f43859b0fe73

Version: 2.6.15

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45481

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbcon_rotate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "594973a2e54924d8ba31c9faac669fc1ba6fcb80",
              "status": "affected",
              "version": "6cc50e1c5b57180fd37a31282000f43859b0fe73",
              "versionType": "git"
            },
            {
              "lessThan": "ab6c34b9829d5de03f1d08a47a2253729a6e7e27",
              "status": "affected",
              "version": "6cc50e1c5b57180fd37a31282000f43859b0fe73",
              "versionType": "git"
            },
            {
              "lessThan": "7105d9f1387d63b15c9a860674fc92c959181f2f",
              "status": "affected",
              "version": "6cc50e1c5b57180fd37a31282000f43859b0fe73",
              "versionType": "git"
            },
            {
              "lessThan": "b44cc78ff46b96e72d333a3be6aaaa0a14797263",
              "status": "affected",
              "version": "6cc50e1c5b57180fd37a31282000f43859b0fe73",
              "versionType": "git"
            },
            {
              "lessThan": "e4ef723d8975a2694cc90733a6b888a5e2841842",
              "status": "affected",
              "version": "6cc50e1c5b57180fd37a31282000f43859b0fe73",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbcon_rotate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.15"
            },
            {
              "lessThan": "2.6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Avoid OOB font access if console rotation fails\n\nClear the font buffer if the reallocation during console rotation fails\nin fbcon_rotate_font(). The putcs implementations for the rotated buffer\nwill return early in this case. See [1] for an example.\n\nCurrently, fbcon_rotate_font() keeps the old buffer, which is too small\nfor the rotated font. Printing to the rotated console with a high-enough\ncharacter code will overflow the font buffer.\n\nv2:\n- fix typos in commit message"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:30.640Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/594973a2e54924d8ba31c9faac669fc1ba6fcb80"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab6c34b9829d5de03f1d08a47a2253729a6e7e27"
        },
        {
          "url": "https://git.kernel.org/stable/c/7105d9f1387d63b15c9a860674fc92c959181f2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b44cc78ff46b96e72d333a3be6aaaa0a14797263"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4ef723d8975a2694cc90733a6b888a5e2841842"
        }
      ],
      "title": "fbcon: Avoid OOB font access if console rotation fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46191",
    "datePublished": "2026-05-28T09:36:44.961Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:01:30.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45481 (GCVE-0-2026-45481)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47639

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45481",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:24:24.807842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:31:36.394Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:25.192Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45481"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45481",
    "datePublished": "2026-06-09T17:05:49.873Z",
    "dateReserved": "2026-05-12T16:07:22.617Z",
    "dateUpdated": "2026-06-16T18:18:25.192Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47639 (GCVE-0-2026-47639)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47639",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:37:13.129869Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:37:30.879Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:45.716Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47639"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47639",
    "datePublished": "2026-06-09T17:05:07.586Z",
    "dateReserved": "2026-05-19T20:12:27.070Z",
    "dateUpdated": "2026-06-16T18:17:45.716Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46072 (GCVE-0-2026-46072)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:52

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ntfs3: add buffer boundary checks to run_unpack() run_unpack() checks `run_buf < run_last` at the top of the while loop but then reads size_size and offset_size bytes via run_unpack_s64() without verifying they fit within the remaining buffer. A crafted NTFS image with truncated run data in an MFT attribute triggers an OOB heap read of up to 15 bytes when the filesystem is mounted. Add boundary checks before each run_unpack_s64() call to ensure the declared field size does not exceed the remaining buffer. Found by fuzzing with a source-patched harness (LibAFL + QEMU).

References

URL

Tags

	https://git.kernel.org/stable/c/bbad75336870b51b81979b97613746237fcb02fe
	https://git.kernel.org/stable/c/425de2aba0d061b3e715d51a3b1992c112ed5b99
	https://git.kernel.org/stable/c/bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9
	https://git.kernel.org/stable/c/e64f7dfcaff79e7dfff9121a382dd77f9b462f62
	https://git.kernel.org/stable/c/d3012690a7065d9ca86521a525ad11e8af491d45
	https://git.kernel.org/stable/c/41aadf5cb482793a24e05aa136224e179a778586
	https://git.kernel.org/stable/c/b62567bca47408e6739dee75f02a2113548af875

Impacted products

Vendor

Product

Version

Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17

Version: 5.15

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/run.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bbad75336870b51b81979b97613746237fcb02fe",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "425de2aba0d061b3e715d51a3b1992c112ed5b99",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "e64f7dfcaff79e7dfff9121a382dd77f9b462f62",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "d3012690a7065d9ca86521a525ad11e8af491d45",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "41aadf5cb482793a24e05aa136224e179a778586",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "b62567bca47408e6739dee75f02a2113548af875",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/run.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: add buffer boundary checks to run_unpack()\n\nrun_unpack() checks `run_buf \u003c run_last` at the top of the while loop\nbut then reads size_size and offset_size bytes via run_unpack_s64()\nwithout verifying they fit within the remaining buffer.  A crafted NTFS\nimage with truncated run data in an MFT attribute triggers an OOB heap\nread of up to 15 bytes when the filesystem is mounted.\n\nAdd boundary checks before each run_unpack_s64() call to ensure the\ndeclared field size does not exceed the remaining buffer.\n\nFound by fuzzing with a source-patched harness (LibAFL + QEMU)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:52:15.329Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bbad75336870b51b81979b97613746237fcb02fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/425de2aba0d061b3e715d51a3b1992c112ed5b99"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e64f7dfcaff79e7dfff9121a382dd77f9b462f62"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3012690a7065d9ca86521a525ad11e8af491d45"
        },
        {
          "url": "https://git.kernel.org/stable/c/41aadf5cb482793a24e05aa136224e179a778586"
        },
        {
          "url": "https://git.kernel.org/stable/c/b62567bca47408e6739dee75f02a2113548af875"
        }
      ],
      "title": "ntfs3: add buffer boundary checks to run_unpack()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46072",
    "datePublished": "2026-05-27T12:58:00.299Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:52:15.329Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46086 (GCVE-0-2026-46086)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: bridge: use a stable FDB dst snapshot in RCU readers Local FDB entries can be rewritten in place by `fdb_delete_local()`, which updates `f->dst` to another port or to `NULL` while keeping the entry alive. Several bridge RCU readers inspect `f->dst`, including `br_fdb_fillbuf()` through the `brforward_read()` sysfs path. These readers currently load `f->dst` multiple times and can therefore observe inconsistent values across the check and later dereference. In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change `f->dst` after the NULL check and before the `port_no` dereference, leading to a NULL-ptr-deref. Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()` with `WRITE_ONCE()` so the readers and writer use matching access patterns.

References

URL

Tags

	https://git.kernel.org/stable/c/0b9e4bbfb7c949151e3acd44ed4aa33614d2e110
	https://git.kernel.org/stable/c/81af4137a30c4c2dc694dea8cacb180bd66000ef
	https://git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5
	https://git.kernel.org/stable/c/9a2d9d4e657b23dc21f24cf139e3aeff0b61341f
	https://git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808

Impacted products

Vendor

Product

Version

Version: 960b589f86c74ce582922fcb996103271081f4de
Version: 960b589f86c74ce582922fcb996103271081f4de
Version: 960b589f86c74ce582922fcb996103271081f4de
Version: 960b589f86c74ce582922fcb996103271081f4de
Version: 960b589f86c74ce582922fcb996103271081f4de

Version: 3.14

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_arp_nd_proxy.c",
            "net/bridge/br_fdb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b9e4bbfb7c949151e3acd44ed4aa33614d2e110",
              "status": "affected",
              "version": "960b589f86c74ce582922fcb996103271081f4de",
              "versionType": "git"
            },
            {
              "lessThan": "81af4137a30c4c2dc694dea8cacb180bd66000ef",
              "status": "affected",
              "version": "960b589f86c74ce582922fcb996103271081f4de",
              "versionType": "git"
            },
            {
              "lessThan": "5424e678f9b304e148cf5dcc047cffc7a56a3bb5",
              "status": "affected",
              "version": "960b589f86c74ce582922fcb996103271081f4de",
              "versionType": "git"
            },
            {
              "lessThan": "9a2d9d4e657b23dc21f24cf139e3aeff0b61341f",
              "status": "affected",
              "version": "960b589f86c74ce582922fcb996103271081f4de",
              "versionType": "git"
            },
            {
              "lessThan": "df4601653201de21b487c3e7fffd464790cab808",
              "status": "affected",
              "version": "960b589f86c74ce582922fcb996103271081f4de",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_arp_nd_proxy.c",
            "net/bridge/br_fdb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: use a stable FDB dst snapshot in RCU readers\n\nLocal FDB entries can be rewritten in place by `fdb_delete_local()`, which\nupdates `f-\u003edst` to another port or to `NULL` while keeping the entry\nalive. Several bridge RCU readers inspect `f-\u003edst`, including\n`br_fdb_fillbuf()` through the `brforward_read()` sysfs path.\n\nThese readers currently load `f-\u003edst` multiple times and can therefore\nobserve inconsistent values across the check and later dereference.\nIn `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change\n`f-\u003edst` after the NULL check and before the `port_no` dereference,\nleading to a NULL-ptr-deref.\n\nFix this by taking a single `READ_ONCE()` snapshot of `f-\u003edst` in each\naffected RCU reader and using that snapshot for the rest of the access\nsequence. Also publish the in-place `f-\u003edst` updates in `fdb_delete_local()`\nwith `WRITE_ONCE()` so the readers and writer use matching access patterns."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:19.148Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b9e4bbfb7c949151e3acd44ed4aa33614d2e110"
        },
        {
          "url": "https://git.kernel.org/stable/c/81af4137a30c4c2dc694dea8cacb180bd66000ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a2d9d4e657b23dc21f24cf139e3aeff0b61341f"
        },
        {
          "url": "https://git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808"
        }
      ],
      "title": "net: bridge: use a stable FDB dst snapshot in RCU readers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46086",
    "datePublished": "2026-05-27T12:58:28.137Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:53:19.148Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46107 (GCVE-0-2026-46107)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:54

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.

References

URL

Tags

	https://git.kernel.org/stable/c/f49b41c9eb7c6ff00df27cd49cea210abbadd8ad
	https://git.kernel.org/stable/c/f06f6aededd792a754cd677c02b3d3016d868c2c
	https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad
	https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460
	https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044
	https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c
	https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5

Impacted products

Vendor

Product

Version

Version: 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4
Version: 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4
Version: 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4
Version: 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4
Version: 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4
Version: 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4
Version: 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4

Version: 3.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/persistent-data/dm-btree-remove.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f49b41c9eb7c6ff00df27cd49cea210abbadd8ad",
              "status": "affected",
              "version": "3241b1d3e0aaafbfcd320f4d71ade629728cc4f4",
              "versionType": "git"
            },
            {
              "lessThan": "f06f6aededd792a754cd677c02b3d3016d868c2c",
              "status": "affected",
              "version": "3241b1d3e0aaafbfcd320f4d71ade629728cc4f4",
              "versionType": "git"
            },
            {
              "lessThan": "12161e03d33afce781f68fa11cc6060538862fad",
              "status": "affected",
              "version": "3241b1d3e0aaafbfcd320f4d71ade629728cc4f4",
              "versionType": "git"
            },
            {
              "lessThan": "323d252a4a378834e4fe68298ca61cfc5dd3a460",
              "status": "affected",
              "version": "3241b1d3e0aaafbfcd320f4d71ade629728cc4f4",
              "versionType": "git"
            },
            {
              "lessThan": "85311a585a26640760cd0f3349ab9f2905691044",
              "status": "affected",
              "version": "3241b1d3e0aaafbfcd320f4d71ade629728cc4f4",
              "versionType": "git"
            },
            {
              "lessThan": "5ec0debbcfd43596e32c1239e993de06a704e04c",
              "status": "affected",
              "version": "3241b1d3e0aaafbfcd320f4d71ade629728cc4f4",
              "versionType": "git"
            },
            {
              "lessThan": "09a65adc7d8bbfce06392cb6d375468e2728ead5",
              "status": "affected",
              "version": "3241b1d3e0aaafbfcd320f4d71ade629728cc4f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/persistent-data/dm-btree-remove.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-thin: fix metadata refcount underflow\n\nThere\u0027s a bug in dm-thin in the function rebalance_children. If the\ninternal btree node has one entry, the code tries to copy all btree\nentries from the node\u0027s child to the node itself and then decrement the\nchild\u0027s reference count.\n\nIf the child node is shared (it has reference count \u003e 1), we won\u0027t free\nit, so there would be two pointers to each of the grandchildren nodes.\nBut the reference counts of the grandchildren is not increased, thus the\nreference count doesn\u0027t match the number of pointers that point to the\ngrandchildren. This results in \"device mapper: space map common: unable\nto decrement block\" errors.\n\nFix this bug by incrementing reference counts on the grandchildren if the\nbtree node is shared."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:54:57.856Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f49b41c9eb7c6ff00df27cd49cea210abbadd8ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/f06f6aededd792a754cd677c02b3d3016d868c2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad"
        },
        {
          "url": "https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460"
        },
        {
          "url": "https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c"
        },
        {
          "url": "https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5"
        }
      ],
      "title": "dm-thin: fix metadata refcount underflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46107",
    "datePublished": "2026-05-28T09:35:13.051Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:54:57.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46033 (GCVE-0-2026-46033)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:49

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject short ahash digests during instance creation authencesn requires either a zero authsize or an authsize of at least 4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of high-order sequence number data at the end of the authenticated data. While crypto_authenc_esn_setauthsize() already rejects explicit non-zero authsizes in the range 1..3, crypto_authenc_esn_create() still copied auth->digestsize into inst->alg.maxauthsize without validating it. The AEAD core then initialized the tfm's default authsize from that value. As a result, selecting an ahash with digest size 1..3, such as cbcmac(cipher_null), exposed authencesn instances whose default authsize was invalid even though setauthsize() would have rejected the same value. AF_ALG could then trigger the ESN tail handling with a too-short tag and hit an out-of-bounds access. Reject authencesn instances whose ahash digest size is in the invalid non-zero range 1..3 so that no tfm can inherit an unsupported default authsize.

References

URL

Tags

	https://git.kernel.org/stable/c/77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9
	https://git.kernel.org/stable/c/2f31cd1e64a079c845bca31d2da7b3c90a311726
	https://git.kernel.org/stable/c/d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0
	https://git.kernel.org/stable/c/b69933e97efea238ebbfcf70c2b1be1cd03f13e3
	https://git.kernel.org/stable/c/67f1f0933cc3d78dde222842bcad2778ec7a0b88
	https://git.kernel.org/stable/c/b42821c15445f93daea3e76ada682b2b7181c476
	https://git.kernel.org/stable/c/9aff81e8217e9de2929084b03b3c7f81988c112b
	https://git.kernel.org/stable/c/5db6ef9847717329f12c5ea8aba7e9f588a980c0

Impacted products

Vendor

Product

Version

Version: f15f05b0a5de667c821a9727c33bce9d1d9b26dd
Version: f15f05b0a5de667c821a9727c33bce9d1d9b26dd
Version: f15f05b0a5de667c821a9727c33bce9d1d9b26dd
Version: f15f05b0a5de667c821a9727c33bce9d1d9b26dd
Version: f15f05b0a5de667c821a9727c33bce9d1d9b26dd
Version: f15f05b0a5de667c821a9727c33bce9d1d9b26dd
Version: f15f05b0a5de667c821a9727c33bce9d1d9b26dd
Version: f15f05b0a5de667c821a9727c33bce9d1d9b26dd

Version: 4.11

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/authencesn.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9",
              "status": "affected",
              "version": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd",
              "versionType": "git"
            },
            {
              "lessThan": "2f31cd1e64a079c845bca31d2da7b3c90a311726",
              "status": "affected",
              "version": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd",
              "versionType": "git"
            },
            {
              "lessThan": "d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0",
              "status": "affected",
              "version": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd",
              "versionType": "git"
            },
            {
              "lessThan": "b69933e97efea238ebbfcf70c2b1be1cd03f13e3",
              "status": "affected",
              "version": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd",
              "versionType": "git"
            },
            {
              "lessThan": "67f1f0933cc3d78dde222842bcad2778ec7a0b88",
              "status": "affected",
              "version": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd",
              "versionType": "git"
            },
            {
              "lessThan": "b42821c15445f93daea3e76ada682b2b7181c476",
              "status": "affected",
              "version": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd",
              "versionType": "git"
            },
            {
              "lessThan": "9aff81e8217e9de2929084b03b3c7f81988c112b",
              "status": "affected",
              "version": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd",
              "versionType": "git"
            },
            {
              "lessThan": "5db6ef9847717329f12c5ea8aba7e9f588a980c0",
              "status": "affected",
              "version": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/authencesn.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject short ahash digests during instance creation\n\nauthencesn requires either a zero authsize or an authsize of at least\n4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of\nhigh-order sequence number data at the end of the authenticated data.\n\nWhile crypto_authenc_esn_setauthsize() already rejects explicit\nnon-zero authsizes in the range 1..3, crypto_authenc_esn_create()\nstill copied auth-\u003edigestsize into inst-\u003ealg.maxauthsize without\nvalidating it.  The AEAD core then initialized the tfm\u0027s default\nauthsize from that value.\n\nAs a result, selecting an ahash with digest size 1..3, such as\ncbcmac(cipher_null), exposed authencesn instances whose default\nauthsize was invalid even though setauthsize() would have rejected the\nsame value.  AF_ALG could then trigger the ESN tail handling with a\ntoo-short tag and hit an out-of-bounds access.\n\nReject authencesn instances whose ahash digest size is in the invalid\nnon-zero range 1..3 so that no tfm can inherit an unsupported default\nauthsize."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:49:24.256Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f31cd1e64a079c845bca31d2da7b3c90a311726"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b69933e97efea238ebbfcf70c2b1be1cd03f13e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/67f1f0933cc3d78dde222842bcad2778ec7a0b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/b42821c15445f93daea3e76ada682b2b7181c476"
        },
        {
          "url": "https://git.kernel.org/stable/c/9aff81e8217e9de2929084b03b3c7f81988c112b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5db6ef9847717329f12c5ea8aba7e9f588a980c0"
        }
      ],
      "title": "crypto: authencesn - reject short ahash digests during instance creation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46033",
    "datePublished": "2026-05-27T12:56:42.038Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-06-14T17:49:24.256Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-50292 (GCVE-0-2026-50292)

Vulnerability from cvelistv5

Published

2026-06-04 16:41

Modified

2026-06-04 18:12

Severity ?

7.4 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Summary

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

References

URL

Tags

	https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
	https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55
	https://www.openwall.com/lists/oss-security/2026/06/04/5

Impacted products

	Vendor	Product	Version
	freedesktop	libinput	Version: 0 ≤ Version: 1.31.0 ≤

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50292",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T18:12:00.642730Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T18:12:18.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libinput",
          "vendor": "freedesktop",
          "versions": [
            {
              "lessThan": "1.30.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.31.3",
              "status": "affected",
              "version": "1.31.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.30.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.31.3",
                  "versionStartIncluding": "1.31.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T16:41:36.354Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296"
        },
        {
          "url": "https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/06/04/5"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-50292",
    "datePublished": "2026-06-04T16:41:36.354Z",
    "dateReserved": "2026-06-04T16:41:35.817Z",
    "dateUpdated": "2026-06-04T18:12:18.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46021 (GCVE-0-2026-46021)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which may lead to a memory leak. In turn, thermal_zone_device_unregister() calls thermal_set_governor() without acquiring the thermal zone lock beforehand which may race with a governor update via sysfs and may lead to a use-after-free in that case. Address these issues by adding two thermal_set_governor() calls, one to thermal_release() to remove the governor from the given thermal zone, and one to the thermal zone registration error path to cover failures preceding the thermal zone device registration.

References

URL

Tags

	https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13
	https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45
	https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761
	https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06
	https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440

Impacted products

Vendor

Product

Version

Version: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8
Version: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8
Version: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8
Version: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8
Version: e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8

Version: 4.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/thermal/thermal_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "37a430a2d4e66ec8238da6c7f7e48809bf265e13",
              "status": "affected",
              "version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
              "versionType": "git"
            },
            {
              "lessThan": "f412e541d25a3dfaf3d53e012ade6ff03cae8a45",
              "status": "affected",
              "version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
              "versionType": "git"
            },
            {
              "lessThan": "75f8f3c3e09122270986de9d7aa347d701676761",
              "status": "affected",
              "version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
              "versionType": "git"
            },
            {
              "lessThan": "64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06",
              "status": "affected",
              "version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
              "versionType": "git"
            },
            {
              "lessThan": "41ff66baf81c6541f4f985dd7eac4494d03d9440",
              "status": "affected",
              "version": "e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/thermal/thermal_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix thermal zone governor cleanup issues\n\nIf thermal_zone_device_register_with_trips() fails after adding\na thermal governor to the thermal zone being registered, the\ngovernor is not removed from it as appropriate which may lead to\na memory leak.\n\nIn turn, thermal_zone_device_unregister() calls thermal_set_governor()\nwithout acquiring the thermal zone lock beforehand which may race with\na governor update via sysfs and may lead to a use-after-free in that\ncase.\n\nAddress these issues by adding two thermal_set_governor() calls, one to\nthermal_release() to remove the governor from the given thermal zone,\nand one to the thermal zone registration error path to cover failures\npreceding the thermal zone device registration."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:31.554Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13"
        },
        {
          "url": "https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45"
        },
        {
          "url": "https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761"
        },
        {
          "url": "https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06"
        },
        {
          "url": "https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440"
        }
      ],
      "title": "thermal: core: Fix thermal zone governor cleanup issues",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46021",
    "datePublished": "2026-05-27T12:56:23.515Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:48:31.554Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46037 (GCVE-0-2026-46037)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:49

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: validate reply type before using icmp_pointers Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. That value is outside the range covered by icmp_pointers[], which only describes the traditional ICMP types up to NR_ICMP_TYPES. Avoid consulting icmp_pointers[] for reply types outside that range, and use array_index_nospec() for the remaining in-range lookup. Normal ICMP replies keep their existing behavior unchanged.

References

URL

Tags

	https://git.kernel.org/stable/c/b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99
	https://git.kernel.org/stable/c/93df2af4f491de33827550b9d420f01808c0706b
	https://git.kernel.org/stable/c/92e7c209036dcc0e8ffdf806fdfd3645b263bea5
	https://git.kernel.org/stable/c/bc64a66e0b9ad937d3d49934242ee62b01ba9a94
	https://git.kernel.org/stable/c/c2178ff1c70ebfc2ab9651b230c58a34683db759
	https://git.kernel.org/stable/c/d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1
	https://git.kernel.org/stable/c/67bf002a2d7387a6312138210d0bd06e3cf4879b

Impacted products

Vendor

Product

Version

Version: d329ea5bd8845f0b196bf41b18b6173340d6e0e4
Version: d329ea5bd8845f0b196bf41b18b6173340d6e0e4
Version: d329ea5bd8845f0b196bf41b18b6173340d6e0e4
Version: d329ea5bd8845f0b196bf41b18b6173340d6e0e4
Version: d329ea5bd8845f0b196bf41b18b6173340d6e0e4
Version: d329ea5bd8845f0b196bf41b18b6173340d6e0e4
Version: d329ea5bd8845f0b196bf41b18b6173340d6e0e4

Version: 5.13

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45467

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/icmp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99",
              "status": "affected",
              "version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
              "versionType": "git"
            },
            {
              "lessThan": "93df2af4f491de33827550b9d420f01808c0706b",
              "status": "affected",
              "version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
              "versionType": "git"
            },
            {
              "lessThan": "92e7c209036dcc0e8ffdf806fdfd3645b263bea5",
              "status": "affected",
              "version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
              "versionType": "git"
            },
            {
              "lessThan": "bc64a66e0b9ad937d3d49934242ee62b01ba9a94",
              "status": "affected",
              "version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
              "versionType": "git"
            },
            {
              "lessThan": "c2178ff1c70ebfc2ab9651b230c58a34683db759",
              "status": "affected",
              "version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
              "versionType": "git"
            },
            {
              "lessThan": "d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1",
              "status": "affected",
              "version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
              "versionType": "git"
            },
            {
              "lessThan": "67bf002a2d7387a6312138210d0bd06e3cf4879b",
              "status": "affected",
              "version": "d329ea5bd8845f0b196bf41b18b6173340d6e0e4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/icmp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: icmp: validate reply type before using icmp_pointers\n\nExtended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.\nThat value is outside the range covered by icmp_pointers[], which only\ndescribes the traditional ICMP types up to NR_ICMP_TYPES.\n\nAvoid consulting icmp_pointers[] for reply types outside that range, and\nuse array_index_nospec() for the remaining in-range lookup. Normal ICMP\nreplies keep their existing behavior unchanged."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:49:43.163Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99"
        },
        {
          "url": "https://git.kernel.org/stable/c/93df2af4f491de33827550b9d420f01808c0706b"
        },
        {
          "url": "https://git.kernel.org/stable/c/92e7c209036dcc0e8ffdf806fdfd3645b263bea5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc64a66e0b9ad937d3d49934242ee62b01ba9a94"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2178ff1c70ebfc2ab9651b230c58a34683db759"
        },
        {
          "url": "https://git.kernel.org/stable/c/d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/67bf002a2d7387a6312138210d0bd06e3cf4879b"
        }
      ],
      "title": "ipv4: icmp: validate reply type before using icmp_pointers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46037",
    "datePublished": "2026-05-27T12:56:47.795Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-06-14T17:49:43.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45467 (GCVE-0-2026-45467)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45467",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:02:48.154392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:03:00.726Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:00.189Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45467"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45467",
    "datePublished": "2026-06-09T17:04:18.437Z",
    "dateReserved": "2026-05-12T16:06:43.098Z",
    "dateUpdated": "2026-06-16T18:17:00.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45991 (GCVE-0-2026-45991)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:46

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: udf: fix partition descriptor append bookkeeping Mounting a crafted UDF image with repeated partition descriptors can trigger a heap out-of-bounds write in part_descs_loc[]. handle_partition_descriptor() deduplicates entries by partition number, but appended slots never record partnum. As a result duplicate Partition Descriptors are appended repeatedly and num_part_descs keeps growing. Once the table is full, the growth path still sizes the allocation from partnum even though inserts are indexed by num_part_descs. If partnum is already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep the old capacity and the next append writes past the end of the table. Store partnum in the appended slot and size growth from the next append count so deduplication and capacity tracking follow the same model.

References

URL

Tags

	https://git.kernel.org/stable/c/058b451b1039f056d1362c4fec2229e522366ab0
	https://git.kernel.org/stable/c/b5597bb83fc37b5b5da74a4453fa920b932cf39a
	https://git.kernel.org/stable/c/08fa5d818e5bf53c7ca234d88ba334f32004e9b6
	https://git.kernel.org/stable/c/08841b06fa64d8edbd1a21ca6e613420c90cc4b8

Impacted products

Vendor

Product

Version

Version: ee4af50ca94f58afc3532662779b9cf80bbe27c8
Version: ee4af50ca94f58afc3532662779b9cf80bbe27c8
Version: ee4af50ca94f58afc3532662779b9cf80bbe27c8
Version: ee4af50ca94f58afc3532662779b9cf80bbe27c8
Version: 7f401f160a9c7a1ff84ba3cb9b2f636d1f5cfb6b
Version: 4.18.7 ≤

Version: 4.19

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/udf/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "058b451b1039f056d1362c4fec2229e522366ab0",
              "status": "affected",
              "version": "ee4af50ca94f58afc3532662779b9cf80bbe27c8",
              "versionType": "git"
            },
            {
              "lessThan": "b5597bb83fc37b5b5da74a4453fa920b932cf39a",
              "status": "affected",
              "version": "ee4af50ca94f58afc3532662779b9cf80bbe27c8",
              "versionType": "git"
            },
            {
              "lessThan": "08fa5d818e5bf53c7ca234d88ba334f32004e9b6",
              "status": "affected",
              "version": "ee4af50ca94f58afc3532662779b9cf80bbe27c8",
              "versionType": "git"
            },
            {
              "lessThan": "08841b06fa64d8edbd1a21ca6e613420c90cc4b8",
              "status": "affected",
              "version": "ee4af50ca94f58afc3532662779b9cf80bbe27c8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7f401f160a9c7a1ff84ba3cb9b2f636d1f5cfb6b",
              "versionType": "git"
            },
            {
              "lessThan": "4.19",
              "status": "affected",
              "version": "4.18.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/udf/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.18.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: fix partition descriptor append bookkeeping\n\nMounting a crafted UDF image with repeated partition descriptors can\ntrigger a heap out-of-bounds write in part_descs_loc[].\n\nhandle_partition_descriptor() deduplicates entries by partition number,\nbut appended slots never record partnum. As a result duplicate\nPartition Descriptors are appended repeatedly and num_part_descs keeps\ngrowing.\n\nOnce the table is full, the growth path still sizes the allocation from\npartnum even though inserts are indexed by num_part_descs. If partnum is\nalready aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep\nthe old capacity and the next append writes past the end of the table.\n\nStore partnum in the appended slot and size growth from the next append\ncount so deduplication and capacity tracking follow the same model."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:48.933Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/058b451b1039f056d1362c4fec2229e522366ab0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5597bb83fc37b5b5da74a4453fa920b932cf39a"
        },
        {
          "url": "https://git.kernel.org/stable/c/08fa5d818e5bf53c7ca234d88ba334f32004e9b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/08841b06fa64d8edbd1a21ca6e613420c90cc4b8"
        }
      ],
      "title": "udf: fix partition descriptor append bookkeeping",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45991",
    "datePublished": "2026-05-27T12:55:43.449Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:46:48.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46168 (GCVE-0-2026-46168)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix scheduling with atomic in timestamp sockopt Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep. Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.

References

URL

Tags

	https://git.kernel.org/stable/c/0949d8bbbedbafe0136a1723c41eb823c2f1e09d
	https://git.kernel.org/stable/c/e792cfb6aeaf65612cdf8e3ac431d65e66283654
	https://git.kernel.org/stable/c/ebeb70e29e37cfce899309cc2665a3bfe960ed94
	https://git.kernel.org/stable/c/b157dab93a7af44a84e78cf0cb311dde475cff5b
	https://git.kernel.org/stable/c/8a005fe451c73fd2b3d1faa5643c11e6bd07acfc
	https://git.kernel.org/stable/c/7eb513b42721bee4b96da69f6188d5a7783f210d
	https://git.kernel.org/stable/c/b5c52908d52c6c8eb8933264aa6087a0600fd892

Impacted products

Vendor

Product

Version

Version: 9061f24bf82ec2e92dd1e7c10b98b680db023d31
Version: 9061f24bf82ec2e92dd1e7c10b98b680db023d31
Version: 9061f24bf82ec2e92dd1e7c10b98b680db023d31
Version: 9061f24bf82ec2e92dd1e7c10b98b680db023d31
Version: 9061f24bf82ec2e92dd1e7c10b98b680db023d31
Version: 9061f24bf82ec2e92dd1e7c10b98b680db023d31
Version: 9061f24bf82ec2e92dd1e7c10b98b680db023d31

Version: 5.14

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/sockopt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0949d8bbbedbafe0136a1723c41eb823c2f1e09d",
              "status": "affected",
              "version": "9061f24bf82ec2e92dd1e7c10b98b680db023d31",
              "versionType": "git"
            },
            {
              "lessThan": "e792cfb6aeaf65612cdf8e3ac431d65e66283654",
              "status": "affected",
              "version": "9061f24bf82ec2e92dd1e7c10b98b680db023d31",
              "versionType": "git"
            },
            {
              "lessThan": "ebeb70e29e37cfce899309cc2665a3bfe960ed94",
              "status": "affected",
              "version": "9061f24bf82ec2e92dd1e7c10b98b680db023d31",
              "versionType": "git"
            },
            {
              "lessThan": "b157dab93a7af44a84e78cf0cb311dde475cff5b",
              "status": "affected",
              "version": "9061f24bf82ec2e92dd1e7c10b98b680db023d31",
              "versionType": "git"
            },
            {
              "lessThan": "8a005fe451c73fd2b3d1faa5643c11e6bd07acfc",
              "status": "affected",
              "version": "9061f24bf82ec2e92dd1e7c10b98b680db023d31",
              "versionType": "git"
            },
            {
              "lessThan": "7eb513b42721bee4b96da69f6188d5a7783f210d",
              "status": "affected",
              "version": "9061f24bf82ec2e92dd1e7c10b98b680db023d31",
              "versionType": "git"
            },
            {
              "lessThan": "b5c52908d52c6c8eb8933264aa6087a0600fd892",
              "status": "affected",
              "version": "9061f24bf82ec2e92dd1e7c10b98b680db023d31",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/sockopt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix scheduling with atomic in timestamp sockopt\n\nUsing lock_sock_fast() (atomic context) around sock_set_timestamp()\nand sock_set_timestamping() is unsafe, as both helpers can sleep.\n\nReplace lock_sock_fast() with sleepable lock_sock()/release_sock()\nto avoid scheduling while atomic panic."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:59:42.888Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0949d8bbbedbafe0136a1723c41eb823c2f1e09d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e792cfb6aeaf65612cdf8e3ac431d65e66283654"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebeb70e29e37cfce899309cc2665a3bfe960ed94"
        },
        {
          "url": "https://git.kernel.org/stable/c/b157dab93a7af44a84e78cf0cb311dde475cff5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a005fe451c73fd2b3d1faa5643c11e6bd07acfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/7eb513b42721bee4b96da69f6188d5a7783f210d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5c52908d52c6c8eb8933264aa6087a0600fd892"
        }
      ],
      "title": "mptcp: fix scheduling with atomic in timestamp sockopt",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46168",
    "datePublished": "2026-05-28T09:36:23.394Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:59:42.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46177 (GCVE-0-2026-46177)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:00

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time. In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things. If the attn bit gets stuck, it's a similar problem. So allow messages in between flag fetches so the driver itself doesn't get stuck. This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data. This has been there from the beginning of the driver. It's not a bug per-se, but it is accounting for bugs in BMCs.

References

URL

Tags

	https://git.kernel.org/stable/c/112df8e631636cafda64dcee4561daf09ce74a4a
	https://git.kernel.org/stable/c/304b56883b7eff73eb606c35d062c8101aaf5471
	https://git.kernel.org/stable/c/9059dc94421e1d4f8e5844204608b37ebfddb3da
	https://git.kernel.org/stable/c/67c44e0deba936d5edaebea356b4589eb43acb5c
	https://git.kernel.org/stable/c/e20212b431bef217d3886b86bbc90cc3ed00de68
	https://git.kernel.org/stable/c/3d37d2165df9504ea99d9e6181552dc4d2d1ab37
	https://git.kernel.org/stable/c/c024167fb00489baee08c72182ca2e7dc5fb9f20
	https://git.kernel.org/stable/c/c4cca236968683eb0d59abfb12d5c7e4d8514227

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44819

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmi_si_intf.c",
            "drivers/char/ipmi/ipmi_ssif.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "112df8e631636cafda64dcee4561daf09ce74a4a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "304b56883b7eff73eb606c35d062c8101aaf5471",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9059dc94421e1d4f8e5844204608b37ebfddb3da",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "67c44e0deba936d5edaebea356b4589eb43acb5c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e20212b431bef217d3886b86bbc90cc3ed00de68",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3d37d2165df9504ea99d9e6181552dc4d2d1ab37",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c024167fb00489baee08c72182ca2e7dc5fb9f20",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c4cca236968683eb0d59abfb12d5c7e4d8514227",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmi_si_intf.c",
            "drivers/char/ipmi/ipmi_ssif.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Add limits to event and receive message requests\n\nThe driver would just fetch events and receive messages until the\nBMC said it was done.  To avoid issues with BMCs that never say they are\ndone, add a limit of 10 fetches at a time.\n\nIn addition, an si interface has an attn state it can return from the\nhardware which is supposed to cause a flag fetch to see if the driver\nneeds to fetch events or message or a few other things.  If the attn\nbit gets stuck, it\u0027s a similar problem.  So allow messages in between\nflag fetches so the driver itself doesn\u0027t get stuck.\n\nThis is a more general fix than the previous fix for the specific bad\nBMC, but should fix the more general issue of a BMC that won\u0027t stop\nsaying it has data.\n\nThis has been there from the beginning of the driver.  It\u0027s not a bug\nper-se, but it is accounting for bugs in BMCs."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:00:26.015Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/112df8e631636cafda64dcee4561daf09ce74a4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/304b56883b7eff73eb606c35d062c8101aaf5471"
        },
        {
          "url": "https://git.kernel.org/stable/c/9059dc94421e1d4f8e5844204608b37ebfddb3da"
        },
        {
          "url": "https://git.kernel.org/stable/c/67c44e0deba936d5edaebea356b4589eb43acb5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e20212b431bef217d3886b86bbc90cc3ed00de68"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d37d2165df9504ea99d9e6181552dc4d2d1ab37"
        },
        {
          "url": "https://git.kernel.org/stable/c/c024167fb00489baee08c72182ca2e7dc5fb9f20"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4cca236968683eb0d59abfb12d5c7e4d8514227"
        }
      ],
      "title": "ipmi: Add limits to event and receive message requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46177",
    "datePublished": "2026-05-28T09:36:31.286Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-06-14T18:00:26.015Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44819 (GCVE-0-2026-44819)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

Microsoft	Microsoft Office 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office 365 for Mac	Version: -
Microsoft	Microsoft Office LTSC 2021	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC 2024	Version: 16.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC for Mac 2021	Version: -
Microsoft	Microsoft Office LTSC for Mac 2024	Version: -
Microsoft	Microsoft SharePoint Enterprise Server 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44819",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-05T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T03:57:25.289Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office 365 for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:16.743Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Office Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44819"
        }
      ],
      "title": "Microsoft Office Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-44819",
    "datePublished": "2026-06-09T17:04:32.846Z",
    "dateReserved": "2026-05-07T20:07:18.272Z",
    "dateUpdated": "2026-06-16T18:17:16.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46180 (GCVE-0-2026-46180)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().

References

URL

Tags

	https://git.kernel.org/stable/c/ed4168d1a50fef5be8eca947fbbf05a28507d265
	https://git.kernel.org/stable/c/d16827cb1d3936f7627d0da6044483f743ebde03
	https://git.kernel.org/stable/c/658d2e46c2e9a8eb9b80c5e803ce3c89885b3366
	https://git.kernel.org/stable/c/908b92231e1ded53e43fcfad5e0704d83e1b803c
	https://git.kernel.org/stable/c/c623b63580880cc742255eaed3d79804c1b91143

Impacted products

Vendor

Product

Version

Version: a9ffda88be7416b8336f644806c2b3ed3ce08b26
Version: a9ffda88be7416b8336f644806c2b3ed3ce08b26
Version: a9ffda88be7416b8336f644806c2b3ed3ce08b26
Version: a9ffda88be7416b8336f644806c2b3ed3ce08b26
Version: a9ffda88be7416b8336f644806c2b3ed3ce08b26

Version: 3.3

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ed4168d1a50fef5be8eca947fbbf05a28507d265",
              "status": "affected",
              "version": "a9ffda88be7416b8336f644806c2b3ed3ce08b26",
              "versionType": "git"
            },
            {
              "lessThan": "d16827cb1d3936f7627d0da6044483f743ebde03",
              "status": "affected",
              "version": "a9ffda88be7416b8336f644806c2b3ed3ce08b26",
              "versionType": "git"
            },
            {
              "lessThan": "658d2e46c2e9a8eb9b80c5e803ce3c89885b3366",
              "status": "affected",
              "version": "a9ffda88be7416b8336f644806c2b3ed3ce08b26",
              "versionType": "git"
            },
            {
              "lessThan": "908b92231e1ded53e43fcfad5e0704d83e1b803c",
              "status": "affected",
              "version": "a9ffda88be7416b8336f644806c2b3ed3ce08b26",
              "versionType": "git"
            },
            {
              "lessThan": "c623b63580880cc742255eaed3d79804c1b91143",
              "status": "affected",
              "version": "a9ffda88be7416b8336f644806c2b3ed3ce08b26",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task\n\nWatchdog task might end between send_sig() and kthread_stop() calls, what\nresults in the use-after-free issue. Fix this by increasing watchdog task\nreference count before calling send_sig() and dropping it by switching to\nkthread_stop_put()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:00:40.767Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ed4168d1a50fef5be8eca947fbbf05a28507d265"
        },
        {
          "url": "https://git.kernel.org/stable/c/d16827cb1d3936f7627d0da6044483f743ebde03"
        },
        {
          "url": "https://git.kernel.org/stable/c/658d2e46c2e9a8eb9b80c5e803ce3c89885b3366"
        },
        {
          "url": "https://git.kernel.org/stable/c/908b92231e1ded53e43fcfad5e0704d83e1b803c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c623b63580880cc742255eaed3d79804c1b91143"
        }
      ],
      "title": "wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46180",
    "datePublished": "2026-05-28T09:36:33.904Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-06-14T18:00:40.767Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46209 (GCVE-0-2026-46209)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:02

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division: unsigned int width = mode_cmd->width / (i ? info->hsub : 1); unsigned int height = mode_cmd->height / (i ? info->vsub : 1); However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations. For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds. Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().

References

URL

Tags

	https://git.kernel.org/stable/c/11427ad6c9f0def5ce567982b785da3191946430
	https://git.kernel.org/stable/c/adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad
	https://git.kernel.org/stable/c/22922f7dae74409fc4bf0f1142710cb6b8ce8cc2
	https://git.kernel.org/stable/c/6b992591e04f2cce813bcf239b354f375bbf84d3
	https://git.kernel.org/stable/c/1da4ab7189f1064b3b712b388772c008b4d82580
	https://git.kernel.org/stable/c/1a17ea9861e89585361caa8bc231bd22dc6dbe7d
	https://git.kernel.org/stable/c/c5fc49d8470c5ebf3b41607600f277158f159950
	https://git.kernel.org/stable/c/3d4c2268bd7243c3780fe32bf24ff876da272acf

Impacted products

Vendor

Product

Version

Version: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78
Version: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78
Version: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78
Version: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78
Version: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78
Version: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78
Version: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78
Version: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78

Version: 4.14

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_gem_framebuffer_helper.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "11427ad6c9f0def5ce567982b785da3191946430",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            },
            {
              "lessThan": "adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            },
            {
              "lessThan": "22922f7dae74409fc4bf0f1142710cb6b8ce8cc2",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            },
            {
              "lessThan": "6b992591e04f2cce813bcf239b354f375bbf84d3",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            },
            {
              "lessThan": "1da4ab7189f1064b3b712b388772c008b4d82580",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            },
            {
              "lessThan": "1a17ea9861e89585361caa8bc231bd22dc6dbe7d",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            },
            {
              "lessThan": "c5fc49d8470c5ebf3b41607600f277158f159950",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            },
            {
              "lessThan": "3d4c2268bd7243c3780fe32bf24ff876da272acf",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_gem_framebuffer_helper.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()\n\ndrm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions\nusing plain integer division:\n\n  unsigned int width  = mode_cmd-\u003ewidth  / (i ? info-\u003ehsub : 1);\n  unsigned int height = mode_cmd-\u003eheight / (i ? info-\u003evsub : 1);\n\nHowever, the ioctl-level framebuffer_check() in drm_framebuffer.c uses\ndrm_format_info_plane_width/height() which round up dimensions via\nDIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object\nsize check for certain pixel format and dimension combinations.\n\nFor example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the\nGEM size validation path sees height=0 instead of height=1. The\nexpression (height - 1) then wraps to UINT_MAX as an unsigned int,\ncausing min_size to overflow and wrap back to a small value. A tiny\nGEM object therefore passes the size guard, yet when the GPU accesses\nthe chroma plane it will read or write memory beyond the object\u0027s\nbounds.\n\nFix by replacing the open-coded divisions with drm_format_info_plane_width()\nand drm_format_info_plane_height(), which use DIV_ROUND_UP() and match\nthe calculation already used in framebuffer_check()."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:02:54.931Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/11427ad6c9f0def5ce567982b785da3191946430"
        },
        {
          "url": "https://git.kernel.org/stable/c/adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/22922f7dae74409fc4bf0f1142710cb6b8ce8cc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b992591e04f2cce813bcf239b354f375bbf84d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/1da4ab7189f1064b3b712b388772c008b4d82580"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a17ea9861e89585361caa8bc231bd22dc6dbe7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5fc49d8470c5ebf3b41607600f277158f159950"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d4c2268bd7243c3780fe32bf24ff876da272acf"
        }
      ],
      "title": "drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46209",
    "datePublished": "2026-05-28T09:40:27.092Z",
    "dateReserved": "2026-05-13T15:03:33.105Z",
    "dateUpdated": "2026-06-14T18:02:54.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46016 (GCVE-0-2026-46016)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: remoteproc: xlnx: Only access buffer information if IPI is buffered In the receive callback check if message is NULL to prevent possibility of crash by NULL pointer dereferencing.

References

URL

Tags

	https://git.kernel.org/stable/c/5d1451cb2cf6f3d9884d76035a1460aa9bb4b053
	https://git.kernel.org/stable/c/7ddbf21116770b7011f2bb0a6056b7604b24c497
	https://git.kernel.org/stable/c/06d0bed2552fd0dae27d374d4492a2b672e24eed
	https://git.kernel.org/stable/c/8242579859a78c801bb626e9aa4823aca93e28e7
	https://git.kernel.org/stable/c/38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6

Impacted products

Vendor

Product

Version

Version: 5dfb28c257b7c515624ba6b163410ceada451bf2
Version: 5dfb28c257b7c515624ba6b163410ceada451bf2
Version: 5dfb28c257b7c515624ba6b163410ceada451bf2
Version: 5dfb28c257b7c515624ba6b163410ceada451bf2
Version: 5dfb28c257b7c515624ba6b163410ceada451bf2

Version: 6.4

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/remoteproc/xlnx_r5_remoteproc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5d1451cb2cf6f3d9884d76035a1460aa9bb4b053",
              "status": "affected",
              "version": "5dfb28c257b7c515624ba6b163410ceada451bf2",
              "versionType": "git"
            },
            {
              "lessThan": "7ddbf21116770b7011f2bb0a6056b7604b24c497",
              "status": "affected",
              "version": "5dfb28c257b7c515624ba6b163410ceada451bf2",
              "versionType": "git"
            },
            {
              "lessThan": "06d0bed2552fd0dae27d374d4492a2b672e24eed",
              "status": "affected",
              "version": "5dfb28c257b7c515624ba6b163410ceada451bf2",
              "versionType": "git"
            },
            {
              "lessThan": "8242579859a78c801bb626e9aa4823aca93e28e7",
              "status": "affected",
              "version": "5dfb28c257b7c515624ba6b163410ceada451bf2",
              "versionType": "git"
            },
            {
              "lessThan": "38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6",
              "status": "affected",
              "version": "5dfb28c257b7c515624ba6b163410ceada451bf2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/remoteproc/xlnx_r5_remoteproc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: xlnx: Only access buffer information if IPI is buffered\n\nIn the receive callback check if message is NULL to prevent\npossibility of crash by NULL pointer dereferencing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:10.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5d1451cb2cf6f3d9884d76035a1460aa9bb4b053"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ddbf21116770b7011f2bb0a6056b7604b24c497"
        },
        {
          "url": "https://git.kernel.org/stable/c/06d0bed2552fd0dae27d374d4492a2b672e24eed"
        },
        {
          "url": "https://git.kernel.org/stable/c/8242579859a78c801bb626e9aa4823aca93e28e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6"
        }
      ],
      "title": "remoteproc: xlnx: Only access buffer information if IPI is buffered",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46016",
    "datePublished": "2026-05-27T12:56:17.970Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:48:10.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46084 (GCVE-0-2026-46084)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mana_ib: Disable RX steering on RSS QP destroy When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects. If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs: WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false) WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails) Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver. Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver's mana_dealloc_queues() is also updated to call this common function.

References

URL

Tags

	https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f
	https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184
	https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc
	https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c
	https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036

Impacted products

Vendor

Product

Version

Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06

Version: 6.2

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45647

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mana/qp.c",
            "drivers/net/ethernet/microsoft/mana/mana_en.c",
            "include/net/mana/mana.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "f1ccc4d500a0b87a5599343fc2f798048836e184",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "8ba804869382ce307f2a15f5f6f2adfd791f41dc",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "3be5ed233de03b00ae868cfc06e95331d8d9007c",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "dbeb256e8dd87233d891b170c0b32a6466467036",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mana/qp.c",
            "drivers/net/ethernet/microsoft/mana/mana_en.c",
            "include/net/mana/mana.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana_ib: Disable RX steering on RSS QP destroy\n\nWhen an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()\ndestroys the RX WQ objects but does not disable vPort RX steering in\nfirmware. This leaves stale steering configuration that still points to\nthe destroyed RX objects.\n\nIf traffic continues to arrive (e.g. peer VM is still transmitting) and\nthe VF interface is subsequently brought up (mana_open), the firmware\nmay deliver completions using stale CQ IDs from the old RX objects.\nThese CQ IDs can be reused by the ethernet driver for new TX CQs,\ncausing RX completions to land on TX CQs:\n\n  WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana]  (is_sq == false)\n  WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)\n\nFix this by disabling vPort RX steering before destroying RX WQ objects.\nNote that mana_fence_rqs() cannot be used here because the fence\ncompletion is delivered on the CQ, which is polled by user-mode (e.g.\nDPDK) and not visible to the kernel driver.\n\nRefactor the disable logic into a shared mana_disable_vport_rx() in\nmana_en, exported for use by mana_ib, replacing the duplicate code.\nThe ethernet driver\u0027s mana_dealloc_queues() is also updated to call\nthis common function."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:09.762Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036"
        }
      ],
      "title": "RDMA/mana_ib: Disable RX steering on RSS QP destroy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46084",
    "datePublished": "2026-05-27T12:58:25.435Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:53:09.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45647 (GCVE-0-2026-45647)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

CWE

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Summary

Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft Defender for Endpoint for Mac	Version: 101.0.0 < 101.26042.0011

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45647",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:55:59.706422Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:16:41.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Defender for Endpoint for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "101.26042.0011",
              "status": "affected",
              "version": "101.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:defender_for_endpoint:*:*:*:*:*:macos:*:*",
                  "versionEndExcluding": "101.26042.0011",
                  "versionStartIncluding": "101.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:20.031Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45647"
        }
      ],
      "title": "Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45647",
    "datePublished": "2026-06-09T17:05:44.525Z",
    "dateReserved": "2026-05-12T20:33:35.157Z",
    "dateUpdated": "2026-06-16T18:18:20.031Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46229 (GCVE-0-2026-46229)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:04

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels. The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers. This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.

References

URL

Tags

	https://git.kernel.org/stable/c/1db431380879fd9d28b763a88a0c0431be5be8df
	https://git.kernel.org/stable/c/32b153658f017ad2f5bf8aab479e8d16ac95bc3a
	https://git.kernel.org/stable/c/77d0b5d11387071770246fd0185a69fa28e8e109
	https://git.kernel.org/stable/c/047d44d8d29a6a1a5757256837aa9dd78e3cd0b5
	https://git.kernel.org/stable/c/ad52d61d82181dbdb7f05826de38352d5e550cc2

Impacted products

Vendor

Product

Version

Version: 6856e4b65f64eeb3f17148f79b36c1d60c627529
Version: 6856e4b65f64eeb3f17148f79b36c1d60c627529
Version: 6856e4b65f64eeb3f17148f79b36c1d60c627529
Version: 6856e4b65f64eeb3f17148f79b36c1d60c627529
Version: 6856e4b65f64eeb3f17148f79b36c1d60c627529

Version: 5.4

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1db431380879fd9d28b763a88a0c0431be5be8df",
              "status": "affected",
              "version": "6856e4b65f64eeb3f17148f79b36c1d60c627529",
              "versionType": "git"
            },
            {
              "lessThan": "32b153658f017ad2f5bf8aab479e8d16ac95bc3a",
              "status": "affected",
              "version": "6856e4b65f64eeb3f17148f79b36c1d60c627529",
              "versionType": "git"
            },
            {
              "lessThan": "77d0b5d11387071770246fd0185a69fa28e8e109",
              "status": "affected",
              "version": "6856e4b65f64eeb3f17148f79b36c1d60c627529",
              "versionType": "git"
            },
            {
              "lessThan": "047d44d8d29a6a1a5757256837aa9dd78e3cd0b5",
              "status": "affected",
              "version": "6856e4b65f64eeb3f17148f79b36c1d60c627529",
              "versionType": "git"
            },
            {
              "lessThan": "ad52d61d82181dbdb7f05826de38352d5e550cc2",
              "status": "affected",
              "version": "6856e4b65f64eeb3f17148f79b36c1d60c627529",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Clear VRAM on allocation to prevent stale data exposure\n\nKFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE\nbut not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated\nVRAM with stale data from prior use observable by compute kernels.\n\nThe GEM ioctl path already sets VRAM_CLEARED for all userspace\nallocations via amdgpu_gem_create_ioctl() and\namdgpu_mode_dumb_create(). The KFD path was missing this flag,\nallowing stale page table remnants to leak into user buffers.\n\nThis causes crashes in RCCL P2P transport where non-zero data in\nptrExchange/head/tail fields corrupts the protocol handshake."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:17.225Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1db431380879fd9d28b763a88a0c0431be5be8df"
        },
        {
          "url": "https://git.kernel.org/stable/c/32b153658f017ad2f5bf8aab479e8d16ac95bc3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/77d0b5d11387071770246fd0185a69fa28e8e109"
        },
        {
          "url": "https://git.kernel.org/stable/c/047d44d8d29a6a1a5757256837aa9dd78e3cd0b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad52d61d82181dbdb7f05826de38352d5e550cc2"
        }
      ],
      "title": "drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46229",
    "datePublished": "2026-05-28T09:40:51.300Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:04:17.225Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46078 (GCVE-0-2026-46078)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:52

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com

References

URL

Tags

	https://git.kernel.org/stable/c/80a23c6d1aba35be8746d74ac14e6ba5ae46da21
	https://git.kernel.org/stable/c/222055e6b4063abd2d9e13c3d49bbd1724c50789
	https://git.kernel.org/stable/c/48b27a955d22391c7f30169fa7b6b2e1977f1ce4
	https://git.kernel.org/stable/c/8ebb951a284b7446e025afc7dc5e9516ef9a7214
	https://git.kernel.org/stable/c/1d55445226c75ddd4e78b09b3e7d99109b28c366
	https://git.kernel.org/stable/c/d18a3b5d337fa412a38e776e6b4b857a58836575

Impacted products

Vendor

Product

Version

Version: 3aa8ec716e52c02360457fa018296629b4d0becf
Version: 3aa8ec716e52c02360457fa018296629b4d0becf
Version: 3aa8ec716e52c02360457fa018296629b4d0becf
Version: 3aa8ec716e52c02360457fa018296629b4d0becf
Version: 3aa8ec716e52c02360457fa018296629b4d0becf
Version: 3aa8ec716e52c02360457fa018296629b4d0becf

Version: 4.19

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45479

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "80a23c6d1aba35be8746d74ac14e6ba5ae46da21",
              "status": "affected",
              "version": "3aa8ec716e52c02360457fa018296629b4d0becf",
              "versionType": "git"
            },
            {
              "lessThan": "222055e6b4063abd2d9e13c3d49bbd1724c50789",
              "status": "affected",
              "version": "3aa8ec716e52c02360457fa018296629b4d0becf",
              "versionType": "git"
            },
            {
              "lessThan": "48b27a955d22391c7f30169fa7b6b2e1977f1ce4",
              "status": "affected",
              "version": "3aa8ec716e52c02360457fa018296629b4d0becf",
              "versionType": "git"
            },
            {
              "lessThan": "8ebb951a284b7446e025afc7dc5e9516ef9a7214",
              "status": "affected",
              "version": "3aa8ec716e52c02360457fa018296629b4d0becf",
              "versionType": "git"
            },
            {
              "lessThan": "1d55445226c75ddd4e78b09b3e7d99109b28c366",
              "status": "affected",
              "version": "3aa8ec716e52c02360457fa018296629b4d0becf",
              "versionType": "git"
            },
            {
              "lessThan": "d18a3b5d337fa412a38e776e6b4b857a58836575",
              "status": "affected",
              "version": "3aa8ec716e52c02360457fa018296629b4d0becf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix the out-of-bounds nameoff handling for trailing dirents\n\nCurrently we already have boundary-checks for nameoffs, but the trailing\ndirents are special since the namelens are calculated with strnlen()\nwith unchecked nameoffs.\n\nIf a crafted EROFS has a trailing dirent with nameoff \u003e= maxsize,\nmaxsize - nameoff can underflow, causing strnlen() to read past the\ndirectory block.\n\nnameoff0 should also be verified to be a multiple of\n`sizeof(struct erofs_dirent)` as well [1].\n\n[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:52:41.359Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/80a23c6d1aba35be8746d74ac14e6ba5ae46da21"
        },
        {
          "url": "https://git.kernel.org/stable/c/222055e6b4063abd2d9e13c3d49bbd1724c50789"
        },
        {
          "url": "https://git.kernel.org/stable/c/48b27a955d22391c7f30169fa7b6b2e1977f1ce4"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ebb951a284b7446e025afc7dc5e9516ef9a7214"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d55445226c75ddd4e78b09b3e7d99109b28c366"
        },
        {
          "url": "https://git.kernel.org/stable/c/d18a3b5d337fa412a38e776e6b4b857a58836575"
        }
      ],
      "title": "erofs: fix the out-of-bounds nameoff handling for trailing dirents",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46078",
    "datePublished": "2026-05-27T12:58:11.916Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:52:41.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45479 (GCVE-0-2026-45479)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45483

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45479",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T20:07:07.613521Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T20:07:16.617Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:07.847Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45479"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45479",
    "datePublished": "2026-06-09T17:04:24.021Z",
    "dateReserved": "2026-05-12T16:07:22.616Z",
    "dateUpdated": "2026-06-16T18:17:07.847Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45483 (GCVE-0-2026-45483)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Project Server allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45483",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:03:39.803455Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:03:53.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office Project Server allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:09.867Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Office Project Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45483"
        }
      ],
      "title": "Microsoft Office Project Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45483",
    "datePublished": "2026-06-09T17:04:26.419Z",
    "dateReserved": "2026-05-12T16:07:22.617Z",
    "dateUpdated": "2026-06-16T18:17:09.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46190 (GCVE-0-2026-46190)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Sashiko noticed an out-of-bounds read [1]. In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended. Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.

References

URL

Tags

	https://git.kernel.org/stable/c/9a80c458320e0514e11945402dd6e48fcee05524
	https://git.kernel.org/stable/c/ca18c180b053f6ce80394322b314ac721c316af7
	https://git.kernel.org/stable/c/34bdcfb496b29f9a52431194f94473b37fb8c162
	https://git.kernel.org/stable/c/c0b654bc0b76a1da102d9138be1ed1223bd99310
	https://git.kernel.org/stable/c/e47029b977e747cb3a9174308fd55762cce70147

Impacted products

Vendor

Product

Version

Version: 0257be79fc4a16a3252ce80aa13b3640f728c425
Version: 0257be79fc4a16a3252ce80aa13b3640f728c425
Version: 0257be79fc4a16a3252ce80aa13b3640f728c425
Version: 0257be79fc4a16a3252ce80aa13b3640f728c425
Version: 0257be79fc4a16a3252ce80aa13b3640f728c425

Version: 5.19

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/spi-nor/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a80c458320e0514e11945402dd6e48fcee05524",
              "status": "affected",
              "version": "0257be79fc4a16a3252ce80aa13b3640f728c425",
              "versionType": "git"
            },
            {
              "lessThan": "ca18c180b053f6ce80394322b314ac721c316af7",
              "status": "affected",
              "version": "0257be79fc4a16a3252ce80aa13b3640f728c425",
              "versionType": "git"
            },
            {
              "lessThan": "34bdcfb496b29f9a52431194f94473b37fb8c162",
              "status": "affected",
              "version": "0257be79fc4a16a3252ce80aa13b3640f728c425",
              "versionType": "git"
            },
            {
              "lessThan": "c0b654bc0b76a1da102d9138be1ed1223bd99310",
              "status": "affected",
              "version": "0257be79fc4a16a3252ce80aa13b3640f728c425",
              "versionType": "git"
            },
            {
              "lessThan": "e47029b977e747cb3a9174308fd55762cce70147",
              "status": "affected",
              "version": "0257be79fc4a16a3252ce80aa13b3640f728c425",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/spi-nor/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()\n\nSashiko noticed an out-of-bounds read [1].\n\nIn spi_nor_params_show(), the snor_f_names array is passed to\nspi_nor_print_flags() using sizeof(snor_f_names).\n\nSince snor_f_names is an array of pointers, sizeof() returns the total\nnumber of bytes occupied by the pointers\n\t(element_count * sizeof(void *))\nrather than the element count itself. On 64-bit systems, this makes the\npassed length 8x larger than intended.\n\nInside spi_nor_print_flags(), the \u0027names_len\u0027 argument is used to\nbounds-check the \u0027names\u0027 array access. An out-of-bounds read occurs\nif a flag bit is set that exceeds the array\u0027s actual element count\nbut is within the inflated byte-size count.\n\nCorrect this by using ARRAY_SIZE() to pass the actual number of\nstring pointers in the array."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:26.530Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a80c458320e0514e11945402dd6e48fcee05524"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca18c180b053f6ce80394322b314ac721c316af7"
        },
        {
          "url": "https://git.kernel.org/stable/c/34bdcfb496b29f9a52431194f94473b37fb8c162"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0b654bc0b76a1da102d9138be1ed1223bd99310"
        },
        {
          "url": "https://git.kernel.org/stable/c/e47029b977e747cb3a9174308fd55762cce70147"
        }
      ],
      "title": "mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46190",
    "datePublished": "2026-05-28T09:36:44.017Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:01:26.530Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46022 (GCVE-0-2026-46022)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60). A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started. The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes: queue_begin + reader * sizeof(struct remote_input) with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception. Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient.

References

URL

Tags

	https://git.kernel.org/stable/c/6f6ecc9153df176e956d0664b56f93080b0a45f0
	https://git.kernel.org/stable/c/bac8643486f854dd53af9b23aea7dbbd9b7c1865
	https://git.kernel.org/stable/c/f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab
	https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b
	https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841
	https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107
	https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9
	https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84

Impacted products

Vendor

Product

Version

Version: 278d72ae8803ffcd16070c95fe1d53f4466dc741
Version: 278d72ae8803ffcd16070c95fe1d53f4466dc741
Version: 278d72ae8803ffcd16070c95fe1d53f4466dc741
Version: 278d72ae8803ffcd16070c95fe1d53f4466dc741
Version: 278d72ae8803ffcd16070c95fe1d53f4466dc741
Version: 278d72ae8803ffcd16070c95fe1d53f4466dc741
Version: 278d72ae8803ffcd16070c95fe1d53f4466dc741
Version: 278d72ae8803ffcd16070c95fe1d53f4466dc741

Version: 2.6.13

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ibmasm/remote.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f6ecc9153df176e956d0664b56f93080b0a45f0",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "bac8643486f854dd53af9b23aea7dbbd9b7c1865",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "fc7e9a74e32299d7e93e178ca482a0b59ef1595b",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "07c4f18b303106e6b24492c12b95d48a4b985841",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "22a16d3eafee92a165c756081587c95850127107",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "1ca75f6b74ec7f685464e5745ecfcf3a76d284e9",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "4b6e6ead556734bdc14024c5f837132b1e7a4b84",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ibmasm/remote.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.13"
            },
            {
              "lessThan": "2.6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()\n\nibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read\nwhen the queue reader or writer index from hardware exceeds\nREMOTE_QUEUE_SIZE (60).\n\nA compromised service processor can trigger this by writing an\nout-of-range value to the reader or writer MMIO register before\nasserting an interrupt. Since writer is re-read from hardware on\nevery loop iteration, it can also be set to an out-of-range value\nafter the loop has already started.\n\nThe root cause is that get_queue_reader() and get_queue_writer() return\nraw readl() values that are passed directly into get_queue_entry(),\nwhich computes:\n\n  queue_begin + reader * sizeof(struct remote_input)\n\nwith no bounds check. This unchecked MMIO address is then passed to\nmemcpy_fromio(), reading 8 bytes from unintended device registers.\nFor sufficiently large values the address falls outside the PCI BAR\nmapping entirely, triggering a machine check exception.\n\nFix by checking both indices against REMOTE_QUEUE_SIZE at the top of\nthe loop body, before any call to get_queue_entry(). On an out-of-range\nvalue, reset the reader register to 0 via set_queue_reader() before\nbreaking, so that normal queue operation can resume if the corrupted\nhardware state is transient."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:35.855Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f6ecc9153df176e956d0664b56f93080b0a45f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/bac8643486f854dd53af9b23aea7dbbd9b7c1865"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b"
        },
        {
          "url": "https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841"
        },
        {
          "url": "https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84"
        }
      ],
      "title": "misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46022",
    "datePublished": "2026-05-27T12:56:26.791Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:48:35.855Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39833 (GCVE-0-2026-39833)

Vulnerability from cvelistv5

Published

2026-05-22 02:31

Modified

2026-05-22 18:58

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-358: Improperly Implemented Security Check for Standard

Summary

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

References

URL

Tags

	https://go.dev/issue/79436
	https://go.dev/cl/778640
	https://go.dev/cl/778641
	https://groups.google.com/g/golang-announce/c/a082jnz-LvI
	https://pkg.go.dev/vuln/GO-2026-5005

Impacted products

	Vendor	Product	Version
	golang.org/x/crypto	golang.org/x/crypto/ssh/agent	Version: 0 ≤

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45583

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39833",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T18:57:41.103317Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T18:58:08.489Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh/agent",
          "product": "golang.org/x/crypto/ssh/agent",
          "programRoutines": [
            {
              "name": "keyring.Add"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.52.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NCC Group Cryptography Services, sponsored by Teleport"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-358: Improperly Implemented Security Check for Standard",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T02:31:26.294Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79436"
        },
        {
          "url": "https://go.dev/cl/778640"
        },
        {
          "url": "https://go.dev/cl/778641"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5005"
        }
      ],
      "title": "Invoking  key constraints not enforced in golang.org/x/crypto/ssh/agent"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39833",
    "datePublished": "2026-05-22T02:31:26.294Z",
    "dateReserved": "2026-04-07T18:13:03.529Z",
    "dateUpdated": "2026-05-22T18:58:08.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45583 (GCVE-0-2026-45583)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Microsoft Exchange Server 2016 Cumulative Update 23

Version: 15.01.0.0 < 15.01.2507.069

Microsoft	Microsoft Exchange Server 2019 Cumulative Update 14	Version: 15.02.0.0 < 15.02.1544.041
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 15	Version: 15.02.0.0 < 15.02.1748.046
Microsoft	Microsoft Exchange Server Subscription Edition RTM	Version: 15.02.0.0 < 15.02.2562.043

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45583",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:56:06.048278Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:28:44.291Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.069",
              "status": "affected",
              "version": "15.01.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 14",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1544.041",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 15",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1748.046",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server Subscription Edition RTM",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.2562.043",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.069",
                  "versionStartIncluding": "15.01.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1544.041",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1748.046",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.2562.043",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper control of generation of code (\u0027code injection\u0027) in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:27.666Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45583"
        }
      ],
      "title": "Microsoft Exchange Server Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45583",
    "datePublished": "2026-06-09T17:04:47.793Z",
    "dateReserved": "2026-05-12T19:55:45.729Z",
    "dateUpdated": "2026-06-16T18:17:27.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46101 (GCVE-0-2026-46101)

Vulnerability from cvelistv5

Published

2026-05-27 12:59

Modified

2026-06-14 17:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: reject zero shift in nft_bitwise Reject zero shift operands for nft_bitwise left and right shift expressions during initialization. The carry propagation logic computes the carry from the adjacent 32-bit word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this into a 32-bit shift, which is undefined behaviour. Reject zero shift operands in the control plane, alongside the existing check for values greater than or equal to 32, so malformed rules never reach the packet path.

References

URL

Tags

	https://git.kernel.org/stable/c/9baa08d6b6b096fad70049533f0d705d85fdc979
	https://git.kernel.org/stable/c/4fccea585631621c975883911a08d15b6671f7dc
	https://git.kernel.org/stable/c/9ad26c272405f53834871cc2e46b9b5393a666c3
	https://git.kernel.org/stable/c/bffef0acec9c3b837a785248a893137fb7f26c95
	https://git.kernel.org/stable/c/ca24f1243ad1a4d12d6a23876bbbe3ed02099853
	https://git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14
	https://git.kernel.org/stable/c/f370205974f171a5868c13ff30d7642fed46e47b
	https://git.kernel.org/stable/c/fe11e5c40817b84abaa5d83bfb6586d8412bfd07

Impacted products

Vendor

Product

Version

Version: 567d746b55bc66d3800c9ae91d50f0c5deb2fd93
Version: 567d746b55bc66d3800c9ae91d50f0c5deb2fd93
Version: 567d746b55bc66d3800c9ae91d50f0c5deb2fd93
Version: 567d746b55bc66d3800c9ae91d50f0c5deb2fd93
Version: 567d746b55bc66d3800c9ae91d50f0c5deb2fd93
Version: 567d746b55bc66d3800c9ae91d50f0c5deb2fd93
Version: 567d746b55bc66d3800c9ae91d50f0c5deb2fd93
Version: 567d746b55bc66d3800c9ae91d50f0c5deb2fd93

Version: 5.6

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_bitwise.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9baa08d6b6b096fad70049533f0d705d85fdc979",
              "status": "affected",
              "version": "567d746b55bc66d3800c9ae91d50f0c5deb2fd93",
              "versionType": "git"
            },
            {
              "lessThan": "4fccea585631621c975883911a08d15b6671f7dc",
              "status": "affected",
              "version": "567d746b55bc66d3800c9ae91d50f0c5deb2fd93",
              "versionType": "git"
            },
            {
              "lessThan": "9ad26c272405f53834871cc2e46b9b5393a666c3",
              "status": "affected",
              "version": "567d746b55bc66d3800c9ae91d50f0c5deb2fd93",
              "versionType": "git"
            },
            {
              "lessThan": "bffef0acec9c3b837a785248a893137fb7f26c95",
              "status": "affected",
              "version": "567d746b55bc66d3800c9ae91d50f0c5deb2fd93",
              "versionType": "git"
            },
            {
              "lessThan": "ca24f1243ad1a4d12d6a23876bbbe3ed02099853",
              "status": "affected",
              "version": "567d746b55bc66d3800c9ae91d50f0c5deb2fd93",
              "versionType": "git"
            },
            {
              "lessThan": "6f820139d16a4c9865a145d4a9cf9c92cc632c14",
              "status": "affected",
              "version": "567d746b55bc66d3800c9ae91d50f0c5deb2fd93",
              "versionType": "git"
            },
            {
              "lessThan": "f370205974f171a5868c13ff30d7642fed46e47b",
              "status": "affected",
              "version": "567d746b55bc66d3800c9ae91d50f0c5deb2fd93",
              "versionType": "git"
            },
            {
              "lessThan": "fe11e5c40817b84abaa5d83bfb6586d8412bfd07",
              "status": "affected",
              "version": "567d746b55bc66d3800c9ae91d50f0c5deb2fd93",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_bitwise.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: reject zero shift in nft_bitwise\n\nReject zero shift operands for nft_bitwise left and right shift\nexpressions during initialization.\n\nThe carry propagation logic computes the carry from the adjacent 32-bit\nword using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this\ninto a 32-bit shift, which is undefined behaviour.\n\nReject zero shift operands in the control plane, alongside the existing\ncheck for values greater than or equal to 32, so malformed rules never\nreach the packet path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:54:30.068Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9baa08d6b6b096fad70049533f0d705d85fdc979"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fccea585631621c975883911a08d15b6671f7dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ad26c272405f53834871cc2e46b9b5393a666c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/bffef0acec9c3b837a785248a893137fb7f26c95"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca24f1243ad1a4d12d6a23876bbbe3ed02099853"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14"
        },
        {
          "url": "https://git.kernel.org/stable/c/f370205974f171a5868c13ff30d7642fed46e47b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe11e5c40817b84abaa5d83bfb6586d8412bfd07"
        }
      ],
      "title": "netfilter: reject zero shift in nft_bitwise",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46101",
    "datePublished": "2026-05-27T12:59:08.220Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-06-14T17:54:30.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46080 (GCVE-0-2026-46080)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:52

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ocfs2: split transactions in dio completion to avoid credit exhaustion During ocfs2 dio operations, JBD2 may report warnings via following call trace: ocfs2_dio_end_io_write ocfs2_mark_extent_written ocfs2_change_extent_flag ocfs2_split_extent ocfs2_try_to_merge_extent ocfs2_extend_rotate_transaction ocfs2_extend_trans jbd2__journal_restart start_this_handle output: JBD2: kworker/6:2 wants too many credits credits:5450 rsv_credits:0 max:5449 To prevent exceeding the credits limit, modify ocfs2_dio_end_io_write() to handle extents in a batch of transaction. Additionally, relocate ocfs2_del_inode_from_orphan(). The orphan inode should only be removed from the orphan list after the extent tree update is complete. This ensures that if a crash occurs in the middle of extent tree updates, we won't leave stale blocks beyond EOF. This patch also changes the logic for updating the inode size and removing orphan, making it similar to ext4_dio_write_end_io(). Both operations are performed only when everything looks good. Finally, thanks to Jans and Joseph for providing the bug fix prototype and suggestions.

References

URL

Tags

	https://git.kernel.org/stable/c/97c03c0e9f73a5049794b3c69ee60fb5e8b0ebd8
	https://git.kernel.org/stable/c/1e99bb19994246514d63e656492904176f9d5edd
	https://git.kernel.org/stable/c/91e05ac2336d00d5b99fc774be4bd50039084796
	https://git.kernel.org/stable/c/886f97fa59d0bbfa9859fb1a66dd9e014b522d89
	https://git.kernel.org/stable/c/ea5bb1d20da756e4f41a48dad42b2e7d6e73f71e
	https://git.kernel.org/stable/c/3c636a3edca9c3f180b3079f94fe7e115730d9c6
	https://git.kernel.org/stable/c/069c3fb310e9336cf48cfdf8748a32c29fd0193d
	https://git.kernel.org/stable/c/d647c5b2fbf81560818dacade360abc8c00a9665

Impacted products

Vendor

Product

Version

Version: c15471f79506830f80eca0e7fe09b8213953ab5f
Version: c15471f79506830f80eca0e7fe09b8213953ab5f
Version: c15471f79506830f80eca0e7fe09b8213953ab5f
Version: c15471f79506830f80eca0e7fe09b8213953ab5f
Version: c15471f79506830f80eca0e7fe09b8213953ab5f
Version: c15471f79506830f80eca0e7fe09b8213953ab5f
Version: c15471f79506830f80eca0e7fe09b8213953ab5f
Version: c15471f79506830f80eca0e7fe09b8213953ab5f

Version: 4.6

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ocfs2/aops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "97c03c0e9f73a5049794b3c69ee60fb5e8b0ebd8",
              "status": "affected",
              "version": "c15471f79506830f80eca0e7fe09b8213953ab5f",
              "versionType": "git"
            },
            {
              "lessThan": "1e99bb19994246514d63e656492904176f9d5edd",
              "status": "affected",
              "version": "c15471f79506830f80eca0e7fe09b8213953ab5f",
              "versionType": "git"
            },
            {
              "lessThan": "91e05ac2336d00d5b99fc774be4bd50039084796",
              "status": "affected",
              "version": "c15471f79506830f80eca0e7fe09b8213953ab5f",
              "versionType": "git"
            },
            {
              "lessThan": "886f97fa59d0bbfa9859fb1a66dd9e014b522d89",
              "status": "affected",
              "version": "c15471f79506830f80eca0e7fe09b8213953ab5f",
              "versionType": "git"
            },
            {
              "lessThan": "ea5bb1d20da756e4f41a48dad42b2e7d6e73f71e",
              "status": "affected",
              "version": "c15471f79506830f80eca0e7fe09b8213953ab5f",
              "versionType": "git"
            },
            {
              "lessThan": "3c636a3edca9c3f180b3079f94fe7e115730d9c6",
              "status": "affected",
              "version": "c15471f79506830f80eca0e7fe09b8213953ab5f",
              "versionType": "git"
            },
            {
              "lessThan": "069c3fb310e9336cf48cfdf8748a32c29fd0193d",
              "status": "affected",
              "version": "c15471f79506830f80eca0e7fe09b8213953ab5f",
              "versionType": "git"
            },
            {
              "lessThan": "d647c5b2fbf81560818dacade360abc8c00a9665",
              "status": "affected",
              "version": "c15471f79506830f80eca0e7fe09b8213953ab5f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ocfs2/aops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: split transactions in dio completion to avoid credit exhaustion\n\nDuring ocfs2 dio operations, JBD2 may report warnings via following\ncall trace:\nocfs2_dio_end_io_write\n ocfs2_mark_extent_written\n  ocfs2_change_extent_flag\n   ocfs2_split_extent\n    ocfs2_try_to_merge_extent\n     ocfs2_extend_rotate_transaction\n      ocfs2_extend_trans\n       jbd2__journal_restart\n        start_this_handle\n         output: JBD2: kworker/6:2 wants too many credits credits:5450 rsv_credits:0 max:5449\n\nTo prevent exceeding the credits limit, modify ocfs2_dio_end_io_write() to\nhandle extents in a batch of transaction.\n\nAdditionally, relocate ocfs2_del_inode_from_orphan().  The orphan inode\nshould only be removed from the orphan list after the extent tree update\nis complete.  This ensures that if a crash occurs in the middle of extent\ntree updates, we won\u0027t leave stale blocks beyond EOF.\n\nThis patch also changes the logic for updating the inode size and removing\norphan, making it similar to ext4_dio_write_end_io().  Both operations are\nperformed only when everything looks good.\n\nFinally, thanks to Jans and Joseph for providing the bug fix prototype and\nsuggestions."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:52:50.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/97c03c0e9f73a5049794b3c69ee60fb5e8b0ebd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e99bb19994246514d63e656492904176f9d5edd"
        },
        {
          "url": "https://git.kernel.org/stable/c/91e05ac2336d00d5b99fc774be4bd50039084796"
        },
        {
          "url": "https://git.kernel.org/stable/c/886f97fa59d0bbfa9859fb1a66dd9e014b522d89"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea5bb1d20da756e4f41a48dad42b2e7d6e73f71e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c636a3edca9c3f180b3079f94fe7e115730d9c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/069c3fb310e9336cf48cfdf8748a32c29fd0193d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d647c5b2fbf81560818dacade360abc8c00a9665"
        }
      ],
      "title": "ocfs2: split transactions in dio completion to avoid credit exhaustion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46080",
    "datePublished": "2026-05-27T12:58:17.103Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:52:50.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46065 (GCVE-0-2026-46065)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:51

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping has been closed. If the fb_info and the contained deferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info to invalidate the mapping. Any access will then result in a SIGBUS signal. Fixes a long-standing problem, where a device hot-unplug happens while user space still has an active mapping of the graphics memory. The hot- unplug frees the instance of struct fb_info. Accessing the memory will operate on undefined state.

References

URL

Tags

	https://git.kernel.org/stable/c/2a40f8bc9bb713329f1c35ffc199ee961a7135b0
	https://git.kernel.org/stable/c/2b53d3a52e8e5403a4f4fb57ac6cad3fd2cb1066
	https://git.kernel.org/stable/c/25c2b77bc463f29ee71a54b883548baf9386a0db
	https://git.kernel.org/stable/c/a0aafb421dd15e935d81543152617f2742cefa70
	https://git.kernel.org/stable/c/9ded47ad003f09a94b6a710b5c47f4aa5ceb7429

Impacted products

Vendor

Product

Version

Version: 60b59beafba875aef6d378078bce0baf2287ae14
Version: 60b59beafba875aef6d378078bce0baf2287ae14
Version: 60b59beafba875aef6d378078bce0baf2287ae14
Version: 60b59beafba875aef6d378078bce0baf2287ae14
Version: 60b59beafba875aef6d378078bce0baf2287ae14

Version: 2.6.22

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fb_defio.c",
            "include/linux/fb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a40f8bc9bb713329f1c35ffc199ee961a7135b0",
              "status": "affected",
              "version": "60b59beafba875aef6d378078bce0baf2287ae14",
              "versionType": "git"
            },
            {
              "lessThan": "2b53d3a52e8e5403a4f4fb57ac6cad3fd2cb1066",
              "status": "affected",
              "version": "60b59beafba875aef6d378078bce0baf2287ae14",
              "versionType": "git"
            },
            {
              "lessThan": "25c2b77bc463f29ee71a54b883548baf9386a0db",
              "status": "affected",
              "version": "60b59beafba875aef6d378078bce0baf2287ae14",
              "versionType": "git"
            },
            {
              "lessThan": "a0aafb421dd15e935d81543152617f2742cefa70",
              "status": "affected",
              "version": "60b59beafba875aef6d378078bce0baf2287ae14",
              "versionType": "git"
            },
            {
              "lessThan": "9ded47ad003f09a94b6a710b5c47f4aa5ceb7429",
              "status": "affected",
              "version": "60b59beafba875aef6d378078bce0baf2287ae14",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fb_defio.c",
            "include/linux/fb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info\n\nHold state of deferred I/O in struct fb_deferred_io_state. Allocate an\ninstance as part of initializing deferred I/O and remove it only after\nthe final mapping has been closed. If the fb_info and the contained\ndeferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info\nto invalidate the mapping. Any access will then result in a SIGBUS\nsignal.\n\nFixes a long-standing problem, where a device hot-unplug happens while\nuser space still has an active mapping of the graphics memory. The hot-\nunplug frees the instance of struct fb_info. Accessing the memory will\noperate on undefined state."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:51:47.030Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a40f8bc9bb713329f1c35ffc199ee961a7135b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b53d3a52e8e5403a4f4fb57ac6cad3fd2cb1066"
        },
        {
          "url": "https://git.kernel.org/stable/c/25c2b77bc463f29ee71a54b883548baf9386a0db"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0aafb421dd15e935d81543152617f2742cefa70"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ded47ad003f09a94b6a710b5c47f4aa5ceb7429"
        }
      ],
      "title": "fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46065",
    "datePublished": "2026-05-27T12:57:32.968Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:51:47.030Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45843 (GCVE-0-2026-45843)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.

References

URL

Tags

	https://git.kernel.org/stable/c/6268f01ae989013671b526c883e92655342c6f6f
	https://git.kernel.org/stable/c/9aafba2f49e1fcccc2018816f5836a609c925879
	https://git.kernel.org/stable/c/335957df4ed60f02a2ec0432fbedbf0cc7241d8b
	https://git.kernel.org/stable/c/37537e42e6df387398bee85cb85070cc80bb1e10
	https://git.kernel.org/stable/c/4cefe32639933d652614b0bd50f818f9af4af78f
	https://git.kernel.org/stable/c/0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d
	https://git.kernel.org/stable/c/d42bec6e4f6d6d658be365539400b3314b76b2a7
	https://git.kernel.org/stable/c/4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/slip/slhc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6268f01ae989013671b526c883e92655342c6f6f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9aafba2f49e1fcccc2018816f5836a609c925879",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "335957df4ed60f02a2ec0432fbedbf0cc7241d8b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "37537e42e6df387398bee85cb85070cc80bb1e10",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4cefe32639933d652614b0bd50f818f9af4af78f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d42bec6e4f6d6d658be365539400b3314b76b2a7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/slip/slhc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: bound decode() reads against the compressed packet length\n\nslhc_uncompress() parses a VJ-compressed TCP header by advancing a\npointer through the packet via decode() and pull16(). Neither helper\nbounds-checks against isize, and decode() masks its return with\n\u0026 0xffff so it can never return the -1 that callers test for -- those\nerror paths are dead code.\n\nA short compressed frame whose change byte requests optional fields\nlets decode() read past the end of the packet. The over-read bytes\nare folded into the cached cstate and reflected into subsequent\nreconstructed packets.\n\nMake decode() and pull16() take the packet end pointer and return -1\nwhen exhausted. Add a bounds check before the TCP-checksum read.\nThe existing == -1 tests now do what they were always meant to."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:20.617Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6268f01ae989013671b526c883e92655342c6f6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9aafba2f49e1fcccc2018816f5836a609c925879"
        },
        {
          "url": "https://git.kernel.org/stable/c/335957df4ed60f02a2ec0432fbedbf0cc7241d8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/37537e42e6df387398bee85cb85070cc80bb1e10"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cefe32639933d652614b0bd50f818f9af4af78f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d42bec6e4f6d6d658be365539400b3314b76b2a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7"
        }
      ],
      "title": "slip: bound decode() reads against the compressed packet length",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45843",
    "datePublished": "2026-05-27T09:24:45.516Z",
    "dateReserved": "2026-05-13T15:03:33.078Z",
    "dateUpdated": "2026-06-14T17:46:20.617Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46011 (GCVE-0-2026-46011)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:47

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: fix use-after-free in release path due to uncancelled work The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed. Race condition: CPU 0 (release) CPU 1 (workqueue) ---------------- ------------------ close() mtk_jpeg_release() mtk_jpegenc_worker() ctx = work->data // accessing ctx kfree(ctx) // freed! access ctx // UAF! The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory. Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock. Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.

References

URL

Tags

	https://git.kernel.org/stable/c/2209fdae5c2f615930c9af1379c1cfca199ec5d8
	https://git.kernel.org/stable/c/0498b27a1542021d90269d58347501d4c3ccd84e
	https://git.kernel.org/stable/c/26506a30e0e26d612f82a7bf0e395626968a44e6
	https://git.kernel.org/stable/c/e78c39f720679fcf3a2eacd82725ec3ea2648301
	https://git.kernel.org/stable/c/34c519feef3e4fcff1078dc8bdb25fbbbd10303f

Impacted products

Vendor

Product

Version

Version: 5fb1c2361e5630491d2a2f9359654eb022601bc0
Version: 5fb1c2361e5630491d2a2f9359654eb022601bc0
Version: 5fb1c2361e5630491d2a2f9359654eb022601bc0
Version: 5fb1c2361e5630491d2a2f9359654eb022601bc0
Version: 5fb1c2361e5630491d2a2f9359654eb022601bc0

Version: 6.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2209fdae5c2f615930c9af1379c1cfca199ec5d8",
              "status": "affected",
              "version": "5fb1c2361e5630491d2a2f9359654eb022601bc0",
              "versionType": "git"
            },
            {
              "lessThan": "0498b27a1542021d90269d58347501d4c3ccd84e",
              "status": "affected",
              "version": "5fb1c2361e5630491d2a2f9359654eb022601bc0",
              "versionType": "git"
            },
            {
              "lessThan": "26506a30e0e26d612f82a7bf0e395626968a44e6",
              "status": "affected",
              "version": "5fb1c2361e5630491d2a2f9359654eb022601bc0",
              "versionType": "git"
            },
            {
              "lessThan": "e78c39f720679fcf3a2eacd82725ec3ea2648301",
              "status": "affected",
              "version": "5fb1c2361e5630491d2a2f9359654eb022601bc0",
              "versionType": "git"
            },
            {
              "lessThan": "34c519feef3e4fcff1078dc8bdb25fbbbd10303f",
              "status": "affected",
              "version": "5fb1c2361e5630491d2a2f9359654eb022601bc0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-jpeg: fix use-after-free in release path due to uncancelled work\n\nThe mtk_jpeg_release() function frees the context structure (ctx) without\nfirst cancelling any pending or running work in ctx-\u003ejpeg_work. This\ncreates a race window where the workqueue callback may still be accessing\nthe context memory after it has been freed.\n\nRace condition:\n\n    CPU 0 (release)                    CPU 1 (workqueue)\n    ----------------                   ------------------\n    close()\n      mtk_jpeg_release()\n                                       mtk_jpegenc_worker()\n                                         ctx = work-\u003edata\n                                         // accessing ctx\n\n        kfree(ctx)  // freed!\n                                         access ctx  // UAF!\n\nThe work is queued via queue_work() during JPEG encode/decode operations\n(via mtk_jpeg_device_run). If the device is closed while work is pending\nor running, the work handler will access freed memory.\n\nFix this by calling cancel_work_sync() BEFORE acquiring the mutex. This\nordering is critical: if cancel_work_sync() is called after mutex_lock(),\nand the work handler also tries to acquire the same mutex, it would cause\na deadlock.\n\nNote: The open error path does NOT need cancel_work_sync() because\nINIT_WORK() only initializes the work structure - it does not schedule\nit. Work is only scheduled later during ioctl operations."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:51.841Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2209fdae5c2f615930c9af1379c1cfca199ec5d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/0498b27a1542021d90269d58347501d4c3ccd84e"
        },
        {
          "url": "https://git.kernel.org/stable/c/26506a30e0e26d612f82a7bf0e395626968a44e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e78c39f720679fcf3a2eacd82725ec3ea2648301"
        },
        {
          "url": "https://git.kernel.org/stable/c/34c519feef3e4fcff1078dc8bdb25fbbbd10303f"
        }
      ],
      "title": "media: mtk-jpeg: fix use-after-free in release path due to uncancelled work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46011",
    "datePublished": "2026-05-27T12:56:13.198Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:47:51.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46225 (GCVE-0-2026-46225)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:03

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: rspi: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.

References

URL

Tags

	https://git.kernel.org/stable/c/77defd64b405b680db73d767313fce770d368368
	https://git.kernel.org/stable/c/c5090db1b31de3ef4db0cda7e822ab49cb572292
	https://git.kernel.org/stable/c/aee76c1dd189562c6678313caec12761f78a9ef3
	https://git.kernel.org/stable/c/fee6abd9845c3edd217b0e429d09f764f9a5690e
	https://git.kernel.org/stable/c/9944fa6726afb1e6eb7e2212764e7da0c97f2dcc

Impacted products

Vendor

Product

Version

Version: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2
Version: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2
Version: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2
Version: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2
Version: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2

Version: 3.14

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50511

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-rspi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "77defd64b405b680db73d767313fce770d368368",
              "status": "affected",
              "version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
              "versionType": "git"
            },
            {
              "lessThan": "c5090db1b31de3ef4db0cda7e822ab49cb572292",
              "status": "affected",
              "version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
              "versionType": "git"
            },
            {
              "lessThan": "aee76c1dd189562c6678313caec12761f78a9ef3",
              "status": "affected",
              "version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
              "versionType": "git"
            },
            {
              "lessThan": "fee6abd9845c3edd217b0e429d09f764f9a5690e",
              "status": "affected",
              "version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
              "versionType": "git"
            },
            {
              "lessThan": "9944fa6726afb1e6eb7e2212764e7da0c97f2dcc",
              "status": "affected",
              "version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-rspi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: rspi: fix controller deregistration\n\nMake sure to deregister the controller before releasing underlying\nresources like DMA during driver unbind."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:03:59.436Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/77defd64b405b680db73d767313fce770d368368"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5090db1b31de3ef4db0cda7e822ab49cb572292"
        },
        {
          "url": "https://git.kernel.org/stable/c/aee76c1dd189562c6678313caec12761f78a9ef3"
        },
        {
          "url": "https://git.kernel.org/stable/c/fee6abd9845c3edd217b0e429d09f764f9a5690e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9944fa6726afb1e6eb7e2212764e7da0c97f2dcc"
        }
      ],
      "title": "spi: rspi: fix controller deregistration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46225",
    "datePublished": "2026-05-28T09:40:44.066Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:03:59.436Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-50511 (GCVE-0-2026-50511)

Vulnerability from cvelistv5

Published

2026-06-09 17:37

Modified

2026-06-16 18:18

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Summary

Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft PC Manager	Version: 1.0.0 < 3.21.6.0

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50511",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:24:29.601754Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:31:07.002Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft PC Manager",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "3.21.6.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:pc_manager:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.21.6.0",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft PC Manager allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:30.781Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft PC Manager Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50511"
        }
      ],
      "title": "Microsoft PC Manager Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-50511",
    "datePublished": "2026-06-09T17:37:00.911Z",
    "dateReserved": "2026-06-04T19:00:41.292Z",
    "dateUpdated": "2026-06-16T18:18:30.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45839 (GCVE-0-2026-45839)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf("%d"), so negative values like -1 are silently accepted. The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N. When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array. A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions). The bug is reachable with CAP_BPF: BUG: unable to handle page fault for address: ffffed11818b6626 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full) RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354) RAX: 00000000ffffffff Call Trace: <TASK> bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321) bpf_core_apply (kernel/bpf/btf.c:9507) check_core_relo (kernel/bpf/verifier.c:19475) bpf_check (kernel/bpf/verifier.c:26031) bpf_prog_load (kernel/bpf/syscall.c:3089) __sys_bpf (kernel/bpf/syscall.c:6228) </TASK> CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.

References

URL

Tags

	https://git.kernel.org/stable/c/a9e777f856cd2f1efc106afc7bf21aef868509d5
	https://git.kernel.org/stable/c/669349b4612c26b3d7aacfa99d7174681bd19223
	https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994
	https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a
	https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f
	https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2
	https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc

Impacted products

Vendor

Product

Version

Version: ddc7c3042614e273044f698d2beab25cc3842d45
Version: ddc7c3042614e273044f698d2beab25cc3842d45
Version: ddc7c3042614e273044f698d2beab25cc3842d45
Version: ddc7c3042614e273044f698d2beab25cc3842d45
Version: ddc7c3042614e273044f698d2beab25cc3842d45
Version: ddc7c3042614e273044f698d2beab25cc3842d45
Version: ddc7c3042614e273044f698d2beab25cc3842d45

Version: 5.4

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "tools/lib/bpf/relo_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9e777f856cd2f1efc106afc7bf21aef868509d5",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "669349b4612c26b3d7aacfa99d7174681bd19223",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "3ff85ae79e1a74baeb916b78a63d821f6d19a994",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "76f2ebaf79a9ae6d0737b87f045fe769e425d78f",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            },
            {
              "lessThan": "1c22483a2c4bbf747787f328392ca3e68619c4dc",
              "status": "affected",
              "version": "ddc7c3042614e273044f698d2beab25cc3842d45",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "tools/lib/bpf/relo_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()\n\nCO-RE accessor strings are colon-separated indices that describe a path\nfrom a root BTF type to a target field, e.g. \"0:1:2\" walks through\nnested struct members. bpf_core_parse_spec() parses each component with\nsscanf(\"%d\"), so negative values like -1 are silently accepted.  The\nsubsequent bounds checks (access_idx \u003e= btf_vlen(t)) only guard the\nupper bound and always pass for negative values because C integer\npromotion converts the __u16 btf_vlen result to int, making the\ncomparison (int)(-1) \u003e= (int)(N) false for any positive N.\n\nWhen -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,\nproducing an out-of-bounds read far past the members array.  A crafted\nBPF program with a negative CO-RE accessor on any struct that exists in\nvmlinux BTF (e.g. task_struct) crashes the kernel deterministically\nduring BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y\n(default on major distributions).  The bug is reachable with CAP_BPF:\n\n BUG: unable to handle page fault for address: ffffed11818b6626\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)\n RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)\n RAX: 00000000ffffffff\n Call Trace:\n  \u003cTASK\u003e\n  bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)\n  bpf_core_apply (kernel/bpf/btf.c:9507)\n  check_core_relo (kernel/bpf/verifier.c:19475)\n  bpf_check (kernel/bpf/verifier.c:26031)\n  bpf_prog_load (kernel/bpf/syscall.c:3089)\n  __sys_bpf (kernel/bpf/syscall.c:6228)\n  \u003c/TASK\u003e\n\nCO-RE accessor indices are inherently non-negative (struct member index,\narray element index, or enumerator index), so reject them immediately\nafter parsing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:08.677Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9e777f856cd2f1efc106afc7bf21aef868509d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/669349b4612c26b3d7aacfa99d7174681bd19223"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994"
        },
        {
          "url": "https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f"
        },
        {
          "url": "https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc"
        }
      ],
      "title": "bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45839",
    "datePublished": "2026-05-27T09:24:37.855Z",
    "dateReserved": "2026-05-13T15:03:33.077Z",
    "dateUpdated": "2026-06-14T17:46:08.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46214 (GCVE-0-2026-46214)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:03

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix accept queue count leak on transport mismatch virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog. After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections. Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.

References

URL

Tags

	https://git.kernel.org/stable/c/2ea5d2c79edcc99c7dbe0bb7518f5e1ee2a2391f
	https://git.kernel.org/stable/c/fd51e810affa38d735d04261e673b2a5fe9c8665
	https://git.kernel.org/stable/c/f66c7904fb6f0e420a654bc90909e64a25d00896
	https://git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390
	https://git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112f
	https://git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56a
	https://git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668d
	https://git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2d

Impacted products

Vendor

Product

Version

Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a

Version: 5.5

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/virtio_transport_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2ea5d2c79edcc99c7dbe0bb7518f5e1ee2a2391f",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "fd51e810affa38d735d04261e673b2a5fe9c8665",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "f66c7904fb6f0e420a654bc90909e64a25d00896",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "65c484726e74013a2ec7ba67a34d87760ae8f390",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "29371f3cc83e2a92265b4768014a30b80234112f",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "e9edf9893cf26d060705c910a9b62d8cc96ed56a",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "6d3275fc4ed968938e1d556c344798046776668d",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "52bcb57a4e8a0865a76c587c2451906342ae1b2d",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/virtio_transport_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix accept queue count leak on transport mismatch\n\nvirtio_transport_recv_listen() calls sk_acceptq_added() before\nvsock_assign_transport(). If vsock_assign_transport() fails or\nselects a different transport, the error path returns without\ncalling sk_acceptq_removed(), permanently incrementing\nsk_ack_backlog.\n\nAfter approximately backlog+1 such failures, sk_acceptq_is_full()\nreturns true, causing the listener to reject all new connections.\n\nFix by moving sk_acceptq_added() to after the transport validation,\nmatching the pattern used by vmci_transport and hyperv_transport."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:03:15.809Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2ea5d2c79edcc99c7dbe0bb7518f5e1ee2a2391f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd51e810affa38d735d04261e673b2a5fe9c8665"
        },
        {
          "url": "https://git.kernel.org/stable/c/f66c7904fb6f0e420a654bc90909e64a25d00896"
        },
        {
          "url": "https://git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390"
        },
        {
          "url": "https://git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668d"
        },
        {
          "url": "https://git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2d"
        }
      ],
      "title": "vsock/virtio: fix accept queue count leak on transport mismatch",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46214",
    "datePublished": "2026-05-28T09:40:31.245Z",
    "dateReserved": "2026-05-13T15:03:33.105Z",
    "dateUpdated": "2026-06-14T18:03:15.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46063 (GCVE-0-2026-46063)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:51

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/shstk: Prevent deadlock during shstk sigreturn During sigreturn the shadow stack signal frame is popped. The kernel does this by reading the shadow stack using normal read accesses. When it can't assume the memory is shadow stack, it takes extra steps to makes sure it is reading actual shadow stack memory and not other normal readable memory. It does this by holding the mmap read lock while doing the access and checking the flags of the VMA. Unfortunately that is not safe. If the read of the shadow stack sigframe hits a page fault, the fault handler will try to recursively grab another mmap read lock. This normally works ok, but if a writer on another CPU is also waiting, the second read lock could fail and cause a deadlock. Fix this by not holding mmap lock during the read access to userspace. Instead use mmap_lock_speculate_...() to watch for changes between dropping mmap lock and the userspace access. Retry if anything grabbed an mmap write lock in between and could have changed the VMA. These mmap_lock_speculate_...() helpers use mm::mm_lock_seq, which is only available when PER_VMA_LOCK is configured. So make X86_USER_SHADOW_STACK depend on it. On x86, PER_VMA_LOCK is a default configuration for SMP kernels. So drop support for the other configs under the assumption that the !SMP shadow stack user base does not exist. Currently there is a check that skips the lookup work when the SSP can be assumed to be on a shadow stack. While reorganizing the function, remove the optimization to make the tricky code flows more common, such that issues like this cannot escape detection for so long.

References

URL

Tags

	https://git.kernel.org/stable/c/e2c2b044458cbf22da05264fa707308e8d4f86f9
	https://git.kernel.org/stable/c/d042d69b417515959e49021fef008c9b04a99bd5
	https://git.kernel.org/stable/c/4f3374c990fb2adec06d20fd6d780927811c9aa0
	https://git.kernel.org/stable/c/3d29db827502067626062f5c74dd502d14ab15bc
	https://git.kernel.org/stable/c/9874b2917b9fbc30956fee209d3c4aa47201c64e

Impacted products

Vendor

Product

Version

Version: 7fad2a432cd35bbf104d2d9d426e74902f22aa95
Version: 7fad2a432cd35bbf104d2d9d426e74902f22aa95
Version: 7fad2a432cd35bbf104d2d9d426e74902f22aa95
Version: 7fad2a432cd35bbf104d2d9d426e74902f22aa95
Version: 7fad2a432cd35bbf104d2d9d426e74902f22aa95

Version: 6.6

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/Kconfig",
            "arch/x86/kernel/shstk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e2c2b044458cbf22da05264fa707308e8d4f86f9",
              "status": "affected",
              "version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
              "versionType": "git"
            },
            {
              "lessThan": "d042d69b417515959e49021fef008c9b04a99bd5",
              "status": "affected",
              "version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
              "versionType": "git"
            },
            {
              "lessThan": "4f3374c990fb2adec06d20fd6d780927811c9aa0",
              "status": "affected",
              "version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
              "versionType": "git"
            },
            {
              "lessThan": "3d29db827502067626062f5c74dd502d14ab15bc",
              "status": "affected",
              "version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
              "versionType": "git"
            },
            {
              "lessThan": "9874b2917b9fbc30956fee209d3c4aa47201c64e",
              "status": "affected",
              "version": "7fad2a432cd35bbf104d2d9d426e74902f22aa95",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/Kconfig",
            "arch/x86/kernel/shstk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/shstk: Prevent deadlock during shstk sigreturn\n\nDuring sigreturn the shadow stack signal frame is popped. The kernel does\nthis by reading the shadow stack using normal read accesses. When it can\u0027t\nassume the memory is shadow stack, it takes extra steps to makes sure it is\nreading actual shadow stack memory and not other normal readable memory. It\ndoes this by holding the mmap read lock while doing the access and checking\nthe flags of the VMA.\n\nUnfortunately that is not safe. If the read of the shadow stack sigframe\nhits a page fault, the fault handler will try to recursively grab another\nmmap read lock. This normally works ok, but if a writer on another CPU is\nalso waiting, the second read lock could fail and cause a deadlock.\n\nFix this by not holding mmap lock during the read access to userspace.\n\nInstead use mmap_lock_speculate_...() to watch for changes between dropping\nmmap lock and the userspace access. Retry if anything grabbed an mmap write\nlock in between and could have changed the VMA.\n\nThese mmap_lock_speculate_...() helpers use mm::mm_lock_seq, which is only\navailable when PER_VMA_LOCK is configured. So make X86_USER_SHADOW_STACK\ndepend on it. On x86, PER_VMA_LOCK is a default configuration for SMP\nkernels. So drop support for the other configs under the assumption that\nthe !SMP shadow stack user base does not exist.\n\nCurrently there is a check that skips the lookup work when the SSP can be\nassumed to be on a shadow stack. While reorganizing the function, remove\nthe optimization to make the tricky code flows more common, such that\nissues like this cannot escape detection for so long."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:51:37.005Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e2c2b044458cbf22da05264fa707308e8d4f86f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d042d69b417515959e49021fef008c9b04a99bd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f3374c990fb2adec06d20fd6d780927811c9aa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d29db827502067626062f5c74dd502d14ab15bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/9874b2917b9fbc30956fee209d3c4aa47201c64e"
        }
      ],
      "title": "x86/shstk: Prevent deadlock during shstk sigreturn",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46063",
    "datePublished": "2026-05-27T12:57:27.336Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:51:37.005Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46046 (GCVE-0-2026-46046)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:50

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() The commit c8e008b60492 ("ext4: ignore xattrs past end") introduced a refcount leak in when block_csum is false. ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to get iloc.bh, but never releases it with brelse().

References

URL

Tags

	https://git.kernel.org/stable/c/dd98a5603a212ea9c96c6982ccdbcc748fdb9a56
	https://git.kernel.org/stable/c/153ab2c52355fbebcae622db8e7b506492c73a29
	https://git.kernel.org/stable/c/b706d00206a9e82362a9633efbd8b5775650169b
	https://git.kernel.org/stable/c/1bc1107a3a403a6d440673ed6666f7b07ef868a8
	https://git.kernel.org/stable/c/097227f1ffe1a85bc3c359f81c71e3d40e06e920
	https://git.kernel.org/stable/c/1e6b0a69bf2c9c819255c7566e4355536d81d9cf
	https://git.kernel.org/stable/c/f072906688933bf47fabbaf63560be03357c8298
	https://git.kernel.org/stable/c/77d059519382bd66283e6a4e83ee186e87e7708f

Impacted products

Vendor

Product

Version

Version: 76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3
Version: f737418b6de31c962c7192777ee4018906975383
Version: cf9291a3449b04688b81e32621e88de8f4314b54
Version: 362a90cecd36e8a5c415966d0b75b04a0270e4dd
Version: eb59cc31b6ea076021d14b04e7faab1636b87d0e
Version: c8e008b60492cf6fd31ef127aea6d02fd3d314cd
Version: c8e008b60492cf6fd31ef127aea6d02fd3d314cd
Version: c8e008b60492cf6fd31ef127aea6d02fd3d314cd
Version: 6aff941cb0f7d0c897c3698ad2e30672709135e3
Version: 3bc6317033f365ce578eb6039445fb66162722fd
Version: 836e625b03a666cf93ff5be328c8cb30336db872
Version: 5.10.237   ≤
Version: 5.15.181   ≤
Version: 6.1.135   ≤
Version: 6.6.88   ≤
Version: 6.12.24   ≤
Version: 5.4.293   ≤
Version: 6.13.12   ≤
Version: 6.14.3   ≤

Version: 6.15

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47638

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dd98a5603a212ea9c96c6982ccdbcc748fdb9a56",
              "status": "affected",
              "version": "76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3",
              "versionType": "git"
            },
            {
              "lessThan": "153ab2c52355fbebcae622db8e7b506492c73a29",
              "status": "affected",
              "version": "f737418b6de31c962c7192777ee4018906975383",
              "versionType": "git"
            },
            {
              "lessThan": "b706d00206a9e82362a9633efbd8b5775650169b",
              "status": "affected",
              "version": "cf9291a3449b04688b81e32621e88de8f4314b54",
              "versionType": "git"
            },
            {
              "lessThan": "1bc1107a3a403a6d440673ed6666f7b07ef868a8",
              "status": "affected",
              "version": "362a90cecd36e8a5c415966d0b75b04a0270e4dd",
              "versionType": "git"
            },
            {
              "lessThan": "097227f1ffe1a85bc3c359f81c71e3d40e06e920",
              "status": "affected",
              "version": "eb59cc31b6ea076021d14b04e7faab1636b87d0e",
              "versionType": "git"
            },
            {
              "lessThan": "1e6b0a69bf2c9c819255c7566e4355536d81d9cf",
              "status": "affected",
              "version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
              "versionType": "git"
            },
            {
              "lessThan": "f072906688933bf47fabbaf63560be03357c8298",
              "status": "affected",
              "version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
              "versionType": "git"
            },
            {
              "lessThan": "77d059519382bd66283e6a4e83ee186e87e7708f",
              "status": "affected",
              "version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6aff941cb0f7d0c897c3698ad2e30672709135e3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3bc6317033f365ce578eb6039445fb66162722fd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "836e625b03a666cf93ff5be328c8cb30336db872",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.258",
              "status": "affected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.209",
              "status": "affected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.86",
              "status": "affected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThan": "6.14",
              "status": "affected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThan": "6.15",
              "status": "affected",
              "version": "6.14.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.10.237",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.293",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()\n\nThe commit c8e008b60492 (\"ext4: ignore xattrs past end\")\nintroduced a refcount leak in when block_csum is false.\n\next4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to\nget iloc.bh, but never releases it with brelse()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:25.177Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dd98a5603a212ea9c96c6982ccdbcc748fdb9a56"
        },
        {
          "url": "https://git.kernel.org/stable/c/153ab2c52355fbebcae622db8e7b506492c73a29"
        },
        {
          "url": "https://git.kernel.org/stable/c/b706d00206a9e82362a9633efbd8b5775650169b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bc1107a3a403a6d440673ed6666f7b07ef868a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/097227f1ffe1a85bc3c359f81c71e3d40e06e920"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e6b0a69bf2c9c819255c7566e4355536d81d9cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/f072906688933bf47fabbaf63560be03357c8298"
        },
        {
          "url": "https://git.kernel.org/stable/c/77d059519382bd66283e6a4e83ee186e87e7708f"
        }
      ],
      "title": "ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46046",
    "datePublished": "2026-05-27T12:57:02.610Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:25.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47638 (GCVE-0-2026-47638)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47638",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:22:47.572935Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:32:04.097Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:45.081Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47638"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47638",
    "datePublished": "2026-06-09T17:05:06.962Z",
    "dateReserved": "2026-05-19T20:12:27.070Z",
    "dateUpdated": "2026-06-16T18:17:45.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46197 (GCVE-0-2026-46197)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:01

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: validate SVM ioctl nattr against buffer size Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count. (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)

References

URL

Tags

	https://git.kernel.org/stable/c/daa8bc5f83814b55b71d2b5b3a090d57a5219c21
	https://git.kernel.org/stable/c/fb07a0c9c8419164812e07274947f11b1d92dd61
	https://git.kernel.org/stable/c/91c6dc5a41695d02dfc6299f106ac38a6c493e52
	https://git.kernel.org/stable/c/ccd060b5c7cc75ae7e211c250b97c5b6272e7efc
	https://git.kernel.org/stable/c/db9530a9873a7c85d2266a922589ebcf427fa631
	https://git.kernel.org/stable/c/6abd3a4417cb73a7d0db7e25bf11fae1074bdba3
	https://git.kernel.org/stable/c/045e0ff208f0838a246c10204105126611b267a1

Impacted products

Vendor

Product

Version

Version: 42de677f79999791bee4e21be318c32d90ab62c6
Version: 42de677f79999791bee4e21be318c32d90ab62c6
Version: 42de677f79999791bee4e21be318c32d90ab62c6
Version: 42de677f79999791bee4e21be318c32d90ab62c6
Version: 42de677f79999791bee4e21be318c32d90ab62c6
Version: 42de677f79999791bee4e21be318c32d90ab62c6
Version: 42de677f79999791bee4e21be318c32d90ab62c6

Version: 5.14

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_chardev.c",
            "drivers/gpu/drm/amd/amdkfd/kfd_priv.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "daa8bc5f83814b55b71d2b5b3a090d57a5219c21",
              "status": "affected",
              "version": "42de677f79999791bee4e21be318c32d90ab62c6",
              "versionType": "git"
            },
            {
              "lessThan": "fb07a0c9c8419164812e07274947f11b1d92dd61",
              "status": "affected",
              "version": "42de677f79999791bee4e21be318c32d90ab62c6",
              "versionType": "git"
            },
            {
              "lessThan": "91c6dc5a41695d02dfc6299f106ac38a6c493e52",
              "status": "affected",
              "version": "42de677f79999791bee4e21be318c32d90ab62c6",
              "versionType": "git"
            },
            {
              "lessThan": "ccd060b5c7cc75ae7e211c250b97c5b6272e7efc",
              "status": "affected",
              "version": "42de677f79999791bee4e21be318c32d90ab62c6",
              "versionType": "git"
            },
            {
              "lessThan": "db9530a9873a7c85d2266a922589ebcf427fa631",
              "status": "affected",
              "version": "42de677f79999791bee4e21be318c32d90ab62c6",
              "versionType": "git"
            },
            {
              "lessThan": "6abd3a4417cb73a7d0db7e25bf11fae1074bdba3",
              "status": "affected",
              "version": "42de677f79999791bee4e21be318c32d90ab62c6",
              "versionType": "git"
            },
            {
              "lessThan": "045e0ff208f0838a246c10204105126611b267a1",
              "status": "affected",
              "version": "42de677f79999791bee4e21be318c32d90ab62c6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_chardev.c",
            "drivers/gpu/drm/amd/amdkfd/kfd_priv.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: validate SVM ioctl nattr against buffer size\n\nValidate nattr field against the buffer size, preventing\nout-of-bounds buffer access via user-controlled attribute count.\n\n(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:58.427Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/daa8bc5f83814b55b71d2b5b3a090d57a5219c21"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb07a0c9c8419164812e07274947f11b1d92dd61"
        },
        {
          "url": "https://git.kernel.org/stable/c/91c6dc5a41695d02dfc6299f106ac38a6c493e52"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccd060b5c7cc75ae7e211c250b97c5b6272e7efc"
        },
        {
          "url": "https://git.kernel.org/stable/c/db9530a9873a7c85d2266a922589ebcf427fa631"
        },
        {
          "url": "https://git.kernel.org/stable/c/6abd3a4417cb73a7d0db7e25bf11fae1074bdba3"
        },
        {
          "url": "https://git.kernel.org/stable/c/045e0ff208f0838a246c10204105126611b267a1"
        }
      ],
      "title": "drm/amdkfd: validate SVM ioctl nattr against buffer size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46197",
    "datePublished": "2026-05-28T09:40:13.722Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:01:58.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45835 (GCVE-0-2026-45835)

Vulnerability from cvelistv5

Published

2026-05-26 16:14

Modified

2026-06-14 17:45

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

References

URL

Tags

	https://git.kernel.org/stable/c/140b63cb46f2855ac4ec8fba2f1e974a9c2974e8
	https://git.kernel.org/stable/c/2422eaed0925973c0f318c94eb13e76f14c7381e
	https://git.kernel.org/stable/c/684a1f9ee2325437ae18ac5371884e4c6a25ae73
	https://git.kernel.org/stable/c/ab77c8bc30269bee15d917059a66bea48909f5f0
	https://git.kernel.org/stable/c/bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9
	https://git.kernel.org/stable/c/741e6024e31587b0c021b6616a9e428a4ea0b64a
	https://git.kernel.org/stable/c/76083fb80f5a38ac13326b2d810f66bd07771eea
	https://git.kernel.org/stable/c/0a120d96166301d7a95be75b52f843837dbd1219

Impacted products

Vendor

Product

Version

Version: 80808e431e1ef25856457de82ce141bed6a6313a
Version: 80808e431e1ef25856457de82ce141bed6a6313a
Version: 80808e431e1ef25856457de82ce141bed6a6313a
Version: 80808e431e1ef25856457de82ce141bed6a6313a
Version: 80808e431e1ef25856457de82ce141bed6a6313a
Version: 80808e431e1ef25856457de82ce141bed6a6313a
Version: 80808e431e1ef25856457de82ce141bed6a6313a
Version: 80808e431e1ef25856457de82ce141bed6a6313a

Version: 3.1

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45464

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "140b63cb46f2855ac4ec8fba2f1e974a9c2974e8",
              "status": "affected",
              "version": "80808e431e1ef25856457de82ce141bed6a6313a",
              "versionType": "git"
            },
            {
              "lessThan": "2422eaed0925973c0f318c94eb13e76f14c7381e",
              "status": "affected",
              "version": "80808e431e1ef25856457de82ce141bed6a6313a",
              "versionType": "git"
            },
            {
              "lessThan": "684a1f9ee2325437ae18ac5371884e4c6a25ae73",
              "status": "affected",
              "version": "80808e431e1ef25856457de82ce141bed6a6313a",
              "versionType": "git"
            },
            {
              "lessThan": "ab77c8bc30269bee15d917059a66bea48909f5f0",
              "status": "affected",
              "version": "80808e431e1ef25856457de82ce141bed6a6313a",
              "versionType": "git"
            },
            {
              "lessThan": "bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9",
              "status": "affected",
              "version": "80808e431e1ef25856457de82ce141bed6a6313a",
              "versionType": "git"
            },
            {
              "lessThan": "741e6024e31587b0c021b6616a9e428a4ea0b64a",
              "status": "affected",
              "version": "80808e431e1ef25856457de82ce141bed6a6313a",
              "versionType": "git"
            },
            {
              "lessThan": "76083fb80f5a38ac13326b2d810f66bd07771eea",
              "status": "affected",
              "version": "80808e431e1ef25856457de82ce141bed6a6313a",
              "versionType": "git"
            },
            {
              "lessThan": "0a120d96166301d7a95be75b52f843837dbd1219",
              "status": "affected",
              "version": "80808e431e1ef25856457de82ce141bed6a6313a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "lessThan": "3.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:45:55.302Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/140b63cb46f2855ac4ec8fba2f1e974a9c2974e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2422eaed0925973c0f318c94eb13e76f14c7381e"
        },
        {
          "url": "https://git.kernel.org/stable/c/684a1f9ee2325437ae18ac5371884e4c6a25ae73"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab77c8bc30269bee15d917059a66bea48909f5f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9"
        },
        {
          "url": "https://git.kernel.org/stable/c/741e6024e31587b0c021b6616a9e428a4ea0b64a"
        },
        {
          "url": "https://git.kernel.org/stable/c/76083fb80f5a38ac13326b2d810f66bd07771eea"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a120d96166301d7a95be75b52f843837dbd1219"
        }
      ],
      "title": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45835",
    "datePublished": "2026-05-26T16:14:12.195Z",
    "dateReserved": "2026-05-13T15:03:33.077Z",
    "dateUpdated": "2026-06-14T17:45:55.302Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45464 (GCVE-0-2026-45464)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45464",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T18:02:22.225330Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T18:02:29.859Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:04.474Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45464"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45464",
    "datePublished": "2026-06-09T17:05:26.441Z",
    "dateReserved": "2026-05-12T16:06:43.097Z",
    "dateUpdated": "2026-06-16T18:18:04.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45844 (GCVE-0-2026-45844)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload parsing Weiming Shi says: "arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices. As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa. The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()." Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394. Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394. Moreover, adjust arpt_mangle to drop the packet too as AI suggests: In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload. This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported. Based on patch from Weiming Shi <bestswngs@gmail.com>.

References

URL

Tags

	https://git.kernel.org/stable/c/0f23a1457695f1a61f64367e39f0f9cfa29947d1
	https://git.kernel.org/stable/c/1e285362ef7096eb12733370d59e033f4a1d294a
	https://git.kernel.org/stable/c/84e8536c981338d0d8cc6e712cf71a936a93e13f
	https://git.kernel.org/stable/c/ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b
	https://git.kernel.org/stable/c/03ea11dbefaa55c502735ee551c89ef773fe753b
	https://git.kernel.org/stable/c/1c55053f8ffdc060006df898fd3664e3d1bfac7b
	https://git.kernel.org/stable/c/ac698d81fd6619c7504cee913f1cab5285fba1b7
	https://git.kernel.org/stable/c/1e8e3f449b1e73b73a843257635b9c50f0cc0f0a

Impacted products

Vendor

Product

Version

Version: 6752c8db8e0cfedb44ba62806dd15b383ed64000
Version: 6752c8db8e0cfedb44ba62806dd15b383ed64000
Version: 6752c8db8e0cfedb44ba62806dd15b383ed64000
Version: 6752c8db8e0cfedb44ba62806dd15b383ed64000
Version: 6752c8db8e0cfedb44ba62806dd15b383ed64000
Version: 6752c8db8e0cfedb44ba62806dd15b383ed64000
Version: 6752c8db8e0cfedb44ba62806dd15b383ed64000
Version: 6752c8db8e0cfedb44ba62806dd15b383ed64000

Version: 3.10

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/netfilter/arp_tables.c",
            "net/ipv4/netfilter/arpt_mangle.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0f23a1457695f1a61f64367e39f0f9cfa29947d1",
              "status": "affected",
              "version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
              "versionType": "git"
            },
            {
              "lessThan": "1e285362ef7096eb12733370d59e033f4a1d294a",
              "status": "affected",
              "version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
              "versionType": "git"
            },
            {
              "lessThan": "84e8536c981338d0d8cc6e712cf71a936a93e13f",
              "status": "affected",
              "version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
              "versionType": "git"
            },
            {
              "lessThan": "ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b",
              "status": "affected",
              "version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
              "versionType": "git"
            },
            {
              "lessThan": "03ea11dbefaa55c502735ee551c89ef773fe753b",
              "status": "affected",
              "version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
              "versionType": "git"
            },
            {
              "lessThan": "1c55053f8ffdc060006df898fd3664e3d1bfac7b",
              "status": "affected",
              "version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
              "versionType": "git"
            },
            {
              "lessThan": "ac698d81fd6619c7504cee913f1cab5285fba1b7",
              "status": "affected",
              "version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
              "versionType": "git"
            },
            {
              "lessThan": "1e8e3f449b1e73b73a843257635b9c50f0cc0f0a",
              "status": "affected",
              "version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/netfilter/arp_tables.c",
            "net/ipv4/netfilter/arpt_mangle.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: arp_tables: fix IEEE1394 ARP payload parsing\n\nWeiming Shi says:\n\n\"arp_packet_match() unconditionally parses the ARP payload assuming two\nhardware addresses are present (source and target). However,\nIPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address\nfield, and arp_hdr_len() already accounts for this by returning a\nshorter length for ARPHRD_IEEE1394 devices.\n\nAs a result, on IEEE1394 interfaces arp_packet_match() advances past a\nnonexistent target hardware address and reads the wrong bytes for both\nthe target device address comparison and the target IP address. This\ncauses arptables rules to match against garbage data, leading to\nincorrect filtering decisions: packets that should be accepted may be\ndropped and vice versa.\n\nThe ARP stack in net/ipv4/arp.c (arp_create and arp_process) already\nhandles this correctly by skipping the target hardware address for\nARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"\n\nMangle the original patch to always return 0 (no match) in case user\nmatches on the target hardware address which is never present in\nIEEE1394.\n\nNote that this returns 0 (no match) for either normal and inverse match\nbecause matching in the target hardware address in ARPHRD_IEEE1394 has\nnever been supported by arptables. This is intentional, matching on the\ntarget hardware address should never evaluate true for ARPHRD_IEEE1394.\n\nMoreover, adjust arpt_mangle to drop the packet too as AI suggests:\n\nIn arpt_mangle, the logic assumes a standard ARP layout. Because\nIEEE1394 (FireWire) omits the target hardware address, the linear\npointer arithmetic miscalculates the offset for the target IP address.\nThis causes mangling operations to write to the wrong location, leading\nto packet corruption. To ensure safety, this patch drops packets\n(NF_DROP) when mangling is requested for these fields on IEEE1394\ndevices, as the current implementation cannot correctly map the FireWire\nARP payload.\n\nThis omits both mangling target hardware and IP address. Even if IP\naddress mangling should be possible in IEEE1394, this would require\nto adjust arpt_mangle offset calculation, which has never been\nsupported.\n\nBased on patch from Weiming Shi \u003cbestswngs@gmail.com\u003e."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:23.877Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0f23a1457695f1a61f64367e39f0f9cfa29947d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e285362ef7096eb12733370d59e033f4a1d294a"
        },
        {
          "url": "https://git.kernel.org/stable/c/84e8536c981338d0d8cc6e712cf71a936a93e13f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/03ea11dbefaa55c502735ee551c89ef773fe753b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c55053f8ffdc060006df898fd3664e3d1bfac7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac698d81fd6619c7504cee913f1cab5285fba1b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e8e3f449b1e73b73a843257635b9c50f0cc0f0a"
        }
      ],
      "title": "netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45844",
    "datePublished": "2026-05-27T09:24:47.041Z",
    "dateReserved": "2026-05-13T15:03:33.078Z",
    "dateUpdated": "2026-06-14T17:46:23.877Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46040 (GCVE-0-2026-46040)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:49

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active. Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback. Add the missing dec_inotify_watches() call in the error path.

References

URL

Tags

	https://git.kernel.org/stable/c/3ab58cf42c46bf2366d2f55ae5c59299d5e178b7
	https://git.kernel.org/stable/c/10edf7e0ffdc7faa18e2244b17722c1b882b8273
	https://git.kernel.org/stable/c/3ad9ccea1b25435f6179b57aa891960beb7ce8f9
	https://git.kernel.org/stable/c/8bcc1cd237ab5ccfdd102869fa031c541943cf40
	https://git.kernel.org/stable/c/73ddc8518a32baff6bc17afda4ee1ebae5b4ed12
	https://git.kernel.org/stable/c/fdaa42ca370d056428e5e171247c8fdce8dff36a
	https://git.kernel.org/stable/c/9e48844f708eb48bae4e79cb21edc097c966306d
	https://git.kernel.org/stable/c/6a320935fa4293e9e599ec9f85dc9eb3be7029f8

Impacted products

Vendor

Product

Version

Version: 1cce1eea0aff51201753fcaca421df825b0813b6
Version: 1cce1eea0aff51201753fcaca421df825b0813b6
Version: 1cce1eea0aff51201753fcaca421df825b0813b6
Version: 1cce1eea0aff51201753fcaca421df825b0813b6
Version: 1cce1eea0aff51201753fcaca421df825b0813b6
Version: 1cce1eea0aff51201753fcaca421df825b0813b6
Version: 1cce1eea0aff51201753fcaca421df825b0813b6
Version: 1cce1eea0aff51201753fcaca421df825b0813b6

Version: 4.11

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/notify/inotify/inotify_user.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3ab58cf42c46bf2366d2f55ae5c59299d5e178b7",
              "status": "affected",
              "version": "1cce1eea0aff51201753fcaca421df825b0813b6",
              "versionType": "git"
            },
            {
              "lessThan": "10edf7e0ffdc7faa18e2244b17722c1b882b8273",
              "status": "affected",
              "version": "1cce1eea0aff51201753fcaca421df825b0813b6",
              "versionType": "git"
            },
            {
              "lessThan": "3ad9ccea1b25435f6179b57aa891960beb7ce8f9",
              "status": "affected",
              "version": "1cce1eea0aff51201753fcaca421df825b0813b6",
              "versionType": "git"
            },
            {
              "lessThan": "8bcc1cd237ab5ccfdd102869fa031c541943cf40",
              "status": "affected",
              "version": "1cce1eea0aff51201753fcaca421df825b0813b6",
              "versionType": "git"
            },
            {
              "lessThan": "73ddc8518a32baff6bc17afda4ee1ebae5b4ed12",
              "status": "affected",
              "version": "1cce1eea0aff51201753fcaca421df825b0813b6",
              "versionType": "git"
            },
            {
              "lessThan": "fdaa42ca370d056428e5e171247c8fdce8dff36a",
              "status": "affected",
              "version": "1cce1eea0aff51201753fcaca421df825b0813b6",
              "versionType": "git"
            },
            {
              "lessThan": "9e48844f708eb48bae4e79cb21edc097c966306d",
              "status": "affected",
              "version": "1cce1eea0aff51201753fcaca421df825b0813b6",
              "versionType": "git"
            },
            {
              "lessThan": "6a320935fa4293e9e599ec9f85dc9eb3be7029f8",
              "status": "affected",
              "version": "1cce1eea0aff51201753fcaca421df825b0813b6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/notify/inotify/inotify_user.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails\n\nWhen fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),\nthe error path calls inotify_remove_from_idr() but does not call\ndec_inotify_watches() to undo the preceding inc_inotify_watches().\nThis leaks a watch count, and repeated failures can exhaust the\nmax_user_watches limit with -ENOSPC even when no watches are active.\n\nPrior to commit 1cce1eea0aff (\"inotify: Convert to using per-namespace\nlimits\"), the watch count was incremented after fsnotify_add_mark_locked()\nsucceeded, so this path was not affected. The conversion moved\ninc_inotify_watches() before the mark insertion without adding the\ncorresponding rollback.\n\nAdd the missing dec_inotify_watches() call in the error path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:49:57.876Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3ab58cf42c46bf2366d2f55ae5c59299d5e178b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/10edf7e0ffdc7faa18e2244b17722c1b882b8273"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ad9ccea1b25435f6179b57aa891960beb7ce8f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bcc1cd237ab5ccfdd102869fa031c541943cf40"
        },
        {
          "url": "https://git.kernel.org/stable/c/73ddc8518a32baff6bc17afda4ee1ebae5b4ed12"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdaa42ca370d056428e5e171247c8fdce8dff36a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e48844f708eb48bae4e79cb21edc097c966306d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a320935fa4293e9e599ec9f85dc9eb3be7029f8"
        }
      ],
      "title": "inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46040",
    "datePublished": "2026-05-27T12:56:52.161Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:49:57.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46050 (GCVE-0-2026-46050)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:50

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix deadlock with check operation and nowait requests When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn't happen in the NOWAIT case. This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0. Output of r10conf state of the array when we hit this condition: crash> struct r10conf barrier = 1, nr_pending = { counter = -41 }, nr_waiting = 15, nr_queued = 0, Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier(): md1_resync [<0>] raise_barrier+0xce/0x1c0 [<0>] raid10_sync_request+0x1ca/0x1ed0 [<0>] md_do_sync+0x779/0x1110 [<0>] md_thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 kworker/u1040:2+flush-253:4 [<0>] wait_barrier+0x1de/0x220 [<0>] regular_request_wait+0x30/0x180 [<0>] raid10_make_request+0x261/0x1000 [<0>] md_handle_request+0x13b/0x230 [<0>] __submit_bio+0x107/0x1f0 [<0>] submit_bio_noacct_nocheck+0x16f/0x390 [<0>] ext4_io_submit+0x24/0x40 [<0>] ext4_do_writepages+0x254/0xc80 [<0>] ext4_writepages+0x84/0x120 [<0>] do_writepages+0x7a/0x260 [<0>] __writeback_single_inode+0x3d/0x300 [<0>] writeback_sb_inodes+0x1dd/0x470 [<0>] __writeback_inodes_wb+0x4c/0xe0 [<0>] wb_writeback+0x18b/0x2d0 [<0>] wb_workfn+0x2a1/0x400 [<0>] process_one_work+0x149/0x330 [<0>] worker_thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30

References

URL

Tags

	https://git.kernel.org/stable/c/2249983d971e6839b36284e6610390b2c217dfa1
	https://git.kernel.org/stable/c/ae356d5eb1331d678985799f893e436314834a87
	https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523
	https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963
	https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45
	https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379
	https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436

Impacted products

Vendor

Product

Version

Version: 10c6021a609deb95f23f0cc2f89aa9d4bffb14c7
Version: 9af149ca9d0dab6e59e813519d309eff62499864
Version: 8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d
Version: 2941155d9a5ae098b480d551f3a5f8605d4f9af5
Version: 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24
Version: 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24
Version: 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24
Version: ed7bcd9f617e4107ac0813c516e72e6b8f6029bd
Version: 5.15.189   ≤
Version: 6.1.146   ≤
Version: 6.6.99   ≤
Version: 6.12.39   ≤
Version: 6.15.7   ≤

Version: 6.16

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid10.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2249983d971e6839b36284e6610390b2c217dfa1",
              "status": "affected",
              "version": "10c6021a609deb95f23f0cc2f89aa9d4bffb14c7",
              "versionType": "git"
            },
            {
              "lessThan": "ae356d5eb1331d678985799f893e436314834a87",
              "status": "affected",
              "version": "9af149ca9d0dab6e59e813519d309eff62499864",
              "versionType": "git"
            },
            {
              "lessThan": "965d6162dd88cc7cc193cf7f5bfc132d8bbf0523",
              "status": "affected",
              "version": "8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d",
              "versionType": "git"
            },
            {
              "lessThan": "42fe37c90184cd1568838b84b488934c3671c963",
              "status": "affected",
              "version": "2941155d9a5ae098b480d551f3a5f8605d4f9af5",
              "versionType": "git"
            },
            {
              "lessThan": "cac2106bb9a2180b288079b49ed626414fb5bc45",
              "status": "affected",
              "version": "43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24",
              "versionType": "git"
            },
            {
              "lessThan": "1cdff2937c618f81058422bbdc4974a3e7ec9379",
              "status": "affected",
              "version": "43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24",
              "versionType": "git"
            },
            {
              "lessThan": "7d96f3120a7fb7210d21b520c5b6f495da6ba436",
              "status": "affected",
              "version": "43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ed7bcd9f617e4107ac0813c516e72e6b8f6029bd",
              "versionType": "git"
            },
            {
              "lessThan": "5.15.209",
              "status": "affected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.86",
              "status": "affected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThan": "6.16",
              "status": "affected",
              "version": "6.15.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid10.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15.189",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.146",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.12.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.15.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix deadlock with check operation and nowait requests\n\nWhen an array check is running it will raise the barrier at which point\nnormal requests will become blocked and increment the nr_pending value to\nsignal there is work pending inside of wait_barrier(). NOWAIT requests\ndo not block and so will return immediately with an error, and additionally\ndo not increment nr_pending in wait_barrier(). Upstream change commit\n43806c3d5b9b (\"raid10: cleanup memleak at raid10_make_request\") added a\ncall to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit\nthis condition. raid_end_bio_io() eventually calls allow_barrier() and\nit will unconditionally do an atomic_dec_and_test(\u0026conf-\u003enr_pending) even\nthough the corresponding increment on nr_pending didn\u0027t happen in the\nNOWAIT case.\n\nThis can be easily seen by starting a check operation while an application\nis doing nowait IO on the same array. This results in a deadlocked state\ndue to nr_pending value underflowing and so the md resync thread gets stuck\nwaiting for nr_pending to == 0.\n\nOutput of r10conf state of the array when we hit this condition:\n\ncrash\u003e struct r10conf\n\tbarrier = 1,\n        nr_pending = {\n          counter = -41\n        },\n        nr_waiting = 15,\n        nr_queued = 0,\n\nExample of md_sync thread stuck waiting on raise_barrier() and other\nrequests stuck in wait_barrier():\n\nmd1_resync\n[\u003c0\u003e] raise_barrier+0xce/0x1c0\n[\u003c0\u003e] raid10_sync_request+0x1ca/0x1ed0\n[\u003c0\u003e] md_do_sync+0x779/0x1110\n[\u003c0\u003e] md_thread+0x90/0x160\n[\u003c0\u003e] kthread+0xbe/0xf0\n[\u003c0\u003e] ret_from_fork+0x34/0x50\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30\n\nkworker/u1040:2+flush-253:4\n[\u003c0\u003e] wait_barrier+0x1de/0x220\n[\u003c0\u003e] regular_request_wait+0x30/0x180\n[\u003c0\u003e] raid10_make_request+0x261/0x1000\n[\u003c0\u003e] md_handle_request+0x13b/0x230\n[\u003c0\u003e] __submit_bio+0x107/0x1f0\n[\u003c0\u003e] submit_bio_noacct_nocheck+0x16f/0x390\n[\u003c0\u003e] ext4_io_submit+0x24/0x40\n[\u003c0\u003e] ext4_do_writepages+0x254/0xc80\n[\u003c0\u003e] ext4_writepages+0x84/0x120\n[\u003c0\u003e] do_writepages+0x7a/0x260\n[\u003c0\u003e] __writeback_single_inode+0x3d/0x300\n[\u003c0\u003e] writeback_sb_inodes+0x1dd/0x470\n[\u003c0\u003e] __writeback_inodes_wb+0x4c/0xe0\n[\u003c0\u003e] wb_writeback+0x18b/0x2d0\n[\u003c0\u003e] wb_workfn+0x2a1/0x400\n[\u003c0\u003e] process_one_work+0x149/0x330\n[\u003c0\u003e] worker_thread+0x2d2/0x410\n[\u003c0\u003e] kthread+0xbe/0xf0\n[\u003c0\u003e] ret_from_fork+0x34/0x50\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:41.899Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2249983d971e6839b36284e6610390b2c217dfa1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae356d5eb1331d678985799f893e436314834a87"
        },
        {
          "url": "https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523"
        },
        {
          "url": "https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963"
        },
        {
          "url": "https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436"
        }
      ],
      "title": "md/raid10: fix deadlock with check operation and nowait requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46050",
    "datePublished": "2026-05-27T12:57:06.732Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:41.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46198 (GCVE-0-2026-46198)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:02

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix integer overflow on buff_pos Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.

References

URL

Tags

	https://git.kernel.org/stable/c/867cd090760e8f5cd206f387b47ff9c56fac04e9
	https://git.kernel.org/stable/c/10bb1f366d884d506c38a947b43026a75d1afe9a
	https://git.kernel.org/stable/c/96c9c0ed9a9579a9085765aceaa4556a6666eb82
	https://git.kernel.org/stable/c/f61499359fa529f0d45a53bf7c573a49eb6322e6
	https://git.kernel.org/stable/c/974542d1efc48b7e9fe16184e647615cba39969b
	https://git.kernel.org/stable/c/bf872db54f91ffe70104b98c20068b2d5910e018
	https://git.kernel.org/stable/c/b252797bfced986d6d92ec2f4cfcca842ce8aa78
	https://git.kernel.org/stable/c/0799e5943611006b346b8813c7daf7dd5aa26bfd

Impacted products

Vendor

Product

Version

Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3

Version: 2.6.38

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_iv_ogm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "867cd090760e8f5cd206f387b47ff9c56fac04e9",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "10bb1f366d884d506c38a947b43026a75d1afe9a",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "96c9c0ed9a9579a9085765aceaa4556a6666eb82",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "f61499359fa529f0d45a53bf7c573a49eb6322e6",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "974542d1efc48b7e9fe16184e647615cba39969b",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "bf872db54f91ffe70104b98c20068b2d5910e018",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "b252797bfced986d6d92ec2f4cfcca842ce8aa78",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "0799e5943611006b346b8813c7daf7dd5aa26bfd",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_iv_ogm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix integer overflow on buff_pos\n\nFixing an integer overflow present in batadv_iv_ogm_send_to_if. The size\ncheck is done using the int type in batadv_iv_ogm_aggr_packet whereas the\nbuff_pos variable uses the s16 type. This could lead to an out-of-bound\nread."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:02:03.705Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/867cd090760e8f5cd206f387b47ff9c56fac04e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/10bb1f366d884d506c38a947b43026a75d1afe9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/96c9c0ed9a9579a9085765aceaa4556a6666eb82"
        },
        {
          "url": "https://git.kernel.org/stable/c/f61499359fa529f0d45a53bf7c573a49eb6322e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/974542d1efc48b7e9fe16184e647615cba39969b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf872db54f91ffe70104b98c20068b2d5910e018"
        },
        {
          "url": "https://git.kernel.org/stable/c/b252797bfced986d6d92ec2f4cfcca842ce8aa78"
        },
        {
          "url": "https://git.kernel.org/stable/c/0799e5943611006b346b8813c7daf7dd5aa26bfd"
        }
      ],
      "title": "batman-adv: fix integer overflow on buff_pos",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46198",
    "datePublished": "2026-05-28T09:40:14.558Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:02:03.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48959 (GCVE-0-2026-48959)

Vulnerability from cvelistv5

Published

2026-05-27 02:29

Modified

2026-05-29 15:50

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Summary

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration. Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.

References

URL

Tags

	https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch	patch
	https://metacpan.org/release/PMQS/IO-Compress-2.220/changes	release-notes

Impacted products

	Vendor	Product	Version
	PMQS	IO::Uncompress::Unzip	Version: 0 < 2.220

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45502

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-27T07:24:56.426Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/27/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48959",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T15:50:09.916092Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T15:50:39.869Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "IO-Compress",
          "product": "IO::Uncompress::Unzip",
          "programFiles": [
            "lib/IO/Uncompress/Unzip.pm"
          ],
          "programRoutines": [
            {
              "name": "IO::Uncompress::Unzip::fastForward"
            }
          ],
          "repo": "https://github.com/pmqs/IO-Compress",
          "vendor": "PMQS",
          "versions": [
            {
              "lessThan": "2.220",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.\n\nfastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.\n\nExtracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip-\u003enew($zip, Name =\u003e $target) drives a per-byte read loop scaling with the entry\u0027s compressed size, up to the non-Zip64 4 GiB cap."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407 Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T02:29:07.027Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/PMQS/IO-Compress-2.220/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to IO-Compress 2.220 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-14T00:00:00.000Z",
          "value": "Issue reported."
        },
        {
          "lang": "en",
          "time": "2026-05-16T00:00:00.000Z",
          "value": "Version 2.220 released."
        }
      ],
      "title": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-48959",
    "datePublished": "2026-05-27T02:29:07.027Z",
    "dateReserved": "2026-05-26T18:09:32.365Z",
    "dateUpdated": "2026-05-29T15:50:39.869Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45502 (GCVE-0-2026-45502)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Microsoft Exchange Server 2016 Cumulative Update 23

Version: 15.01.0.0 < 15.01.2507.069

Microsoft	Microsoft Exchange Server 2019 Cumulative Update 14	Version: 15.02.0.0 < 15.02.1544.041
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 15	Version: 15.02.0.0 < 15.02.1748.046
Microsoft	Microsoft Exchange Server Subscription Edition RTM	Version: 15.02.0.0 < 15.02.2562.043

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45502",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:22:44.991826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:32:14.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.069",
              "status": "affected",
              "version": "15.01.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 14",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1544.041",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 15",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1748.046",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server Subscription Edition RTM",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.2562.043",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1544.041",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1748.046",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.069",
                  "versionStartIncluding": "15.01.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.2562.043",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:25.899Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45502"
        }
      ],
      "title": "Microsoft Exchange Server Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45502",
    "datePublished": "2026-06-09T17:04:46.157Z",
    "dateReserved": "2026-05-12T16:07:22.619Z",
    "dateUpdated": "2026-06-16T18:17:25.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46089 (GCVE-0-2026-46089)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: zram: do not forget to endio for partial discard requests As reported by Qu Wenruo and Avinesh Kumar, the following getconf PAGESIZE 65536 blkdiscard -p 4k /dev/zram0 takes literally forever to complete. zram doesn't support partial discards and just returns immediately w/o doing any discard work in such cases. The problem is that we forget to endio on our way out, so blkdiscard sleeps forever in submit_bio_wait(). Fix this by jumping to end_bio label, which does bio_endio().

References

URL

Tags

	https://git.kernel.org/stable/c/2d1f18efccdb8b29552399d024c36b705447e975
	https://git.kernel.org/stable/c/35d3300f6357cfaa72db2721dc2b345b19bac5df
	https://git.kernel.org/stable/c/a02363f71a79b755daa78a70d6b217f9c13c8c85
	https://git.kernel.org/stable/c/68ce397e8236088fc53b9532d383a722288c8194
	https://git.kernel.org/stable/c/e3668b371329ea036ff022ce8ecc82f8befcf003

Impacted products

Vendor

Product

Version

Version: 0120dd6e4e202e19a0e011e486fb2da40a5ea279
Version: 0120dd6e4e202e19a0e011e486fb2da40a5ea279
Version: 0120dd6e4e202e19a0e011e486fb2da40a5ea279
Version: 0120dd6e4e202e19a0e011e486fb2da40a5ea279
Version: 0120dd6e4e202e19a0e011e486fb2da40a5ea279

Version: 6.4

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/zram/zram_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2d1f18efccdb8b29552399d024c36b705447e975",
              "status": "affected",
              "version": "0120dd6e4e202e19a0e011e486fb2da40a5ea279",
              "versionType": "git"
            },
            {
              "lessThan": "35d3300f6357cfaa72db2721dc2b345b19bac5df",
              "status": "affected",
              "version": "0120dd6e4e202e19a0e011e486fb2da40a5ea279",
              "versionType": "git"
            },
            {
              "lessThan": "a02363f71a79b755daa78a70d6b217f9c13c8c85",
              "status": "affected",
              "version": "0120dd6e4e202e19a0e011e486fb2da40a5ea279",
              "versionType": "git"
            },
            {
              "lessThan": "68ce397e8236088fc53b9532d383a722288c8194",
              "status": "affected",
              "version": "0120dd6e4e202e19a0e011e486fb2da40a5ea279",
              "versionType": "git"
            },
            {
              "lessThan": "e3668b371329ea036ff022ce8ecc82f8befcf003",
              "status": "affected",
              "version": "0120dd6e4e202e19a0e011e486fb2da40a5ea279",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/zram/zram_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: do not forget to endio for partial discard requests\n\nAs reported by Qu Wenruo and Avinesh Kumar, the following\n\n getconf PAGESIZE\n 65536\n blkdiscard -p 4k /dev/zram0\n\ntakes literally forever to complete.  zram doesn\u0027t support partial\ndiscards and just returns immediately w/o doing any discard work in such\ncases.  The problem is that we forget to endio on our way out, so\nblkdiscard sleeps forever in submit_bio_wait().  Fix this by jumping to\nend_bio label, which does bio_endio()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:34.164Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2d1f18efccdb8b29552399d024c36b705447e975"
        },
        {
          "url": "https://git.kernel.org/stable/c/35d3300f6357cfaa72db2721dc2b345b19bac5df"
        },
        {
          "url": "https://git.kernel.org/stable/c/a02363f71a79b755daa78a70d6b217f9c13c8c85"
        },
        {
          "url": "https://git.kernel.org/stable/c/68ce397e8236088fc53b9532d383a722288c8194"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3668b371329ea036ff022ce8ecc82f8befcf003"
        }
      ],
      "title": "zram: do not forget to endio for partial discard requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46089",
    "datePublished": "2026-05-27T12:58:32.606Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:53:34.164Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46009 (GCVE-0-2026-46009)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to do later. This leads to an oops when .allow_link fails or when .drop_link is performed. Remove the helper. Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC group lifetime, and pci_epc_put() in the .drop_link path is sufficient.

References

URL

Tags

	https://git.kernel.org/stable/c/c3029721b84f59e790285ad27544ed5d3cb0f2a6
	https://git.kernel.org/stable/c/c72f6a7ea638f95c486a5cfd86e567b646027687
	https://git.kernel.org/stable/c/72099f015d3c77bf2eb703d1aab113bd7a60915a
	https://git.kernel.org/stable/c/756ca5e7ed22d9045bb4de4c981f9149278d5cd3
	https://git.kernel.org/stable/c/65fc57c8b8f0b31be62be291cb1bb01755cec85d
	https://git.kernel.org/stable/c/e813c95e4c8edd31599081e6356e20ada30e266d
	https://git.kernel.org/stable/c/3446beddba450c8d6f9aca2f028712ac527fead3

Impacted products

Vendor

Product

Version

Version: 8b821cf761503b80d0bd052f932adfe1bc1a0088
Version: 8b821cf761503b80d0bd052f932adfe1bc1a0088
Version: 8b821cf761503b80d0bd052f932adfe1bc1a0088
Version: 8b821cf761503b80d0bd052f932adfe1bc1a0088
Version: 8b821cf761503b80d0bd052f932adfe1bc1a0088
Version: 8b821cf761503b80d0bd052f932adfe1bc1a0088
Version: 8b821cf761503b80d0bd052f932adfe1bc1a0088

Version: 5.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/endpoint/functions/pci-epf-ntb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c3029721b84f59e790285ad27544ed5d3cb0f2a6",
              "status": "affected",
              "version": "8b821cf761503b80d0bd052f932adfe1bc1a0088",
              "versionType": "git"
            },
            {
              "lessThan": "c72f6a7ea638f95c486a5cfd86e567b646027687",
              "status": "affected",
              "version": "8b821cf761503b80d0bd052f932adfe1bc1a0088",
              "versionType": "git"
            },
            {
              "lessThan": "72099f015d3c77bf2eb703d1aab113bd7a60915a",
              "status": "affected",
              "version": "8b821cf761503b80d0bd052f932adfe1bc1a0088",
              "versionType": "git"
            },
            {
              "lessThan": "756ca5e7ed22d9045bb4de4c981f9149278d5cd3",
              "status": "affected",
              "version": "8b821cf761503b80d0bd052f932adfe1bc1a0088",
              "versionType": "git"
            },
            {
              "lessThan": "65fc57c8b8f0b31be62be291cb1bb01755cec85d",
              "status": "affected",
              "version": "8b821cf761503b80d0bd052f932adfe1bc1a0088",
              "versionType": "git"
            },
            {
              "lessThan": "e813c95e4c8edd31599081e6356e20ada30e266d",
              "status": "affected",
              "version": "8b821cf761503b80d0bd052f932adfe1bc1a0088",
              "versionType": "git"
            },
            {
              "lessThan": "3446beddba450c8d6f9aca2f028712ac527fead3",
              "status": "affected",
              "version": "8b821cf761503b80d0bd052f932adfe1bc1a0088",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/endpoint/functions/pci-epf-ntb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown\n\nepf_ntb_epc_destroy() duplicates the teardown that the caller is\nsupposed to do later. This leads to an oops when .allow_link fails or\nwhen .drop_link is performed. Remove the helper.\n\nAlso drop pci_epc_put(). EPC device refcounting is tied to configfs EPC\ngroup lifetime, and pci_epc_put() in the .drop_link path is sufficient."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:44.154Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c3029721b84f59e790285ad27544ed5d3cb0f2a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c72f6a7ea638f95c486a5cfd86e567b646027687"
        },
        {
          "url": "https://git.kernel.org/stable/c/72099f015d3c77bf2eb703d1aab113bd7a60915a"
        },
        {
          "url": "https://git.kernel.org/stable/c/756ca5e7ed22d9045bb4de4c981f9149278d5cd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/65fc57c8b8f0b31be62be291cb1bb01755cec85d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e813c95e4c8edd31599081e6356e20ada30e266d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3446beddba450c8d6f9aca2f028712ac527fead3"
        }
      ],
      "title": "PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46009",
    "datePublished": "2026-05-27T12:56:09.581Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:47:44.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46220 (GCVE-0-2026-46220)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:03

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread. Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace. The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it. (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)

References

URL

Tags

	https://git.kernel.org/stable/c/ecaa80318e900ca0c3f687742ede33b41cfd2f8e
	https://git.kernel.org/stable/c/25e7d56a39657d56d1ea6d78992f7ed15dedb412
	https://git.kernel.org/stable/c/d4c56932d29773e278be6a65a5384a36c95b89a4
	https://git.kernel.org/stable/c/4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe
	https://git.kernel.org/stable/c/d331fb241a4602253976ddd65144a8ba2b05665d
	https://git.kernel.org/stable/c/0b91ea46bb68abf98a082bf239092253bbd6aaa2
	https://git.kernel.org/stable/c/a4fd82fb0757c180bf622907397c528b89a827b2
	https://git.kernel.org/stable/c/78d2e624fa073c14970aa097adcf3ea31c157a66

Impacted products

Vendor

Product

Version

Version: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7
Version: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7
Version: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7
Version: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7
Version: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7
Version: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7
Version: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7
Version: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7

Version: 4.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ecaa80318e900ca0c3f687742ede33b41cfd2f8e",
              "status": "affected",
              "version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
              "versionType": "git"
            },
            {
              "lessThan": "25e7d56a39657d56d1ea6d78992f7ed15dedb412",
              "status": "affected",
              "version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
              "versionType": "git"
            },
            {
              "lessThan": "d4c56932d29773e278be6a65a5384a36c95b89a4",
              "status": "affected",
              "version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
              "versionType": "git"
            },
            {
              "lessThan": "4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe",
              "status": "affected",
              "version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
              "versionType": "git"
            },
            {
              "lessThan": "d331fb241a4602253976ddd65144a8ba2b05665d",
              "status": "affected",
              "version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
              "versionType": "git"
            },
            {
              "lessThan": "0b91ea46bb68abf98a082bf239092253bbd6aaa2",
              "status": "affected",
              "version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
              "versionType": "git"
            },
            {
              "lessThan": "a4fd82fb0757c180bf622907397c528b89a827b2",
              "status": "affected",
              "version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
              "versionType": "git"
            },
            {
              "lessThan": "78d2e624fa073c14970aa097adcf3ea31c157a66",
              "status": "affected",
              "version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission\n\nsdma_v4_0_ring_emit_fence() contains two BUG_ON(addr \u0026 0x3) assertions\nthat verify fence writeback addresses are dword-aligned.  These\nassertions can be reached from unprivileged userspace via crafted\nDRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a\nscheduler worker thread.\n\nReplace both BUG_ON() calls with WARN_ON() to log the condition without\ncrashing the kernel.  A misaligned fence address at this point indicates\na driver bug, but crashing the kernel is never the correct response when\nthe assertion is reachable from userspace.\n\nThe CS IOCTL path is the correct place to filter invalid submissions;\nthe ring emission callback is too late to do anything about it.\n\n(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:03:38.077Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ecaa80318e900ca0c3f687742ede33b41cfd2f8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/25e7d56a39657d56d1ea6d78992f7ed15dedb412"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4c56932d29773e278be6a65a5384a36c95b89a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/d331fb241a4602253976ddd65144a8ba2b05665d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b91ea46bb68abf98a082bf239092253bbd6aaa2"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4fd82fb0757c180bf622907397c528b89a827b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/78d2e624fa073c14970aa097adcf3ea31c157a66"
        }
      ],
      "title": "drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46220",
    "datePublished": "2026-05-28T09:40:35.971Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:03:38.077Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46145 (GCVE-0-2026-46145)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:57

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.

References

URL

Tags

	https://git.kernel.org/stable/c/7d7c9f0fcd19c4d2f0164347c58d49cafa961b72
	https://git.kernel.org/stable/c/11c1431d641e0e4e0529e96957995820600c7287
	https://git.kernel.org/stable/c/012796f9541fcd0c1fa8ae4da7eb4d83931ef838
	https://git.kernel.org/stable/c/7d94f155f354b961c598f71bafa804dceded513f
	https://git.kernel.org/stable/c/6dd2d4ad9c8429523b1c220c5132bd551c006425

Impacted products

Vendor

Product

Version

Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06

Version: 6.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mana/qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7d7c9f0fcd19c4d2f0164347c58d49cafa961b72",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "11c1431d641e0e4e0529e96957995820600c7287",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "012796f9541fcd0c1fa8ae4da7eb4d83931ef838",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "7d94f155f354b961c598f71bafa804dceded513f",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "6dd2d4ad9c8429523b1c220c5132bd551c006425",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mana/qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana: Validate rx_hash_key_len\n\nSashiko points out that rx_hash_key_len comes from a uAPI structure and is\nblindly passed to memcpy, allowing the userspace to trash kernel\nmemory. Bounds check it so the memcpy cannot overflow."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:57:54.214Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7d7c9f0fcd19c4d2f0164347c58d49cafa961b72"
        },
        {
          "url": "https://git.kernel.org/stable/c/11c1431d641e0e4e0529e96957995820600c7287"
        },
        {
          "url": "https://git.kernel.org/stable/c/012796f9541fcd0c1fa8ae4da7eb4d83931ef838"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d94f155f354b961c598f71bafa804dceded513f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6dd2d4ad9c8429523b1c220c5132bd551c006425"
        }
      ],
      "title": "RDMA/mana: Validate rx_hash_key_len",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46145",
    "datePublished": "2026-05-28T09:36:01.805Z",
    "dateReserved": "2026-05-13T15:03:33.100Z",
    "dateUpdated": "2026-06-14T17:57:54.214Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46119 (GCVE-0-2026-46119)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.

References

URL

Tags

	https://git.kernel.org/stable/c/c2374b92c729d0388a538b3cde7b3e3b5e55ef39
	https://git.kernel.org/stable/c/38fdf04c602d52c42c67fc1617211492753b7e8b
	https://git.kernel.org/stable/c/2ae0afd98432536562fa8261538ae795446f0589
	https://git.kernel.org/stable/c/408e85ee708b6aa03eeb0220ffa0915f4d407181
	https://git.kernel.org/stable/c/b7df9fbd4869fdfe09a3f501ffd228486521e062
	https://git.kernel.org/stable/c/8517b6c8d2c759918ba0058cb6c7e14d59643202
	https://git.kernel.org/stable/c/1c439de70b1c3eb3c6bffa8245c16b9fc318f114

Impacted products

Vendor

Product

Version

Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc

Version: 2.6.34

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/auth.c",
            "net/ceph/mon_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c2374b92c729d0388a538b3cde7b3e3b5e55ef39",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "38fdf04c602d52c42c67fc1617211492753b7e8b",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "2ae0afd98432536562fa8261538ae795446f0589",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "408e85ee708b6aa03eeb0220ffa0915f4d407181",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "b7df9fbd4869fdfe09a3f501ffd228486521e062",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "8517b6c8d2c759918ba0058cb6c7e14d59643202",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "1c439de70b1c3eb3c6bffa8245c16b9fc318f114",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/auth.c",
            "net/ceph/mon_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix slab-out-of-bounds access in auth message processing\n\nIf a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY\ncontains a positive value in its result field, it is treated as an\nerror code by ceph_handle_auth_reply() and returned to\nhandle_auth_reply(). Thereafter, an attempt is made to send the\npreallocated message of type CEPH_MSG_AUTH, where the returned value is\ninterpreted as the size of the front segment to send. If the result\nvalue in the message is greater than the size of the memory buffer\nallocated for the front segment, an out-of-bounds access occurs, and\nthe content of the memory region beyond this buffer is sent out.\n\nThis patch fixes the issue by treating only negative values in the\nresult field as errors. Positive values are therefore treated as success\nin the same way as a zero value. Additionally, a BUG_ON is added to\n__send_prepared_auth_request() comparing the len parameter to\nfront_alloc_len to prevent sending the message if it exceeds the bounds\nof the allocation and to make it easier to catch any logic flaws leading\nto this."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:49.923Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c2374b92c729d0388a538b3cde7b3e3b5e55ef39"
        },
        {
          "url": "https://git.kernel.org/stable/c/38fdf04c602d52c42c67fc1617211492753b7e8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ae0afd98432536562fa8261538ae795446f0589"
        },
        {
          "url": "https://git.kernel.org/stable/c/408e85ee708b6aa03eeb0220ffa0915f4d407181"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7df9fbd4869fdfe09a3f501ffd228486521e062"
        },
        {
          "url": "https://git.kernel.org/stable/c/8517b6c8d2c759918ba0058cb6c7e14d59643202"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c439de70b1c3eb3c6bffa8245c16b9fc318f114"
        }
      ],
      "title": "libceph: Fix slab-out-of-bounds access in auth message processing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46119",
    "datePublished": "2026-05-28T09:35:34.543Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:49.923Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46163 (GCVE-0-2026-46163)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: b43legacy: enforce bounds check on firmware key index in RX path Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[]. Make the check enforcing by dropping the frame for invalid indices.

References

URL

Tags

	https://git.kernel.org/stable/c/a92bd0503df2488f2cc040f329ebccff1c1934cb
	https://git.kernel.org/stable/c/df805c1d085b7a96077f0964185764c87060950d
	https://git.kernel.org/stable/c/4242db36de99de734cc1f60e5edd86cda7e598c6
	https://git.kernel.org/stable/c/1baaeb6adecb9691748c0253dab6ddd19a2b4e9e
	https://git.kernel.org/stable/c/6ee946077607d7783ae6709a899213fc4fe08f35
	https://git.kernel.org/stable/c/9d1bc155802943e92c57a5fb923d23edfbf0b525
	https://git.kernel.org/stable/c/fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5
	https://git.kernel.org/stable/c/a035766f970bde2d4298346a31a80685be5c0205

Impacted products

Vendor

Product

Version

Version: 75388acd0cd827dc1498043daa7d1c760902cd67
Version: 75388acd0cd827dc1498043daa7d1c760902cd67
Version: 75388acd0cd827dc1498043daa7d1c760902cd67
Version: 75388acd0cd827dc1498043daa7d1c760902cd67
Version: 75388acd0cd827dc1498043daa7d1c760902cd67
Version: 75388acd0cd827dc1498043daa7d1c760902cd67
Version: 75388acd0cd827dc1498043daa7d1c760902cd67
Version: 75388acd0cd827dc1498043daa7d1c760902cd67

Version: 2.6.24

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/b43legacy/xmit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a92bd0503df2488f2cc040f329ebccff1c1934cb",
              "status": "affected",
              "version": "75388acd0cd827dc1498043daa7d1c760902cd67",
              "versionType": "git"
            },
            {
              "lessThan": "df805c1d085b7a96077f0964185764c87060950d",
              "status": "affected",
              "version": "75388acd0cd827dc1498043daa7d1c760902cd67",
              "versionType": "git"
            },
            {
              "lessThan": "4242db36de99de734cc1f60e5edd86cda7e598c6",
              "status": "affected",
              "version": "75388acd0cd827dc1498043daa7d1c760902cd67",
              "versionType": "git"
            },
            {
              "lessThan": "1baaeb6adecb9691748c0253dab6ddd19a2b4e9e",
              "status": "affected",
              "version": "75388acd0cd827dc1498043daa7d1c760902cd67",
              "versionType": "git"
            },
            {
              "lessThan": "6ee946077607d7783ae6709a899213fc4fe08f35",
              "status": "affected",
              "version": "75388acd0cd827dc1498043daa7d1c760902cd67",
              "versionType": "git"
            },
            {
              "lessThan": "9d1bc155802943e92c57a5fb923d23edfbf0b525",
              "status": "affected",
              "version": "75388acd0cd827dc1498043daa7d1c760902cd67",
              "versionType": "git"
            },
            {
              "lessThan": "fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5",
              "status": "affected",
              "version": "75388acd0cd827dc1498043daa7d1c760902cd67",
              "versionType": "git"
            },
            {
              "lessThan": "a035766f970bde2d4298346a31a80685be5c0205",
              "status": "affected",
              "version": "75388acd0cd827dc1498043daa7d1c760902cd67",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/b43legacy/xmit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.24"
            },
            {
              "lessThan": "2.6.24",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: b43legacy: enforce bounds check on firmware key index in RX path\n\nSame fix as b43: the firmware-controlled key index in b43legacy_rx()\ncan exceed dev-\u003emax_nr_keys. The existing B43legacy_WARN_ON is\nnon-enforcing in production builds, allowing an out-of-bounds read of\ndev-\u003ekey[].\n\nMake the check enforcing by dropping the frame for invalid indices."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:59:18.913Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a92bd0503df2488f2cc040f329ebccff1c1934cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/df805c1d085b7a96077f0964185764c87060950d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4242db36de99de734cc1f60e5edd86cda7e598c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/1baaeb6adecb9691748c0253dab6ddd19a2b4e9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ee946077607d7783ae6709a899213fc4fe08f35"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d1bc155802943e92c57a5fb923d23edfbf0b525"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a035766f970bde2d4298346a31a80685be5c0205"
        }
      ],
      "title": "wifi: b43legacy: enforce bounds check on firmware key index in RX path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46163",
    "datePublished": "2026-05-28T09:36:18.946Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:59:18.913Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46234 (GCVE-0-2026-46234)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:04

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: vsock: fix buffer size clamping order In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint. This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size. Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.

References

URL

Tags

	https://git.kernel.org/stable/c/f6ec135941d2c1c2dbb87b5ce1783f4f6ac6ccca
	https://git.kernel.org/stable/c/caf11dfea5233a69298a1c448bbf8d1639c80536
	https://git.kernel.org/stable/c/01ef69785dc3162f588a361ab770b1e312800188
	https://git.kernel.org/stable/c/a998a7e250bf976539e05a00ec64a81292afecaa
	https://git.kernel.org/stable/c/310da27932dd0afe7ce7456dfe1f0814c3301f41
	https://git.kernel.org/stable/c/2602f7bb5818e92315feeaeb71d8ce4d5c9ab160
	https://git.kernel.org/stable/c/0b68881501460c3761f196469e1e503218c5e536
	https://git.kernel.org/stable/c/d114bfdc9b76bf93b881e195b7ec957c14227bab

Impacted products

Vendor

Product

Version

Version: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97
Version: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97
Version: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97
Version: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97
Version: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97
Version: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97
Version: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97
Version: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97

Version: 5.5

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f6ec135941d2c1c2dbb87b5ce1783f4f6ac6ccca",
              "status": "affected",
              "version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
              "versionType": "git"
            },
            {
              "lessThan": "caf11dfea5233a69298a1c448bbf8d1639c80536",
              "status": "affected",
              "version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
              "versionType": "git"
            },
            {
              "lessThan": "01ef69785dc3162f588a361ab770b1e312800188",
              "status": "affected",
              "version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
              "versionType": "git"
            },
            {
              "lessThan": "a998a7e250bf976539e05a00ec64a81292afecaa",
              "status": "affected",
              "version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
              "versionType": "git"
            },
            {
              "lessThan": "310da27932dd0afe7ce7456dfe1f0814c3301f41",
              "status": "affected",
              "version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
              "versionType": "git"
            },
            {
              "lessThan": "2602f7bb5818e92315feeaeb71d8ce4d5c9ab160",
              "status": "affected",
              "version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
              "versionType": "git"
            },
            {
              "lessThan": "0b68881501460c3761f196469e1e503218c5e536",
              "status": "affected",
              "version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
              "versionType": "git"
            },
            {
              "lessThan": "d114bfdc9b76bf93b881e195b7ec957c14227bab",
              "status": "affected",
              "version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix buffer size clamping order\n\nIn vsock_update_buffer_size(), the buffer size was being clamped to the\nmaximum first, and then to the minimum. If a user sets a minimum buffer\nsize larger than the maximum, the minimum check overrides the maximum\ncheck, inverting the constraint.\n\nThis breaks the intended socket memory boundaries by allowing the\nvsk-\u003ebuffer_size to grow beyond the configured vsk-\u003ebuffer_max_size.\n\nFix this by checking the minimum first, and then the maximum. This\nensures the buffer size never exceeds the buffer_max_size."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:40.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f6ec135941d2c1c2dbb87b5ce1783f4f6ac6ccca"
        },
        {
          "url": "https://git.kernel.org/stable/c/caf11dfea5233a69298a1c448bbf8d1639c80536"
        },
        {
          "url": "https://git.kernel.org/stable/c/01ef69785dc3162f588a361ab770b1e312800188"
        },
        {
          "url": "https://git.kernel.org/stable/c/a998a7e250bf976539e05a00ec64a81292afecaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/310da27932dd0afe7ce7456dfe1f0814c3301f41"
        },
        {
          "url": "https://git.kernel.org/stable/c/2602f7bb5818e92315feeaeb71d8ce4d5c9ab160"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b68881501460c3761f196469e1e503218c5e536"
        },
        {
          "url": "https://git.kernel.org/stable/c/d114bfdc9b76bf93b881e195b7ec957c14227bab"
        }
      ],
      "title": "vsock: fix buffer size clamping order",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46234",
    "datePublished": "2026-05-28T09:40:58.373Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:04:40.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46094 (GCVE-0-2026-46094)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access The bounds check for the next xattr entry in check_xattrs() uses (void *)next >= end, which allows next to point within sizeof(u32) bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4 bytes via *(__u32 *)(entry), which can overrun the valid xattr region. For example, if next lands at end - 1, the check passes since next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1, accessing 3 bytes beyond the valid region. Fix this by changing the check to (void *)next + sizeof(u32) > end, ensuring there is always enough space for the IS_LAST_ENTRY() read on the subsequent iteration.

References

URL

Tags

	https://git.kernel.org/stable/c/ab6da97bc310db35d4e4ef5354bc3ff626b0698c
	https://git.kernel.org/stable/c/5a5314d2387633a272a04d1bd8727f99058e4e68
	https://git.kernel.org/stable/c/537e065977022aa22f2c2503e8accaf16622e0fd
	https://git.kernel.org/stable/c/520986722dbf869c122252123fc161c7302eab7d
	https://git.kernel.org/stable/c/eceafc31ea7b42c984ece10d79d505c0bb6615d5

Impacted products

Vendor

Product

Version

Version: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e
Version: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e
Version: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e
Version: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e
Version: 3478c83cf26bbffd026ae6a56bcb1fe544f0834e

Version: 6.3

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ab6da97bc310db35d4e4ef5354bc3ff626b0698c",
              "status": "affected",
              "version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
              "versionType": "git"
            },
            {
              "lessThan": "5a5314d2387633a272a04d1bd8727f99058e4e68",
              "status": "affected",
              "version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
              "versionType": "git"
            },
            {
              "lessThan": "537e065977022aa22f2c2503e8accaf16622e0fd",
              "status": "affected",
              "version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
              "versionType": "git"
            },
            {
              "lessThan": "520986722dbf869c122252123fc161c7302eab7d",
              "status": "affected",
              "version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
              "versionType": "git"
            },
            {
              "lessThan": "eceafc31ea7b42c984ece10d79d505c0bb6615d5",
              "status": "affected",
              "version": "3478c83cf26bbffd026ae6a56bcb1fe544f0834e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bounds check in check_xattrs() to prevent out-of-bounds access\n\nThe bounds check for the next xattr entry in check_xattrs() uses\n(void *)next \u003e= end, which allows next to point within sizeof(u32)\nbytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4\nbytes via *(__u32 *)(entry), which can overrun the valid xattr region.\n\nFor example, if next lands at end - 1, the check passes since\nnext \u003c end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1,\naccessing 3 bytes beyond the valid region.\n\nFix this by changing the check to (void *)next + sizeof(u32) \u003e end,\nensuring there is always enough space for the IS_LAST_ENTRY() read\non the subsequent iteration."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:57.266Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ab6da97bc310db35d4e4ef5354bc3ff626b0698c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a5314d2387633a272a04d1bd8727f99058e4e68"
        },
        {
          "url": "https://git.kernel.org/stable/c/537e065977022aa22f2c2503e8accaf16622e0fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/520986722dbf869c122252123fc161c7302eab7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/eceafc31ea7b42c984ece10d79d505c0bb6615d5"
        }
      ],
      "title": "ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46094",
    "datePublished": "2026-05-27T12:58:45.304Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-06-14T17:53:57.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46049 (GCVE-0-2026-46049)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:50

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Add fallback to default RSR for S/PDIF spdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR for the MSR calculation loop. However, pll_rate is only updated in atc_pll_init() and not in hw_pll_init(), so it remains 0 after the card init. When spdif_passthru_playback_setup() skips atc_pll_init() for 32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin indefinitely. Add fallback to use atc->rsr when atc->pll_rate is 0. This reflects the hardware state, since hw_card_init() already configures the PLL to the default RSR.

References

URL

Tags

	https://git.kernel.org/stable/c/d0b53842211f73a10ea174100a213f7fa14b9f33
	https://git.kernel.org/stable/c/615b7a5e5d8be68d52f262579906f7e015ba4606
	https://git.kernel.org/stable/c/dfc00979ff00d9dfdfa1df32144a272ee2728102
	https://git.kernel.org/stable/c/25ded535ee261161bcf19dafd525c542e606559d
	https://git.kernel.org/stable/c/30f9494c6f2b53a78822cfb653ffbb1d092d44c8
	https://git.kernel.org/stable/c/09496158f6ebba8830593f8972035c02f97124c1
	https://git.kernel.org/stable/c/95b1ee8442cabbde83b2848e7c6100df90f3a00d
	https://git.kernel.org/stable/c/7d61662197ecdc458e33e475b6ada7f6da61d364

Impacted products

Vendor

Product

Version

Version: 8cc72361481f00253f1e468ade5795427386d593
Version: 8cc72361481f00253f1e468ade5795427386d593
Version: 8cc72361481f00253f1e468ade5795427386d593
Version: 8cc72361481f00253f1e468ade5795427386d593
Version: 8cc72361481f00253f1e468ade5795427386d593
Version: 8cc72361481f00253f1e468ade5795427386d593
Version: 8cc72361481f00253f1e468ade5795427386d593
Version: 8cc72361481f00253f1e468ade5795427386d593

Version: 2.6.31

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/pci/ctxfi/ctatc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d0b53842211f73a10ea174100a213f7fa14b9f33",
              "status": "affected",
              "version": "8cc72361481f00253f1e468ade5795427386d593",
              "versionType": "git"
            },
            {
              "lessThan": "615b7a5e5d8be68d52f262579906f7e015ba4606",
              "status": "affected",
              "version": "8cc72361481f00253f1e468ade5795427386d593",
              "versionType": "git"
            },
            {
              "lessThan": "dfc00979ff00d9dfdfa1df32144a272ee2728102",
              "status": "affected",
              "version": "8cc72361481f00253f1e468ade5795427386d593",
              "versionType": "git"
            },
            {
              "lessThan": "25ded535ee261161bcf19dafd525c542e606559d",
              "status": "affected",
              "version": "8cc72361481f00253f1e468ade5795427386d593",
              "versionType": "git"
            },
            {
              "lessThan": "30f9494c6f2b53a78822cfb653ffbb1d092d44c8",
              "status": "affected",
              "version": "8cc72361481f00253f1e468ade5795427386d593",
              "versionType": "git"
            },
            {
              "lessThan": "09496158f6ebba8830593f8972035c02f97124c1",
              "status": "affected",
              "version": "8cc72361481f00253f1e468ade5795427386d593",
              "versionType": "git"
            },
            {
              "lessThan": "95b1ee8442cabbde83b2848e7c6100df90f3a00d",
              "status": "affected",
              "version": "8cc72361481f00253f1e468ade5795427386d593",
              "versionType": "git"
            },
            {
              "lessThan": "7d61662197ecdc458e33e475b6ada7f6da61d364",
              "status": "affected",
              "version": "8cc72361481f00253f1e468ade5795427386d593",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/pci/ctxfi/ctatc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.31"
            },
            {
              "lessThan": "2.6.31",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Add fallback to default RSR for S/PDIF\n\nspdif_passthru_playback_get_resources() uses atc-\u003epll_rate as the RSR\nfor the MSR calculation loop. However, pll_rate is only updated in\natc_pll_init() and not in hw_pll_init(), so it remains 0 after the\ncard init.\n\nWhen spdif_passthru_playback_setup() skips atc_pll_init() for\n32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin\nindefinitely.\n\nAdd fallback to use atc-\u003ersr when atc-\u003epll_rate is 0. This reflects\nthe hardware state, since hw_card_init() already configures the PLL\nto the default RSR."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:38.717Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d0b53842211f73a10ea174100a213f7fa14b9f33"
        },
        {
          "url": "https://git.kernel.org/stable/c/615b7a5e5d8be68d52f262579906f7e015ba4606"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfc00979ff00d9dfdfa1df32144a272ee2728102"
        },
        {
          "url": "https://git.kernel.org/stable/c/25ded535ee261161bcf19dafd525c542e606559d"
        },
        {
          "url": "https://git.kernel.org/stable/c/30f9494c6f2b53a78822cfb653ffbb1d092d44c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/09496158f6ebba8830593f8972035c02f97124c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/95b1ee8442cabbde83b2848e7c6100df90f3a00d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d61662197ecdc458e33e475b6ada7f6da61d364"
        }
      ],
      "title": "ALSA: ctxfi: Add fallback to default RSR for S/PDIF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46049",
    "datePublished": "2026-05-27T12:57:05.761Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:38.717Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46108 (GCVE-0-2026-46108)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipmi:si: Return state to normal if message allocation fails There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.

References

URL

Tags

	https://git.kernel.org/stable/c/c204fab7f76a055eac346e3b1a75c6b4bb99600e
	https://git.kernel.org/stable/c/ab48817aebe4d831f87d4da6f94f50498c130d9e
	https://git.kernel.org/stable/c/9c6ded95ac6281e390d167637ccbde6cea2ba1ae
	https://git.kernel.org/stable/c/ce905b65e649eee378a0f37e8219f1d70efb3007
	https://git.kernel.org/stable/c/88881dc1da86064f479378bc9d0a4956c3d0bb12
	https://git.kernel.org/stable/c/bc13fce9eeec88c4950924754c3347c6dc66ff4c
	https://git.kernel.org/stable/c/ba60140d4133231b49185ac8bf6e54f318d3134e
	https://git.kernel.org/stable/c/09dd798270ff582d7309f285d4aaf5dbebae01cb

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmi_si_intf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c204fab7f76a055eac346e3b1a75c6b4bb99600e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ab48817aebe4d831f87d4da6f94f50498c130d9e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9c6ded95ac6281e390d167637ccbde6cea2ba1ae",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ce905b65e649eee378a0f37e8219f1d70efb3007",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "88881dc1da86064f479378bc9d0a4956c3d0bb12",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bc13fce9eeec88c4950924754c3347c6dc66ff4c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ba60140d4133231b49185ac8bf6e54f318d3134e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "09dd798270ff582d7309f285d4aaf5dbebae01cb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmi_si_intf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:si: Return state to normal if message allocation fails\n\nThere were places where nothing would get started if a message\nallocation failed, so the driver needs to return to normal state."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:01.962Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c204fab7f76a055eac346e3b1a75c6b4bb99600e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab48817aebe4d831f87d4da6f94f50498c130d9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c6ded95ac6281e390d167637ccbde6cea2ba1ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce905b65e649eee378a0f37e8219f1d70efb3007"
        },
        {
          "url": "https://git.kernel.org/stable/c/88881dc1da86064f479378bc9d0a4956c3d0bb12"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc13fce9eeec88c4950924754c3347c6dc66ff4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba60140d4133231b49185ac8bf6e54f318d3134e"
        },
        {
          "url": "https://git.kernel.org/stable/c/09dd798270ff582d7309f285d4aaf5dbebae01cb"
        }
      ],
      "title": "ipmi:si: Return state to normal if message allocation fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46108",
    "datePublished": "2026-05-28T09:35:14.978Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:01.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46026 (GCVE-0-2026-46026)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum number of lookups Current code does no bound checking on the number of lookups a client can perform. Though the code restricts the lookups to local clients, there is still a possibility of a malicious local client sending a flood of NEW_LOOKUP messages over the same socket. Fix this issue by limiting the maximum number of lookups to 64 globally. Since the nameserver allows only atmost one local observer, this global lookup count will ensure that the lookups stay within the limit. Note that, limit of 64 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.

References

URL

Tags

	https://git.kernel.org/stable/c/0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3
	https://git.kernel.org/stable/c/76adf8f69b0bb3ab20be7c58f5d555027332d113
	https://git.kernel.org/stable/c/20855cef7e659ef84ac73251256fa530819b2346
	https://git.kernel.org/stable/c/2b930bc77e00cb27e1d6e1d497b3b596283465ef
	https://git.kernel.org/stable/c/5640227d9a21c6a8be249a10677b832e7f40dc55

Impacted products

Vendor

Product

Version

Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd

Version: 5.7

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "76adf8f69b0bb3ab20be7c58f5d555027332d113",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "20855cef7e659ef84ac73251256fa530819b2346",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "2b930bc77e00cb27e1d6e1d497b3b596283465ef",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "5640227d9a21c6a8be249a10677b832e7f40dc55",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Limit the maximum number of lookups\n\nCurrent code does no bound checking on the number of lookups a client can\nperform. Though the code restricts the lookups to local clients, there is\nstill a possibility of a malicious local client sending a flood of\nNEW_LOOKUP messages over the same socket.\n\nFix this issue by limiting the maximum number of lookups to 64 globally.\nSince the nameserver allows only atmost one local observer, this global\nlookup count will ensure that the lookups stay within the limit.\n\nNote that, limit of 64 is chosen based on the current platform\nrequirements. If requirement changes in the future, this limit can be\nincreased."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:53.618Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3"
        },
        {
          "url": "https://git.kernel.org/stable/c/76adf8f69b0bb3ab20be7c58f5d555027332d113"
        },
        {
          "url": "https://git.kernel.org/stable/c/20855cef7e659ef84ac73251256fa530819b2346"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b930bc77e00cb27e1d6e1d497b3b596283465ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/5640227d9a21c6a8be249a10677b832e7f40dc55"
        }
      ],
      "title": "net: qrtr: ns: Limit the maximum number of lookups",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46026",
    "datePublished": "2026-05-27T12:56:32.596Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-06-14T17:48:53.618Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46115 (GCVE-0-2026-46115)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.

References

URL

Tags

	https://git.kernel.org/stable/c/3d2ecbd444b01d6500671d1a582b7393943cf539
	https://git.kernel.org/stable/c/a7f3aa8c9df3905fe820ae36b67ba56b81587574
	https://git.kernel.org/stable/c/f17d521075325b8afc42d1baa1c28a5e9aca111f
	https://git.kernel.org/stable/c/f632dab4b841554cd6416058c61886d7db176581
	https://git.kernel.org/stable/c/13920e4b7b784b40cf4519ff1f0f3e513476a499

Impacted products

Vendor

Product

Version

Version: 49580e690755d0e51ed7aa2c33225dd884fa738a
Version: 49580e690755d0e51ed7aa2c33225dd884fa738a
Version: 49580e690755d0e51ed7aa2c33225dd884fa738a
Version: 49580e690755d0e51ed7aa2c33225dd884fa738a
Version: 49580e690755d0e51ed7aa2c33225dd884fa738a

Version: 6.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3d2ecbd444b01d6500671d1a582b7393943cf539",
              "status": "affected",
              "version": "49580e690755d0e51ed7aa2c33225dd884fa738a",
              "versionType": "git"
            },
            {
              "lessThan": "a7f3aa8c9df3905fe820ae36b67ba56b81587574",
              "status": "affected",
              "version": "49580e690755d0e51ed7aa2c33225dd884fa738a",
              "versionType": "git"
            },
            {
              "lessThan": "f17d521075325b8afc42d1baa1c28a5e9aca111f",
              "status": "affected",
              "version": "49580e690755d0e51ed7aa2c33225dd884fa738a",
              "versionType": "git"
            },
            {
              "lessThan": "f632dab4b841554cd6416058c61886d7db176581",
              "status": "affected",
              "version": "49580e690755d0e51ed7aa2c33225dd884fa738a",
              "versionType": "git"
            },
            {
              "lessThan": "13920e4b7b784b40cf4519ff1f0f3e513476a499",
              "status": "affected",
              "version": "49580e690755d0e51ed7aa2c33225dd884fa738a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: add pgmap check to biovec_phys_mergeable\n\nbiovec_phys_mergeable() is used by the request merge, DMA mapping,\nand integrity merge paths to decide if two physically contiguous\nbvec segments can be coalesced into one. It currently has no check\nfor whether the segments belong to different dev_pagemaps.\n\nWhen zone device memory is registered in multiple chunks, each chunk\ngets its own dev_pagemap. A single bio can legitimately contain\nbvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at\npgmap boundaries but the outer loop in bio_iov_iter_get_pages()\ncontinues filling the same bio. If such bvecs are physically\ncontiguous, biovec_phys_mergeable() will coalesce them, making it\nimpossible to recover the correct pgmap for the merged segment\nvia page_pgmap().\n\nAdd a zone_device_pages_have_same_pgmap() check to prevent merging\nbvec segments that span different pgmaps."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:32.974Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3d2ecbd444b01d6500671d1a582b7393943cf539"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7f3aa8c9df3905fe820ae36b67ba56b81587574"
        },
        {
          "url": "https://git.kernel.org/stable/c/f17d521075325b8afc42d1baa1c28a5e9aca111f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f632dab4b841554cd6416058c61886d7db176581"
        },
        {
          "url": "https://git.kernel.org/stable/c/13920e4b7b784b40cf4519ff1f0f3e513476a499"
        }
      ],
      "title": "block: add pgmap check to biovec_phys_mergeable",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46115",
    "datePublished": "2026-05-28T09:35:26.735Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:32.974Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46149 (GCVE-0-2026-46149)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:58

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered. Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.

References

URL

Tags

	https://git.kernel.org/stable/c/d3cc9d490c207d57a289054397349f6f8c90354e
	https://git.kernel.org/stable/c/db0a4759d62cad4ff891e2d81ae4be73bb57f4a4
	https://git.kernel.org/stable/c/12f2201a56957ba020392223a7393a5eba080c1b
	https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c
	https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e
	https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d
	https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7
	https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552

Impacted products

Vendor

Product

Version

Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5
Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5
Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5
Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5
Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5
Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5
Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5
Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5

Version: 2.6.38

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45471

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/target/target_core_configfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d3cc9d490c207d57a289054397349f6f8c90354e",
              "status": "affected",
              "version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
              "versionType": "git"
            },
            {
              "lessThan": "db0a4759d62cad4ff891e2d81ae4be73bb57f4a4",
              "status": "affected",
              "version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
              "versionType": "git"
            },
            {
              "lessThan": "12f2201a56957ba020392223a7393a5eba080c1b",
              "status": "affected",
              "version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
              "versionType": "git"
            },
            {
              "lessThan": "1f678d13e939f91840cb1ebe9b88544923539d3c",
              "status": "affected",
              "version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
              "versionType": "git"
            },
            {
              "lessThan": "72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e",
              "status": "affected",
              "version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
              "versionType": "git"
            },
            {
              "lessThan": "00d91bfdce5033f5d9b4915638ae9b0553848b5d",
              "status": "affected",
              "version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
              "versionType": "git"
            },
            {
              "lessThan": "e501154f9d82c95d2719bcbbaf679d8fd3226ef7",
              "status": "affected",
              "version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
              "versionType": "git"
            },
            {
              "lessThan": "772a896a56e0e3ef9424a025cec9176f9d8f4552",
              "status": "affected",
              "version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/target/target_core_configfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer.  snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes.  The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:58:10.899Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d3cc9d490c207d57a289054397349f6f8c90354e"
        },
        {
          "url": "https://git.kernel.org/stable/c/db0a4759d62cad4ff891e2d81ae4be73bb57f4a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/12f2201a56957ba020392223a7393a5eba080c1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e"
        },
        {
          "url": "https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7"
        },
        {
          "url": "https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552"
        }
      ],
      "title": "scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46149",
    "datePublished": "2026-05-28T09:36:05.706Z",
    "dateReserved": "2026-05-13T15:03:33.101Z",
    "dateUpdated": "2026-06-14T17:58:10.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45471 (GCVE-0-2026-45471)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-822 - Untrusted Pointer Dereference

Summary

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office 365 for Mac	Version: -
Microsoft	Microsoft Office LTSC 2021	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC 2024	Version: 16.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC for Mac 2021	Version: -
Microsoft	Microsoft Office LTSC for Mac 2024	Version: -
Microsoft	Microsoft SharePoint Enterprise Server 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384
Microsoft	Microsoft Word 2016	Version: 16.0.1 < 16.0.5556.1000

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45471",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:21.698686Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:32:44.387Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office 365 for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Word 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1000",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.5556.1000",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-822",
              "description": "CWE-822: Untrusted Pointer Dereference",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:06.766Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Word Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45471"
        }
      ],
      "title": "Microsoft Word Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45471",
    "datePublished": "2026-06-09T17:04:22.724Z",
    "dateReserved": "2026-05-12T16:06:43.099Z",
    "dateUpdated": "2026-06-16T18:17:06.766Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46131 (GCVE-0-2026-46131)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: check for nEPT/nNPT in slow flush hypercalls Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.

References

URL

Tags

	https://git.kernel.org/stable/c/971f17f5d91045404e3914029ea57c3da90179a4
	https://git.kernel.org/stable/c/45fc766bc756ff1d66f8ca026a9c4f7f764adfae
	https://git.kernel.org/stable/c/d6f4e217d663ede5becc2fd6cb612c749677387b
	https://git.kernel.org/stable/c/4c7f8436b19a2a3acc0cb6b6e3becd6796ae5c57
	https://git.kernel.org/stable/c/464af6fc2b1dcc74005b7f58ee3812b17777efee

Impacted products

Vendor

Product

Version

Version: aee738236dca0d0870789138ec494e15d6303566
Version: aee738236dca0d0870789138ec494e15d6303566
Version: aee738236dca0d0870789138ec494e15d6303566
Version: aee738236dca0d0870789138ec494e15d6303566
Version: aee738236dca0d0870789138ec494e15d6303566

Version: 6.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/hyperv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "971f17f5d91045404e3914029ea57c3da90179a4",
              "status": "affected",
              "version": "aee738236dca0d0870789138ec494e15d6303566",
              "versionType": "git"
            },
            {
              "lessThan": "45fc766bc756ff1d66f8ca026a9c4f7f764adfae",
              "status": "affected",
              "version": "aee738236dca0d0870789138ec494e15d6303566",
              "versionType": "git"
            },
            {
              "lessThan": "d6f4e217d663ede5becc2fd6cb612c749677387b",
              "status": "affected",
              "version": "aee738236dca0d0870789138ec494e15d6303566",
              "versionType": "git"
            },
            {
              "lessThan": "4c7f8436b19a2a3acc0cb6b6e3becd6796ae5c57",
              "status": "affected",
              "version": "aee738236dca0d0870789138ec494e15d6303566",
              "versionType": "git"
            },
            {
              "lessThan": "464af6fc2b1dcc74005b7f58ee3812b17777efee",
              "status": "affected",
              "version": "aee738236dca0d0870789138ec494e15d6303566",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/hyperv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: check for nEPT/nNPT in slow flush hypercalls\n\nChecking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa()\nis only valid if an L2 guest is running *with nested EPT/NPT enabled*.\nInstead use the same condition as translate_nested_gpa() itself."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:46.141Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/971f17f5d91045404e3914029ea57c3da90179a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/45fc766bc756ff1d66f8ca026a9c4f7f764adfae"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6f4e217d663ede5becc2fd6cb612c749677387b"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c7f8436b19a2a3acc0cb6b6e3becd6796ae5c57"
        },
        {
          "url": "https://git.kernel.org/stable/c/464af6fc2b1dcc74005b7f58ee3812b17777efee"
        }
      ],
      "title": "KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46131",
    "datePublished": "2026-05-28T09:35:46.220Z",
    "dateReserved": "2026-05-13T15:03:33.099Z",
    "dateUpdated": "2026-06-14T17:56:46.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46047 (GCVE-0-2026-46047)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:50

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Fix use-after-free in driver remove() In the remove callback, if a packet arrives after destroy_workqueue() is called, but before sock_release(), the qrtr_ns_data_ready() callback will try to queue the work, causing use-after-free issue. Fix this issue by saving the default 'sk_data_ready' callback during qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at the start of remove(). This ensures that even if a packet arrives after destroy_workqueue(), the work struct will not be dereferenced. Note that it is also required to ensure that the RX threads are completed before destroying the workqueue, because the threads could be using the qrtr_ns_data_ready() callback.

References

URL

Tags

	https://git.kernel.org/stable/c/65168712c216584ff482a7d1a67589f2079b2634
	https://git.kernel.org/stable/c/dff081c3602f2fd810f69ef47945a226980dd05d
	https://git.kernel.org/stable/c/4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167
	https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4
	https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8
	https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f
	https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae
	https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb

Impacted products

Vendor

Product

Version

Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd

Version: 5.7

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "65168712c216584ff482a7d1a67589f2079b2634",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "dff081c3602f2fd810f69ef47945a226980dd05d",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "0f313eb6a8f6dffa491373cf3afab979fa1c02f4",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "db3c60ec772de30acae92d560dfcc5258e58dbe8",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "2e127ceb1c415e246076d8e09e23e443a7a2038f",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "f96779e916576e81430ebb326baff6e433fef8ae",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "7809fea20c9404bfcfa6112ec08d1fe1d3520beb",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Fix use-after-free in driver remove()\n\nIn the remove callback, if a packet arrives after destroy_workqueue() is\ncalled, but before sock_release(), the qrtr_ns_data_ready() callback will\ntry to queue the work, causing use-after-free issue.\n\nFix this issue by saving the default \u0027sk_data_ready\u0027 callback during\nqrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at\nthe start of remove(). This ensures that even if a packet arrives after\ndestroy_workqueue(), the work struct will not be dereferenced.\n\nNote that it is also required to ensure that the RX threads are completed\nbefore destroying the workqueue, because the threads could be using the\nqrtr_ns_data_ready() callback."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:30.115Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/65168712c216584ff482a7d1a67589f2079b2634"
        },
        {
          "url": "https://git.kernel.org/stable/c/dff081c3602f2fd810f69ef47945a226980dd05d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb"
        }
      ],
      "title": "net: qrtr: ns: Fix use-after-free in driver remove()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46047",
    "datePublished": "2026-05-27T12:57:03.471Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:30.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46156 (GCVE-0-2026-46156)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the "device" is from "base+PCI_DEVICE_ID", "base" is from "pdev->devfn+1". This is wrong when my platform inserts a discrete GPU: lspci -tv -[0000:00]-+-00.0 Loongson Technology LLC Hyper Transport Bridge Controller ... +-06.0 Loongson Technology LLC LG100 GPU +-06.2 Loongson Technology LLC Device 7a37 ... Add a default switch case to fix the panic as below: Kernel ade access[#1]: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4 pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0 a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002 a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001 t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000 t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0 t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8 s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000 s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000 ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210 ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000000 (-FPE -SXE -ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1) BADV: 7fffffffffffff00 PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV) Modules linked in: Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____)) Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007 0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff 900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08 0000000000000000 0000000000000000 0000000000000006 90000001002fb778 90000001000530b8 90000000027af000 0000000000000000 9000000100054000 9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001 90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000 0000000000000006 90000000027af000 0000000000000030 90000000027af000 900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560 7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030 ... Call Trace: [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210 [<9000000000eebc08>] pci_fixup_device+0x108/0x280 [<9000000000ebb70c>] pci_setup_device+0x24c/0x690 [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140 [<9000000000ebc684>] pci_scan_slot+0xc4/0x280 [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0 [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420 [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440 [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0 [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0 [<90000000010e200c>] device_for_each_child+0x6c/0xe0 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0 [<90000000010e200c>] device_for_each_child+0x6c/0xe0 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0 [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280 [<900000000189c028>] acpi_scan_init+0x194/0x310 [<900000000189bc6c>] acpi_init+0xcc/0x140 [<9000000000220cdc>] do_one_initcall+0x4c/0x310 [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4 [<900000000184326c>] kernel_init+0x28/0x13c [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4

References

URL

Tags

	https://git.kernel.org/stable/c/bfde8accc3e3260c0ecbb8cc34361739e1e16f31
	https://git.kernel.org/stable/c/07d190e4ec689d6478f7f5e36099fb9bf457e7c5
	https://git.kernel.org/stable/c/2cb19b06c09983727573bbe7d7430cbad480a714
	https://git.kernel.org/stable/c/9e1aed63a5552958ef2a9bfd699a3f990e52a77f
	https://git.kernel.org/stable/c/81fef1c278436e6bd68ee4ca05a0acb96e256561
	https://git.kernel.org/stable/c/8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e

Impacted products

Vendor

Product

Version

Version: a31da4d5d1fc29d92d2410c60e1ca298b02a6528
Version: f458dceaa6a35f89180ebd14484983d8e79ecd10
Version: 151ba1721ac50765e16d293256389ef14553b46e
Version: 70fb63c5d36cc02eaf336b87ac6a82e657f832a4
Version: 95db0c9f526d583634cddb2e5914718570fbac87
Version: 95db0c9f526d583634cddb2e5914718570fbac87
Version: 3446dd359ba9a6ce5a1ca389c0d48c434d3cc915
Version: 6.1.168   ≤
Version: 6.6.131   ≤
Version: 6.12.80   ≤
Version: 6.18.21   ≤
Version: 6.19.11   ≤

Version: 7.0

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/loongarch/pci/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bfde8accc3e3260c0ecbb8cc34361739e1e16f31",
              "status": "affected",
              "version": "a31da4d5d1fc29d92d2410c60e1ca298b02a6528",
              "versionType": "git"
            },
            {
              "lessThan": "07d190e4ec689d6478f7f5e36099fb9bf457e7c5",
              "status": "affected",
              "version": "f458dceaa6a35f89180ebd14484983d8e79ecd10",
              "versionType": "git"
            },
            {
              "lessThan": "2cb19b06c09983727573bbe7d7430cbad480a714",
              "status": "affected",
              "version": "151ba1721ac50765e16d293256389ef14553b46e",
              "versionType": "git"
            },
            {
              "lessThan": "9e1aed63a5552958ef2a9bfd699a3f990e52a77f",
              "status": "affected",
              "version": "70fb63c5d36cc02eaf336b87ac6a82e657f832a4",
              "versionType": "git"
            },
            {
              "lessThan": "81fef1c278436e6bd68ee4ca05a0acb96e256561",
              "status": "affected",
              "version": "95db0c9f526d583634cddb2e5914718570fbac87",
              "versionType": "git"
            },
            {
              "lessThan": "8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e",
              "status": "affected",
              "version": "95db0c9f526d583634cddb2e5914718570fbac87",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3446dd359ba9a6ce5a1ca389c0d48c434d3cc915",
              "versionType": "git"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.131",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.88",
              "status": "affected",
              "version": "6.12.80",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.30",
              "status": "affected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThan": "6.20",
              "status": "affected",
              "version": "6.19.11",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/loongarch/pci/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "7.0"
            },
            {
              "lessThan": "7.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.168",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.131",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.12.80",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.18.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.19.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()\n\nThe switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and\nreadl(crtc_reg) will access with random address, because the \"device\" is\nfrom \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev-\u003edevfn+1\". This is wrong\nwhen my platform inserts a discrete GPU:\n\nlspci -tv\n-[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller\n...\n           +-06.0  Loongson Technology LLC LG100 GPU\n           +-06.2  Loongson Technology LLC Device 7a37\n...\n\nAdd a default switch case to fix the panic as below:\n\n Kernel ade access[#1]:\n CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4\n pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0\n a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002\n a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001\n t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000\n t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0\n t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8\n s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000\n s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000\n    ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210\n   ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210\n  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n  PRMD: 00000004 (PPLV0 +PIE -PWE)\n  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n  ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)\n  BADV: 7fffffffffffff00\n  PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)\n Modules linked in:\n Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))\n Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007\n         0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff\n         900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08\n         0000000000000000 0000000000000000 0000000000000006 90000001002fb778\n         90000001000530b8 90000000027af000 0000000000000000 9000000100054000\n         9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001\n         90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000\n         0000000000000006 90000000027af000 0000000000000030 90000000027af000\n         900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560\n         7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030\n         ...\n Call Trace:\n [\u003c90000000017e5534\u003e] loongson_gpu_fixup_dma_hang+0xb4/0x210\n [\u003c9000000000eebc08\u003e] pci_fixup_device+0x108/0x280\n [\u003c9000000000ebb70c\u003e] pci_setup_device+0x24c/0x690\n [\u003c9000000000ebc560\u003e] pci_scan_single_device+0xe0/0x140\n [\u003c9000000000ebc684\u003e] pci_scan_slot+0xc4/0x280\n [\u003c9000000000ebdd00\u003e] pci_scan_child_bus_extend+0x60/0x3f0\n [\u003c9000000000f5bc94\u003e] acpi_pci_root_create+0x2b4/0x420\n [\u003c90000000017e5e74\u003e] pci_acpi_scan_root+0x2d4/0x440\n [\u003c9000000000f5b02c\u003e] acpi_pci_root_add+0x21c/0x3a0\n [\u003c9000000000f4ee54\u003e] acpi_bus_attach+0x1a4/0x3c0\n [\u003c90000000010e200c\u003e] device_for_each_child+0x6c/0xe0\n [\u003c9000000000f4bbf4\u003e] acpi_dev_for_each_child+0x44/0x70\n [\u003c9000000000f4ef40\u003e] acpi_bus_attach+0x290/0x3c0\n [\u003c90000000010e200c\u003e] device_for_each_child+0x6c/0xe0\n [\u003c9000000000f4bbf4\u003e] acpi_dev_for_each_child+0x44/0x70\n [\u003c9000000000f4ef40\u003e] acpi_bus_attach+0x290/0x3c0\n [\u003c9000000000f5211c\u003e] acpi_bus_scan+0x6c/0x280\n [\u003c900000000189c028\u003e] acpi_scan_init+0x194/0x310\n [\u003c900000000189bc6c\u003e] acpi_init+0xcc/0x140\n [\u003c9000000000220cdc\u003e] do_one_initcall+0x4c/0x310\n [\u003c90000000018618fc\u003e] kernel_init_freeable+0x258/0x2d4\n [\u003c900000000184326c\u003e] kernel_init+0x28/0x13c\n [\u003c9000000000222008\u003e] ret_from_kernel_thread+0xc/0xa4"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:58:44.149Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bfde8accc3e3260c0ecbb8cc34361739e1e16f31"
        },
        {
          "url": "https://git.kernel.org/stable/c/07d190e4ec689d6478f7f5e36099fb9bf457e7c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cb19b06c09983727573bbe7d7430cbad480a714"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e1aed63a5552958ef2a9bfd699a3f990e52a77f"
        },
        {
          "url": "https://git.kernel.org/stable/c/81fef1c278436e6bd68ee4ca05a0acb96e256561"
        },
        {
          "url": "https://git.kernel.org/stable/c/8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e"
        }
      ],
      "title": "LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46156",
    "datePublished": "2026-05-28T09:36:12.075Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:58:44.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46133 (GCVE-0-2026-46133)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject unknown opcodes before ICRC processing Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver. The check added there reads pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload. Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after rdma link add rxe0 type rxe netdev eth0 A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers: BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32_le+0x115/0x170 rxe_icrc_hdr.isra.0+0x226/0x300 rxe_icrc_check+0x13f/0x3a0 rxe_rcv+0x6e1/0x16e0 rxe_udp_encap_recv+0x20a/0x320 udp_queue_rcv_one_skb+0x7ed/0x12c0 Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication. Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.

References

URL

Tags

	https://git.kernel.org/stable/c/318787fa7193bd79691f2ebce4e80cb6abd0faef
	https://git.kernel.org/stable/c/6a79b1ea0fcb2c998fda6a793050f66146e9cc42
	https://git.kernel.org/stable/c/599cfdf44c1701c581cd4a21f1e1e03f8dc3840b
	https://git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189
	https://git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983
	https://git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733
	https://git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7
	https://git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a

Impacted products

Vendor

Product

Version

Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76

Version: 4.8

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47298

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_recv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "318787fa7193bd79691f2ebce4e80cb6abd0faef",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "6a79b1ea0fcb2c998fda6a793050f66146e9cc42",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "599cfdf44c1701c581cd4a21f1e1e03f8dc3840b",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "e3dc3a2fb05f4ed49c7f20594c4c52350d032189",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "f8ee926431a7bbec2b10c1290664af2cb290b983",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "006a3a5f75345c6a0dbf13fd3ee01406e93b6733",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "6fa18025e5782afff91415fd5217b39c1e4837d7",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "4c6f86d85d03cdb33addce86aa69aa795ca6c47a",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_recv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Reject unknown opcodes before ICRC processing\n\nEven after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC\nbefore payload_size() in rxe_rcv\"), a single unauthenticated UDP packet\ncan still trigger panic.  That patch handled payload_size() underflow only\nfor valid opcodes with short packets, not for packets carrying an unknown\nopcode.  The unknown-opcode OOB read described below predates that commit\nand reaches back to the initial Soft RoCE driver.\n\nThe check added there reads\n\n    pkt-\u003epaylen \u003c header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE\n\nwhere header_size(pkt) expands to rxe_opcode[pkt-\u003eopcode].length.  The\nrxe_opcode[] array has 256 entries but is only populated for defined IB\nopcodes; any other entry (for example opcode 0xff) is zero-initialized, so\nlength == 0 and the check degenerates to\n\n    pkt-\u003epaylen \u003c 0 + bth_pad(pkt) + RXE_ICRC_SIZE\n\nwhich does not constrain pkt-\u003epaylen enough.  rxe_icrc_hdr() then computes\n\n    rxe_opcode[pkt-\u003eopcode].length - RXE_BTH_BYTES\n\nwhich underflows when length == 0 and passes a huge value to rxe_crc32(),\ncausing an out-of-bounds read of the skb payload.\n\nReproduced on v7.0-rc7 with that fix applied, QEMU/KVM with\nCONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after\n\n    rdma link add rxe0 type rxe netdev eth0\n\nA single 48-byte UDP packet to port 4791 with BTH opcode=0xff and\nQPN=IB_MULTICAST_QPN triggers:\n\n    BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170\n    Read of size 1 at addr ...\n    The buggy address is located 0 bytes to the right of\n     allocated 704-byte region\n    Call Trace:\n     crc32_le+0x115/0x170\n     rxe_icrc_hdr.isra.0+0x226/0x300\n     rxe_icrc_check+0x13f/0x3a0\n     rxe_rcv+0x6e1/0x16e0\n     rxe_udp_encap_recv+0x20a/0x320\n     udp_queue_rcv_one_skb+0x7ed/0x12c0\n\nSubsequent packets with the same shape fault on unmapped memory and panic\nthe kernel.  The trigger requires only module load and \"rdma link add\"; no\nQP, no connection, and no authentication.\n\nFix this by rejecting packets whose opcode has no rxe_opcode[] entry,\ndetected via the zero mask or zero length, before any length arithmetic\nruns."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:55.486Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/318787fa7193bd79691f2ebce4e80cb6abd0faef"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a79b1ea0fcb2c998fda6a793050f66146e9cc42"
        },
        {
          "url": "https://git.kernel.org/stable/c/599cfdf44c1701c581cd4a21f1e1e03f8dc3840b"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983"
        },
        {
          "url": "https://git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a"
        }
      ],
      "title": "RDMA/rxe: Reject unknown opcodes before ICRC processing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46133",
    "datePublished": "2026-05-28T09:35:47.819Z",
    "dateReserved": "2026-05-13T15:03:33.099Z",
    "dateUpdated": "2026-06-14T17:56:55.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47298 (GCVE-0-2026-47298)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-285 - Improper Authorization

Summary

Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47298",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-05T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T03:56:56.225Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:41.149Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47298"
        }
      ],
      "title": "Microsoft SharePoint Server Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47298",
    "datePublished": "2026-06-09T17:05:02.713Z",
    "dateReserved": "2026-05-18T23:53:33.897Z",
    "dateUpdated": "2026-06-16T18:17:41.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46106 (GCVE-0-2026-46106)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: eventfs: Hold eventfs_mutex and SRCU when remount walks events Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong: - list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6. - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk. - The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex. Reproducer: while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.

References

URL

Tags

	https://git.kernel.org/stable/c/ae9cd0b46b1890040006a2fc5e905c5d6053fd02
	https://git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba
	https://git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b
	https://git.kernel.org/stable/c/ed2ad73bcb0a7a6cc934097d4853b6d5124c317e
	https://git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed

Impacted products

Vendor

Product

Version

Version: 7ec535ed8724d18ae4e714d2277a5b89450659d2
Version: 340f0c7067a95281ad13734f8225f49c6cf52067
Version: 340f0c7067a95281ad13734f8225f49c6cf52067
Version: 340f0c7067a95281ad13734f8225f49c6cf52067
Version: 340f0c7067a95281ad13734f8225f49c6cf52067
Version: 99b86d85f7c73d676c50e8c35748f94dd41389da
Version: 6.6.35 ≤
Version: 6.9.6 ≤

Version: 6.10

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45485

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/tracefs/event_inode.c",
            "fs/tracefs/inode.c",
            "fs/tracefs/internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae9cd0b46b1890040006a2fc5e905c5d6053fd02",
              "status": "affected",
              "version": "7ec535ed8724d18ae4e714d2277a5b89450659d2",
              "versionType": "git"
            },
            {
              "lessThan": "44e64d8a432837308f4dda3ffe819f1ec092a0ba",
              "status": "affected",
              "version": "340f0c7067a95281ad13734f8225f49c6cf52067",
              "versionType": "git"
            },
            {
              "lessThan": "52b109f1b875b912d4ab2c5fdd8c322d47119d9b",
              "status": "affected",
              "version": "340f0c7067a95281ad13734f8225f49c6cf52067",
              "versionType": "git"
            },
            {
              "lessThan": "ed2ad73bcb0a7a6cc934097d4853b6d5124c317e",
              "status": "affected",
              "version": "340f0c7067a95281ad13734f8225f49c6cf52067",
              "versionType": "git"
            },
            {
              "lessThan": "07004a8c4b572171934390148ee48c4175c77eed",
              "status": "affected",
              "version": "340f0c7067a95281ad13734f8225f49c6cf52067",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "99b86d85f7c73d676c50e8c35748f94dd41389da",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.35",
              "versionType": "semver"
            },
            {
              "lessThan": "6.10",
              "status": "affected",
              "version": "6.9.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/tracefs/event_inode.c",
            "fs/tracefs/inode.c",
            "fs/tracefs/internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.9.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventfs: Hold eventfs_mutex and SRCU when remount walks events\n\nCommit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the\nevents descriptor\") had eventfs_set_attrs() recurse through ei-\u003echildren\non remount.  The walk only holds the rcu_read_lock() taken by\ntracefs_apply_options() over tracefs_inodes, which is wrong:\n\n  - list_for_each_entry over ei-\u003echildren races with the list_del_rcu()\n    in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as\n    d2603279c7d6.\n  - eventfs_inodes are freed via call_srcu(\u0026eventfs_srcu, ...).\n    rcu_read_lock() does not extend an SRCU grace period, so ti-\u003eprivate\n    can be reclaimed under the walk.\n  - The writes to ei-\u003eattr race with eventfs_set_attr(), which holds\n    eventfs_mutex.\n\nReproducer:\n\n  while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done \u0026\n  while :; do\n      echo \"p:kp submit_bio\" \u003e /sys/kernel/tracing/kprobe_events\n      echo \u003e /sys/kernel/tracing/kprobe_events\n  done\n\nWrap the events portion of tracefs_apply_options() in\neventfs_remount_lock()/_unlock() that take eventfs_mutex and\nsrcu_read_lock(\u0026eventfs_srcu).  eventfs_set_attrs() doesn\u0027t sleep so the\nnested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.\n\nComment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:54:53.367Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae9cd0b46b1890040006a2fc5e905c5d6053fd02"
        },
        {
          "url": "https://git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed2ad73bcb0a7a6cc934097d4853b6d5124c317e"
        },
        {
          "url": "https://git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed"
        }
      ],
      "title": "eventfs: Hold eventfs_mutex and SRCU when remount walks events",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46106",
    "datePublished": "2026-05-28T09:35:11.034Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-06-14T17:54:53.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45485 (GCVE-0-2026-45485)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CWE

CWE-125 - Out-of-bounds Read

Summary

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

Microsoft	Microsoft Office 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office 365 for Mac	Version: -
Microsoft	Microsoft Office LTSC 2021	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC 2024	Version: 16.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC for Mac 2021	Version: -
Microsoft	Microsoft Office LTSC for Mac 2024	Version: -
Microsoft	Microsoft SharePoint Enterprise Server 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45485",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T20:05:44.587552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T20:05:55.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office 365 for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:09.125Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Office Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45485"
        }
      ],
      "title": "Microsoft Office Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45485",
    "datePublished": "2026-06-09T17:04:25.336Z",
    "dateReserved": "2026-05-12T16:07:22.617Z",
    "dateUpdated": "2026-06-16T18:17:09.125Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46137 (GCVE-0-2026-46137)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:57

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.

References

URL

Tags

	https://git.kernel.org/stable/c/013dcdc1961543b9a3433466bc8c79a2f4ca75b5
	https://git.kernel.org/stable/c/6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3
	https://git.kernel.org/stable/c/2ad56e434199ca24a812bb353667aa1c3860f513
	https://git.kernel.org/stable/c/cc3c0399361efaaf7ae64262eb3f70829b1189c6
	https://git.kernel.org/stable/c/5cd6e0ad79d2615264f63929f8b457ad97ae550d

Impacted products

Vendor

Product

Version

Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8
Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8
Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8
Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8
Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8

Version: 5.10

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44824

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "013dcdc1961543b9a3433466bc8c79a2f4ca75b5",
              "status": "affected",
              "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
              "versionType": "git"
            },
            {
              "lessThan": "6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3",
              "status": "affected",
              "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
              "versionType": "git"
            },
            {
              "lessThan": "2ad56e434199ca24a812bb353667aa1c3860f513",
              "status": "affected",
              "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
              "versionType": "git"
            },
            {
              "lessThan": "cc3c0399361efaaf7ae64262eb3f70829b1189c6",
              "status": "affected",
              "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
              "versionType": "git"
            },
            {
              "lessThan": "5cd6e0ad79d2615264f63929f8b457ad97ae550d",
              "status": "affected",
              "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: ADD_ADDR rtx: fix potential data-race\n\nThis mptcp_pm_add_timer() helper is executed as a timer callback in\nsoftirq context. To avoid any data races, the socket lock needs to be\nheld with bh_lock_sock().\n\nIf the socket is in use, retry again soon after, similar to what is done\nwith the keepalive timer."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:57:13.527Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/013dcdc1961543b9a3433466bc8c79a2f4ca75b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ad56e434199ca24a812bb353667aa1c3860f513"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc3c0399361efaaf7ae64262eb3f70829b1189c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5cd6e0ad79d2615264f63929f8b457ad97ae550d"
        }
      ],
      "title": "mptcp: pm: ADD_ADDR rtx: fix potential data-race",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46137",
    "datePublished": "2026-05-28T09:35:53.628Z",
    "dateReserved": "2026-05-13T15:03:33.100Z",
    "dateUpdated": "2026-06-14T17:57:13.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44824 (GCVE-0-2026-44824)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

Microsoft	Microsoft Office 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office 365 for Mac	Version: -
Microsoft	Microsoft Office LTSC 2021	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC 2024	Version: 16.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC for Mac 2021	Version: -
Microsoft	Microsoft Office LTSC for Mac 2024	Version: -
Microsoft	Microsoft SharePoint Enterprise Server 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44824",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:19.447941Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:30:09.454Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office 365 for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:19.036Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Office Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44824"
        }
      ],
      "title": "Microsoft Office Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-44824",
    "datePublished": "2026-06-09T17:04:35.374Z",
    "dateReserved": "2026-05-07T20:07:18.272Z",
    "dateUpdated": "2026-06-16T18:17:19.036Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46099 (GCVE-0-2026-46099)

Vulnerability from cvelistv5

Published

2026-05-27 12:59

Modified

2026-06-14 17:54

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence: ksoftirqd/X higher-prio task (same CPU X) ----------- -------------------------------- seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1] rt_genid_bump_ipv6() -> bumps fib6_sernum [fib6_sernum from W to Z] ip6_route_output() -> ip6_pol_route() -> FIB lookup resolves fib6_nh [nhid=N] -> rt6_get_pcpu_route() pcpu_rt->sernum != fib6_sernum [W <> Z, stale] -> prev = xchg(rt6i_pcpu, NULL) -> dst_release(prev) [prev is pcpu_rt, refcount 1->0, dead] dst = skb_dst(skb) [dst is the dead pcpu_rt] dst_cache_set_ip6(dst) -> dst_hold() on dead dst -> WARN / use-after-free For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry. Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.

References

URL

Tags

	https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c
	https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71
	https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d
	https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0
	https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103
	https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0
	https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e

Impacted products

Vendor

Product

Version

Version: af4a2209b1344939eaac11f269c261d347cbc3ee
Version: af4a2209b1344939eaac11f269c261d347cbc3ee
Version: af4a2209b1344939eaac11f269c261d347cbc3ee
Version: af4a2209b1344939eaac11f269c261d347cbc3ee
Version: af4a2209b1344939eaac11f269c261d347cbc3ee
Version: af4a2209b1344939eaac11f269c261d347cbc3ee
Version: af4a2209b1344939eaac11f269c261d347cbc3ee

Version: 4.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/rpl_iptunnel.c",
            "net/ipv6/seg6_iptunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "51fef5a7c4d160839199e941929456ba21ddf73c",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "b258b849a580285a1692e782ebc902b44c884a71",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "6bd17925bd6866027a6555db17905b9fc073d38d",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "52f9db67f8f35f436366cf4980b4f0a2583d0ef0",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "b778b6d095421619c331fd2d7751143cd5387103",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "9dd5481f960e337b81d7dfe429529495c1c481c0",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            },
            {
              "lessThan": "f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e",
              "status": "affected",
              "version": "af4a2209b1344939eaac11f269c261d347cbc3ee",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/rpl_iptunnel.c",
            "net/ipv6/seg6_iptunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n  ksoftirqd/X                       higher-prio task (same CPU X)\n  -----------                       --------------------------------\n  seg6_input_core(,skb)/rpl_input(skb)\n    dst_cache_get()\n      -\u003e miss\n    ip6_route_input(skb)\n      -\u003e ip6_pol_route(,skb,flags)\n         [RT6_LOOKUP_F_DST_NOREF in flags]\n        -\u003e FIB lookup resolves fib6_nh\n           [nhid=N route]\n        -\u003e rt6_make_pcpu_route()\n           [creates pcpu_rt, refcount=1]\n             pcpu_rt-\u003esernum = fib6_sernum\n             [fib6_sernum=W]\n           -\u003e cmpxchg(fib6_nh.rt6i_pcpu,\n                      NULL, pcpu_rt)\n              [slot was empty, store succeeds]\n      -\u003e skb_dst_set_noref(skb, dst)\n         [dst is pcpu_rt, refcount still 1]\n\n                                    rt_genid_bump_ipv6()\n                                      -\u003e bumps fib6_sernum\n                                         [fib6_sernum from W to Z]\n                                    ip6_route_output()\n                                      -\u003e ip6_pol_route()\n                                        -\u003e FIB lookup resolves fib6_nh\n                                           [nhid=N]\n                                        -\u003e rt6_get_pcpu_route()\n                                             pcpu_rt-\u003esernum != fib6_sernum\n                                             [W \u003c\u003e Z, stale]\n                                          -\u003e prev = xchg(rt6i_pcpu, NULL)\n                                          -\u003e dst_release(prev)\n                                             [prev is pcpu_rt,\n                                              refcount 1-\u003e0, dead]\n\n    dst = skb_dst(skb)\n    [dst is the dead pcpu_rt]\n    dst_cache_set_ip6(dst)\n      -\u003e dst_hold() on dead dst\n      -\u003e WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:54:21.059Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d"
        },
        {
          "url": "https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"
        }
      ],
      "title": "net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46099",
    "datePublished": "2026-05-27T12:59:04.628Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-06-14T17:54:21.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46136 (GCVE-0-2026-46136)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix a potential clc buffer length underflow The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC. This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.

References

URL

Tags

	https://git.kernel.org/stable/c/2a79b1a492bcfa725383b6580cd93a6862308c85
	https://git.kernel.org/stable/c/e451c325b000b9a0081fd93bc6d103d6943d4b55
	https://git.kernel.org/stable/c/90cc573fd2f46ddbc2c329e7814b5ba3deb7b939
	https://git.kernel.org/stable/c/0aa63d33742b805d1a218d18d12b983cce4b2f7b
	https://git.kernel.org/stable/c/a0111847f0b4f6023f6dd320114697514e024ba3
	https://git.kernel.org/stable/c/5373f8b19e568b5c217832b9bbef165bd2b2df14

Impacted products

Vendor

Product

Version

Version: 0c9318d49e501a5d50b02bd91a4813bde2353488
Version: 15173a1697236793e9e900b82fece6f99d41b2a7
Version: fa6ad88e023ddfa6c5dcdb466d159e89f451e305
Version: fa6ad88e023ddfa6c5dcdb466d159e89f451e305
Version: fa6ad88e023ddfa6c5dcdb466d159e89f451e305
Version: fa6ad88e023ddfa6c5dcdb466d159e89f451e305
Version: 5c8cac512844ad593d31258e215908014381bee2
Version: 6.1.75   ≤
Version: 6.6.14   ≤
Version: 6.7.2   ≤

Version: 6.8

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7921/mcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a79b1a492bcfa725383b6580cd93a6862308c85",
              "status": "affected",
              "version": "0c9318d49e501a5d50b02bd91a4813bde2353488",
              "versionType": "git"
            },
            {
              "lessThan": "e451c325b000b9a0081fd93bc6d103d6943d4b55",
              "status": "affected",
              "version": "15173a1697236793e9e900b82fece6f99d41b2a7",
              "versionType": "git"
            },
            {
              "lessThan": "90cc573fd2f46ddbc2c329e7814b5ba3deb7b939",
              "status": "affected",
              "version": "fa6ad88e023ddfa6c5dcdb466d159e89f451e305",
              "versionType": "git"
            },
            {
              "lessThan": "0aa63d33742b805d1a218d18d12b983cce4b2f7b",
              "status": "affected",
              "version": "fa6ad88e023ddfa6c5dcdb466d159e89f451e305",
              "versionType": "git"
            },
            {
              "lessThan": "a0111847f0b4f6023f6dd320114697514e024ba3",
              "status": "affected",
              "version": "fa6ad88e023ddfa6c5dcdb466d159e89f451e305",
              "versionType": "git"
            },
            {
              "lessThan": "5373f8b19e568b5c217832b9bbef165bd2b2df14",
              "status": "affected",
              "version": "fa6ad88e023ddfa6c5dcdb466d159e89f451e305",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5c8cac512844ad593d31258e215908014381bee2",
              "versionType": "git"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.75",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.14",
              "versionType": "semver"
            },
            {
              "lessThan": "6.8",
              "status": "affected",
              "version": "6.7.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7921/mcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix a potential clc buffer length underflow\n\nThe buf_len is used to limit the iterations for retrieving the country\npower setting and may underflow under certain conditions due to changes\nin the power table in CLC.\n\nThis underflow leads to an almost infinite loop or an invalid power\nsetting resulting in driver initialization failure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:57:08.679Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a79b1a492bcfa725383b6580cd93a6862308c85"
        },
        {
          "url": "https://git.kernel.org/stable/c/e451c325b000b9a0081fd93bc6d103d6943d4b55"
        },
        {
          "url": "https://git.kernel.org/stable/c/90cc573fd2f46ddbc2c329e7814b5ba3deb7b939"
        },
        {
          "url": "https://git.kernel.org/stable/c/0aa63d33742b805d1a218d18d12b983cce4b2f7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0111847f0b4f6023f6dd320114697514e024ba3"
        },
        {
          "url": "https://git.kernel.org/stable/c/5373f8b19e568b5c217832b9bbef165bd2b2df14"
        }
      ],
      "title": "wifi: mt76: mt7921: fix a potential clc buffer length underflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46136",
    "datePublished": "2026-05-28T09:35:52.004Z",
    "dateReserved": "2026-05-13T15:03:33.099Z",
    "dateUpdated": "2026-06-14T17:57:08.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46127 (GCVE-0-2026-46127)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.

References

URL

Tags

	https://git.kernel.org/stable/c/b610f33c5523fe26f6dd897667fff9c7a1de5905
	https://git.kernel.org/stable/c/443c991fbc954cc9363e963c09f404b9f281f3a2
	https://git.kernel.org/stable/c/27b6eb1f27fda9bdd5cae028e396758cdf525845
	https://git.kernel.org/stable/c/e01a957561f663d3b68d2fd233a4502e3367efcd
	https://git.kernel.org/stable/c/75fc130664ae324e7b2f9ad3630e0f175e9ca6c8
	https://git.kernel.org/stable/c/8832626a483439e207734e027afff322ccdf726e
	https://git.kernel.org/stable/c/ec44c00a4fe1327efa35083f98b39c01cb535a51
	https://git.kernel.org/stable/c/34fbf48cf3b410d2a6e8c586fa952a36331ca5ba

Impacted products

Vendor

Product

Version

Version: fe2caefcdf5869f308c102e3d64d40683bfad711
Version: fe2caefcdf5869f308c102e3d64d40683bfad711
Version: fe2caefcdf5869f308c102e3d64d40683bfad711
Version: fe2caefcdf5869f308c102e3d64d40683bfad711
Version: fe2caefcdf5869f308c102e3d64d40683bfad711
Version: fe2caefcdf5869f308c102e3d64d40683bfad711
Version: fe2caefcdf5869f308c102e3d64d40683bfad711
Version: fe2caefcdf5869f308c102e3d64d40683bfad711

Version: 3.5

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/ocrdma/ocrdma_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b610f33c5523fe26f6dd897667fff9c7a1de5905",
              "status": "affected",
              "version": "fe2caefcdf5869f308c102e3d64d40683bfad711",
              "versionType": "git"
            },
            {
              "lessThan": "443c991fbc954cc9363e963c09f404b9f281f3a2",
              "status": "affected",
              "version": "fe2caefcdf5869f308c102e3d64d40683bfad711",
              "versionType": "git"
            },
            {
              "lessThan": "27b6eb1f27fda9bdd5cae028e396758cdf525845",
              "status": "affected",
              "version": "fe2caefcdf5869f308c102e3d64d40683bfad711",
              "versionType": "git"
            },
            {
              "lessThan": "e01a957561f663d3b68d2fd233a4502e3367efcd",
              "status": "affected",
              "version": "fe2caefcdf5869f308c102e3d64d40683bfad711",
              "versionType": "git"
            },
            {
              "lessThan": "75fc130664ae324e7b2f9ad3630e0f175e9ca6c8",
              "status": "affected",
              "version": "fe2caefcdf5869f308c102e3d64d40683bfad711",
              "versionType": "git"
            },
            {
              "lessThan": "8832626a483439e207734e027afff322ccdf726e",
              "status": "affected",
              "version": "fe2caefcdf5869f308c102e3d64d40683bfad711",
              "versionType": "git"
            },
            {
              "lessThan": "ec44c00a4fe1327efa35083f98b39c01cb535a51",
              "status": "affected",
              "version": "fe2caefcdf5869f308c102e3d64d40683bfad711",
              "versionType": "git"
            },
            {
              "lessThan": "34fbf48cf3b410d2a6e8c586fa952a36331ca5ba",
              "status": "affected",
              "version": "fe2caefcdf5869f308c102e3d64d40683bfad711",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/ocrdma/ocrdma_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ocrdma: Don\u0027t NULL deref uctx on errors in ocrdma_copy_pd_uresp()\n\nSashiko points out that pd-\u003euctx isn\u0027t initialized until late in the\nfunction so all these error flow references are NULL and will crash. Use\nthe uctx that isn\u0027t NULL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:56:27.705Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b610f33c5523fe26f6dd897667fff9c7a1de5905"
        },
        {
          "url": "https://git.kernel.org/stable/c/443c991fbc954cc9363e963c09f404b9f281f3a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/27b6eb1f27fda9bdd5cae028e396758cdf525845"
        },
        {
          "url": "https://git.kernel.org/stable/c/e01a957561f663d3b68d2fd233a4502e3367efcd"
        },
        {
          "url": "https://git.kernel.org/stable/c/75fc130664ae324e7b2f9ad3630e0f175e9ca6c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/8832626a483439e207734e027afff322ccdf726e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec44c00a4fe1327efa35083f98b39c01cb535a51"
        },
        {
          "url": "https://git.kernel.org/stable/c/34fbf48cf3b410d2a6e8c586fa952a36331ca5ba"
        }
      ],
      "title": "RDMA/ocrdma: Don\u0027t NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46127",
    "datePublished": "2026-05-28T09:35:42.368Z",
    "dateReserved": "2026-05-13T15:03:33.099Z",
    "dateUpdated": "2026-06-14T17:56:27.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45994 (GCVE-0-2026-45994)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in command_file_write due to missing size checks The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.

References

URL

Tags

	https://git.kernel.org/stable/c/44ee19422aa82a6847594866de7e5a31e4ef98b3
	https://git.kernel.org/stable/c/7b8a574da5d7ea99b943f7a3458a17a1d95e8838
	https://git.kernel.org/stable/c/d50e2019c9d7c433f56d9dff65703eb904aa1fb1
	https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff
	https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c
	https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad
	https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf
	https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ibmasm/ibmasmfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "44ee19422aa82a6847594866de7e5a31e4ef98b3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7b8a574da5d7ea99b943f7a3458a17a1d95e8838",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d50e2019c9d7c433f56d9dff65703eb904aa1fb1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a672682d39dd34e2b5ba4feb436723bed65125ff",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "aefc1a97da17d8309974690c8a03e439a91ebb1c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ee5737891464030a189837467df3b81a273718ad",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d0fb4d1dc43f8d5179917a2daaa82680993d4cdf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0eb09f737428e482a32a2e31e5e223f2b35a71d3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ibmasm/ibmasmfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmasm: fix OOB reads in command_file_write due to missing size checks\n\nThe command_file_write() handler allocates a kernel buffer of exactly\ncount bytes and copies user data into it, but does not validate the\nbuffer against the dot command protocol before passing it to\nget_dot_command_size() and get_dot_command_timeout().\n\nSince both the allocation size (count) and the header fields (command_size,\ndata_size) are independently user-controlled, an attacker can cause\nget_dot_command_size() to return a value exceeding the allocation,\ntriggering OOB reads in get_dot_command_timeout() and an out-of-bounds\nmemcpy_toio() that leaks kernel heap memory to the service processor.\n\nFix with two guards: reject writes smaller than sizeof(struct\ndot_command_header) before allocation, then after copying user data\nreject commands where the buffer is smaller than the total size declared\nby the header (sizeof(header) + command_size + data_size). This ensures\nall subsequent header and payload field accesses stay within the buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:55.731Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/44ee19422aa82a6847594866de7e5a31e4ef98b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b8a574da5d7ea99b943f7a3458a17a1d95e8838"
        },
        {
          "url": "https://git.kernel.org/stable/c/d50e2019c9d7c433f56d9dff65703eb904aa1fb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf"
        },
        {
          "url": "https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3"
        }
      ],
      "title": "ibmasm: fix OOB reads in command_file_write due to missing size checks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45994",
    "datePublished": "2026-05-27T12:55:47.612Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:46:55.731Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46218 (GCVE-0-2026-46218)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:03

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add bounds checking to ib_{get,set}_value The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values. Also make the idx a uint32_t to prevent overflows causing the condition to fail.

References

URL

Tags

	https://git.kernel.org/stable/c/5da6c6430be0acb25b4242bce0323fc514d4e3cf
	https://git.kernel.org/stable/c/0fb5cb556b249b2b64c0f818136c4c3e838ef53f
	https://git.kernel.org/stable/c/a853178d23e774adfe3a35073c375b04b3b20f7d
	https://git.kernel.org/stable/c/fec8b11b55e53ff51a741e56894fe331a516f5c6
	https://git.kernel.org/stable/c/ee26fcf7c5cf131f0b6a732faa27d79ec61b8ec7
	https://git.kernel.org/stable/c/66085e206431ef88ce36f53c1f53d570790ccc9e

Impacted products

Vendor

Product

Version

Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21

Version: 4.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5da6c6430be0acb25b4242bce0323fc514d4e3cf",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "0fb5cb556b249b2b64c0f818136c4c3e838ef53f",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "a853178d23e774adfe3a35073c375b04b3b20f7d",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "fec8b11b55e53ff51a741e56894fe331a516f5c6",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "ee26fcf7c5cf131f0b6a732faa27d79ec61b8ec7",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "66085e206431ef88ce36f53c1f53d570790ccc9e",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Add bounds checking to ib_{get,set}_value\n\nThe uvd/vce/vcn code accesses the IB at predefined offsets without\nchecking that the IB is large enough. Check the bounds here. The caller\nis responsible for making sure it can handle arbitrary return values.\n\nAlso make the idx a uint32_t to prevent overflows causing the condition\nto fail."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:03:27.730Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5da6c6430be0acb25b4242bce0323fc514d4e3cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fb5cb556b249b2b64c0f818136c4c3e838ef53f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a853178d23e774adfe3a35073c375b04b3b20f7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/fec8b11b55e53ff51a741e56894fe331a516f5c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee26fcf7c5cf131f0b6a732faa27d79ec61b8ec7"
        },
        {
          "url": "https://git.kernel.org/stable/c/66085e206431ef88ce36f53c1f53d570790ccc9e"
        }
      ],
      "title": "drm/amdgpu: Add bounds checking to ib_{get,set}_value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46218",
    "datePublished": "2026-05-28T09:40:34.367Z",
    "dateReserved": "2026-05-13T15:03:33.105Z",
    "dateUpdated": "2026-06-14T18:03:27.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46226 (GCVE-0-2026-46226)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:04

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: fsl: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.

References

URL

Tags

	https://git.kernel.org/stable/c/562d954a144950ec2aa6a874ae657cb3fa31fe53
	https://git.kernel.org/stable/c/e888308222375ac28bae69134dae288178718a96
	https://git.kernel.org/stable/c/ca3195c7b88362d7c81efe685948663a9f9db0e6
	https://git.kernel.org/stable/c/5750743a39c9d46ac9fcf57ffe000956da4942cf
	https://git.kernel.org/stable/c/9b7abfed4c3754062d1f3ffd452e65a38667f586

Impacted products

Vendor

Product

Version

Version: 4178b6b1b595003cd6e04711b449797a582e44f5
Version: 4178b6b1b595003cd6e04711b449797a582e44f5
Version: 4178b6b1b595003cd6e04711b449797a582e44f5
Version: 4178b6b1b595003cd6e04711b449797a582e44f5
Version: 4178b6b1b595003cd6e04711b449797a582e44f5

Version: 4.3

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42902

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-fsl-spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "562d954a144950ec2aa6a874ae657cb3fa31fe53",
              "status": "affected",
              "version": "4178b6b1b595003cd6e04711b449797a582e44f5",
              "versionType": "git"
            },
            {
              "lessThan": "e888308222375ac28bae69134dae288178718a96",
              "status": "affected",
              "version": "4178b6b1b595003cd6e04711b449797a582e44f5",
              "versionType": "git"
            },
            {
              "lessThan": "ca3195c7b88362d7c81efe685948663a9f9db0e6",
              "status": "affected",
              "version": "4178b6b1b595003cd6e04711b449797a582e44f5",
              "versionType": "git"
            },
            {
              "lessThan": "5750743a39c9d46ac9fcf57ffe000956da4942cf",
              "status": "affected",
              "version": "4178b6b1b595003cd6e04711b449797a582e44f5",
              "versionType": "git"
            },
            {
              "lessThan": "9b7abfed4c3754062d1f3ffd452e65a38667f586",
              "status": "affected",
              "version": "4178b6b1b595003cd6e04711b449797a582e44f5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-fsl-spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl: fix controller deregistration\n\nMake sure to deregister the controller before releasing underlying\nresources like DMA during driver unbind."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:04.259Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/562d954a144950ec2aa6a874ae657cb3fa31fe53"
        },
        {
          "url": "https://git.kernel.org/stable/c/e888308222375ac28bae69134dae288178718a96"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca3195c7b88362d7c81efe685948663a9f9db0e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5750743a39c9d46ac9fcf57ffe000956da4942cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b7abfed4c3754062d1f3ffd452e65a38667f586"
        }
      ],
      "title": "spi: fsl: fix controller deregistration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46226",
    "datePublished": "2026-05-28T09:40:46.027Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:04:04.259Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42902 (GCVE-0-2026-42902)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-285 - Improper Authorization

Summary

Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft PowerToys	Version: 0.1 < v0.99.1

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42902",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:44.660372Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:31:20.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft PowerToys",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "v0.99.1",
              "status": "affected",
              "version": "0.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:power_toys:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "v0.99.1",
                  "versionStartIncluding": "0.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:14.965Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft PowerToys Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42902"
        }
      ],
      "title": "Microsoft PowerToys Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-42902",
    "datePublished": "2026-06-09T17:04:30.968Z",
    "dateReserved": "2026-04-30T22:35:54.967Z",
    "dateUpdated": "2026-06-16T18:17:14.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46206 (GCVE-0-2026-46206)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:02

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject new tp_meter sessions during teardown Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.

References

URL

Tags

	https://git.kernel.org/stable/c/0a7a840074c9ca5ebffc9c52358c8ea55828ec71
	https://git.kernel.org/stable/c/dcff44644bb518598b1a6be722706d6174b2f6a1
	https://git.kernel.org/stable/c/52e6ec3e972cf27792cc1559874dbee19f286869
	https://git.kernel.org/stable/c/e4a3c4a4c8f6efd243c3e448c05b7bebcbf7b3b6
	https://git.kernel.org/stable/c/ff93f86ecbb50a4709c403fc279a396e308edde5
	https://git.kernel.org/stable/c/e1e2194cc725ec1d41f9412496212f0fa0519c36
	https://git.kernel.org/stable/c/ca39545cf07c142b39d474a1439a046bf28def3d
	https://git.kernel.org/stable/c/3243543592425beec83d453793e9d27caa0d8e66

Impacted products

Vendor

Product

Version

Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Version: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e

Version: 4.8

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/tp_meter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0a7a840074c9ca5ebffc9c52358c8ea55828ec71",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "dcff44644bb518598b1a6be722706d6174b2f6a1",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "52e6ec3e972cf27792cc1559874dbee19f286869",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "e4a3c4a4c8f6efd243c3e448c05b7bebcbf7b3b6",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "ff93f86ecbb50a4709c403fc279a396e308edde5",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "e1e2194cc725ec1d41f9412496212f0fa0519c36",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "ca39545cf07c142b39d474a1439a046bf28def3d",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            },
            {
              "lessThan": "3243543592425beec83d453793e9d27caa0d8e66",
              "status": "affected",
              "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/tp_meter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: reject new tp_meter sessions during teardown\n\nPrevent tp_meter from starting new sender or receiver sessions after\nmesh_state has left BATADV_MESH_ACTIVE."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:02:39.871Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0a7a840074c9ca5ebffc9c52358c8ea55828ec71"
        },
        {
          "url": "https://git.kernel.org/stable/c/dcff44644bb518598b1a6be722706d6174b2f6a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/52e6ec3e972cf27792cc1559874dbee19f286869"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4a3c4a4c8f6efd243c3e448c05b7bebcbf7b3b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff93f86ecbb50a4709c403fc279a396e308edde5"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1e2194cc725ec1d41f9412496212f0fa0519c36"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca39545cf07c142b39d474a1439a046bf28def3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3243543592425beec83d453793e9d27caa0d8e66"
        }
      ],
      "title": "batman-adv: reject new tp_meter sessions during teardown",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46206",
    "datePublished": "2026-05-28T09:40:23.993Z",
    "dateReserved": "2026-05-13T15:03:33.105Z",
    "dateUpdated": "2026-06-14T18:02:39.871Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45996 (GCVE-0-2026-45996)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration (unless the allocation is device managed). Take another reference before deregistering the controller so that the driver data is not freed until the driver is done with it.

References

URL

Tags

	https://git.kernel.org/stable/c/f99165ef067723221472ce1aff632bc74f562643
	https://git.kernel.org/stable/c/385a330083f8dd47c15b02e9a83aef9234a37003
	https://git.kernel.org/stable/c/132e47030b0b5e398e0da6c59df5a5dae9b52cff
	https://git.kernel.org/stable/c/aa9025a498036b6012769f7af36d421385386c17
	https://git.kernel.org/stable/c/1c78c2002380a1fe31bfb01a3d5f29809e55a096

Impacted products

Vendor

Product

Version

Version: 307c897db762d1e0feee9477276b08f6deca4a5b
Version: 307c897db762d1e0feee9477276b08f6deca4a5b
Version: 307c897db762d1e0feee9477276b08f6deca4a5b
Version: 307c897db762d1e0feee9477276b08f6deca4a5b
Version: 307c897db762d1e0feee9477276b08f6deca4a5b

Version: 5.19

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45501

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-imx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f99165ef067723221472ce1aff632bc74f562643",
              "status": "affected",
              "version": "307c897db762d1e0feee9477276b08f6deca4a5b",
              "versionType": "git"
            },
            {
              "lessThan": "385a330083f8dd47c15b02e9a83aef9234a37003",
              "status": "affected",
              "version": "307c897db762d1e0feee9477276b08f6deca4a5b",
              "versionType": "git"
            },
            {
              "lessThan": "132e47030b0b5e398e0da6c59df5a5dae9b52cff",
              "status": "affected",
              "version": "307c897db762d1e0feee9477276b08f6deca4a5b",
              "versionType": "git"
            },
            {
              "lessThan": "aa9025a498036b6012769f7af36d421385386c17",
              "status": "affected",
              "version": "307c897db762d1e0feee9477276b08f6deca4a5b",
              "versionType": "git"
            },
            {
              "lessThan": "1c78c2002380a1fe31bfb01a3d5f29809e55a096",
              "status": "affected",
              "version": "307c897db762d1e0feee9477276b08f6deca4a5b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-imx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: imx: fix use-after-free on unbind\n\nThe SPI subsystem frees the controller and any subsystem allocated\ndriver data as part of deregistration (unless the allocation is device\nmanaged).\n\nTake another reference before deregistering the controller so that the\ndriver data is not freed until the driver is done with it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:00.884Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f99165ef067723221472ce1aff632bc74f562643"
        },
        {
          "url": "https://git.kernel.org/stable/c/385a330083f8dd47c15b02e9a83aef9234a37003"
        },
        {
          "url": "https://git.kernel.org/stable/c/132e47030b0b5e398e0da6c59df5a5dae9b52cff"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa9025a498036b6012769f7af36d421385386c17"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c78c2002380a1fe31bfb01a3d5f29809e55a096"
        }
      ],
      "title": "spi: imx: fix use-after-free on unbind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45996",
    "datePublished": "2026-05-27T12:55:50.195Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:00.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45501 (GCVE-0-2026-45501)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Microsoft Exchange Server 2016 Cumulative Update 23

Version: 15.01.0.0 < 15.01.2507.069

Microsoft	Microsoft Exchange Server 2019 Cumulative Update 14	Version: 15.02.0.0 < 15.02.1544.041
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 15	Version: 15.02.0.0 < 15.02.1748.046
Microsoft	Microsoft Exchange Server Subscription Edition RTM	Version: 15.02.0.0 < 15.02.2562.043

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45501",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T19:52:25.296776Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T19:52:49.788Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.069",
              "status": "affected",
              "version": "15.01.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 14",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1544.041",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 15",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1748.046",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server Subscription Edition RTM",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.2562.043",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.2562.043",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.069",
                  "versionStartIncluding": "15.01.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1748.046",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1544.041",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:25.278Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45501"
        }
      ],
      "title": "Microsoft Exchange Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45501",
    "datePublished": "2026-06-09T17:04:45.533Z",
    "dateReserved": "2026-05-12T16:07:22.619Z",
    "dateUpdated": "2026-06-16T18:17:25.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46002 (GCVE-0-2026-46002)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is zero or i_dtime is set, treating them as deleted. However, the case of i_nlink == 0 with a non-zero mode and zero dtime slips through. Since ext2 has no orphan list, such a combination can only result from filesystem corruption - a legitimate inode deletion always sets either i_dtime or clears i_mode before freeing the inode. A crafted image can exploit this gap to present such an inode to the VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via ext2_unlink(), ext2_rename() and ext2_rmdir(): WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295 vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477 do_unlinkat+0x53e/0x730 fs/namei.c:4541 __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_rename+0x35e/0x850 fs/ext2/namei.c:374 vfs_rename+0xf2f/0x2060 fs/namei.c:5021 do_renameat2+0xbe2/0xd50 fs/namei.c:5178 __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311 vfs_rmdir+0x204/0x690 fs/namei.c:4348 do_rmdir+0x372/0x3e0 fs/namei.c:4407 __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Extend the existing i_nlink == 0 check to also catch this case, reporting the corruption via ext2_error() and returning -EFSCORRUPTED. This rejects the inode at load time and prevents it from reaching any of the namei.c paths. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

References

URL

Tags

	https://git.kernel.org/stable/c/1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5
	https://git.kernel.org/stable/c/9e2d67fb2b73eeff8b601e26b332128eae8147bb
	https://git.kernel.org/stable/c/a69a0c5156b6f0092b9fcf44517f5831a962de2d
	https://git.kernel.org/stable/c/32e0b925572686399243834ec99e2a9d85c62eae
	https://git.kernel.org/stable/c/d3af04a43db86379df7438bf8bade71685b8a239
	https://git.kernel.org/stable/c/2dde6377ab2e46bb80cf066c659ef016f3ad7a9b
	https://git.kernel.org/stable/c/470264bbec499e276a89a6431144ae58f411ea4d
	https://git.kernel.org/stable/c/25947cc5b2374cd5bf627fe3141496444260d04f

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext2/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9e2d67fb2b73eeff8b601e26b332128eae8147bb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a69a0c5156b6f0092b9fcf44517f5831a962de2d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "32e0b925572686399243834ec99e2a9d85c62eae",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d3af04a43db86379df7438bf8bade71685b8a239",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2dde6377ab2e46bb80cf066c659ef016f3ad7a9b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "470264bbec499e276a89a6431144ae58f411ea4d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "25947cc5b2374cd5bf627fe3141496444260d04f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext2/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next2: reject inodes with zero i_nlink and valid mode in ext2_iget()\n\next2_iget() already rejects inodes with i_nlink == 0 when i_mode is\nzero or i_dtime is set, treating them as deleted. However, the case of\ni_nlink == 0 with a non-zero mode and zero dtime slips through. Since\next2 has no orphan list, such a combination can only result from\nfilesystem corruption - a legitimate inode deletion always sets either\ni_dtime or clears i_mode before freeing the inode.\n\nA crafted image can exploit this gap to present such an inode to the\nVFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via\next2_unlink(), ext2_rename() and ext2_rmdir():\n\nWARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n \u003cTASK\u003e\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295\n vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477\n do_unlinkat+0x53e/0x730 fs/namei.c:4541\n __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nWARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1\nCall Trace:\n \u003cTASK\u003e\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rename+0x35e/0x850 fs/ext2/namei.c:374\n vfs_rename+0xf2f/0x2060 fs/namei.c:5021\n do_renameat2+0xbe2/0xd50 fs/namei.c:5178\n __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nWARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n \u003cTASK\u003e\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311\n vfs_rmdir+0x204/0x690 fs/namei.c:4348\n do_rmdir+0x372/0x3e0 fs/namei.c:4407\n __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nExtend the existing i_nlink == 0 check to also catch this case,\nreporting the corruption via ext2_error() and returning -EFSCORRUPTED.\nThis rejects the inode at load time and prevents it from reaching any\nof the namei.c paths.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:19.832Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e2d67fb2b73eeff8b601e26b332128eae8147bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a69a0c5156b6f0092b9fcf44517f5831a962de2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/32e0b925572686399243834ec99e2a9d85c62eae"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3af04a43db86379df7438bf8bade71685b8a239"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dde6377ab2e46bb80cf066c659ef016f3ad7a9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/470264bbec499e276a89a6431144ae58f411ea4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/25947cc5b2374cd5bf627fe3141496444260d04f"
        }
      ],
      "title": "ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46002",
    "datePublished": "2026-05-27T12:55:57.898Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:19.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45841 (GCVE-0-2026-45841)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel. Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen". Crash: Oops: divide error: 0000 [#1] SMP KASAN NOPTI RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: <IRQ> nf_osf_match (net/netfilter/nfnetlink_osf.c:220) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:348) nf_hook_slow (net/netfilter/core.c:622) ip_local_deliver (net/ipv4/ip_input.c:265) ip_rcv (include/linux/skbuff.h:1162) __netif_receive_skb_one_core (net/core/dev.c:6181) process_backlog (net/core/dev.c:6642) __napi_poll (net/core/dev.c:7710) net_rx_action (net/core/dev.c:7945) handle_softirqs (kernel/softirq.c:622)

References

URL

Tags

	https://git.kernel.org/stable/c/cb833bbc1b3c51e08652d3c86298307c07d3f2db
	https://git.kernel.org/stable/c/26900306a5a2c3e4f75c643a064525526bb6e5f3
	https://git.kernel.org/stable/c/0694618cf3e9b120666e31f5f383a6e466d95a0d
	https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082
	https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625
	https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f
	https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366
	https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932

Impacted products

Vendor

Product

Version

Version: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384
Version: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384
Version: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384
Version: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384
Version: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384
Version: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384
Version: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384
Version: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384

Version: 2.6.31

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nfnetlink_osf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb833bbc1b3c51e08652d3c86298307c07d3f2db",
              "status": "affected",
              "version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
              "versionType": "git"
            },
            {
              "lessThan": "26900306a5a2c3e4f75c643a064525526bb6e5f3",
              "status": "affected",
              "version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
              "versionType": "git"
            },
            {
              "lessThan": "0694618cf3e9b120666e31f5f383a6e466d95a0d",
              "status": "affected",
              "version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
              "versionType": "git"
            },
            {
              "lessThan": "8def8fbd23f40e945febe913d04b731012ce0082",
              "status": "affected",
              "version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
              "versionType": "git"
            },
            {
              "lessThan": "c55940895245d8ef658ab381248a28755218d625",
              "status": "affected",
              "version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
              "versionType": "git"
            },
            {
              "lessThan": "fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f",
              "status": "affected",
              "version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
              "versionType": "git"
            },
            {
              "lessThan": "9a05e195618a6d474f2bcd5b6376d0ffc2f00366",
              "status": "affected",
              "version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
              "versionType": "git"
            },
            {
              "lessThan": "2195574dc6d9017d32ac346987e12659f931d932",
              "status": "affected",
              "version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nfnetlink_osf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.31"
            },
            {
              "lessThan": "2.6.31",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO\n\nnf_osf_match_one() computes ctx-\u003ewindow % f-\u003ewss.val in the\nOSF_WSS_MODULO branch with no guard for f-\u003ewss.val == 0. A\nCAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a\nsubsequent matching TCP SYN divides by zero and panics the kernel.\n\nReject the bogus fingerprint in nfnl_osf_add_callback() above the\nper-option for-loop. f-\u003ewss is per-fingerprint, not per-option, so\nthe check must run regardless of f-\u003eopt_num (including 0). Also\nreject wss.wc \u003e= OSF_WSS_MAX; nf_osf_match_one() already treats that\nas \"should not happen\".\n\nCrash:\n Oops: divide error: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n \u003cIRQ\u003e\n  nf_osf_match (net/netfilter/nfnetlink_osf.c:220)\n  xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n  ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)\n  nf_hook_slow (net/netfilter/core.c:622)\n  ip_local_deliver (net/ipv4/ip_input.c:265)\n  ip_rcv (include/linux/skbuff.h:1162)\n  __netif_receive_skb_one_core (net/core/dev.c:6181)\n  process_backlog (net/core/dev.c:6642)\n  __napi_poll (net/core/dev.c:7710)\n  net_rx_action (net/core/dev.c:7945)\n  handle_softirqs (kernel/softirq.c:622)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:14.099Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb833bbc1b3c51e08652d3c86298307c07d3f2db"
        },
        {
          "url": "https://git.kernel.org/stable/c/26900306a5a2c3e4f75c643a064525526bb6e5f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/0694618cf3e9b120666e31f5f383a6e466d95a0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082"
        },
        {
          "url": "https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366"
        },
        {
          "url": "https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932"
        }
      ],
      "title": "netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45841",
    "datePublished": "2026-05-27T09:24:40.805Z",
    "dateReserved": "2026-05-13T15:03:33.078Z",
    "dateUpdated": "2026-06-14T17:46:14.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46077 (GCVE-0-2026-46077)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:52

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-tdes - fix DMA sync direction Before DMA output is consumed by the CPU, ->dma_addr_out must be synced with dma_sync_single_for_cpu() instead of dma_sync_single_for_device(). Using the wrong direction can return stale cache data on non-coherent platforms.

References

URL

Tags

	https://git.kernel.org/stable/c/ce3224678acb8c0b3473daa7d7dbffc998c6951a
	https://git.kernel.org/stable/c/b9b28f3881dd514e74f98ae04e79a635022a4804
	https://git.kernel.org/stable/c/c0f3002c02a3a83250e25582ffbe8df7eb78a8bd
	https://git.kernel.org/stable/c/5281e6e2302362f6b75b70cbfe4098d2a25dafd9
	https://git.kernel.org/stable/c/12a0adfe498cd5d87e6365d7ca5f6b3eed79e523
	https://git.kernel.org/stable/c/863d11b3927703ad95077c81a8a6489c5c7872f7
	https://git.kernel.org/stable/c/b5f5df801d161ba244f391519cbff2f4e5c6edc2
	https://git.kernel.org/stable/c/c8a9a647532f5c2a04180352693215e24e9dba03

Impacted products

Vendor

Product

Version

Version: 13802005d8f2db244ec1f5d7f6923de8f7a463db
Version: 13802005d8f2db244ec1f5d7f6923de8f7a463db
Version: 13802005d8f2db244ec1f5d7f6923de8f7a463db
Version: 13802005d8f2db244ec1f5d7f6923de8f7a463db
Version: 13802005d8f2db244ec1f5d7f6923de8f7a463db
Version: 13802005d8f2db244ec1f5d7f6923de8f7a463db
Version: 13802005d8f2db244ec1f5d7f6923de8f7a463db
Version: 13802005d8f2db244ec1f5d7f6923de8f7a463db

Version: 3.6

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/atmel-tdes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ce3224678acb8c0b3473daa7d7dbffc998c6951a",
              "status": "affected",
              "version": "13802005d8f2db244ec1f5d7f6923de8f7a463db",
              "versionType": "git"
            },
            {
              "lessThan": "b9b28f3881dd514e74f98ae04e79a635022a4804",
              "status": "affected",
              "version": "13802005d8f2db244ec1f5d7f6923de8f7a463db",
              "versionType": "git"
            },
            {
              "lessThan": "c0f3002c02a3a83250e25582ffbe8df7eb78a8bd",
              "status": "affected",
              "version": "13802005d8f2db244ec1f5d7f6923de8f7a463db",
              "versionType": "git"
            },
            {
              "lessThan": "5281e6e2302362f6b75b70cbfe4098d2a25dafd9",
              "status": "affected",
              "version": "13802005d8f2db244ec1f5d7f6923de8f7a463db",
              "versionType": "git"
            },
            {
              "lessThan": "12a0adfe498cd5d87e6365d7ca5f6b3eed79e523",
              "status": "affected",
              "version": "13802005d8f2db244ec1f5d7f6923de8f7a463db",
              "versionType": "git"
            },
            {
              "lessThan": "863d11b3927703ad95077c81a8a6489c5c7872f7",
              "status": "affected",
              "version": "13802005d8f2db244ec1f5d7f6923de8f7a463db",
              "versionType": "git"
            },
            {
              "lessThan": "b5f5df801d161ba244f391519cbff2f4e5c6edc2",
              "status": "affected",
              "version": "13802005d8f2db244ec1f5d7f6923de8f7a463db",
              "versionType": "git"
            },
            {
              "lessThan": "c8a9a647532f5c2a04180352693215e24e9dba03",
              "status": "affected",
              "version": "13802005d8f2db244ec1f5d7f6923de8f7a463db",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/atmel-tdes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "lessThan": "3.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-tdes - fix DMA sync direction\n\nBefore DMA output is consumed by the CPU, -\u003edma_addr_out must be synced\nwith dma_sync_single_for_cpu() instead of dma_sync_single_for_device().\nUsing the wrong direction can return stale cache data on non-coherent\nplatforms."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:52:37.968Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ce3224678acb8c0b3473daa7d7dbffc998c6951a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9b28f3881dd514e74f98ae04e79a635022a4804"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0f3002c02a3a83250e25582ffbe8df7eb78a8bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/5281e6e2302362f6b75b70cbfe4098d2a25dafd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/12a0adfe498cd5d87e6365d7ca5f6b3eed79e523"
        },
        {
          "url": "https://git.kernel.org/stable/c/863d11b3927703ad95077c81a8a6489c5c7872f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5f5df801d161ba244f391519cbff2f4e5c6edc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8a9a647532f5c2a04180352693215e24e9dba03"
        }
      ],
      "title": "crypto: atmel-tdes - fix DMA sync direction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46077",
    "datePublished": "2026-05-27T12:58:10.542Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:52:37.968Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46144 (GCVE-0-2026-46144)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.

References

URL

Tags

	https://git.kernel.org/stable/c/190e570cc0fc7f57eacf80d2b854ba54b4dfad6b
	https://git.kernel.org/stable/c/726af85ea4af750b2f75095e24e3cd99797344cb
	https://git.kernel.org/stable/c/ab64c63b460bbd0521480bf90d5695783f5e66bc
	https://git.kernel.org/stable/c/30e8a2f33815d8f51b8f8b829c07af16c671cc27
	https://git.kernel.org/stable/c/6aaa978c6b6218cfac15fe1dab17c76fe229ce3f

Impacted products

Vendor

Product

Version

Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06
Version: 0266a177631d4c6b963b5b12dd986a8c5abdbf06

Version: 6.2

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mana/qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "190e570cc0fc7f57eacf80d2b854ba54b4dfad6b",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "726af85ea4af750b2f75095e24e3cd99797344cb",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "ab64c63b460bbd0521480bf90d5695783f5e66bc",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "30e8a2f33815d8f51b8f8b829c07af16c671cc27",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            },
            {
              "lessThan": "6aaa978c6b6218cfac15fe1dab17c76fe229ce3f",
              "status": "affected",
              "version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mana/qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana: Fix error unwind in mana_ib_create_qp_rss()\n\nSashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal\ndestroy path cleans it up."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:57:49.375Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/190e570cc0fc7f57eacf80d2b854ba54b4dfad6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/726af85ea4af750b2f75095e24e3cd99797344cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab64c63b460bbd0521480bf90d5695783f5e66bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/30e8a2f33815d8f51b8f8b829c07af16c671cc27"
        },
        {
          "url": "https://git.kernel.org/stable/c/6aaa978c6b6218cfac15fe1dab17c76fe229ce3f"
        }
      ],
      "title": "RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46144",
    "datePublished": "2026-05-28T09:36:00.412Z",
    "dateReserved": "2026-05-13T15:03:33.100Z",
    "dateUpdated": "2026-06-14T17:57:49.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45846 (GCVE-0-2026-45846)

Vulnerability from cvelistv5

Published

2026-05-27 09:24

Modified

2026-06-14 17:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk. BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160) Call Trace: <TASK> bareudp_fill_metadata_dst (drivers/net/bareudp.c:532) do_execute_actions (net/openvswitch/actions.c:901) ovs_execute_actions (net/openvswitch/actions.c:1589) ovs_packet_cmd_execute (net/openvswitch/datapath.c:700) genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1209) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.

References

URL

Tags

	https://git.kernel.org/stable/c/31e010a106ff6cd8ccac4bfee547fd3fa1015574
	https://git.kernel.org/stable/c/55193df8d6d33318435f19572bf5ea47a22eee28
	https://git.kernel.org/stable/c/51eef9c072aa3405a6823a96ae666d38a3b48750
	https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636
	https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2
	https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d
	https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df
	https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19

Impacted products

Vendor

Product

Version

Version: 571912c69f0ed731bd1e071ade9dc7ca4aa52065
Version: 571912c69f0ed731bd1e071ade9dc7ca4aa52065
Version: 571912c69f0ed731bd1e071ade9dc7ca4aa52065
Version: 571912c69f0ed731bd1e071ade9dc7ca4aa52065
Version: 571912c69f0ed731bd1e071ade9dc7ca4aa52065
Version: 571912c69f0ed731bd1e071ade9dc7ca4aa52065
Version: 571912c69f0ed731bd1e071ade9dc7ca4aa52065
Version: 571912c69f0ed731bd1e071ade9dc7ca4aa52065

Version: 5.7

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40376

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bareudp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "31e010a106ff6cd8ccac4bfee547fd3fa1015574",
              "status": "affected",
              "version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
              "versionType": "git"
            },
            {
              "lessThan": "55193df8d6d33318435f19572bf5ea47a22eee28",
              "status": "affected",
              "version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
              "versionType": "git"
            },
            {
              "lessThan": "51eef9c072aa3405a6823a96ae666d38a3b48750",
              "status": "affected",
              "version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
              "versionType": "git"
            },
            {
              "lessThan": "a0f4e4e8e0f5e24ddd83e3d1221732621cf34636",
              "status": "affected",
              "version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
              "versionType": "git"
            },
            {
              "lessThan": "35a115a204be08f97450b0389413e218268ef4a2",
              "status": "affected",
              "version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
              "versionType": "git"
            },
            {
              "lessThan": "74a02921c48fcd35a7881956c9e5c52b86595f5d",
              "status": "affected",
              "version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
              "versionType": "git"
            },
            {
              "lessThan": "638905520fc4fae6a80991563f264131545ba3df",
              "status": "affected",
              "version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
              "versionType": "git"
            },
            {
              "lessThan": "aa6c6d9ee064aabfede4402fd1283424e649ca19",
              "status": "affected",
              "version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bareudp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()\n\nbareudp_fill_metadata_dst() passes bareudp-\u003esock to\nudp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.\nThe socket is only created in bareudp_open() and NULLed in\nbareudp_stop(), so calling this function while the device is down\ntriggers a NULL dereference via sock-\u003esk.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)\n Call Trace:\n  \u003cTASK\u003e\n  bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)\n  do_execute_actions (net/openvswitch/actions.c:901)\n  ovs_execute_actions (net/openvswitch/actions.c:1589)\n  ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)\n  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)\n  genl_rcv_msg (net/netlink/genetlink.c:1209)\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n  \u003c/TASK\u003e\n\nAdd a NULL check returning -ESHUTDOWN, consistent with the xmit paths\nin the same driver."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:46:30.495Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/31e010a106ff6cd8ccac4bfee547fd3fa1015574"
        },
        {
          "url": "https://git.kernel.org/stable/c/55193df8d6d33318435f19572bf5ea47a22eee28"
        },
        {
          "url": "https://git.kernel.org/stable/c/51eef9c072aa3405a6823a96ae666d38a3b48750"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636"
        },
        {
          "url": "https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19"
        }
      ],
      "title": "bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45846",
    "datePublished": "2026-05-27T09:24:52.122Z",
    "dateReserved": "2026-05-13T15:03:33.078Z",
    "dateUpdated": "2026-06-14T17:46:30.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40376 (GCVE-0-2026-40376)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-20 - Improper Input Validation

Summary

Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Visual Studio Code	Version: 1.0.0 < 1.123.2

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40376",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:56:52.300828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:21:06.156Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:59.555Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40376"
        }
      ],
      "title": "Visual Studio Code Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-40376",
    "datePublished": "2026-06-09T17:05:21.405Z",
    "dateReserved": "2026-04-11T23:06:15.615Z",
    "dateUpdated": "2026-06-16T18:17:59.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46102 (GCVE-0-2026-46102)

Vulnerability from cvelistv5

Published

2026-05-27 12:59

Modified

2026-06-14 17:54

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: strparser: fix skb_head leak in strp_abort_strp() When the stream parser is aborted, for example after a message assembly timeout, it can still hold a reference to a partially assembled message in strp->skb_head. That skb is not released in strp_abort_strp(), which leaks the partially assembled message and can be triggered repeatedly to exhaust memory. Fix this by freeing strp->skb_head and resetting the parser state in the abort path. Leave strp_stop() unchanged so final cleanup still happens in strp_done() after the work and timer have been synchronized.

References

URL

Tags

	https://git.kernel.org/stable/c/d6668ce0e78d23eabecef9a6bc4f0f739cb28ad3
	https://git.kernel.org/stable/c/a470ed71c906cc8cbad0d74c9942216698911f8b
	https://git.kernel.org/stable/c/c2e57695ec9ff9d42f23de70f3805199153d007b
	https://git.kernel.org/stable/c/e9ae00490d474757c0f9c65073de83e6bb1e5a00
	https://git.kernel.org/stable/c/5327dad2ffe9c1b49881dd6d51ff3c6893847568
	https://git.kernel.org/stable/c/19ca9475f18f991735f98a22e735c43e95e6298d
	https://git.kernel.org/stable/c/56082f442023db9be1a5a29d4ee361de4017c0b7
	https://git.kernel.org/stable/c/fe72340daaf1af588be88056faf98965f39e6032

Impacted products

Vendor

Product

Version

Version: 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a
Version: 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a
Version: 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a
Version: 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a
Version: 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a
Version: 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a
Version: 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a
Version: 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a

Version: 4.9

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/strparser/strparser.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d6668ce0e78d23eabecef9a6bc4f0f739cb28ad3",
              "status": "affected",
              "version": "43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a",
              "versionType": "git"
            },
            {
              "lessThan": "a470ed71c906cc8cbad0d74c9942216698911f8b",
              "status": "affected",
              "version": "43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a",
              "versionType": "git"
            },
            {
              "lessThan": "c2e57695ec9ff9d42f23de70f3805199153d007b",
              "status": "affected",
              "version": "43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a",
              "versionType": "git"
            },
            {
              "lessThan": "e9ae00490d474757c0f9c65073de83e6bb1e5a00",
              "status": "affected",
              "version": "43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a",
              "versionType": "git"
            },
            {
              "lessThan": "5327dad2ffe9c1b49881dd6d51ff3c6893847568",
              "status": "affected",
              "version": "43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a",
              "versionType": "git"
            },
            {
              "lessThan": "19ca9475f18f991735f98a22e735c43e95e6298d",
              "status": "affected",
              "version": "43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a",
              "versionType": "git"
            },
            {
              "lessThan": "56082f442023db9be1a5a29d4ee361de4017c0b7",
              "status": "affected",
              "version": "43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a",
              "versionType": "git"
            },
            {
              "lessThan": "fe72340daaf1af588be88056faf98965f39e6032",
              "status": "affected",
              "version": "43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/strparser/strparser.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: strparser: fix skb_head leak in strp_abort_strp()\n\nWhen the stream parser is aborted, for example after a message assembly timeout,\nit can still hold a reference to a partially assembled message in\nstrp-\u003eskb_head.\n\nThat skb is not released in strp_abort_strp(), which leaks the partially\nassembled message and can be triggered repeatedly to exhaust memory.\n\nFix this by freeing strp-\u003eskb_head and resetting the parser state in the\nabort path. Leave strp_stop() unchanged so final cleanup still happens in\nstrp_done() after the work and timer have been synchronized."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:54:34.668Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d6668ce0e78d23eabecef9a6bc4f0f739cb28ad3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a470ed71c906cc8cbad0d74c9942216698911f8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2e57695ec9ff9d42f23de70f3805199153d007b"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9ae00490d474757c0f9c65073de83e6bb1e5a00"
        },
        {
          "url": "https://git.kernel.org/stable/c/5327dad2ffe9c1b49881dd6d51ff3c6893847568"
        },
        {
          "url": "https://git.kernel.org/stable/c/19ca9475f18f991735f98a22e735c43e95e6298d"
        },
        {
          "url": "https://git.kernel.org/stable/c/56082f442023db9be1a5a29d4ee361de4017c0b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe72340daaf1af588be88056faf98965f39e6032"
        }
      ],
      "title": "net: strparser: fix skb_head leak in strp_abort_strp()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46102",
    "datePublished": "2026-05-27T12:59:09.526Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-06-14T17:54:34.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46058 (GCVE-0-2026-46058)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:51

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: media: amphion: Fix race between m2m job_abort and device_run Fix kernel panic caused by race condition where v4l2_m2m_ctx_release() frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run with the same context. Race sequence: v4l2_m2m_try_run(): v4l2_m2m_ctx_release(): lock/unlock v4l2_m2m_cancel_job() job_abort() v4l2_m2m_job_finish() kfree(m2m_ctx) <- frees ctx device_run() <- use-after-free crash at 0x538 Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2_m2m_try_run+0x78/0x138 v4l2_m2m_device_run_work+0x14/0x20 The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations. Fix the race by preventing m2m framework job scheduling entirely: - Add job_ready callback returning 0 (no jobs ready for m2m framework) - Remove job_abort callback to avoid the race condition

References

URL

Tags

	https://git.kernel.org/stable/c/516467052fdfc6a13eadc70d43420ae57436bf3c
	https://git.kernel.org/stable/c/42dc622776f3ce1a6c31b13bdc686f7295e3b323
	https://git.kernel.org/stable/c/da4f46c5cf1d26e6b09418ad453e152f2e75a02c
	https://git.kernel.org/stable/c/fdc150dac1adb9a98be9d6956cff0348838b024a
	https://git.kernel.org/stable/c/6be2cb75bc1300080cfc8051579f22efae9401f7
	https://git.kernel.org/stable/c/8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e

Impacted products

Vendor

Product

Version

Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922
Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922
Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922
Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922
Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922
Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922

Version: 5.18

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/amphion/vpu_v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "516467052fdfc6a13eadc70d43420ae57436bf3c",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            },
            {
              "lessThan": "42dc622776f3ce1a6c31b13bdc686f7295e3b323",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            },
            {
              "lessThan": "da4f46c5cf1d26e6b09418ad453e152f2e75a02c",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            },
            {
              "lessThan": "fdc150dac1adb9a98be9d6956cff0348838b024a",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            },
            {
              "lessThan": "6be2cb75bc1300080cfc8051579f22efae9401f7",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            },
            {
              "lessThan": "8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/amphion/vpu_v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: amphion: Fix race between m2m job_abort and device_run\n\nFix kernel panic caused by race condition where v4l2_m2m_ctx_release()\nfrees m2m_ctx while v4l2_m2m_try_run() is about to call device_run\nwith the same context.\n\nRace sequence:\n  v4l2_m2m_try_run():           v4l2_m2m_ctx_release():\n    lock/unlock                   v4l2_m2m_cancel_job()\n                                    job_abort()\n                                      v4l2_m2m_job_finish()\n                                  kfree(m2m_ctx)  \u003c- frees ctx\n    device_run()  \u003c- use-after-free crash at 0x538\n\nCrash trace:\n  Unable to handle kernel read from unreadable memory at virtual address\n  0000000000000538\n  v4l2_m2m_try_run+0x78/0x138\n  v4l2_m2m_device_run_work+0x14/0x20\n\nThe amphion vpu driver does not rely on the m2m framework\u0027s device_run\ncallback to perform encode/decode operations.\n\nFix the race by preventing m2m framework job scheduling entirely:\n- Add job_ready callback returning 0 (no jobs ready for m2m framework)\n- Remove job_abort callback to avoid the race condition"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:51:15.138Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/516467052fdfc6a13eadc70d43420ae57436bf3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/42dc622776f3ce1a6c31b13bdc686f7295e3b323"
        },
        {
          "url": "https://git.kernel.org/stable/c/da4f46c5cf1d26e6b09418ad453e152f2e75a02c"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdc150dac1adb9a98be9d6956cff0348838b024a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6be2cb75bc1300080cfc8051579f22efae9401f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e"
        }
      ],
      "title": "media: amphion: Fix race between m2m job_abort and device_run",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46058",
    "datePublished": "2026-05-27T12:57:17.853Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:51:15.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46138 (GCVE-0-2026-46138)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:57

Severity ?

8.1 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held. Fix this by terminating the BIG if in case not all BIS could be setup properly.

References

URL

Tags

	https://git.kernel.org/stable/c/6cb7f67bc28da787499291a562d49a084d9c90cd
	https://git.kernel.org/stable/c/22559ad7654f61727fc270ee4893da9f4b70cf17
	https://git.kernel.org/stable/c/77981a507aa0fc001dc37f0dd6631dd2042fed17
	https://git.kernel.org/stable/c/665da0baaf0396f9ed3c86ccb3955dcd0b73e774
	https://git.kernel.org/stable/c/5ddb8014261137cadaf83ab5617a588d80a22586

Impacted products

Vendor

Product

Version

Version: a0bfde167b506423111ddb8cd71930497a40fc54
Version: a0bfde167b506423111ddb8cd71930497a40fc54
Version: a0bfde167b506423111ddb8cd71930497a40fc54
Version: a0bfde167b506423111ddb8cd71930497a40fc54
Version: a0bfde167b506423111ddb8cd71930497a40fc54
Version: b475c1109251e30ec21fb574d72a1c71a4ab0039
Version: 2ccde10127447c1a5caad8469fede945bdb62fdf
Version: 6.4.16 ≤
Version: 6.5.3 ≤

Version: 6.6

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47284

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6cb7f67bc28da787499291a562d49a084d9c90cd",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "22559ad7654f61727fc270ee4893da9f4b70cf17",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "77981a507aa0fc001dc37f0dd6631dd2042fed17",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "665da0baaf0396f9ed3c86ccb3955dcd0b73e774",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "5ddb8014261137cadaf83ab5617a588d80a22586",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b475c1109251e30ec21fb574d72a1c71a4ab0039",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2ccde10127447c1a5caad8469fede945bdb62fdf",
              "versionType": "git"
            },
            {
              "lessThan": "6.5",
              "status": "affected",
              "version": "6.4.16",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6",
              "status": "affected",
              "version": "6.5.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\n\nhci_le_create_big_complete_evt() iterates over BT_BOUND connections for\na BIG handle using a while loop, accessing ev-\u003ebis_handle[i++] on each\niteration.  However, there is no check that i stays within ev-\u003enum_bis\nbefore the array access.\n\nWhen a controller sends a LE_Create_BIG_Complete event with fewer\nbis_handle entries than there are BT_BOUND connections for that BIG,\nor with num_bis=0, the loop reads beyond the valid bis_handle[] flex\narray into adjacent heap memory.  Since the out-of-bounds values\ntypically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()\nrejects them and the connection remains in BT_BOUND state.  The same\nconnection is then found again by hci_conn_hash_lookup_big_state(),\ncreating an infinite loop with hci_dev_lock held.\n\nFix this by terminating the BIG if in case not all BIS could be setup\nproperly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:57:18.234Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6cb7f67bc28da787499291a562d49a084d9c90cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/22559ad7654f61727fc270ee4893da9f4b70cf17"
        },
        {
          "url": "https://git.kernel.org/stable/c/77981a507aa0fc001dc37f0dd6631dd2042fed17"
        },
        {
          "url": "https://git.kernel.org/stable/c/665da0baaf0396f9ed3c86ccb3955dcd0b73e774"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ddb8014261137cadaf83ab5617a588d80a22586"
        }
      ],
      "title": "Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46138",
    "datePublished": "2026-05-28T09:35:54.467Z",
    "dateReserved": "2026-05-13T15:03:33.100Z",
    "dateUpdated": "2026-06-14T17:57:18.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47284 (GCVE-0-2026-47284)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Visual Studio Code	Version: 1.0.0 < 1.123.2

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45458

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47284",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T12:38:01.374004Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T12:38:17.320Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:21.905Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47284"
        }
      ],
      "title": "Visual Studio Code Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47284",
    "datePublished": "2026-06-09T17:05:46.525Z",
    "dateReserved": "2026-05-18T23:53:33.896Z",
    "dateUpdated": "2026-06-16T18:18:21.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45458 (GCVE-0-2026-45458)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-416 - Use After Free

Summary

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office 365 for Mac	Version: -
Microsoft	Microsoft Office LTSC 2021	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC 2024	Version: 16.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC for Mac 2021	Version: -
Microsoft	Microsoft Office LTSC for Mac 2024	Version: -
Microsoft	Microsoft SharePoint Enterprise Server 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384
Microsoft	Microsoft Word 2016	Version: 16.0.1 < 16.0.5556.1000

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45458",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-05T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T03:56:17.798Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office 365 for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Word 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1000",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.5556.1000",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Access of resource using incompatible type (\u0027type confusion\u0027) in Microsoft Office allows an unauthorized attacker to execute code locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:20.777Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Outlook and Word Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45458"
        }
      ],
      "title": "Microsoft Outlook and Word Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45458",
    "datePublished": "2026-06-09T17:04:37.163Z",
    "dateReserved": "2026-05-12T16:06:43.097Z",
    "dateUpdated": "2026-06-16T18:17:20.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46024 (GCVE-0-2026-46024)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL. This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol.

References

URL

Tags

	https://git.kernel.org/stable/c/9ded62c302c0342efdb5eda3bf6e75720caad0df
	https://git.kernel.org/stable/c/f101271fcf55d7eacfefd610b51ec65f46ba8118
	https://git.kernel.org/stable/c/4b2738b93edad661178340239de657d876b73d3d
	https://git.kernel.org/stable/c/927e4bd5692f2a4901808822981fb2c8d4456548
	https://git.kernel.org/stable/c/016bc663657366d386993f63eb31072eb45a2b77
	https://git.kernel.org/stable/c/8f2be7285941a33a9f72579a23b96392f83c758e
	https://git.kernel.org/stable/c/5199c125d25aeae8615c4fc31652cc0fe624338e

Impacted products

Vendor

Product

Version

Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc
Version: 4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc

Version: 2.6.34

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/auth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9ded62c302c0342efdb5eda3bf6e75720caad0df",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "f101271fcf55d7eacfefd610b51ec65f46ba8118",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "4b2738b93edad661178340239de657d876b73d3d",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "927e4bd5692f2a4901808822981fb2c8d4456548",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "016bc663657366d386993f63eb31072eb45a2b77",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "8f2be7285941a33a9f72579a23b96392f83c758e",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            },
            {
              "lessThan": "5199c125d25aeae8615c4fc31652cc0fe624338e",
              "status": "affected",
              "version": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/auth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()\n\nIf a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both\nprotocol and result, this is currently not treated as an error. In case\nof ac-\u003enegotiating == true and ac-\u003eprotocol \u003e 0, this leads to setting\nac-\u003eprotocol = 0 and ac-\u003eops = NULL. Thereafter, the check for\nac-\u003eprotocol != protocol returns false, and init_protocol() is not\ncalled. Subsequently, ac-\u003eops-\u003ehandle_reply() is called, which leads to\na null pointer dereference, because ac-\u003eops is still NULL.\n\nThis patch changes the check for ac-\u003eprotocol != protocol to\n!ac-\u003eprotocol, as this also includes the case when the protocol was set\nto zero in the message. This causes the message to be treated as\ncontaining a bad auth protocol."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:45.491Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9ded62c302c0342efdb5eda3bf6e75720caad0df"
        },
        {
          "url": "https://git.kernel.org/stable/c/f101271fcf55d7eacfefd610b51ec65f46ba8118"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b2738b93edad661178340239de657d876b73d3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/927e4bd5692f2a4901808822981fb2c8d4456548"
        },
        {
          "url": "https://git.kernel.org/stable/c/016bc663657366d386993f63eb31072eb45a2b77"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f2be7285941a33a9f72579a23b96392f83c758e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5199c125d25aeae8615c4fc31652cc0fe624338e"
        }
      ],
      "title": "libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46024",
    "datePublished": "2026-05-27T12:56:29.932Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-06-14T17:48:45.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46112 (GCVE-0-2026-46112)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks. The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory. Grab the same locks the other two callers use.

References

URL

Tags

	https://git.kernel.org/stable/c/1f0a3aa8b569d010316b427238222c5d899f9618
	https://git.kernel.org/stable/c/b6296ff2475fc95ee6ea1b528c4b385302808186
	https://git.kernel.org/stable/c/fb4ae739811d467409bd07d0e36cfd4140f3d26a
	https://git.kernel.org/stable/c/fcf6a832c0d5b2bc5398d6996c5570d3ee7993fb
	https://git.kernel.org/stable/c/1912f78798505dc9c637081bbddfbf1c22494c49
	https://git.kernel.org/stable/c/615d9d260c32bb678504ca96f29ae46f9d745155
	https://git.kernel.org/stable/c/0c99acbc8b6c6dd526ae475a48ee1897b61072fb

Impacted products

Vendor

Product

Version

Version: e088a685eae94a0607b8f7b99949a0e14d748813
Version: e088a685eae94a0607b8f7b99949a0e14d748813
Version: e088a685eae94a0607b8f7b99949a0e14d748813
Version: e088a685eae94a0607b8f7b99949a0e14d748813
Version: e088a685eae94a0607b8f7b99949a0e14d748813
Version: e088a685eae94a0607b8f7b99949a0e14d748813
Version: e088a685eae94a0607b8f7b99949a0e14d748813

Version: 4.17

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1f0a3aa8b569d010316b427238222c5d899f9618",
              "status": "affected",
              "version": "e088a685eae94a0607b8f7b99949a0e14d748813",
              "versionType": "git"
            },
            {
              "lessThan": "b6296ff2475fc95ee6ea1b528c4b385302808186",
              "status": "affected",
              "version": "e088a685eae94a0607b8f7b99949a0e14d748813",
              "versionType": "git"
            },
            {
              "lessThan": "fb4ae739811d467409bd07d0e36cfd4140f3d26a",
              "status": "affected",
              "version": "e088a685eae94a0607b8f7b99949a0e14d748813",
              "versionType": "git"
            },
            {
              "lessThan": "fcf6a832c0d5b2bc5398d6996c5570d3ee7993fb",
              "status": "affected",
              "version": "e088a685eae94a0607b8f7b99949a0e14d748813",
              "versionType": "git"
            },
            {
              "lessThan": "1912f78798505dc9c637081bbddfbf1c22494c49",
              "status": "affected",
              "version": "e088a685eae94a0607b8f7b99949a0e14d748813",
              "versionType": "git"
            },
            {
              "lessThan": "615d9d260c32bb678504ca96f29ae46f9d745155",
              "status": "affected",
              "version": "e088a685eae94a0607b8f7b99949a0e14d748813",
              "versionType": "git"
            },
            {
              "lessThan": "0c99acbc8b6c6dd526ae475a48ee1897b61072fb",
              "status": "affected",
              "version": "e088a685eae94a0607b8f7b99949a0e14d748813",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix unlocked call to hns_roce_qp_remove()\n\nSashiko points out that hns_roce_qp_remove() requires the caller to hold\nlocks.  The error flow in hns_roce_create_qp_common() doesn\u0027t hold those\nlocks for the error unwind so it risks corrupting memory.\n\nGrab the same locks the other two callers use."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:20.430Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1f0a3aa8b569d010316b427238222c5d899f9618"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6296ff2475fc95ee6ea1b528c4b385302808186"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb4ae739811d467409bd07d0e36cfd4140f3d26a"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcf6a832c0d5b2bc5398d6996c5570d3ee7993fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/1912f78798505dc9c637081bbddfbf1c22494c49"
        },
        {
          "url": "https://git.kernel.org/stable/c/615d9d260c32bb678504ca96f29ae46f9d745155"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c99acbc8b6c6dd526ae475a48ee1897b61072fb"
        }
      ],
      "title": "RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46112",
    "datePublished": "2026-05-28T09:35:20.879Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:20.430Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46187 (GCVE-0-2026-46187)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: fix kthread lifetime race between self-exit and external-stop RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur. However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again. Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.

References

URL

Tags

	https://git.kernel.org/stable/c/4ac3095da22fc50e51ec10c3b8323c21ab3e441a
	https://git.kernel.org/stable/c/9dfe8a4458a063c6433526bc59112a169eee1aa3
	https://git.kernel.org/stable/c/4f697813162d5f9151726a6d2bee82bffe4b0256
	https://git.kernel.org/stable/c/95fcb436586dc3c2983537d557ac05bbc6a027f3
	https://git.kernel.org/stable/c/16d9f674c619838bdeae42abc0929c9c5477ea1f
	https://git.kernel.org/stable/c/4f9a4ae8d2c198f01611ea376034c326ef43ab56
	https://git.kernel.org/stable/c/4f4c9b13c485abd0a2d2c97f9db339d1dd8e147f
	https://git.kernel.org/stable/c/db57a1aa54ff68669781976e4edb045e09e2b65b

Impacted products

Vendor

Product

Version

Version: 4c62764d0fc21a34ffc44eec1210038c3a2e4473
Version: 4c62764d0fc21a34ffc44eec1210038c3a2e4473
Version: 4c62764d0fc21a34ffc44eec1210038c3a2e4473
Version: 4c62764d0fc21a34ffc44eec1210038c3a2e4473
Version: 4c62764d0fc21a34ffc44eec1210038c3a2e4473
Version: 4c62764d0fc21a34ffc44eec1210038c3a2e4473
Version: 4c62764d0fc21a34ffc44eec1210038c3a2e4473
Version: 4c62764d0fc21a34ffc44eec1210038c3a2e4473
Version: d8f70ad66032363e3edceee81a7be2aaccb2d7f5
Version: ec759c0015fb7d4f5c7cb5711d2c8905724c7983
Version: c8ed05b1d8520f40395916438da9b38ce937a896
Version: ad78e2e057ab8d914a2b5e3e6acf29c3c8a428a3
Version: de1fd69b6541ff61177114d63af7ea719c426cf0
Version: 3.18.139   ≤
Version: 4.4.179   ≤
Version: 4.9.170   ≤
Version: 4.14.113   ≤
Version: 4.19.36   ≤

Version: 4.20

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45475

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/rsi/rsi_common.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ac3095da22fc50e51ec10c3b8323c21ab3e441a",
              "status": "affected",
              "version": "4c62764d0fc21a34ffc44eec1210038c3a2e4473",
              "versionType": "git"
            },
            {
              "lessThan": "9dfe8a4458a063c6433526bc59112a169eee1aa3",
              "status": "affected",
              "version": "4c62764d0fc21a34ffc44eec1210038c3a2e4473",
              "versionType": "git"
            },
            {
              "lessThan": "4f697813162d5f9151726a6d2bee82bffe4b0256",
              "status": "affected",
              "version": "4c62764d0fc21a34ffc44eec1210038c3a2e4473",
              "versionType": "git"
            },
            {
              "lessThan": "95fcb436586dc3c2983537d557ac05bbc6a027f3",
              "status": "affected",
              "version": "4c62764d0fc21a34ffc44eec1210038c3a2e4473",
              "versionType": "git"
            },
            {
              "lessThan": "16d9f674c619838bdeae42abc0929c9c5477ea1f",
              "status": "affected",
              "version": "4c62764d0fc21a34ffc44eec1210038c3a2e4473",
              "versionType": "git"
            },
            {
              "lessThan": "4f9a4ae8d2c198f01611ea376034c326ef43ab56",
              "status": "affected",
              "version": "4c62764d0fc21a34ffc44eec1210038c3a2e4473",
              "versionType": "git"
            },
            {
              "lessThan": "4f4c9b13c485abd0a2d2c97f9db339d1dd8e147f",
              "status": "affected",
              "version": "4c62764d0fc21a34ffc44eec1210038c3a2e4473",
              "versionType": "git"
            },
            {
              "lessThan": "db57a1aa54ff68669781976e4edb045e09e2b65b",
              "status": "affected",
              "version": "4c62764d0fc21a34ffc44eec1210038c3a2e4473",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d8f70ad66032363e3edceee81a7be2aaccb2d7f5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ec759c0015fb7d4f5c7cb5711d2c8905724c7983",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c8ed05b1d8520f40395916438da9b38ce937a896",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ad78e2e057ab8d914a2b5e3e6acf29c3c8a428a3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "de1fd69b6541ff61177114d63af7ea719c426cf0",
              "versionType": "git"
            },
            {
              "lessThan": "3.19",
              "status": "affected",
              "version": "3.18.139",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.179",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.170",
              "versionType": "semver"
            },
            {
              "lessThan": "4.15",
              "status": "affected",
              "version": "4.14.113",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.36",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/rsi/rsi_common.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.139",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.170",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.36",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: fix kthread lifetime race between self-exit and external-stop\n\nRSI driver use both self-exit(kthread_complete_and_exit) and external-stop\n(kthread_stop) when killing a kthread. Generally, kthread_stop() is called\nfirst, and in this case, no particular issues occur.\n\nHowever, in rare instances where kthread_complete_and_exit() is called\nfirst and then kthread_stop() is called, a UAF occurs because the kthread\nobject, which has already exited and been freed, is accessed again.\n\nTherefore, to prevent this with minimal modification, you must remove\nkthread_stop() and change the code to wait until the self-exit operation\nis completed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:14.431Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ac3095da22fc50e51ec10c3b8323c21ab3e441a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dfe8a4458a063c6433526bc59112a169eee1aa3"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f697813162d5f9151726a6d2bee82bffe4b0256"
        },
        {
          "url": "https://git.kernel.org/stable/c/95fcb436586dc3c2983537d557ac05bbc6a027f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/16d9f674c619838bdeae42abc0929c9c5477ea1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f9a4ae8d2c198f01611ea376034c326ef43ab56"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f4c9b13c485abd0a2d2c97f9db339d1dd8e147f"
        },
        {
          "url": "https://git.kernel.org/stable/c/db57a1aa54ff68669781976e4edb045e09e2b65b"
        }
      ],
      "title": "wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46187",
    "datePublished": "2026-05-28T09:36:41.427Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:01:14.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45475 (GCVE-0-2026-45475)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

Microsoft	Microsoft Office 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft Office 2019	Version: 19.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office 365 for Mac	Version: -
Microsoft	Microsoft Office LTSC 2021	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC 2024	Version: 16.0.0 < https://aka.ms/OfficeSecurityReleases
Microsoft	Microsoft Office LTSC for Mac 2021	Version: -
Microsoft	Microsoft Office LTSC for Mac 2024	Version: -
Microsoft	Microsoft SharePoint Enterprise Server 2016	Version: 16.0.0 < 16.0.5556.1005
Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42835

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:20.606890Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:33:12.529Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office 365 for Mac",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "product": "Microsoft Office LTSC for Mac 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:05.606Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Office Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45475"
        }
      ],
      "title": "Microsoft Office Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45475",
    "datePublished": "2026-06-09T17:04:21.185Z",
    "dateReserved": "2026-05-12T16:06:43.100Z",
    "dateUpdated": "2026-06-16T18:17:05.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42835 (GCVE-0-2026-42835)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Summary

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Teams for Android allows an authorized attacker to disclose information over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft Teams for Android	Version: 1.0.0 < 1.0.76.2026111302

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45454

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42835",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T12:31:07.373821Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T12:31:24.645Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Teams for Android",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.0.76.2026111302",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:teams:*:*:*:*:*:android:*:*",
                  "versionEndExcluding": "1.0.76.2026111302",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of special elements in output used by a downstream component (\u0027injection\u0027) in Microsoft Teams for Android allows an authorized attacker to disclose information over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:59.002Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Teams for Android Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42835"
        }
      ],
      "title": "Microsoft Teams for Android Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-42835",
    "datePublished": "2026-06-09T17:05:20.687Z",
    "dateReserved": "2026-04-30T14:51:12.703Z",
    "dateUpdated": "2026-06-16T18:17:59.002Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45454 (GCVE-0-2026-45454)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45454",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:56:58.087923Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:20:50.176Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper limitation of a pathname to a restricted directory (\u0027path traversal\u0027) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:00.697Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45454"
        }
      ],
      "title": "Microsoft SharePoint Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45454",
    "datePublished": "2026-06-09T17:05:22.619Z",
    "dateReserved": "2026-05-12T16:06:43.096Z",
    "dateUpdated": "2026-06-16T18:18:00.697Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46018 (GCVE-0-2026-46018)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while probe still holds register_mutex. Stop the whole parse once the cap is reached and return the number of rates collected so far.

References

URL

Tags

	https://git.kernel.org/stable/c/5436bc1b07d4656f99412dc72871d250d7d55205
	https://git.kernel.org/stable/c/0da05fedf5e1966b7e7d389866cb86fcf09f4b32
	https://git.kernel.org/stable/c/f14bd323eec4b4f0ef662520ec852e593ece1d4c
	https://git.kernel.org/stable/c/ab5ba9fd138758ddc50222264ff246b31e397abf
	https://git.kernel.org/stable/c/ba036305323814ec1f8655313b2fa6a0f7048716
	https://git.kernel.org/stable/c/4d7893a137eadb6163ea4298bf67d74b811d76ef
	https://git.kernel.org/stable/c/a0b78639ef09b2e77974a3de3b1c07f6de3c5e56
	https://git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fd

Impacted products

Vendor

Product

Version

Version: 4fa0e81b83503900be277e6273a79651b375e288
Version: 4fa0e81b83503900be277e6273a79651b375e288
Version: 4fa0e81b83503900be277e6273a79651b375e288
Version: 4fa0e81b83503900be277e6273a79651b375e288
Version: 4fa0e81b83503900be277e6273a79651b375e288
Version: 4fa0e81b83503900be277e6273a79651b375e288
Version: 4fa0e81b83503900be277e6273a79651b375e288
Version: 4fa0e81b83503900be277e6273a79651b375e288
Version: 44f059fb742aac78cffdab5e0d8fe0c9910c1ded
Version: c25a53781f61c78bf2a2fa308bbd35b42ba346f6
Version: 3.0.81 ≤
Version: 3.2.47 ≤

Version: 3.3

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/format.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5436bc1b07d4656f99412dc72871d250d7d55205",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "0da05fedf5e1966b7e7d389866cb86fcf09f4b32",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "f14bd323eec4b4f0ef662520ec852e593ece1d4c",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "ab5ba9fd138758ddc50222264ff246b31e397abf",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "ba036305323814ec1f8655313b2fa6a0f7048716",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "4d7893a137eadb6163ea4298bf67d74b811d76ef",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "a0b78639ef09b2e77974a3de3b1c07f6de3c5e56",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "3c318f97dcc50b2e0556a1813bd6958678e881fd",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "44f059fb742aac78cffdab5e0d8fe0c9910c1ded",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c25a53781f61c78bf2a2fa308bbd35b42ba346f6",
              "versionType": "git"
            },
            {
              "lessThan": "3.1",
              "status": "affected",
              "version": "3.0.81",
              "versionType": "semver"
            },
            {
              "lessThan": "3.3",
              "status": "affected",
              "version": "3.2.47",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/format.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.0.81",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.47",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES\n\nparse_uac2_sample_rate_range() caps the number of enumerated\nrates at MAX_NR_RATES, but it only breaks out of the current\nrate loop. A malformed UAC2 RANGE response with additional\ntriplets continues parsing the remaining triplets and repeatedly\nprints \"invalid uac2 rates\" while probe still holds\nregister_mutex.\n\nStop the whole parse once the cap is reached and return the\nnumber of rates collected so far."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:18.248Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5436bc1b07d4656f99412dc72871d250d7d55205"
        },
        {
          "url": "https://git.kernel.org/stable/c/0da05fedf5e1966b7e7d389866cb86fcf09f4b32"
        },
        {
          "url": "https://git.kernel.org/stable/c/f14bd323eec4b4f0ef662520ec852e593ece1d4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab5ba9fd138758ddc50222264ff246b31e397abf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba036305323814ec1f8655313b2fa6a0f7048716"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d7893a137eadb6163ea4298bf67d74b811d76ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0b78639ef09b2e77974a3de3b1c07f6de3c5e56"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fd"
        }
      ],
      "title": "ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46018",
    "datePublished": "2026-05-27T12:56:19.588Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:48:18.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46109 (GCVE-0-2026-46109)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix memory leak on ulpi_register() error paths Commit 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails. But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked. Add kfree(ulpi) on both error paths to properly clean up the allocation.

References

URL

Tags

	https://git.kernel.org/stable/c/0c2c0c6820fe96fa4be0a0499f8d3f3321b9af6c
	https://git.kernel.org/stable/c/f1b855c00988a9cb41134cab7cf9faedba775dd9
	https://git.kernel.org/stable/c/7bd61ed0bf9f4f1f2673d489b3bda1555b48d054
	https://git.kernel.org/stable/c/b0c0d44adb55c66663886cb6e30ee92cbb0f5385
	https://git.kernel.org/stable/c/be2c1d825f54277472c87019e82013ac534ddc4c
	https://git.kernel.org/stable/c/2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d
	https://git.kernel.org/stable/c/f30ccfc2985590b33a23a3d8bed7ca16c0af551b
	https://git.kernel.org/stable/c/0b9fcab1b8608d429e5f239afb197de928d4de7d

Impacted products

Vendor

Product

Version

Version: 2f70ba9dae13a190673cc3f9b4aad52179738f60
Version: ee248e6e941e4f2e634df2bd43e5f1ef810ab6df
Version: 272a9b26c336a295e4e209157fed809706c1b1f7
Version: aaeae6533d77e6ed4def85baec01e2815ebbef61
Version: 8763f8317bb389aded32a32b08f6751cfff657d2
Version: 38c28fe25611099230f0965c925499bfcf46a795
Version: 01af542392b5d41fd659d487015a71f627accce3
Version: 01af542392b5d41fd659d487015a71f627accce3
Version: a6e5461f076c2ef63159f18e5cdbd30b50f0bc15
Version: 5.10.253   ≤
Version: 5.15.203   ≤
Version: 6.1.168   ≤
Version: 6.6.134   ≤
Version: 6.12.81   ≤
Version: 6.18.22   ≤
Version: 6.19.12   ≤

Version: 7.0

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/common/ulpi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c2c0c6820fe96fa4be0a0499f8d3f3321b9af6c",
              "status": "affected",
              "version": "2f70ba9dae13a190673cc3f9b4aad52179738f60",
              "versionType": "git"
            },
            {
              "lessThan": "f1b855c00988a9cb41134cab7cf9faedba775dd9",
              "status": "affected",
              "version": "ee248e6e941e4f2e634df2bd43e5f1ef810ab6df",
              "versionType": "git"
            },
            {
              "lessThan": "7bd61ed0bf9f4f1f2673d489b3bda1555b48d054",
              "status": "affected",
              "version": "272a9b26c336a295e4e209157fed809706c1b1f7",
              "versionType": "git"
            },
            {
              "lessThan": "b0c0d44adb55c66663886cb6e30ee92cbb0f5385",
              "status": "affected",
              "version": "aaeae6533d77e6ed4def85baec01e2815ebbef61",
              "versionType": "git"
            },
            {
              "lessThan": "be2c1d825f54277472c87019e82013ac534ddc4c",
              "status": "affected",
              "version": "8763f8317bb389aded32a32b08f6751cfff657d2",
              "versionType": "git"
            },
            {
              "lessThan": "2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d",
              "status": "affected",
              "version": "38c28fe25611099230f0965c925499bfcf46a795",
              "versionType": "git"
            },
            {
              "lessThan": "f30ccfc2985590b33a23a3d8bed7ca16c0af551b",
              "status": "affected",
              "version": "01af542392b5d41fd659d487015a71f627accce3",
              "versionType": "git"
            },
            {
              "lessThan": "0b9fcab1b8608d429e5f239afb197de928d4de7d",
              "status": "affected",
              "version": "01af542392b5d41fd659d487015a71f627accce3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a6e5461f076c2ef63159f18e5cdbd30b50f0bc15",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.258",
              "status": "affected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.209",
              "status": "affected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.88",
              "status": "affected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.30",
              "status": "affected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThan": "6.20",
              "status": "affected",
              "version": "6.19.12",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/common/ulpi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "7.0"
            },
            {
              "lessThan": "7.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.10.253",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15.203",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.168",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.134",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.12.81",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.18.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.19.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: fix memory leak on ulpi_register() error paths\n\nCommit 01af542392b5 (\"usb: ulpi: fix double free in\nulpi_register_interface() error path\") removed kfree(ulpi) from\nulpi_register_interface() to fix a double-free when device_register()\nfails.\n\nBut when ulpi_of_register() or ulpi_read_id() fail before\ndevice_register() is called, the ulpi allocation is leaked.\n\nAdd kfree(ulpi) on both error paths to properly clean up the allocation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:07.015Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c2c0c6820fe96fa4be0a0499f8d3f3321b9af6c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1b855c00988a9cb41134cab7cf9faedba775dd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bd61ed0bf9f4f1f2673d489b3bda1555b48d054"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0c0d44adb55c66663886cb6e30ee92cbb0f5385"
        },
        {
          "url": "https://git.kernel.org/stable/c/be2c1d825f54277472c87019e82013ac534ddc4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f30ccfc2985590b33a23a3d8bed7ca16c0af551b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b9fcab1b8608d429e5f239afb197de928d4de7d"
        }
      ],
      "title": "usb: ulpi: fix memory leak on ulpi_register() error paths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46109",
    "datePublished": "2026-05-28T09:35:16.409Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:07.015Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46165 (GCVE-0-2026-46165)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: openvswitch: vport: fix self-deadlock on release of tunnel ports vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period. So, either in an RCU call or after the synchronize_net(). The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context. Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here. However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone. In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal. Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.

References

URL

Tags

	https://git.kernel.org/stable/c/8ae6c15fc473c9ad03b0173330cce9a092c76154
	https://git.kernel.org/stable/c/c741433f6c8dcdecd1d9549d89053761fd1ea413
	https://git.kernel.org/stable/c/6522d59fb7de55ce0f0f285d962243ddffebb01f
	https://git.kernel.org/stable/c/3df75fff46b1517eb479d8e6b8e3500763715dd0
	https://git.kernel.org/stable/c/366c482965c673565ecb8bcfb15d5548f13a6a10
	https://git.kernel.org/stable/c/aa69918bd418e700309fdd08509dba324fb24296

Impacted products

Vendor

Product

Version

Version: 9d56aced21fb9c104e8a3f3be9b21fbafe448ffc
Version: 42f0d3d81209654c08ffdde5a34b9b92d2645896
Version: bbe7bd722bfaea36aab3da6cc60fb4a05c644643
Version: 98b726ab5e2a4811e27c28e4d041f75bba147eab
Version: 6931d21f87bc6d657f145798fad0bf077b82486c
Version: 6931d21f87bc6d657f145798fad0bf077b82486c
Version: b8c56a3fc5d879c0928f207a756b0f067f06c6a8
Version: 6.1.168   ≤
Version: 6.6.131   ≤
Version: 6.12.80   ≤
Version: 6.18.21   ≤
Version: 6.19.11   ≤

Version: 7.0

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48569

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/vport-netdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8ae6c15fc473c9ad03b0173330cce9a092c76154",
              "status": "affected",
              "version": "9d56aced21fb9c104e8a3f3be9b21fbafe448ffc",
              "versionType": "git"
            },
            {
              "lessThan": "c741433f6c8dcdecd1d9549d89053761fd1ea413",
              "status": "affected",
              "version": "42f0d3d81209654c08ffdde5a34b9b92d2645896",
              "versionType": "git"
            },
            {
              "lessThan": "6522d59fb7de55ce0f0f285d962243ddffebb01f",
              "status": "affected",
              "version": "bbe7bd722bfaea36aab3da6cc60fb4a05c644643",
              "versionType": "git"
            },
            {
              "lessThan": "3df75fff46b1517eb479d8e6b8e3500763715dd0",
              "status": "affected",
              "version": "98b726ab5e2a4811e27c28e4d041f75bba147eab",
              "versionType": "git"
            },
            {
              "lessThan": "366c482965c673565ecb8bcfb15d5548f13a6a10",
              "status": "affected",
              "version": "6931d21f87bc6d657f145798fad0bf077b82486c",
              "versionType": "git"
            },
            {
              "lessThan": "aa69918bd418e700309fdd08509dba324fb24296",
              "status": "affected",
              "version": "6931d21f87bc6d657f145798fad0bf077b82486c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b8c56a3fc5d879c0928f207a756b0f067f06c6a8",
              "versionType": "git"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.131",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.88",
              "status": "affected",
              "version": "6.12.80",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.30",
              "status": "affected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThan": "6.20",
              "status": "affected",
              "version": "6.19.11",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/vport-netdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "7.0"
            },
            {
              "lessThan": "7.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.168",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.131",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.12.80",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.18.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.19.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: vport: fix self-deadlock on release of tunnel ports\n\nvports are used concurrently and protected by RCU, so netdev_put()\nmust happen after the RCU grace period.  So, either in an RCU call or\nafter the synchronize_net().  The rtnl_delete_link() must happen under\nRTNL and so can\u0027t be executed in RCU context.  Calling synchronize_net()\nwhile holding RTNL is not a good idea for performance and system\nstability under load in general, so calling netdev_put() in RCU call\nis the right solution here.\n\nHowever,\nwhen the device is deleted, rtnl_unlock() will call netdev_run_todo()\nand block until all the references are gone.  In the current code this\nmeans that we never reach the call_rcu() and the vport is never freed\nand the reference is never released, causing a self-deadlock on device\nremoval.\n\nFix that by moving the rcu_call() before the rtnl_unlock(), so the\nscheduled RCU callback will be executed when synchronize_net() is\ncalled from the rtnl_unlock()-\u003enetdev_run_todo() while the RTNL itself\nis already released."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:59:29.913Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8ae6c15fc473c9ad03b0173330cce9a092c76154"
        },
        {
          "url": "https://git.kernel.org/stable/c/c741433f6c8dcdecd1d9549d89053761fd1ea413"
        },
        {
          "url": "https://git.kernel.org/stable/c/6522d59fb7de55ce0f0f285d962243ddffebb01f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3df75fff46b1517eb479d8e6b8e3500763715dd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/366c482965c673565ecb8bcfb15d5548f13a6a10"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa69918bd418e700309fdd08509dba324fb24296"
        }
      ],
      "title": "openvswitch: vport: fix self-deadlock on release of tunnel ports",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46165",
    "datePublished": "2026-05-28T09:36:20.855Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-06-14T17:59:29.913Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48569 (GCVE-0-2026-48569)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-20 - Improper Input Validation
CWE-23 - Relative Path Traversal

Summary

Improper input validation in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Visual Studio Code	Version: 1.0.0 < 1.123.2

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48569",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T17:50:13.759971Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T17:50:22.946Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper input validation in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:28.583Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Security Feature Bypass Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48569"
        }
      ],
      "title": "Visual Studio Code Security Feature Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-48569",
    "datePublished": "2026-06-09T17:05:53.588Z",
    "dateReserved": "2026-05-21T20:00:35.245Z",
    "dateUpdated": "2026-06-16T18:18:28.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46152 (GCVE-0-2026-46152)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:58

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result.

References

URL

Tags

	https://git.kernel.org/stable/c/03584528bfffb195e384698af9148b94e42e3f14
	https://git.kernel.org/stable/c/1739fc31b4de06c5c78ce0741182770fb079091e
	https://git.kernel.org/stable/c/e131562d6f2b958148c35c98831b007f47f0e3d3
	https://git.kernel.org/stable/c/3ef44f96ccc3e06e059dec57842e366f0c4b1893
	https://git.kernel.org/stable/c/7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba

Impacted products

Vendor

Product

Version

Version: 3468e1e0c639032a603450f0830ccabfa76f5806
Version: 3468e1e0c639032a603450f0830ccabfa76f5806
Version: 3468e1e0c639032a603450f0830ccabfa76f5806
Version: 3468e1e0c639032a603450f0830ccabfa76f5806
Version: 3468e1e0c639032a603450f0830ccabfa76f5806

Version: 6.4

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47640

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "03584528bfffb195e384698af9148b94e42e3f14",
              "status": "affected",
              "version": "3468e1e0c639032a603450f0830ccabfa76f5806",
              "versionType": "git"
            },
            {
              "lessThan": "1739fc31b4de06c5c78ce0741182770fb079091e",
              "status": "affected",
              "version": "3468e1e0c639032a603450f0830ccabfa76f5806",
              "versionType": "git"
            },
            {
              "lessThan": "e131562d6f2b958148c35c98831b007f47f0e3d3",
              "status": "affected",
              "version": "3468e1e0c639032a603450f0830ccabfa76f5806",
              "versionType": "git"
            },
            {
              "lessThan": "3ef44f96ccc3e06e059dec57842e366f0c4b1893",
              "status": "affected",
              "version": "3468e1e0c639032a603450f0830ccabfa76f5806",
              "versionType": "git"
            },
            {
              "lessThan": "7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba",
              "status": "affected",
              "version": "3468e1e0c639032a603450f0830ccabfa76f5806",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result\n\nieee80211_invoke_fast_rx() is documented as safe for parallel RX, but\nits per-invocation rx_result is declared static. Concurrent callers then\nshare one instance and can overwrite each other\u0027s result between\nieee80211_rx_mesh_data() and the switch on res.\n\nThat can make a packet that was queued or consumed by\nieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make\na packet that should continue return as queued.\n\nMake res an automatic variable so each invocation keeps its own result."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:58:25.196Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/03584528bfffb195e384698af9148b94e42e3f14"
        },
        {
          "url": "https://git.kernel.org/stable/c/1739fc31b4de06c5c78ce0741182770fb079091e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e131562d6f2b958148c35c98831b007f47f0e3d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ef44f96ccc3e06e059dec57842e366f0c4b1893"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba"
        }
      ],
      "title": "wifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46152",
    "datePublished": "2026-05-28T09:36:08.211Z",
    "dateReserved": "2026-05-13T15:03:33.101Z",
    "dateUpdated": "2026-06-14T17:58:25.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47640 (GCVE-0-2026-47640)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47640",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:12:10.469881Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:12:23.184Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:24.104Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47640"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47640",
    "datePublished": "2026-06-09T17:05:48.756Z",
    "dateReserved": "2026-05-19T20:12:27.070Z",
    "dateUpdated": "2026-06-16T18:18:24.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46031 (GCVE-0-2026-46031)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:49

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Reinstate disabling of BHs around IRQ handler If the driver executes ks8851_irq() AND a TX packet has been sent, then the driver enables TX queue via netif_wake_queue() which schedules TX softirq to queue packets for this device. If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() is called with BH enabled, then local_bh_enable() at the end of netdev_alloc_skb_ip_align() will trigger the pending softirq processing, which may ultimately call the .xmit callback ks8851_start_xmit_par(). The ks8851_start_xmit_par() will try to lock struct ks8851_net_par .lock spinlock, which is already locked by ks8851_irq() from which ks8851_start_xmit_par() was called. This leads to a deadlock, which is reported by the kernel, including a trace listed below. If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 ("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock can also be triggered without received packet in the RX FIFO. The pending softirqs will be processed on return from spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the deadlock as well. Fix the problem by disabling BH around critical sections, including the IRQ handler, thus preventing the net_tx_action() softirq from triggering during these critical sections. The net_tx_action() softirq is triggered once BH are re-enabled and at the end of the IRQ handler, once all the other IRQ handler actions have been completed. __schedule from schedule_rtlock+0x1c/0x34 schedule_rtlock from rtlock_slowlock_locked+0x548/0x904 rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8 ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44 netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188 dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c sch_direct_xmit from __qdisc_run+0x1f8/0x4ec __qdisc_run from qdisc_run+0x1c/0x28 qdisc_run from net_tx_action+0x1f0/0x268 net_tx_action from handle_softirqs+0x1a4/0x270 handle_softirqs from __local_bh_enable_ip+0xcc/0xe0 __local_bh_enable_ip from __alloc_skb+0xd8/0x128 __alloc_skb from __netdev_alloc_skb+0x3c/0x19c __netdev_alloc_skb from ks8851_irq+0x388/0x4d4 ks8851_irq from irq_thread_fn+0x24/0x64 irq_thread_fn from irq_thread+0x178/0x28c irq_thread from kthread+0x12c/0x138 kthread from ret_from_fork+0x14/0x28

References

URL

Tags

	https://git.kernel.org/stable/c/1962027a6d223f90df8b372929f9d1a8d321ad6a
	https://git.kernel.org/stable/c/640a7631d31db87d5fa1b34cea44a99b6e78854b
	https://git.kernel.org/stable/c/518040324067d8efaa2da1992297b7e7bf5640f4
	https://git.kernel.org/stable/c/be8aad558b4675f45b43080f81a9ffdeddea73a5
	https://git.kernel.org/stable/c/21f1707a8e978558dcb11b053855521e32ac0eec
	https://git.kernel.org/stable/c/5c9fcac3c872224316714d0d8914d9af16c76a6d

Impacted products

Vendor

Product

Version

Version: 8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545
Version: ae87f661f3c1a3134a7ed86ab69bf9f12af88993
Version: e0863634bf9f7cf36291ebb5bfa2d16632f79c49
Version: e0863634bf9f7cf36291ebb5bfa2d16632f79c49
Version: e0863634bf9f7cf36291ebb5bfa2d16632f79c49
Version: e0863634bf9f7cf36291ebb5bfa2d16632f79c49
Version: 7e2901a2a9195da76111f351584bf77552a038f0
Version: 6.1.91   ≤
Version: 6.6.31   ≤
Version: 6.8.10   ≤

Version: 6.9

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/micrel/ks8851.h",
            "drivers/net/ethernet/micrel/ks8851_common.c",
            "drivers/net/ethernet/micrel/ks8851_par.c",
            "drivers/net/ethernet/micrel/ks8851_spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1962027a6d223f90df8b372929f9d1a8d321ad6a",
              "status": "affected",
              "version": "8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545",
              "versionType": "git"
            },
            {
              "lessThan": "640a7631d31db87d5fa1b34cea44a99b6e78854b",
              "status": "affected",
              "version": "ae87f661f3c1a3134a7ed86ab69bf9f12af88993",
              "versionType": "git"
            },
            {
              "lessThan": "518040324067d8efaa2da1992297b7e7bf5640f4",
              "status": "affected",
              "version": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49",
              "versionType": "git"
            },
            {
              "lessThan": "be8aad558b4675f45b43080f81a9ffdeddea73a5",
              "status": "affected",
              "version": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49",
              "versionType": "git"
            },
            {
              "lessThan": "21f1707a8e978558dcb11b053855521e32ac0eec",
              "status": "affected",
              "version": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49",
              "versionType": "git"
            },
            {
              "lessThan": "5c9fcac3c872224316714d0d8914d9af16c76a6d",
              "status": "affected",
              "version": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7e2901a2a9195da76111f351584bf77552a038f0",
              "versionType": "git"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.91",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.31",
              "versionType": "semver"
            },
            {
              "lessThan": "6.9",
              "status": "affected",
              "version": "6.8.10",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/micrel/ks8851.h",
            "drivers/net/ethernet/micrel/ks8851_common.c",
            "drivers/net/ethernet/micrel/ks8851_par.c",
            "drivers/net/ethernet/micrel/ks8851_spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.91",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Reinstate disabling of BHs around IRQ handler\n\nIf the driver executes ks8851_irq() AND a TX packet has been sent, then\nthe driver enables TX queue via netif_wake_queue() which schedules TX\nsoftirq to queue packets for this device.\n\nIf CONFIG_PREEMPT_RT=y is set AND a packet has also been received by\nthe MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to\nallocate SKBs for the received packets. If netdev_alloc_skb_ip_align()\nis called with BH enabled, then local_bh_enable() at the end of\nnetdev_alloc_skb_ip_align() will trigger the pending softirq processing,\nwhich may ultimately call the .xmit callback ks8851_start_xmit_par().\nThe ks8851_start_xmit_par() will try to lock struct ks8851_net_par\n.lock spinlock, which is already locked by ks8851_irq() from which\nks8851_start_xmit_par() was called. This leads to a deadlock, which\nis reported by the kernel, including a trace listed below.\n\nIf CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0\n(\"net: ks8851: Fix deadlock with the SPI chip variant\") the deadlock\ncan also be triggered without received packet in the RX FIFO. The\npending softirqs will be processed on return from\nspin_unlock_bh(\u0026ks-\u003estatelock) in ks8851_irq(), which triggers the\ndeadlock as well.\n\nFix the problem by disabling BH around critical sections, including the\nIRQ handler, thus preventing the net_tx_action() softirq from triggering\nduring these critical sections. The net_tx_action() softirq is triggered\nonce BH are re-enabled and at the end of the IRQ handler, once all the\nother IRQ handler actions have been completed.\n\n __schedule from schedule_rtlock+0x1c/0x34\n schedule_rtlock from rtlock_slowlock_locked+0x548/0x904\n rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c\n rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8\n ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44\n netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188\n dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c\n sch_direct_xmit from __qdisc_run+0x1f8/0x4ec\n __qdisc_run from qdisc_run+0x1c/0x28\n qdisc_run from net_tx_action+0x1f0/0x268\n net_tx_action from handle_softirqs+0x1a4/0x270\n handle_softirqs from __local_bh_enable_ip+0xcc/0xe0\n __local_bh_enable_ip from __alloc_skb+0xd8/0x128\n __alloc_skb from __netdev_alloc_skb+0x3c/0x19c\n __netdev_alloc_skb from ks8851_irq+0x388/0x4d4\n ks8851_irq from irq_thread_fn+0x24/0x64\n irq_thread_fn from irq_thread+0x178/0x28c\n irq_thread from kthread+0x12c/0x138\n kthread from ret_from_fork+0x14/0x28"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:49:15.423Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1962027a6d223f90df8b372929f9d1a8d321ad6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/640a7631d31db87d5fa1b34cea44a99b6e78854b"
        },
        {
          "url": "https://git.kernel.org/stable/c/518040324067d8efaa2da1992297b7e7bf5640f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/be8aad558b4675f45b43080f81a9ffdeddea73a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/21f1707a8e978558dcb11b053855521e32ac0eec"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c9fcac3c872224316714d0d8914d9af16c76a6d"
        }
      ],
      "title": "net: ks8851: Reinstate disabling of BHs around IRQ handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46031",
    "datePublished": "2026-05-27T12:56:40.357Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-06-14T17:49:15.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46005 (GCVE-0-2026-46005)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: xfs: fix a resource leak in xfs_alloc_buftarg() In the error path, call fs_put_dax() to drop the DAX device reference.

References

URL

Tags

	https://git.kernel.org/stable/c/82fb9da6477d08bdab954dc7bc081a41f2f9cae6
	https://git.kernel.org/stable/c/28a6c132b8c6e5eeefa889c4fb43d65b12989d48
	https://git.kernel.org/stable/c/5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9
	https://git.kernel.org/stable/c/5804cb507233ed767a83ac70527b2f6c4566ec75
	https://git.kernel.org/stable/c/29a7b2614357393b176ef06ba5bc3ff5afc8df69

Impacted products

Vendor

Product

Version

Version: 6f643c57d57c56d4677bc05f1fca2ef3f249797c
Version: 6f643c57d57c56d4677bc05f1fca2ef3f249797c
Version: 6f643c57d57c56d4677bc05f1fca2ef3f249797c
Version: 6f643c57d57c56d4677bc05f1fca2ef3f249797c
Version: 6f643c57d57c56d4677bc05f1fca2ef3f249797c

Version: 6.0

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47631

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/xfs_buf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "82fb9da6477d08bdab954dc7bc081a41f2f9cae6",
              "status": "affected",
              "version": "6f643c57d57c56d4677bc05f1fca2ef3f249797c",
              "versionType": "git"
            },
            {
              "lessThan": "28a6c132b8c6e5eeefa889c4fb43d65b12989d48",
              "status": "affected",
              "version": "6f643c57d57c56d4677bc05f1fca2ef3f249797c",
              "versionType": "git"
            },
            {
              "lessThan": "5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9",
              "status": "affected",
              "version": "6f643c57d57c56d4677bc05f1fca2ef3f249797c",
              "versionType": "git"
            },
            {
              "lessThan": "5804cb507233ed767a83ac70527b2f6c4566ec75",
              "status": "affected",
              "version": "6f643c57d57c56d4677bc05f1fca2ef3f249797c",
              "versionType": "git"
            },
            {
              "lessThan": "29a7b2614357393b176ef06ba5bc3ff5afc8df69",
              "status": "affected",
              "version": "6f643c57d57c56d4677bc05f1fca2ef3f249797c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/xfs_buf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix a resource leak in xfs_alloc_buftarg()\n\nIn the error path, call fs_put_dax() to drop the DAX\ndevice reference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:29.977Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/82fb9da6477d08bdab954dc7bc081a41f2f9cae6"
        },
        {
          "url": "https://git.kernel.org/stable/c/28a6c132b8c6e5eeefa889c4fb43d65b12989d48"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/5804cb507233ed767a83ac70527b2f6c4566ec75"
        },
        {
          "url": "https://git.kernel.org/stable/c/29a7b2614357393b176ef06ba5bc3ff5afc8df69"
        }
      ],
      "title": "xfs: fix a resource leak in xfs_alloc_buftarg()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46005",
    "datePublished": "2026-05-27T12:56:03.201Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:29.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47631 (GCVE-0-2026-47631)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Microsoft Exchange Server 2016 Cumulative Update 23

Version: 15.01.0.0 < 15.01.2507.069

Microsoft	Microsoft Exchange Server 2019 Cumulative Update 14	Version: 15.02.0.0 < 15.02.1544.041
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 15	Version: 15.02.0.0 < 15.02.1748.046
Microsoft	Microsoft Exchange Server Subscription Edition RTM	Version: 15.02.0.0 < 15.02.2562.043

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47631",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T14:24:22.654307Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T14:32:09.512Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.069",
              "status": "affected",
              "version": "15.01.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 14",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1544.041",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 15",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1748.046",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server Subscription Edition RTM",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.2562.043",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.069",
                  "versionStartIncluding": "15.01.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1544.041",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1748.046",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.2562.043",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:41.695Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47631"
        }
      ],
      "title": "Microsoft Exchange Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47631",
    "datePublished": "2026-06-09T17:05:03.380Z",
    "dateReserved": "2026-05-19T20:12:27.069Z",
    "dateUpdated": "2026-06-16T18:17:41.695Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46056 (GCVE-0-2026-46056)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:51

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.

References

URL

Tags

	https://git.kernel.org/stable/c/b6ae482f88654db407c8c17619d4b62959b903ef
	https://git.kernel.org/stable/c/204028af77a265e31ceb4ba7f643349a3cca72b2
	https://git.kernel.org/stable/c/01a6431766c35dfedb86e0cb5d3fc80c6d604a47
	https://git.kernel.org/stable/c/e08d75753db17aa943d7622f09d9c217b5bfd3b8
	https://git.kernel.org/stable/c/8c6443bb9257b780986fb67ec08565bf48ecb8d7
	https://git.kernel.org/stable/c/85fa3512048793076eef658f66489112dcc91993

Impacted products

Vendor

Product

Version

Version: 92a25256f142d55e25f9959441cea6ddeabae57e
Version: 92a25256f142d55e25f9959441cea6ddeabae57e
Version: 92a25256f142d55e25f9959441cea6ddeabae57e
Version: 92a25256f142d55e25f9959441cea6ddeabae57e
Version: 92a25256f142d55e25f9959441cea6ddeabae57e
Version: 92a25256f142d55e25f9959441cea6ddeabae57e

Version: 3.7

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b6ae482f88654db407c8c17619d4b62959b903ef",
              "status": "affected",
              "version": "92a25256f142d55e25f9959441cea6ddeabae57e",
              "versionType": "git"
            },
            {
              "lessThan": "204028af77a265e31ceb4ba7f643349a3cca72b2",
              "status": "affected",
              "version": "92a25256f142d55e25f9959441cea6ddeabae57e",
              "versionType": "git"
            },
            {
              "lessThan": "01a6431766c35dfedb86e0cb5d3fc80c6d604a47",
              "status": "affected",
              "version": "92a25256f142d55e25f9959441cea6ddeabae57e",
              "versionType": "git"
            },
            {
              "lessThan": "e08d75753db17aa943d7622f09d9c217b5bfd3b8",
              "status": "affected",
              "version": "92a25256f142d55e25f9959441cea6ddeabae57e",
              "versionType": "git"
            },
            {
              "lessThan": "8c6443bb9257b780986fb67ec08565bf48ecb8d7",
              "status": "affected",
              "version": "92a25256f142d55e25f9959441cea6ddeabae57e",
              "versionType": "git"
            },
            {
              "lessThan": "85fa3512048793076eef658f66489112dcc91993",
              "status": "affected",
              "version": "92a25256f142d55e25f9959441cea6ddeabae57e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "lessThan": "3.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in SSP passkey handlers\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise\nthe connection can be freed concurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage in both\nhandlers.\n\nKeep the existing keypress notification behavior unchanged by routing\nthe early exits through a common unlock path."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:51:08.884Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b6ae482f88654db407c8c17619d4b62959b903ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/204028af77a265e31ceb4ba7f643349a3cca72b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/01a6431766c35dfedb86e0cb5d3fc80c6d604a47"
        },
        {
          "url": "https://git.kernel.org/stable/c/e08d75753db17aa943d7622f09d9c217b5bfd3b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c6443bb9257b780986fb67ec08565bf48ecb8d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/85fa3512048793076eef658f66489112dcc91993"
        }
      ],
      "title": "Bluetooth: hci_event: fix potential UAF in SSP passkey handlers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46056",
    "datePublished": "2026-05-27T12:57:15.150Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:51:08.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46062 (GCVE-0-2026-46062)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:51

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix integer overflow in run_unpack() volume boundary check The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw addition which can wrap around for large lcn and len values, bypassing the validation. Use check_add_overflow() as is already done for the adjacent prev_lcn + dlcn and vcn64 + len checks added by commit 3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()"). Found by fuzzing with a source-patched harness (LibAFL + QEMU).

References

URL

Tags

	https://git.kernel.org/stable/c/424858f9a048057bb8f834bfe03d18f5e477e747
	https://git.kernel.org/stable/c/e73cd5aed6b15e55c1c47577bdb473b5e88d6a69
	https://git.kernel.org/stable/c/a954061b334ec67c79ae9d0cadd83fa521396487
	https://git.kernel.org/stable/c/60dab3e2931f3d792438a77a6cb0cb731c43300b
	https://git.kernel.org/stable/c/f1af27cec07a9fd0847166bdb23c99e86b05bfdc
	https://git.kernel.org/stable/c/6175d09c23bec4b60860ee9a0170308ff4b56e10
	https://git.kernel.org/stable/c/984a415f019536ea2d24de9010744e5302a9a948

Impacted products

Vendor

Product

Version

Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17

Version: 5.15

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/run.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "424858f9a048057bb8f834bfe03d18f5e477e747",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "e73cd5aed6b15e55c1c47577bdb473b5e88d6a69",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "a954061b334ec67c79ae9d0cadd83fa521396487",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "60dab3e2931f3d792438a77a6cb0cb731c43300b",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "f1af27cec07a9fd0847166bdb23c99e86b05bfdc",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "6175d09c23bec4b60860ee9a0170308ff4b56e10",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "984a415f019536ea2d24de9010744e5302a9a948",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/run.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: fix integer overflow in run_unpack() volume boundary check\n\nThe volume boundary check `lcn + len \u003e sbi-\u003eused.bitmap.nbits` uses raw\naddition which can wrap around for large lcn and len values, bypassing\nthe validation.  Use check_add_overflow() as is already done for the\nadjacent prev_lcn + dlcn and vcn64 + len checks added by commit\n3ac37e100385 (\"ntfs3: Fix integer overflow in run_unpack()\").\n\nFound by fuzzing with a source-patched harness (LibAFL + QEMU)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:51:32.292Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/424858f9a048057bb8f834bfe03d18f5e477e747"
        },
        {
          "url": "https://git.kernel.org/stable/c/e73cd5aed6b15e55c1c47577bdb473b5e88d6a69"
        },
        {
          "url": "https://git.kernel.org/stable/c/a954061b334ec67c79ae9d0cadd83fa521396487"
        },
        {
          "url": "https://git.kernel.org/stable/c/60dab3e2931f3d792438a77a6cb0cb731c43300b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1af27cec07a9fd0847166bdb23c99e86b05bfdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/6175d09c23bec4b60860ee9a0170308ff4b56e10"
        },
        {
          "url": "https://git.kernel.org/stable/c/984a415f019536ea2d24de9010744e5302a9a948"
        }
      ],
      "title": "ntfs3: fix integer overflow in run_unpack() volume boundary check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46062",
    "datePublished": "2026-05-27T12:57:24.416Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:51:32.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46110 (GCVE-0-2026-46110)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:55

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Prevent NULL deref when RX memory exhausted The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions." In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called. This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL) But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`. Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there. In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.

References

URL

Tags

	https://git.kernel.org/stable/c/e1c50b273298c7cd9b08b113e7a7598b531a02f5
	https://git.kernel.org/stable/c/5c910f7708e3c507b037ca91ca5b09f8cfe71e65
	https://git.kernel.org/stable/c/4af2e62cbcda575a174acd230c3f3a208135e16d
	https://git.kernel.org/stable/c/950cb436165aad0f8f2cd49da3cd07677465bcde
	https://git.kernel.org/stable/c/0bb05e6adfa99a2ea1fee1125cc0953409f83ed8

Impacted products

Vendor

Product

Version

Version: 779334e59850f863bf34665e0ff0b6faf126873b
Version: b6cb4541853c7ee512111b0e7ddf3cb66c99c137
Version: b6cb4541853c7ee512111b0e7ddf3cb66c99c137
Version: b6cb4541853c7ee512111b0e7ddf3cb66c99c137
Version: b6cb4541853c7ee512111b0e7ddf3cb66c99c137
Version: 7414a28de1b3b028714859078c00a874f9feff52
Version: b435b4573240b5530830a1a60e005c6fcfd928a0
Version: 6.6.3   ≤
Version: 6.1.64   ≤
Version: 6.5.13   ≤

Version: 6.7

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45468

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1c50b273298c7cd9b08b113e7a7598b531a02f5",
              "status": "affected",
              "version": "779334e59850f863bf34665e0ff0b6faf126873b",
              "versionType": "git"
            },
            {
              "lessThan": "5c910f7708e3c507b037ca91ca5b09f8cfe71e65",
              "status": "affected",
              "version": "b6cb4541853c7ee512111b0e7ddf3cb66c99c137",
              "versionType": "git"
            },
            {
              "lessThan": "4af2e62cbcda575a174acd230c3f3a208135e16d",
              "status": "affected",
              "version": "b6cb4541853c7ee512111b0e7ddf3cb66c99c137",
              "versionType": "git"
            },
            {
              "lessThan": "950cb436165aad0f8f2cd49da3cd07677465bcde",
              "status": "affected",
              "version": "b6cb4541853c7ee512111b0e7ddf3cb66c99c137",
              "versionType": "git"
            },
            {
              "lessThan": "0bb05e6adfa99a2ea1fee1125cc0953409f83ed8",
              "status": "affected",
              "version": "b6cb4541853c7ee512111b0e7ddf3cb66c99c137",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7414a28de1b3b028714859078c00a874f9feff52",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b435b4573240b5530830a1a60e005c6fcfd928a0",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.3",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2",
              "status": "affected",
              "version": "6.1.64",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6",
              "status": "affected",
              "version": "6.5.13",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Prevent NULL deref when RX memory exhausted\n\nThe CPU receives frames from the MAC through conventional DMA: the CPU\nallocates buffers for the MAC, then the MAC fills them and returns\nownership to the CPU. For each hardware RX queue, the CPU and MAC\ncoordinate through a shared ring array of DMA descriptors: one\ndescriptor per DMA buffer. Each descriptor includes the buffer\u0027s\nphysical address and a status flag (\"OWN\") indicating which side owns\nthe buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set\nthe flag and the MAC is only allowed to clear it, and both must move\nthrough the ring in sequence: thus the ring is used for both\n\"submissions\" and \"completions.\"\n\nIn the stmmac driver, stmmac_rx() bookmarks its position in the ring\nwith the `cur_rx` index. The main receive loop in that function checks\nfor rx_descs[cur_rx].own=0, gives the corresponding buffer to the\nnetwork stack (NULLing the pointer), and increments `cur_rx` modulo the\nring size. After the loop exits, stmmac_rx_refill(), which bookmarks its\nposition with `dirty_rx`, allocates fresh buffers and rearms the\ndescriptors (setting OWN=1). If it fails any allocation, it simply stops\nearly (leaving OWN=0) and will retry where it left off when next called.\n\nThis means descriptors have a three-stage lifecycle (terms my own):\n- `empty` (OWN=1, buffer valid)\n- `full` (OWN=0, buffer valid and populated)\n- `dirty` (OWN=0, buffer NULL)\n\nBut because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In\nthe past (see \u0027Fixes:\u0027), there was a bug where the loop could cycle\n`cur_rx` all the way back to the first descriptor it dirtied, resulting\nin a NULL dereference when mistaken for `full`. The aforementioned\ncommit resolved that *specific* failure by capping the loop\u0027s iteration\nlimit at `dma_rx_size - 1`, but this is only a partial fix: if the\nprevious stmmac_rx_refill() didn\u0027t complete, then there are leftover\n`dirty` descriptors that the loop might encounter without needing to\ncycle fully around. The current code therefore panics (see \u0027Closes:\u0027)\nwhen stmmac_rx_refill() is memory-starved long enough for `cur_rx` to\ncatch up to `dirty_rx`.\n\nFix this by explicitly checking, before advancing `cur_rx`, if the next\nentry is dirty; exit the loop if so. This prevents processing of the\nfinal, used descriptor until stmmac_rx_refill() succeeds, but\nfully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix\nintended: so remove the clamp as well. Since stmmac_rx_zc() is a\ncopy-paste-and-tweak of stmmac_rx() and the code structure is identical,\nany fix to stmmac_rx() will also need a corresponding fix for\nstmmac_rx_zc(). Therefore, apply the same check there.\n\nIn stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the\nMAC sets OWN=0 on the final descriptor, it will be unable to send any\nfurther DMA-complete IRQs until it\u0027s given more `empty` descriptors.\nCurrently, the driver simply *hopes* that the next stmmac_rx_refill()\nsucceeds, risking an indefinite stall of the receive process if not. But\nthis is not a regression, so it can be addressed in a future change."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:55:12.071Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1c50b273298c7cd9b08b113e7a7598b531a02f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c910f7708e3c507b037ca91ca5b09f8cfe71e65"
        },
        {
          "url": "https://git.kernel.org/stable/c/4af2e62cbcda575a174acd230c3f3a208135e16d"
        },
        {
          "url": "https://git.kernel.org/stable/c/950cb436165aad0f8f2cd49da3cd07677465bcde"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bb05e6adfa99a2ea1fee1125cc0953409f83ed8"
        }
      ],
      "title": "net: stmmac: Prevent NULL deref when RX memory exhausted",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46110",
    "datePublished": "2026-05-28T09:35:18.359Z",
    "dateReserved": "2026-05-13T15:03:33.098Z",
    "dateUpdated": "2026-06-14T17:55:12.071Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45468 (GCVE-0-2026-45468)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45468",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T12:16:41.942272Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T12:17:02.155Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:00.879Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45468"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45468",
    "datePublished": "2026-06-09T17:04:19.607Z",
    "dateReserved": "2026-05-12T16:06:43.098Z",
    "dateUpdated": "2026-06-16T18:17:00.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42790 (GCVE-0-2026-42790)

Vulnerability from cvelistv5

Published

2026-05-27 15:09

Modified

2026-05-28 04:39

Severity ?

7.6 (High) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-295 - Improper Certificate Validation
CWE-297 - Improper Validation of Certificate with Host Mismatch

Summary

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com): First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.

References

URL

Tags

	https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447	vendor-advisory, related
	https://cna.erlef.org/cves/CVE-2026-42790.html	related
	https://osv.dev/vulnerability/EEF-CVE-2026-42790	related
	https://www.erlang.org/doc/system/versions.html#order-of-versions	x_version-scheme
	https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759	patch
	https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457	patch
	https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a	patch

Impacted products

Vendor

Product

Version

Version: 1.4
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*

Version: 19.3
Version: b0c245e8132bb13171e277b1af59c0cec00c9459
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42790",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T03:55:49.233Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "pubkey_cert",
            "public_key"
          ],
          "packageName": "public_key",
          "packageURL": "pkg:otp/public_key?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/pubkey_cert.erl",
            "src/public_key.erl"
          ],
          "programRoutines": [
            {
              "name": "pubkey_cert:validate_names/6"
            },
            {
              "name": "public_key:pkix_verify_hostname/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.15.1.7",
                  "status": "unaffected"
                },
                {
                  "at": "1.17.1.3",
                  "status": "unaffected"
                },
                {
                  "at": "1.20.3.1",
                  "status": "unaffected"
                },
                {
                  "at": "1.21.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "1.4",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "pubkey_cert",
            "public_key"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/public_key/src/pubkey_cert.erl",
            "lib/public_key/src/public_key.erl"
          ],
          "programRoutines": [
            {
              "name": "pubkey_cert:validate_names/6"
            },
            {
              "name": "public_key:pkix_verify_hostname/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "26.2.5.21",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.12",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.1",
                  "status": "unaffected"
                },
                {
                  "at": "29.0.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "19.3",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "0769050c69d73762672b0db1347b6993a5b31759",
                  "status": "unaffected"
                },
                {
                  "at": "fb67c6d1836f51105a96d8b769e71e4215a79457",
                  "status": "unaffected"
                },
                {
                  "at": "21abed64eb2026b5f82f432709e4e932f9be389a",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "b0c245e8132bb13171e277b1af59c0cec00c9459",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.2.5.21",
                  "versionStartIncluding": "19.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.12",
                  "versionStartIncluding": "27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.1",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.1",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "John Downey"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Dan Gudmundsson"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Certificate Validation vulnerability in Erlang OTP \u003ctt\u003epublic_key\u003c/tt\u003e (\u003ctt\u003epubkey_cert\u003c/tt\u003e and \u003ctt\u003epublic_key\u003c/tt\u003e modules) allows a DNS \u003ctt\u003enameConstraints\u003c/tt\u003e bypass via subject CommonName fallback in TLS hostname verification.\u003cp\u003eTwo flaws combine to allow a subordinate CA whose DNS \u003ctt\u003enameConstraints\u003c/tt\u003e are restricted (e.g. \u003ctt\u003epermitted;DNS:allowed.example.com\u003c/tt\u003e) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. \u003ctt\u003evictim.example.com\u003c/tt\u003e):\u003c/p\u003e\u003cp\u003eFirst, \u003ctt\u003epubkey_cert:validate_names/6\u003c/tt\u003e in \u003ctt\u003elib/public_key/src/pubkey_cert.erl\u003c/tt\u003e only checks SAN DNS entries against \u003ctt\u003enameConstraints\u003c/tt\u003e. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no \u003ctt\u003esubjectAltName\u003c/tt\u003e therefore trivially satisfies any \u003ctt\u003epermitted;DNS:...\u003c/tt\u003e constraint regardless of its subject \u003ctt\u003ecommonName\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eSecond, \u003ctt\u003epublic_key:pkix_verify_hostname/3\u003c/tt\u003e in \u003ctt\u003elib/public_key/src/public_key.erl\u003c/tt\u003e falls back to the subject \u003ctt\u003ecommonName\u003c/tt\u003e when no \u003ctt\u003esubjectAltName\u003c/tt\u003e is present, extracting \u003ctt\u003eid-at-commonName\u003c/tt\u003e attributes as presented IDs and matching them against the reference hostname. The strict \u003ctt\u003epkix_verify_hostname_match_fun(https)\u003c/tt\u003e matcher does not suppress this fallback.\u003c/p\u003e\u003cp\u003eThe result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the \u003ctt\u003enameConstraints\u003c/tt\u003e are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock \u003ctt\u003essl:connect\u003c/tt\u003e with \u003ctt\u003everify_peer\u003c/tt\u003e, a trusted CA, SNI, and the canonical strict \u003ctt\u003ehttps\u003c/tt\u003e hostname matcher.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to \u003ctt\u003epublic_key\u003c/tt\u003e from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.\n\nTwo flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com):\n\nFirst, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName.\n\nSecond, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.\n\nThe result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.\n\nThis issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-475",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-475 Signature Spoofing by Improper Validation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-297",
              "description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T04:39:17.033Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-42790.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42790"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The \u003ctt\u003everify_fun\u003c/tt\u003e option in the \u003ctt\u003essl\u003c/tt\u003e application can be used to ensure that TLS connections fail if the end-entity certificate is missing the \u003ctt\u003esubjectAltName\u003c/tt\u003e extension or has no domain name. Do not use a \u003ctt\u003everify_fun\u003c/tt\u003e that accepts the \u003ctt\u003ename_not_permitted\u003c/tt\u003e error."
            }
          ],
          "value": "The verify_fun option in the ssl application can be used to ensure that TLS connections fail if the end-entity certificate is missing the subjectAltName extension or has no domain name. Do not use a verify_fun that accepts the name_not_permitted error."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-42790",
    "datePublished": "2026-05-27T15:09:01.860Z",
    "dateReserved": "2026-04-29T18:06:33.251Z",
    "dateUpdated": "2026-05-28T04:39:17.033Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46236 (GCVE-0-2026-46236)

Vulnerability from cvelistv5

Published

2026-05-28 09:41

Modified

2026-06-14 18:04

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: rc: xbox_remote: heed DMA restrictions The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.

References

URL

Tags

	https://git.kernel.org/stable/c/465d27ab83692167f06a6f917bdfd0a0d4fc8ff3
	https://git.kernel.org/stable/c/e0301883ec779c21158a3923b2eb666074fa976e
	https://git.kernel.org/stable/c/0ea67a135335e51be50e83ee4cc99560b8b89c25
	https://git.kernel.org/stable/c/0cc9251833bf02c8c7863404157c94dab5928fcf
	https://git.kernel.org/stable/c/48a668c22e8f92637bc496e84d1cf06900f74a5c
	https://git.kernel.org/stable/c/63a960b39de9c51f29ca19aa5067934f865c0bc7
	https://git.kernel.org/stable/c/0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249
	https://git.kernel.org/stable/c/e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff

Impacted products

Vendor

Product

Version

Version: 02d32bdad3123d7376244256936a6b3b6ee434e8
Version: 02d32bdad3123d7376244256936a6b3b6ee434e8
Version: 02d32bdad3123d7376244256936a6b3b6ee434e8
Version: 02d32bdad3123d7376244256936a6b3b6ee434e8
Version: 02d32bdad3123d7376244256936a6b3b6ee434e8
Version: 02d32bdad3123d7376244256936a6b3b6ee434e8
Version: 02d32bdad3123d7376244256936a6b3b6ee434e8
Version: 02d32bdad3123d7376244256936a6b3b6ee434e8

Version: 5.0

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/xbox_remote.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "465d27ab83692167f06a6f917bdfd0a0d4fc8ff3",
              "status": "affected",
              "version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
              "versionType": "git"
            },
            {
              "lessThan": "e0301883ec779c21158a3923b2eb666074fa976e",
              "status": "affected",
              "version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
              "versionType": "git"
            },
            {
              "lessThan": "0ea67a135335e51be50e83ee4cc99560b8b89c25",
              "status": "affected",
              "version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
              "versionType": "git"
            },
            {
              "lessThan": "0cc9251833bf02c8c7863404157c94dab5928fcf",
              "status": "affected",
              "version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
              "versionType": "git"
            },
            {
              "lessThan": "48a668c22e8f92637bc496e84d1cf06900f74a5c",
              "status": "affected",
              "version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
              "versionType": "git"
            },
            {
              "lessThan": "63a960b39de9c51f29ca19aa5067934f865c0bc7",
              "status": "affected",
              "version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
              "versionType": "git"
            },
            {
              "lessThan": "0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249",
              "status": "affected",
              "version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
              "versionType": "git"
            },
            {
              "lessThan": "e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff",
              "status": "affected",
              "version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/xbox_remote.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: xbox_remote: heed DMA restrictions\n\nThe buffer for IO must not be part of the device structure\nbecause that violates the DMA coherency rules."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:50.463Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/465d27ab83692167f06a6f917bdfd0a0d4fc8ff3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0301883ec779c21158a3923b2eb666074fa976e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ea67a135335e51be50e83ee4cc99560b8b89c25"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cc9251833bf02c8c7863404157c94dab5928fcf"
        },
        {
          "url": "https://git.kernel.org/stable/c/48a668c22e8f92637bc496e84d1cf06900f74a5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/63a960b39de9c51f29ca19aa5067934f865c0bc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249"
        },
        {
          "url": "https://git.kernel.org/stable/c/e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff"
        }
      ],
      "title": "media: rc: xbox_remote: heed DMA restrictions",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46236",
    "datePublished": "2026-05-28T09:41:05.230Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-14T18:04:50.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46048 (GCVE-0-2026-46048)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:50

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usb_dev refcount leak on probe failure create_card() takes a reference on the USB device with usb_get_dev() and stores the matching usb_put_dev() in card_free(), which is installed as the snd_card's ->private_free destructor. However, ->private_free is only assigned near the end of init_card(), after several failure points (usb_set_interface(), EP type checks, usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its timeout). When any of those fail, init_card() returns an error to snd_probe(), which calls snd_card_free(card). Because ->private_free is still NULL, card_free() never runs, the usb_get_dev() reference is not dropped, and the struct usb_device leaks along with its descriptor allocations and device_private. syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call fails with -EIO and triggers the leak. Move the ->private_free assignment into create_card(), immediately after usb_get_dev(), so that every error path reaching snd_card_free() balances the reference. card_free()'s callees (snd_usb_caiaq_input_free, free_urbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by snd_card_new().

References

URL

Tags

	https://git.kernel.org/stable/c/c874db8a1d2f9f08161470d00cfe8db2f5cca2cc
	https://git.kernel.org/stable/c/6fa8dff64fb6c401ced40a05797b327659317498
	https://git.kernel.org/stable/c/a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a
	https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907
	https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c
	https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8
	https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657
	https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b

Impacted products

Vendor

Product

Version

Version: 493b3a682ededc804555755f5d2193201339612d
Version: dbcf7588e8dea017ddb3f18ec2766f7d2e5f2a0e
Version: ac7345f68cda6989016d85d63f7b244c064aa8f6
Version: f6634af5de728a46792f674a66d7843570cb68f7
Version: 1d9be95aee6c6246a21752e60c9519902649f482
Version: 6473ed16df1fe88051140611b3eb9a49be7f429e
Version: 59b622a043cffc58b7638cd85ae6c30a0904f8e6
Version: 80bb50e2d459213cccff3111d5ef98ed4238c0d5

Version: 6.6.136   ≤
Version: 6.12.84   ≤
Version: 6.18.25   ≤
Version: 7.0.2   ≤

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/caiaq/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c874db8a1d2f9f08161470d00cfe8db2f5cca2cc",
              "status": "affected",
              "version": "493b3a682ededc804555755f5d2193201339612d",
              "versionType": "git"
            },
            {
              "lessThan": "6fa8dff64fb6c401ced40a05797b327659317498",
              "status": "affected",
              "version": "dbcf7588e8dea017ddb3f18ec2766f7d2e5f2a0e",
              "versionType": "git"
            },
            {
              "lessThan": "a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a",
              "status": "affected",
              "version": "ac7345f68cda6989016d85d63f7b244c064aa8f6",
              "versionType": "git"
            },
            {
              "lessThan": "50c6a1f05973f56d23280c9d7645a7a5734e0907",
              "status": "affected",
              "version": "f6634af5de728a46792f674a66d7843570cb68f7",
              "versionType": "git"
            },
            {
              "lessThan": "da3b8fd6a202d94fef11a443abc9171c52426a1c",
              "status": "affected",
              "version": "1d9be95aee6c6246a21752e60c9519902649f482",
              "versionType": "git"
            },
            {
              "lessThan": "6153878c5255bb69b7d0868105ca078ef13cbcf8",
              "status": "affected",
              "version": "6473ed16df1fe88051140611b3eb9a49be7f429e",
              "versionType": "git"
            },
            {
              "lessThan": "21ca595aafa40d3ac70eab1f4cb62cc00ca21657",
              "status": "affected",
              "version": "59b622a043cffc58b7638cd85ae6c30a0904f8e6",
              "versionType": "git"
            },
            {
              "lessThan": "7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b",
              "status": "affected",
              "version": "80bb50e2d459213cccff3111d5ef98ed4238c0d5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/caiaq/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.136",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.86",
              "status": "affected",
              "version": "6.12.84",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.27",
              "status": "affected",
              "version": "6.18.25",
              "versionType": "semver"
            },
            {
              "lessThan": "7.0.4",
              "status": "affected",
              "version": "7.0.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.136",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.12.84",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.18.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "7.0.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: fix usb_dev refcount leak on probe failure\n\ncreate_card() takes a reference on the USB device with usb_get_dev()\nand stores the matching usb_put_dev() in card_free(), which is\ninstalled as the snd_card\u0027s -\u003eprivate_free destructor.\n\nHowever, -\u003eprivate_free is only assigned near the end of init_card(),\nafter several failure points (usb_set_interface(), EP type checks,\nusb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its\ntimeout). When any of those fail, init_card() returns an error to\nsnd_probe(), which calls snd_card_free(card). Because -\u003eprivate_free\nis still NULL, card_free() never runs, the usb_get_dev() reference\nis not dropped, and the struct usb_device leaks along with its\ndescriptor allocations and device_private.\n\nsyzbot reproduces this with a malformed UAC3 device whose only valid\naltsetting is 0; init_card()\u0027s usb_set_interface(usb_dev, 0, 1) call\nfails with -EIO and triggers the leak.\n\nMove the -\u003eprivate_free assignment into create_card(), immediately\nafter usb_get_dev(), so that every error path reaching snd_card_free()\nbalances the reference. card_free()\u0027s callees (snd_usb_caiaq_input_free,\nfree_urbs, kfree) already tolerate the partially-initialized state\nbecause the chip private area is zero-initialized by snd_card_new()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:34.000Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c874db8a1d2f9f08161470d00cfe8db2f5cca2cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fa8dff64fb6c401ced40a05797b327659317498"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a"
        },
        {
          "url": "https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907"
        },
        {
          "url": "https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b"
        }
      ],
      "title": "ALSA: caiaq: fix usb_dev refcount leak on probe failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46048",
    "datePublished": "2026-05-27T12:57:04.477Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:34.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46075 (GCVE-0-2026-46075)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:52

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Unregister the hwrng to prevent new ->read() calls and flush the Atmel I2C workqueue before teardown to prevent a potential UAF if a queued callback runs while the device is being removed. Drop the early return to ensure sysfs entries are removed and ->hwrng.priv is freed, preventing a memory leak.

References

URL

Tags

	https://git.kernel.org/stable/c/6dbeb0f788582e1ab5dfc3f41994eac0ec88c2b5
	https://git.kernel.org/stable/c/c5a45d14234bf26e28a89e3a5dcc08336595cf11
	https://git.kernel.org/stable/c/775c00d87c385b758da9504cf053acea00e2ed40
	https://git.kernel.org/stable/c/1193c12126d39bf986a5a9214827b73707b193ab
	https://git.kernel.org/stable/c/31901371ccd16b42d2f167b1018ba9ae8bd5a6c7
	https://git.kernel.org/stable/c/bab1adf3b87e4bfac92c4f5963c63db434d561c1

Impacted products

Vendor

Product

Version

Version: da001fb651b00e1deeaf24767dd691ae8152a4f5
Version: da001fb651b00e1deeaf24767dd691ae8152a4f5
Version: da001fb651b00e1deeaf24767dd691ae8152a4f5
Version: da001fb651b00e1deeaf24767dd691ae8152a4f5
Version: da001fb651b00e1deeaf24767dd691ae8152a4f5
Version: da001fb651b00e1deeaf24767dd691ae8152a4f5

Version: 5.3

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40371

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/atmel-sha204a.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6dbeb0f788582e1ab5dfc3f41994eac0ec88c2b5",
              "status": "affected",
              "version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
              "versionType": "git"
            },
            {
              "lessThan": "c5a45d14234bf26e28a89e3a5dcc08336595cf11",
              "status": "affected",
              "version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
              "versionType": "git"
            },
            {
              "lessThan": "775c00d87c385b758da9504cf053acea00e2ed40",
              "status": "affected",
              "version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
              "versionType": "git"
            },
            {
              "lessThan": "1193c12126d39bf986a5a9214827b73707b193ab",
              "status": "affected",
              "version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
              "versionType": "git"
            },
            {
              "lessThan": "31901371ccd16b42d2f167b1018ba9ae8bd5a6c7",
              "status": "affected",
              "version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
              "versionType": "git"
            },
            {
              "lessThan": "bab1adf3b87e4bfac92c4f5963c63db434d561c1",
              "status": "affected",
              "version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/atmel-sha204a.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-sha204a - Fix potential UAF and memory leak in remove path\n\nUnregister the hwrng to prevent new -\u003eread() calls and flush the Atmel\nI2C workqueue before teardown to prevent a potential UAF if a queued\ncallback runs while the device is being removed.\n\nDrop the early return to ensure sysfs entries are removed and\n-\u003ehwrng.priv is freed, preventing a memory leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:52:29.232Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6dbeb0f788582e1ab5dfc3f41994eac0ec88c2b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5a45d14234bf26e28a89e3a5dcc08336595cf11"
        },
        {
          "url": "https://git.kernel.org/stable/c/775c00d87c385b758da9504cf053acea00e2ed40"
        },
        {
          "url": "https://git.kernel.org/stable/c/1193c12126d39bf986a5a9214827b73707b193ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/31901371ccd16b42d2f167b1018ba9ae8bd5a6c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/bab1adf3b87e4bfac92c4f5963c63db434d561c1"
        }
      ],
      "title": "crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46075",
    "datePublished": "2026-05-27T12:58:07.080Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:52:29.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40371 (GCVE-0-2026-40371)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:17

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-280 - Improper Handling of Insufficient Permissions or Privileges

Summary

Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft Dynamics 365 (on-premises) version 9.1	Version: 9.0 < 9.1.0045.0011

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40371",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:56:01.123628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:21:52.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Dynamics 365 (on-premises) version 9.1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.1.0045.0011",
              "status": "affected",
              "version": "9.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*",
                  "versionEndExcluding": "9.1.0045.0011",
                  "versionStartIncluding": "9.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-280",
              "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:57.208Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40371"
        }
      ],
      "title": "Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-40371",
    "datePublished": "2026-06-09T17:05:19.070Z",
    "dateReserved": "2026-04-11T23:06:15.615Z",
    "dateUpdated": "2026-06-16T18:17:57.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46053 (GCVE-0-2026-46053)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:50

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: rds: fix MR cleanup on copy error __rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference. Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.

References

URL

Tags

	https://git.kernel.org/stable/c/91a44b406bc1f9e1c5da0cb7d0d5991b43b79147
	https://git.kernel.org/stable/c/106dc689206610cfa2098f593fdd1e020c997835
	https://git.kernel.org/stable/c/ec55a86f7fba7d9111df94b9c11a4755ed492995
	https://git.kernel.org/stable/c/8fdbb6262a4a3ed44a0830a7793903b54bb27bdc
	https://git.kernel.org/stable/c/d95cea9298be1ba8876e3f156be96d3a492085ca
	https://git.kernel.org/stable/c/033370ffb3c9c0264d19f8ba9ef769523266589a
	https://git.kernel.org/stable/c/b3cb8cae530b2727d8245684148bb49425f6765c
	https://git.kernel.org/stable/c/8141a2dc70080eda1aedc0389ed2db2b292af5bd

Impacted products

Vendor

Product

Version

Version: 0d4597c8c5abdeeaf50774066c16683f30184dc8
Version: 0d4597c8c5abdeeaf50774066c16683f30184dc8
Version: 0d4597c8c5abdeeaf50774066c16683f30184dc8
Version: 0d4597c8c5abdeeaf50774066c16683f30184dc8
Version: 0d4597c8c5abdeeaf50774066c16683f30184dc8
Version: 0d4597c8c5abdeeaf50774066c16683f30184dc8
Version: 0d4597c8c5abdeeaf50774066c16683f30184dc8
Version: 0d4597c8c5abdeeaf50774066c16683f30184dc8

Version: 5.6

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45453

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rds/rdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "91a44b406bc1f9e1c5da0cb7d0d5991b43b79147",
              "status": "affected",
              "version": "0d4597c8c5abdeeaf50774066c16683f30184dc8",
              "versionType": "git"
            },
            {
              "lessThan": "106dc689206610cfa2098f593fdd1e020c997835",
              "status": "affected",
              "version": "0d4597c8c5abdeeaf50774066c16683f30184dc8",
              "versionType": "git"
            },
            {
              "lessThan": "ec55a86f7fba7d9111df94b9c11a4755ed492995",
              "status": "affected",
              "version": "0d4597c8c5abdeeaf50774066c16683f30184dc8",
              "versionType": "git"
            },
            {
              "lessThan": "8fdbb6262a4a3ed44a0830a7793903b54bb27bdc",
              "status": "affected",
              "version": "0d4597c8c5abdeeaf50774066c16683f30184dc8",
              "versionType": "git"
            },
            {
              "lessThan": "d95cea9298be1ba8876e3f156be96d3a492085ca",
              "status": "affected",
              "version": "0d4597c8c5abdeeaf50774066c16683f30184dc8",
              "versionType": "git"
            },
            {
              "lessThan": "033370ffb3c9c0264d19f8ba9ef769523266589a",
              "status": "affected",
              "version": "0d4597c8c5abdeeaf50774066c16683f30184dc8",
              "versionType": "git"
            },
            {
              "lessThan": "b3cb8cae530b2727d8245684148bb49425f6765c",
              "status": "affected",
              "version": "0d4597c8c5abdeeaf50774066c16683f30184dc8",
              "versionType": "git"
            },
            {
              "lessThan": "8141a2dc70080eda1aedc0389ed2db2b292af5bd",
              "status": "affected",
              "version": "0d4597c8c5abdeeaf50774066c16683f30184dc8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rds/rdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: fix MR cleanup on copy error\n\n__rds_rdma_map() hands sg/pages ownership to the transport after\nget_mr() succeeds. If copying the generated cookie back to user space\nfails after that point, the error path must not free those resources\nagain before dropping the MR reference.\n\nRemove the duplicate unpin/free from the put_user() failure branch so\nthat MR teardown is handled only through the existing final cleanup\npath."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:56.216Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/91a44b406bc1f9e1c5da0cb7d0d5991b43b79147"
        },
        {
          "url": "https://git.kernel.org/stable/c/106dc689206610cfa2098f593fdd1e020c997835"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec55a86f7fba7d9111df94b9c11a4755ed492995"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fdbb6262a4a3ed44a0830a7793903b54bb27bdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/d95cea9298be1ba8876e3f156be96d3a492085ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/033370ffb3c9c0264d19f8ba9ef769523266589a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3cb8cae530b2727d8245684148bb49425f6765c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8141a2dc70080eda1aedc0389ed2db2b292af5bd"
        }
      ],
      "title": "net: rds: fix MR cleanup on copy error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46053",
    "datePublished": "2026-05-27T12:57:11.870Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:56.216Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45453 (GCVE-0-2026-45453)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45453",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T20:04:00.335997Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T20:04:11.214Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:19.568Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Server Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45453"
        }
      ],
      "title": "Microsoft SharePoint Server Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45453",
    "datePublished": "2026-06-09T17:04:36.045Z",
    "dateReserved": "2026-05-12T16:06:43.096Z",
    "dateUpdated": "2026-06-16T18:17:19.568Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46006 (GCVE-0-2026-46006)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:47

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check nouveau_gem_pushbuf_reloc_apply() validates each relocation with if (r->reloc_bo_offset + 4 > nvbo->bo.base.size) but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic. [ Add Fixes: tag. - Danilo ]

References

URL

Tags

	https://git.kernel.org/stable/c/573a1104bd36e49c067a9dc62e7c476d5ee7e92a
	https://git.kernel.org/stable/c/45a45184b9c0b0b26ead06e370cda2073616a7cc
	https://git.kernel.org/stable/c/fa297e919d1680c38ab268ff952b1698dac987f6
	https://git.kernel.org/stable/c/d749a9a0ee4014681487e7ae549901aa8c176637
	https://git.kernel.org/stable/c/332884f5eb79dd60a7162b079d09d39208567a31
	https://git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9
	https://git.kernel.org/stable/c/2fc87d37be1b730a149b035f9375fdb8cc5333a5

Impacted products

Vendor

Product

Version

Version: a1606a9596e54da90ad6209071b357a4c1b0fa82
Version: a1606a9596e54da90ad6209071b357a4c1b0fa82
Version: a1606a9596e54da90ad6209071b357a4c1b0fa82
Version: a1606a9596e54da90ad6209071b357a4c1b0fa82
Version: a1606a9596e54da90ad6209071b357a4c1b0fa82
Version: a1606a9596e54da90ad6209071b357a4c1b0fa82
Version: a1606a9596e54da90ad6209071b357a4c1b0fa82

Version: 2.6.34

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nouveau_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "573a1104bd36e49c067a9dc62e7c476d5ee7e92a",
              "status": "affected",
              "version": "a1606a9596e54da90ad6209071b357a4c1b0fa82",
              "versionType": "git"
            },
            {
              "lessThan": "45a45184b9c0b0b26ead06e370cda2073616a7cc",
              "status": "affected",
              "version": "a1606a9596e54da90ad6209071b357a4c1b0fa82",
              "versionType": "git"
            },
            {
              "lessThan": "fa297e919d1680c38ab268ff952b1698dac987f6",
              "status": "affected",
              "version": "a1606a9596e54da90ad6209071b357a4c1b0fa82",
              "versionType": "git"
            },
            {
              "lessThan": "d749a9a0ee4014681487e7ae549901aa8c176637",
              "status": "affected",
              "version": "a1606a9596e54da90ad6209071b357a4c1b0fa82",
              "versionType": "git"
            },
            {
              "lessThan": "332884f5eb79dd60a7162b079d09d39208567a31",
              "status": "affected",
              "version": "a1606a9596e54da90ad6209071b357a4c1b0fa82",
              "versionType": "git"
            },
            {
              "lessThan": "e441d5c23ec644c8d27593db3b8928e8933512a9",
              "status": "affected",
              "version": "a1606a9596e54da90ad6209071b357a4c1b0fa82",
              "versionType": "git"
            },
            {
              "lessThan": "2fc87d37be1b730a149b035f9375fdb8cc5333a5",
              "status": "affected",
              "version": "a1606a9596e54da90ad6209071b357a4c1b0fa82",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nouveau_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix u32 overflow in pushbuf reloc bounds check\n\nnouveau_gem_pushbuf_reloc_apply() validates each relocation with\n\n    if (r-\u003ereloc_bo_offset + 4 \u003e nvbo-\u003ebo.base.size)\n\nbut reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer\nliteral 4 promotes to unsigned int, so the addition is performed in 32\nbits and wraps before the comparison against the size_t bo size.\n\nCast to u64 so the addition happens in 64-bit arithmetic.\n\n[ Add Fixes: tag. - Danilo ]"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:33.579Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/573a1104bd36e49c067a9dc62e7c476d5ee7e92a"
        },
        {
          "url": "https://git.kernel.org/stable/c/45a45184b9c0b0b26ead06e370cda2073616a7cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa297e919d1680c38ab268ff952b1698dac987f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d749a9a0ee4014681487e7ae549901aa8c176637"
        },
        {
          "url": "https://git.kernel.org/stable/c/332884f5eb79dd60a7162b079d09d39208567a31"
        },
        {
          "url": "https://git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fc87d37be1b730a149b035f9375fdb8cc5333a5"
        }
      ],
      "title": "drm/nouveau: fix u32 overflow in pushbuf reloc bounds check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46006",
    "datePublished": "2026-05-27T12:56:05.273Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:47:33.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46173 (GCVE-0-2026-46173)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-17 06:15

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: exit: prevent preemption of oopsing TASK_DEAD task When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!". If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case). This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption. (This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)

References

URL

Tags

	https://git.kernel.org/stable/c/3d6fb8a7690c23e3213c4b008f64d89a44b98737
	https://git.kernel.org/stable/c/640b4c00fb0e2920327435f6176cbefc3c546165
	https://git.kernel.org/stable/c/7b2800ba5f5f77a8ee7f4cbadb19cf1264597a34
	https://git.kernel.org/stable/c/6f49f94f3b11fe8bff1bf2a054143789e76aaf17
	https://git.kernel.org/stable/c/9756b3db5db6c2f5eccb32dddbd88eb4c54f575e
	https://git.kernel.org/stable/c/c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891
	https://project-zero.issues.chromium.org/issues/510793286

Impacted products

Vendor

Product

Version

Version: 7f80a2fd7db9a55894fd841915236aca611291b5
Version: 7f80a2fd7db9a55894fd841915236aca611291b5
Version: 7f80a2fd7db9a55894fd841915236aca611291b5
Version: 7f80a2fd7db9a55894fd841915236aca611291b5
Version: 7f80a2fd7db9a55894fd841915236aca611291b5
Version: 7f80a2fd7db9a55894fd841915236aca611291b5

Version: 5.17

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/exit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3d6fb8a7690c23e3213c4b008f64d89a44b98737",
              "status": "affected",
              "version": "7f80a2fd7db9a55894fd841915236aca611291b5",
              "versionType": "git"
            },
            {
              "lessThan": "640b4c00fb0e2920327435f6176cbefc3c546165",
              "status": "affected",
              "version": "7f80a2fd7db9a55894fd841915236aca611291b5",
              "versionType": "git"
            },
            {
              "lessThan": "7b2800ba5f5f77a8ee7f4cbadb19cf1264597a34",
              "status": "affected",
              "version": "7f80a2fd7db9a55894fd841915236aca611291b5",
              "versionType": "git"
            },
            {
              "lessThan": "6f49f94f3b11fe8bff1bf2a054143789e76aaf17",
              "status": "affected",
              "version": "7f80a2fd7db9a55894fd841915236aca611291b5",
              "versionType": "git"
            },
            {
              "lessThan": "9756b3db5db6c2f5eccb32dddbd88eb4c54f575e",
              "status": "affected",
              "version": "7f80a2fd7db9a55894fd841915236aca611291b5",
              "versionType": "git"
            },
            {
              "lessThan": "c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891",
              "status": "affected",
              "version": "7f80a2fd7db9a55894fd841915236aca611291b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/exit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexit: prevent preemption of oopsing TASK_DEAD task\n\nWhen an already-exiting task oopses, make_task_dead() currently calls\ndo_task_dead() with preemption enabled.  That is forbidden:\ndo_task_dead() calls __schedule(), which has a comment saying \"WARNING:\nmust be called with preemption disabled!\".\n\nIf an oopsing task is preempted in do_task_dead(), between becoming\nTASK_DEAD and entering the scheduler explicitly, bad things happen:\nfinish_task_switch() assumes that once the scheduler has switched away\nfrom a TASK_DEAD task, the task can never run again and its stack is no\nlonger needed; but that assumption apparently doesn\u0027t hold if the dead\ntask was preempted (the SM_PREEMPT case).\n\nThis means that the scheduler ends up repeatedly dropping references on\nthe dead task\u0027s stack, which can lead to use-after-free or double-free\nof the entire task stack; in other words, two tasks can end up running\non the same stack, resulting in various kinds of memory corruption.\n\n(This does not just affect \"recursively oopsing\" tasks; it is enough to\noops once during task exit, for example in a file_operations::release\nhandler)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T06:15:31.395Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3d6fb8a7690c23e3213c4b008f64d89a44b98737"
        },
        {
          "url": "https://git.kernel.org/stable/c/640b4c00fb0e2920327435f6176cbefc3c546165"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b2800ba5f5f77a8ee7f4cbadb19cf1264597a34"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f49f94f3b11fe8bff1bf2a054143789e76aaf17"
        },
        {
          "url": "https://git.kernel.org/stable/c/9756b3db5db6c2f5eccb32dddbd88eb4c54f575e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891"
        },
        {
          "url": "https://project-zero.issues.chromium.org/issues/510793286"
        }
      ],
      "title": "exit: prevent preemption of oopsing TASK_DEAD task",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46173",
    "datePublished": "2026-05-28T09:36:27.892Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-06-17T06:15:31.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46193 (GCVE-0-2026-46193)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: xfrm: ah: account for ESN high bits in async callbacks AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent. With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift: ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24 ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36 Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot. Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.

References

URL

Tags

	https://git.kernel.org/stable/c/0555d4f526232b3c9e3afbcd490c0c0793aefec6
	https://git.kernel.org/stable/c/729899a2aa8bda7844be0cdcd3b470f11b912eda
	https://git.kernel.org/stable/c/7db99a09b3bc87268287bc7ab5f2e7f382b5ad87
	https://git.kernel.org/stable/c/2ffaa7a94f9a4d22724364a1821735a0231d9f8d
	https://git.kernel.org/stable/c/ec54093e6a8f87e800bb6aa15eb7fc1e33faa524

Impacted products

Vendor

Product

Version

Version: d4d573d0334d07341beffdcf97e2b85d3955d8ae
Version: d4d573d0334d07341beffdcf97e2b85d3955d8ae
Version: d4d573d0334d07341beffdcf97e2b85d3955d8ae
Version: d4d573d0334d07341beffdcf97e2b85d3955d8ae
Version: d4d573d0334d07341beffdcf97e2b85d3955d8ae

Version: 3.15

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ah4.c",
            "net/ipv6/ah6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0555d4f526232b3c9e3afbcd490c0c0793aefec6",
              "status": "affected",
              "version": "d4d573d0334d07341beffdcf97e2b85d3955d8ae",
              "versionType": "git"
            },
            {
              "lessThan": "729899a2aa8bda7844be0cdcd3b470f11b912eda",
              "status": "affected",
              "version": "d4d573d0334d07341beffdcf97e2b85d3955d8ae",
              "versionType": "git"
            },
            {
              "lessThan": "7db99a09b3bc87268287bc7ab5f2e7f382b5ad87",
              "status": "affected",
              "version": "d4d573d0334d07341beffdcf97e2b85d3955d8ae",
              "versionType": "git"
            },
            {
              "lessThan": "2ffaa7a94f9a4d22724364a1821735a0231d9f8d",
              "status": "affected",
              "version": "d4d573d0334d07341beffdcf97e2b85d3955d8ae",
              "versionType": "git"
            },
            {
              "lessThan": "ec54093e6a8f87e800bb6aa15eb7fc1e33faa524",
              "status": "affected",
              "version": "d4d573d0334d07341beffdcf97e2b85d3955d8ae",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ah4.c",
            "net/ipv6/ah6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: ah: account for ESN high bits in async callbacks\n\nAH allocates its temporary auth/ICV layout differently when ESN is enabled:\nthe async ahash setup appends a 4-byte seqhi slot before the ICV or\nauth_data area, but the async completion callbacks still reconstruct the\ntemporary layout as if seqhi were absent.\n\nWith an async AH implementation selected, that makes AH copy or compare\nthe wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH\nwith ESN and forced async hmac(sha1), ping fails with 100% packet loss,\nand the callback logs show the pre-fix drift:\n\n  ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24\n  ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36\n\nReconstruct the callback-side layout the same way the setup path built it\nby skipping the ESN seqhi slot before locating the saved auth_data or ICV.\nPer RFC 4302, the ESN high-order 32 bits participate in the AH ICV\ncomputation, so the async callbacks must account for the seqhi slot.\n\nPost-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows\nthe corrected offset (ah4 output_done: esn=1 err=0 icv_off=24\nexpected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o\nbuild clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the\nchange has not been tested against a real async hardware AH engine."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:40.026Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0555d4f526232b3c9e3afbcd490c0c0793aefec6"
        },
        {
          "url": "https://git.kernel.org/stable/c/729899a2aa8bda7844be0cdcd3b470f11b912eda"
        },
        {
          "url": "https://git.kernel.org/stable/c/7db99a09b3bc87268287bc7ab5f2e7f382b5ad87"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ffaa7a94f9a4d22724364a1821735a0231d9f8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec54093e6a8f87e800bb6aa15eb7fc1e33faa524"
        }
      ],
      "title": "xfrm: ah: account for ESN high bits in async callbacks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46193",
    "datePublished": "2026-05-28T09:36:46.611Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-06-14T18:01:40.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46004 (GCVE-0-2026-46004)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Handle probe errors properly The probe procedure of setup_card() in caiaq driver doesn't treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below. However, the problem is not only that; in general, this function drops the all error handlings (as it's a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe(). This patch achieves it by changing the setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed, too. Note that card->private_free can be set still safely at returning an error. All called functions in card_free() have checks of the unassigned resources or NULL checks.

References

URL

Tags

	https://git.kernel.org/stable/c/da938aa9fc7826901921dcea225948ab21a97e45
	https://git.kernel.org/stable/c/09616e25f502080ba684fc7fcf959d1376ab756d
	https://git.kernel.org/stable/c/b956e48371f2ff72b76be9a829800ecec963bd45
	https://git.kernel.org/stable/c/f537e3ad69609f6924a4db6b4a7f6561f5288bdd
	https://git.kernel.org/stable/c/6251e3e256337a30160ef59ab1580dde4d1acd28
	https://git.kernel.org/stable/c/e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056
	https://git.kernel.org/stable/c/096dd8519cf2f768e9e14f224b627f7aaee1a9c5
	https://git.kernel.org/stable/c/28abd224db4a49560b452115bca3672a20e45b2f

Impacted products

Vendor

Product

Version

Version: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8
Version: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8
Version: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8
Version: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8
Version: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8
Version: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8
Version: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8
Version: 8e3cd08ed8e590952aa9a656758cb24d4ba898f8

Version: 2.6.25

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/caiaq/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "da938aa9fc7826901921dcea225948ab21a97e45",
              "status": "affected",
              "version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
              "versionType": "git"
            },
            {
              "lessThan": "09616e25f502080ba684fc7fcf959d1376ab756d",
              "status": "affected",
              "version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
              "versionType": "git"
            },
            {
              "lessThan": "b956e48371f2ff72b76be9a829800ecec963bd45",
              "status": "affected",
              "version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
              "versionType": "git"
            },
            {
              "lessThan": "f537e3ad69609f6924a4db6b4a7f6561f5288bdd",
              "status": "affected",
              "version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
              "versionType": "git"
            },
            {
              "lessThan": "6251e3e256337a30160ef59ab1580dde4d1acd28",
              "status": "affected",
              "version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
              "versionType": "git"
            },
            {
              "lessThan": "e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056",
              "status": "affected",
              "version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
              "versionType": "git"
            },
            {
              "lessThan": "096dd8519cf2f768e9e14f224b627f7aaee1a9c5",
              "status": "affected",
              "version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
              "versionType": "git"
            },
            {
              "lessThan": "28abd224db4a49560b452115bca3672a20e45b2f",
              "status": "affected",
              "version": "8e3cd08ed8e590952aa9a656758cb24d4ba898f8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/caiaq/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: Handle probe errors properly\n\nThe probe procedure of setup_card() in caiaq driver doesn\u0027t treat the\nerror cases gracefully, e.g. the error from snd_card_register() calls\nsnd_card_free() but continues.  This would lead to a UAF for the\nfurther calls like snd_usb_caiaq_control_init(), as Berk suggested in\nanother patch in the link below.\n\nHowever, the problem is not only that; in general, this function drops\nthe all error handlings (as it\u0027s a void function) although its caller\ncan propagate an error to snd_probe(), which eventually calls\nsnd_card_free() as a proper error path.  That said, we should treat\neach error case in setup_card(), and just return the error code\npromptly, which is then handled later as a fatal error in snd_probe().\n\nThis patch achieves it by changing the setup_card() to return an error\ncode.  Also, the superfluous snd_card_free() call is removed, too.\n\nNote that card-\u003eprivate_free can be set still safely at returning an\nerror.  All called functions in card_free() have checks of the\nunassigned resources or NULL checks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:26.278Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/da938aa9fc7826901921dcea225948ab21a97e45"
        },
        {
          "url": "https://git.kernel.org/stable/c/09616e25f502080ba684fc7fcf959d1376ab756d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b956e48371f2ff72b76be9a829800ecec963bd45"
        },
        {
          "url": "https://git.kernel.org/stable/c/f537e3ad69609f6924a4db6b4a7f6561f5288bdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/6251e3e256337a30160ef59ab1580dde4d1acd28"
        },
        {
          "url": "https://git.kernel.org/stable/c/e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056"
        },
        {
          "url": "https://git.kernel.org/stable/c/096dd8519cf2f768e9e14f224b627f7aaee1a9c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/28abd224db4a49560b452115bca3672a20e45b2f"
        }
      ],
      "title": "ALSA: caiaq: Handle probe errors properly",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46004",
    "datePublished": "2026-05-27T12:56:01.851Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:26.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46205 (GCVE-0-2026-46205)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-15 08:03

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Disallow all private IOCTLs Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.

References

URL

Tags

	https://git.kernel.org/stable/c/51b8dc5163d2ff2bf04019f8bf7e3bd0e75bb654
	https://git.kernel.org/stable/c/64e85679beafe082fc2e70a557ec356c7fd27548
	https://git.kernel.org/stable/c/8774f8cb661f57ae43cc3bc0509d16ef1f406e45
	https://git.kernel.org/stable/c/ceb1b5f910e58986ea544ff8c9c2f23ae9a52414
	https://git.kernel.org/stable/c/8c7a281a99224a5b9af99c4dcd98d68eea75926c
	https://git.kernel.org/stable/c/6f1ce75a75c65061e7a720c3d0ee5f8adab7a2d3
	https://git.kernel.org/stable/c/c7848b67ef10f581114b6a2f52b160fc20eb52c9
	https://git.kernel.org/stable/c/6850a439f8d23d4979624f1d6880d3118d473a28
	https://git.kernel.org/stable/c/2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c

Impacted products

Vendor

Product

Version

Version: a49d25364dfb9f8a64037488a39ab1f56c5fa419
Version: ad85094b293e40e7a2f831b0311a389d952ebd5e
Version: ad85094b293e40e7a2f831b0311a389d952ebd5e
Version: ad85094b293e40e7a2f831b0311a389d952ebd5e
Version: ad85094b293e40e7a2f831b0311a389d952ebd5e
Version: ad85094b293e40e7a2f831b0311a389d952ebd5e
Version: ad85094b293e40e7a2f831b0311a389d952ebd5e
Version: ad85094b293e40e7a2f831b0311a389d952ebd5e
Version: ad85094b293e40e7a2f831b0311a389d952ebd5e

Version: 4.12
Version: 5.8

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/media/atomisp/pci/atomisp_ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "51b8dc5163d2ff2bf04019f8bf7e3bd0e75bb654",
              "status": "affected",
              "version": "a49d25364dfb9f8a64037488a39ab1f56c5fa419",
              "versionType": "git"
            },
            {
              "lessThan": "64e85679beafe082fc2e70a557ec356c7fd27548",
              "status": "affected",
              "version": "ad85094b293e40e7a2f831b0311a389d952ebd5e",
              "versionType": "git"
            },
            {
              "lessThan": "8774f8cb661f57ae43cc3bc0509d16ef1f406e45",
              "status": "affected",
              "version": "ad85094b293e40e7a2f831b0311a389d952ebd5e",
              "versionType": "git"
            },
            {
              "lessThan": "ceb1b5f910e58986ea544ff8c9c2f23ae9a52414",
              "status": "affected",
              "version": "ad85094b293e40e7a2f831b0311a389d952ebd5e",
              "versionType": "git"
            },
            {
              "lessThan": "8c7a281a99224a5b9af99c4dcd98d68eea75926c",
              "status": "affected",
              "version": "ad85094b293e40e7a2f831b0311a389d952ebd5e",
              "versionType": "git"
            },
            {
              "lessThan": "6f1ce75a75c65061e7a720c3d0ee5f8adab7a2d3",
              "status": "affected",
              "version": "ad85094b293e40e7a2f831b0311a389d952ebd5e",
              "versionType": "git"
            },
            {
              "lessThan": "c7848b67ef10f581114b6a2f52b160fc20eb52c9",
              "status": "affected",
              "version": "ad85094b293e40e7a2f831b0311a389d952ebd5e",
              "versionType": "git"
            },
            {
              "lessThan": "6850a439f8d23d4979624f1d6880d3118d473a28",
              "status": "affected",
              "version": "ad85094b293e40e7a2f831b0311a389d952ebd5e",
              "versionType": "git"
            },
            {
              "lessThan": "2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c",
              "status": "affected",
              "version": "ad85094b293e40e7a2f831b0311a389d952ebd5e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/media/atomisp/pci/atomisp_ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "4.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.18",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: atomisp: Disallow all private IOCTLs\n\nDisallow all private IOCTLs. These aren\u0027t quite as safe as one could\nassume of IOCTL handlers; disable them for now. Instead of removing the\ncode, return in the beginning of the function if cmd is non-zero in order\nto keep static checkers happy."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T08:03:26.847Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/51b8dc5163d2ff2bf04019f8bf7e3bd0e75bb654"
        },
        {
          "url": "https://git.kernel.org/stable/c/64e85679beafe082fc2e70a557ec356c7fd27548"
        },
        {
          "url": "https://git.kernel.org/stable/c/8774f8cb661f57ae43cc3bc0509d16ef1f406e45"
        },
        {
          "url": "https://git.kernel.org/stable/c/ceb1b5f910e58986ea544ff8c9c2f23ae9a52414"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c7a281a99224a5b9af99c4dcd98d68eea75926c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f1ce75a75c65061e7a720c3d0ee5f8adab7a2d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7848b67ef10f581114b6a2f52b160fc20eb52c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6850a439f8d23d4979624f1d6880d3118d473a28"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c"
        }
      ],
      "title": "staging: media: atomisp: Disallow all private IOCTLs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46205",
    "datePublished": "2026-05-28T09:40:23.117Z",
    "dateReserved": "2026-05-13T15:03:33.105Z",
    "dateUpdated": "2026-06-15T08:03:26.847Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46027 (GCVE-0-2026-46027)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:48

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid early lgr access in smc_clc_wait_msg A CLC decline can be received while the handshake is still in an early stage, before the connection has been associated with a link group. The decline handling in smc_clc_wait_msg() updates link-group level sync state for first-contact declines, but that state only exists after link group setup has completed. Guard the link-group update accordingly and keep the per-socket peer diagnosis handling unchanged. This preserves the existing sync_err handling for established link-group contexts and avoids touching link-group state before it is available.

References

URL

Tags

	https://git.kernel.org/stable/c/257cdf0c5ced9c0fba8aba501d94b0a5fcef2086
	https://git.kernel.org/stable/c/22546729b96fc873b23065dc49e3d73c45cfb874
	https://git.kernel.org/stable/c/5eedbfd82c2884e0010fdfb3c9446a6ebcadb691
	https://git.kernel.org/stable/c/f0858e1d5624bb120b198f2a8528f97a9b0ae069
	https://git.kernel.org/stable/c/6180a296ca65b08a81914805cbc0f78da5f10a1f
	https://git.kernel.org/stable/c/ea0b5d0fe96356dce38f98375a57c52a04e13712
	https://git.kernel.org/stable/c/83bcf9228b0501694fb2589ed1d142855a2887f2
	https://git.kernel.org/stable/c/5a8db80f721deee8e916c2cfdee78decda02ce4f

Impacted products

Vendor

Product

Version

Version: 0cfdd8f92cac01afbb12e4500514036a2b78756b
Version: 0cfdd8f92cac01afbb12e4500514036a2b78756b
Version: 0cfdd8f92cac01afbb12e4500514036a2b78756b
Version: 0cfdd8f92cac01afbb12e4500514036a2b78756b
Version: 0cfdd8f92cac01afbb12e4500514036a2b78756b
Version: 0cfdd8f92cac01afbb12e4500514036a2b78756b
Version: 0cfdd8f92cac01afbb12e4500514036a2b78756b
Version: 0cfdd8f92cac01afbb12e4500514036a2b78756b

Version: 4.11

Show details on NVD website

https://httpd.apache.org/security/vulnerabilities_24.html

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_clc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "257cdf0c5ced9c0fba8aba501d94b0a5fcef2086",
              "status": "affected",
              "version": "0cfdd8f92cac01afbb12e4500514036a2b78756b",
              "versionType": "git"
            },
            {
              "lessThan": "22546729b96fc873b23065dc49e3d73c45cfb874",
              "status": "affected",
              "version": "0cfdd8f92cac01afbb12e4500514036a2b78756b",
              "versionType": "git"
            },
            {
              "lessThan": "5eedbfd82c2884e0010fdfb3c9446a6ebcadb691",
              "status": "affected",
              "version": "0cfdd8f92cac01afbb12e4500514036a2b78756b",
              "versionType": "git"
            },
            {
              "lessThan": "f0858e1d5624bb120b198f2a8528f97a9b0ae069",
              "status": "affected",
              "version": "0cfdd8f92cac01afbb12e4500514036a2b78756b",
              "versionType": "git"
            },
            {
              "lessThan": "6180a296ca65b08a81914805cbc0f78da5f10a1f",
              "status": "affected",
              "version": "0cfdd8f92cac01afbb12e4500514036a2b78756b",
              "versionType": "git"
            },
            {
              "lessThan": "ea0b5d0fe96356dce38f98375a57c52a04e13712",
              "status": "affected",
              "version": "0cfdd8f92cac01afbb12e4500514036a2b78756b",
              "versionType": "git"
            },
            {
              "lessThan": "83bcf9228b0501694fb2589ed1d142855a2887f2",
              "status": "affected",
              "version": "0cfdd8f92cac01afbb12e4500514036a2b78756b",
              "versionType": "git"
            },
            {
              "lessThan": "5a8db80f721deee8e916c2cfdee78decda02ce4f",
              "status": "affected",
              "version": "0cfdd8f92cac01afbb12e4500514036a2b78756b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_clc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid early lgr access in smc_clc_wait_msg\n\nA CLC decline can be received while the handshake is still in an early\nstage, before the connection has been associated with a link group.\n\nThe decline handling in smc_clc_wait_msg() updates link-group level sync\nstate for first-contact declines, but that state only exists after link\ngroup setup has completed. Guard the link-group update accordingly and\nkeep the per-socket peer diagnosis handling unchanged.\n\nThis preserves the existing sync_err handling for established link-group\ncontexts and avoids touching link-group state before it is available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:48:56.975Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/257cdf0c5ced9c0fba8aba501d94b0a5fcef2086"
        },
        {
          "url": "https://git.kernel.org/stable/c/22546729b96fc873b23065dc49e3d73c45cfb874"
        },
        {
          "url": "https://git.kernel.org/stable/c/5eedbfd82c2884e0010fdfb3c9446a6ebcadb691"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0858e1d5624bb120b198f2a8528f97a9b0ae069"
        },
        {
          "url": "https://git.kernel.org/stable/c/6180a296ca65b08a81914805cbc0f78da5f10a1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea0b5d0fe96356dce38f98375a57c52a04e13712"
        },
        {
          "url": "https://git.kernel.org/stable/c/83bcf9228b0501694fb2589ed1d142855a2887f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a8db80f721deee8e916c2cfdee78decda02ce4f"
        }
      ],
      "title": "net/smc: avoid early lgr access in smc_clc_wait_msg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46027",
    "datePublished": "2026-05-27T12:56:35.628Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-06-14T17:48:56.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49975 (GCVE-0-2026-49975)

Vulnerability from cvelistv5

Published

2026-06-08 15:26

Modified

2026-06-09 15:25

Severity ?

CWE

CWE-789 - Memory Allocation with Excessive Size Value

Summary

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

References

URL

Tags

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 2.4.17 ≤ 2.4.67

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45503

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-08T22:32:35.729Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/03/3"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/08/16"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-49975",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T15:25:51.036143Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T15:25:56.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.67",
              "status": "affected",
              "version": "2.4.17",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Quang Luong of Calif.IO in collaboration with OpenAI Codex"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMemory Allocation with Excessive Size Value vulnerability in Apache HTTP Server\u0027s mod_http leads to denial of service via malicious HTTP requests.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server\u0027s mod_http leads to denial of service via malicious HTTP requests.\n\nThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789 Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-08T15:26:04.674Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-26T12:00:00.000Z",
          "value": "reported"
        },
        {
          "lang": "en",
          "time": "2026-05-27T12:00:00.000Z",
          "value": "fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c"
        },
        {
          "lang": "en",
          "time": "2026-06-02T12:00:00.000Z",
          "value": "fixed in 2.4.x by r1934882"
        },
        {
          "lang": "eng",
          "time": "2026-06-08T12:00:00.000Z",
          "value": "2.4.68 released"
        }
      ],
      "title": "Apache HTTP Server: mod_http2 denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-49975",
    "datePublished": "2026-06-08T15:26:04.674Z",
    "dateReserved": "2026-06-02T17:20:37.983Z",
    "dateUpdated": "2026-06-09T15:25:56.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45503 (GCVE-0-2026-45503)

Vulnerability from cvelistv5

Published

2026-06-09 17:04

Modified

2026-06-16 18:17

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

CWE

CWE-285 - Improper Authorization

Summary

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Microsoft Exchange Server 2016 Cumulative Update 23

Version: 15.01.0.0 < 15.01.2507.069

Microsoft	Microsoft Exchange Server 2019 Cumulative Update 14	Version: 15.02.0.0 < 15.02.1544.041
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 15	Version: 15.02.0.0 < 15.02.1748.046
Microsoft	Microsoft Exchange Server Subscription Edition RTM	Version: 15.02.0.0 < 15.02.2562.043

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45503",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:41:09.056090Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:41:16.667Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.069",
              "status": "affected",
              "version": "15.01.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 14",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1544.041",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 15",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1748.046",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server Subscription Edition RTM",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.2562.043",
              "status": "affected",
              "version": "15.02.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.069",
                  "versionStartIncluding": "15.01.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.2562.043",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1748.046",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1544.041",
                  "versionStartIncluding": "15.02.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:17:26.448Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45503"
        }
      ],
      "title": "Microsoft Exchange Server Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45503",
    "datePublished": "2026-06-09T17:04:46.795Z",
    "dateReserved": "2026-05-12T16:07:22.619Z",
    "dateUpdated": "2026-06-16T18:17:26.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46185 (GCVE-0-2026-46185)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 18:01

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.

References

URL

Tags

	https://git.kernel.org/stable/c/2be11faf79e49fb8250a181ff0b4d2b2f084af83
	https://git.kernel.org/stable/c/ef6495d4df6e7af8f3de67e65150881c880f696c
	https://git.kernel.org/stable/c/15dc0a4de743a1aaa7b859b3aea79f08c695396c
	https://git.kernel.org/stable/c/b8c8a704f0bc133deb171f6aeb6f3a684203e212
	https://git.kernel.org/stable/c/b9561402489d41149f63e001a74384863b7b30a6
	https://git.kernel.org/stable/c/d62b8d236fab503c6fec1d3e9a38bea71feaca20

Impacted products

Vendor

Product

Version

Version: 76894f3e2f71177747b8b4763fb180e800279585
Version: 76894f3e2f71177747b8b4763fb180e800279585
Version: 76894f3e2f71177747b8b4763fb180e800279585
Version: 76894f3e2f71177747b8b4763fb180e800279585
Version: 76894f3e2f71177747b8b4763fb180e800279585
Version: 76894f3e2f71177747b8b4763fb180e800279585
Version: 2d046892a493d9760c35fdaefc3017f27f91b621
Version: 6.0.16 ≤

Version: 6.1

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2be11faf79e49fb8250a181ff0b4d2b2f084af83",
              "status": "affected",
              "version": "76894f3e2f71177747b8b4763fb180e800279585",
              "versionType": "git"
            },
            {
              "lessThan": "ef6495d4df6e7af8f3de67e65150881c880f696c",
              "status": "affected",
              "version": "76894f3e2f71177747b8b4763fb180e800279585",
              "versionType": "git"
            },
            {
              "lessThan": "15dc0a4de743a1aaa7b859b3aea79f08c695396c",
              "status": "affected",
              "version": "76894f3e2f71177747b8b4763fb180e800279585",
              "versionType": "git"
            },
            {
              "lessThan": "b8c8a704f0bc133deb171f6aeb6f3a684203e212",
              "status": "affected",
              "version": "76894f3e2f71177747b8b4763fb180e800279585",
              "versionType": "git"
            },
            {
              "lessThan": "b9561402489d41149f63e001a74384863b7b30a6",
              "status": "affected",
              "version": "76894f3e2f71177747b8b4763fb180e800279585",
              "versionType": "git"
            },
            {
              "lessThan": "d62b8d236fab503c6fec1d3e9a38bea71feaca20",
              "status": "affected",
              "version": "76894f3e2f71177747b8b4763fb180e800279585",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2d046892a493d9760c35fdaefc3017f27f91b621",
              "versionType": "git"
            },
            {
              "lessThan": "6.1",
              "status": "affected",
              "version": "6.0.16",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix out-of-bounds read in symlink_data()\n\nSince smb2_check_message() returns success without length validation for\nthe symlink error response, in symlink_data() it is possible for\niov-\u003eiov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer\nonly contains the base SMB2 header (64 bytes), accessing\nerr-\u003eErrorContextCount (at offset 66) or err-\u003eByteCount later in\nsymlink_data() will cause an out-of-bounds read."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:01:04.745Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2be11faf79e49fb8250a181ff0b4d2b2f084af83"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef6495d4df6e7af8f3de67e65150881c880f696c"
        },
        {
          "url": "https://git.kernel.org/stable/c/15dc0a4de743a1aaa7b859b3aea79f08c695396c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8c8a704f0bc133deb171f6aeb6f3a684203e212"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9561402489d41149f63e001a74384863b7b30a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d62b8d236fab503c6fec1d3e9a38bea71feaca20"
        }
      ],
      "title": "smb/client: fix out-of-bounds read in symlink_data()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46185",
    "datePublished": "2026-05-28T09:36:39.318Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-06-14T18:01:04.745Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46003 (GCVE-0-2026-46003)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the total number of nodes Currently, the nameserver doesn't limit the number of nodes it handles. This can be an attack vector if a malicious client starts registering random nodes, leading to memory exhaustion. Hence, limit the maximum number of nodes to 64. Note that, limit of 64 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.

References

URL

Tags

	https://git.kernel.org/stable/c/4c46413661431aa60fb134cd4ecdf8beaa39f824
	https://git.kernel.org/stable/c/4665a29c08e1b36bc9db4814f9dde3d23e8fd1b0
	https://git.kernel.org/stable/c/5cf6d5e5e3b804a44692fbf548a5179442e2e923
	https://git.kernel.org/stable/c/8022876894d09ae485b499058c3357da683bcc5d
	https://git.kernel.org/stable/c/27d5e84e810b0849d08b9aec68e48570461ce313

Impacted products

Vendor

Product

Version

Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd

Version: 5.7

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4c46413661431aa60fb134cd4ecdf8beaa39f824",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "4665a29c08e1b36bc9db4814f9dde3d23e8fd1b0",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "5cf6d5e5e3b804a44692fbf548a5179442e2e923",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "8022876894d09ae485b499058c3357da683bcc5d",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "27d5e84e810b0849d08b9aec68e48570461ce313",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Limit the total number of nodes\n\nCurrently, the nameserver doesn\u0027t limit the number of nodes it handles.\nThis can be an attack vector if a malicious client starts registering\nrandom nodes, leading to memory exhaustion.\n\nHence, limit the maximum number of nodes to 64. Note that, limit of 64 is\nchosen based on the current platform requirements. If requirement changes\nin the future, this limit can be increased."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:23.215Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4c46413661431aa60fb134cd4ecdf8beaa39f824"
        },
        {
          "url": "https://git.kernel.org/stable/c/4665a29c08e1b36bc9db4814f9dde3d23e8fd1b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/5cf6d5e5e3b804a44692fbf548a5179442e2e923"
        },
        {
          "url": "https://git.kernel.org/stable/c/8022876894d09ae485b499058c3357da683bcc5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/27d5e84e810b0849d08b9aec68e48570461ce313"
        }
      ],
      "title": "net: qrtr: ns: Limit the total number of nodes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46003",
    "datePublished": "2026-05-27T12:55:59.509Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:23.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-50031 (GCVE-0-2026-50031)

Vulnerability from cvelistv5

Published

2026-06-03 03:07

Modified

2026-06-03 13:40

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

Summary

ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages.

References

URL

Tags

	https://savannah.gnu.org/bugs/index.php?68363
	https://savannah.gnu.org/bugs/index.php?68364
	https://lists.gnu.org/archive/html/info-gnu/2026-06/msg00000.html

Impacted products

	Vendor	Product	Version
	FreeIPMI	FreeIPMI	Version: 0.7.12 ≤

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50031",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T13:38:19.384737Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T13:40:53.788Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ipmi-oem"
          ],
          "product": "FreeIPMI",
          "programFiles": [
            "ipmi-oem/ipmi-oem-fujitsu.c",
            "ipmi-oem/ipmi-oem/ipmi-oem-dell.c"
          ],
          "repo": "https://savannah.gnu.org/projects/freeipmi/",
          "vendor": "FreeIPMI",
          "versions": [
            {
              "lessThan": "1.6.18",
              "status": "affected",
              "version": "0.7.12",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands \"ipmi-oem dell get-active-directory-config\" and \"ipmi-oem fujitsu get-sel-entry-long-text\" were found to have exploitable buffer overflows on response messages."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T04:17:54.674Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://savannah.gnu.org/bugs/index.php?68363"
        },
        {
          "url": "https://savannah.gnu.org/bugs/index.php?68364"
        },
        {
          "url": "https://lists.gnu.org/archive/html/info-gnu/2026-06/msg00000.html"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-50031",
    "datePublished": "2026-06-03T03:07:25.450Z",
    "dateReserved": "2026-06-03T03:07:24.985Z",
    "dateUpdated": "2026-06-03T13:40:53.788Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45836 (GCVE-0-2026-45836)

Vulnerability from cvelistv5

Published

2026-05-26 16:14

Modified

2026-06-14 17:45

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

References

URL

Tags

	https://git.kernel.org/stable/c/fd072f833147b0bc10c43a454624cb99d02f3fc7
	https://git.kernel.org/stable/c/6e8d1a2a677a81caa60cf0aabd4217bd585fbba1
	https://git.kernel.org/stable/c/e1863e7480feddb90125d0dd5a1b572972d75908
	https://git.kernel.org/stable/c/cf1fd517f892ded88168df878f834b625133f86d
	https://git.kernel.org/stable/c/58dc5e3d8768e121907608e6e196a908512fb083
	https://git.kernel.org/stable/c/32bd343803d4ba47cc516f9d5f037f01b855d767
	https://git.kernel.org/stable/c/a93d66907dd4d29b65c9797a93784bf61906d6d6
	https://git.kernel.org/stable/c/78a88d43dab8d23aeef934ed8ce34d40e6b3d613

Impacted products

Vendor

Product

Version

Version: 8d836d71e2223b8961b21112bb4ce89ef8231682
Version: 8d836d71e2223b8961b21112bb4ce89ef8231682
Version: 8d836d71e2223b8961b21112bb4ce89ef8231682
Version: 8d836d71e2223b8961b21112bb4ce89ef8231682
Version: 8d836d71e2223b8961b21112bb4ce89ef8231682
Version: 8d836d71e2223b8961b21112bb4ce89ef8231682
Version: 8d836d71e2223b8961b21112bb4ce89ef8231682
Version: 8d836d71e2223b8961b21112bb4ce89ef8231682

Version: 3.13

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fd072f833147b0bc10c43a454624cb99d02f3fc7",
              "status": "affected",
              "version": "8d836d71e2223b8961b21112bb4ce89ef8231682",
              "versionType": "git"
            },
            {
              "lessThan": "6e8d1a2a677a81caa60cf0aabd4217bd585fbba1",
              "status": "affected",
              "version": "8d836d71e2223b8961b21112bb4ce89ef8231682",
              "versionType": "git"
            },
            {
              "lessThan": "e1863e7480feddb90125d0dd5a1b572972d75908",
              "status": "affected",
              "version": "8d836d71e2223b8961b21112bb4ce89ef8231682",
              "versionType": "git"
            },
            {
              "lessThan": "cf1fd517f892ded88168df878f834b625133f86d",
              "status": "affected",
              "version": "8d836d71e2223b8961b21112bb4ce89ef8231682",
              "versionType": "git"
            },
            {
              "lessThan": "58dc5e3d8768e121907608e6e196a908512fb083",
              "status": "affected",
              "version": "8d836d71e2223b8961b21112bb4ce89ef8231682",
              "versionType": "git"
            },
            {
              "lessThan": "32bd343803d4ba47cc516f9d5f037f01b855d767",
              "status": "affected",
              "version": "8d836d71e2223b8961b21112bb4ce89ef8231682",
              "versionType": "git"
            },
            {
              "lessThan": "a93d66907dd4d29b65c9797a93784bf61906d6d6",
              "status": "affected",
              "version": "8d836d71e2223b8961b21112bb4ce89ef8231682",
              "versionType": "git"
            },
            {
              "lessThan": "78a88d43dab8d23aeef934ed8ce34d40e6b3d613",
              "status": "affected",
              "version": "8d836d71e2223b8961b21112bb4ce89ef8231682",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:45:57.724Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fd072f833147b0bc10c43a454624cb99d02f3fc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e8d1a2a677a81caa60cf0aabd4217bd585fbba1"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1863e7480feddb90125d0dd5a1b572972d75908"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf1fd517f892ded88168df878f834b625133f86d"
        },
        {
          "url": "https://git.kernel.org/stable/c/58dc5e3d8768e121907608e6e196a908512fb083"
        },
        {
          "url": "https://git.kernel.org/stable/c/32bd343803d4ba47cc516f9d5f037f01b855d767"
        },
        {
          "url": "https://git.kernel.org/stable/c/a93d66907dd4d29b65c9797a93784bf61906d6d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/78a88d43dab8d23aeef934ed8ce34d40e6b3d613"
        }
      ],
      "title": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45836",
    "datePublished": "2026-05-26T16:14:13.568Z",
    "dateReserved": "2026-05-13T15:03:33.077Z",
    "dateUpdated": "2026-06-14T17:45:57.724Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46052 (GCVE-0-2026-46052)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:50

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ceph: only d_add() negative dentries when they are unhashed Ceph can call d_add(dentry, NULL) on a negative dentry that is already present in the primary dcache hash. In the current VFS that is not safe. d_add() goes through __d_add() to __d_rehash(), which unconditionally reinserts dentry->d_hash into the hlist_bl bucket. If the dentry is already hashed, reinserting the same node can corrupt the bucket, including creating a self-loop. Once that happens, __d_lookup() can spin forever in the hlist_bl walk, typically looping only on the d_name.hash mismatch check and eventually triggering RCU stall reports like this one: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829 rcu: (t=2101 jiffies g=79058445 q=698988 ncpus=192) CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023 RIP: 0010:__d_lookup+0x46/0xb0 Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f RSP: 0018:ff745a70c8253898 EFLAGS: 00000282 RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966 RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0 RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89 R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0 R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f FS: 00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0 PKRU: 55555554 Call Trace: <TASK> lookup_fast+0x9f/0x100 walk_component+0x1f/0x150 link_path_walk+0x20e/0x3d0 path_lookupat+0x68/0x180 filename_lookup+0xdc/0x1e0 vfs_statx+0x6c/0x140 vfs_fstatat+0x67/0xa0 __do_sys_newfstatat+0x24/0x60 do_syscall_64+0x6a/0x230 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is reachable with reused cached negative dentries. A Ceph lookup or atomic_open can be handed a negative dentry that is already hashed, and fs/ceph/dir.c then hits one of two paths that incorrectly assume "negative" also means "unhashed": - ceph_finish_lookup(): MDS reply is -ENOENT with no trace -> d_add(dentry, NULL) - ceph_lookup(): local ENOENT fast path for a complete directory with shared caps -> d_add(dentry, NULL) Both paths can therefore re-add an already-hashed negative dentry. Ceph already uses the correct pattern elsewhere: ceph_fill_trace() only calls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn) is true. Fix both fs/ceph/dir.c sites the same way: only call d_add() for a negative dentry when it is actually unhashed. If the negative dentry is already hashed, leave it in place and reuse it as-is. This preserves the existing behavior for unhashed dentries while avoiding d_hash list corruption for reused hashed negatives.

References

URL

Tags

	https://git.kernel.org/stable/c/83ce43a21bb7df8dd52228afdd918d2d058eefde
	https://git.kernel.org/stable/c/4179cc390dacebc87079419ec92f86f3dc46294d
	https://git.kernel.org/stable/c/b91e535f208c48a5e7464f1aa38338a30e7912df
	https://git.kernel.org/stable/c/2010cb06b9df7d3c816c78358c566bdacbdf38ff
	https://git.kernel.org/stable/c/803447f93d75ab6e40c85e6d12b5630d281d70d6

Impacted products

Vendor

Product

Version

Version: 2817b000b02c5f0c05af67c01fb2684e1381d6ef
Version: 2817b000b02c5f0c05af67c01fb2684e1381d6ef
Version: 2817b000b02c5f0c05af67c01fb2684e1381d6ef
Version: 2817b000b02c5f0c05af67c01fb2684e1381d6ef
Version: 2817b000b02c5f0c05af67c01fb2684e1381d6ef

Version: 2.6.34

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ceph/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "83ce43a21bb7df8dd52228afdd918d2d058eefde",
              "status": "affected",
              "version": "2817b000b02c5f0c05af67c01fb2684e1381d6ef",
              "versionType": "git"
            },
            {
              "lessThan": "4179cc390dacebc87079419ec92f86f3dc46294d",
              "status": "affected",
              "version": "2817b000b02c5f0c05af67c01fb2684e1381d6ef",
              "versionType": "git"
            },
            {
              "lessThan": "b91e535f208c48a5e7464f1aa38338a30e7912df",
              "status": "affected",
              "version": "2817b000b02c5f0c05af67c01fb2684e1381d6ef",
              "versionType": "git"
            },
            {
              "lessThan": "2010cb06b9df7d3c816c78358c566bdacbdf38ff",
              "status": "affected",
              "version": "2817b000b02c5f0c05af67c01fb2684e1381d6ef",
              "versionType": "git"
            },
            {
              "lessThan": "803447f93d75ab6e40c85e6d12b5630d281d70d6",
              "status": "affected",
              "version": "2817b000b02c5f0c05af67c01fb2684e1381d6ef",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ceph/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: only d_add() negative dentries when they are unhashed\n\nCeph can call d_add(dentry, NULL) on a negative dentry that is already\npresent in the primary dcache hash.\n\nIn the current VFS that is not safe.  d_add() goes through __d_add()\nto __d_rehash(), which unconditionally reinserts dentry-\u003ed_hash into\nthe hlist_bl bucket.  If the dentry is already hashed, reinserting the\nsame node can corrupt the bucket, including creating a self-loop.\nOnce that happens, __d_lookup() can spin forever in the hlist_bl walk,\ntypically looping only on the d_name.hash mismatch check and\neventually triggering RCU stall reports like this one:\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu:         87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829\n rcu:         (t=2101 jiffies g=79058445 q=698988 ncpus=192)\n CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE\n Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023\n RIP: 0010:__d_lookup+0x46/0xb0\n Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db \u003c74\u003e 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f\n RSP: 0018:ff745a70c8253898 EFLAGS: 00000282\n RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966\n RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0\n RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89\n R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0\n R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f\n FS:  00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  lookup_fast+0x9f/0x100\n  walk_component+0x1f/0x150\n  link_path_walk+0x20e/0x3d0\n  path_lookupat+0x68/0x180\n  filename_lookup+0xdc/0x1e0\n  vfs_statx+0x6c/0x140\n  vfs_fstatat+0x67/0xa0\n  __do_sys_newfstatat+0x24/0x60\n  do_syscall_64+0x6a/0x230\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is reachable with reused cached negative dentries.  A Ceph lookup\nor atomic_open can be handed a negative dentry that is already hashed,\nand fs/ceph/dir.c then hits one of two paths that incorrectly assume\n\"negative\" also means \"unhashed\":\n\n  - ceph_finish_lookup():\n      MDS reply is -ENOENT with no trace\n      -\u003e d_add(dentry, NULL)\n\n  - ceph_lookup():\n      local ENOENT fast path for a complete directory with shared caps\n      -\u003e d_add(dentry, NULL)\n\nBoth paths can therefore re-add an already-hashed negative dentry.\n\nCeph already uses the correct pattern elsewhere: ceph_fill_trace() only\ncalls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn)\nis true.\n\nFix both fs/ceph/dir.c sites the same way: only call d_add() for a\nnegative dentry when it is actually unhashed.  If the negative dentry\nis already hashed, leave it in place and reuse it as-is.\n\nThis preserves the existing behavior for unhashed dentries while\navoiding d_hash list corruption for reused hashed negatives."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:50:51.815Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/83ce43a21bb7df8dd52228afdd918d2d058eefde"
        },
        {
          "url": "https://git.kernel.org/stable/c/4179cc390dacebc87079419ec92f86f3dc46294d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b91e535f208c48a5e7464f1aa38338a30e7912df"
        },
        {
          "url": "https://git.kernel.org/stable/c/2010cb06b9df7d3c816c78358c566bdacbdf38ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/803447f93d75ab6e40c85e6d12b5630d281d70d6"
        }
      ],
      "title": "ceph: only d_add() negative dentries when they are unhashed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46052",
    "datePublished": "2026-05-27T12:57:10.777Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-06-14T17:50:51.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46070 (GCVE-0-2026-46070)

Vulnerability from cvelistv5

Published

2026-05-27 12:57

Modified

2026-06-14 17:52

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block. A corrupted journal contains payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets. Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing.

References

URL

Tags

	https://git.kernel.org/stable/c/c96c6f01d84b5c67db1bf1cc8591c0b7146826fc
	https://git.kernel.org/stable/c/ef4851d8324fd978ca1ff9ec76a275438f887743
	https://git.kernel.org/stable/c/28d3ff7109c66e99dc1b7cddacb5c760849620ef
	https://git.kernel.org/stable/c/33698bd1b2db9764a29df7751533d33967ff5c98
	https://git.kernel.org/stable/c/c3a1cf78bd1bbb51b2cc5189b4743056553c1e0e
	https://git.kernel.org/stable/c/73ce72edd113374801045924d4417199963f73a3
	https://git.kernel.org/stable/c/406aa86394ead347c47428fb51b6359bdaa2257d
	https://git.kernel.org/stable/c/b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9

Impacted products

Vendor

Product

Version

Version: b4c625c67362b3940f619c1a836b4e8329106658
Version: b4c625c67362b3940f619c1a836b4e8329106658
Version: b4c625c67362b3940f619c1a836b4e8329106658
Version: b4c625c67362b3940f619c1a836b4e8329106658
Version: b4c625c67362b3940f619c1a836b4e8329106658
Version: b4c625c67362b3940f619c1a836b4e8329106658
Version: b4c625c67362b3940f619c1a836b4e8329106658
Version: b4c625c67362b3940f619c1a836b4e8329106658

Version: 4.10

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid5-cache.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c96c6f01d84b5c67db1bf1cc8591c0b7146826fc",
              "status": "affected",
              "version": "b4c625c67362b3940f619c1a836b4e8329106658",
              "versionType": "git"
            },
            {
              "lessThan": "ef4851d8324fd978ca1ff9ec76a275438f887743",
              "status": "affected",
              "version": "b4c625c67362b3940f619c1a836b4e8329106658",
              "versionType": "git"
            },
            {
              "lessThan": "28d3ff7109c66e99dc1b7cddacb5c760849620ef",
              "status": "affected",
              "version": "b4c625c67362b3940f619c1a836b4e8329106658",
              "versionType": "git"
            },
            {
              "lessThan": "33698bd1b2db9764a29df7751533d33967ff5c98",
              "status": "affected",
              "version": "b4c625c67362b3940f619c1a836b4e8329106658",
              "versionType": "git"
            },
            {
              "lessThan": "c3a1cf78bd1bbb51b2cc5189b4743056553c1e0e",
              "status": "affected",
              "version": "b4c625c67362b3940f619c1a836b4e8329106658",
              "versionType": "git"
            },
            {
              "lessThan": "73ce72edd113374801045924d4417199963f73a3",
              "status": "affected",
              "version": "b4c625c67362b3940f619c1a836b4e8329106658",
              "versionType": "git"
            },
            {
              "lessThan": "406aa86394ead347c47428fb51b6359bdaa2257d",
              "status": "affected",
              "version": "b4c625c67362b3940f619c1a836b4e8329106658",
              "versionType": "git"
            },
            {
              "lessThan": "b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9",
              "status": "affected",
              "version": "b4c625c67362b3940f619c1a836b4e8329106658",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid5-cache.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: validate payload size before accessing journal metadata\n\nr5c_recovery_analyze_meta_block() and\nr5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a\njournal metadata block using on-disk payload size fields without\nvalidating them against the remaining space in the metadata block.\n\nA corrupted journal contains payload sizes extending beyond the PAGE_SIZE\nboundary can cause out-of-bounds reads when accessing payload fields or\ncomputing offsets.\n\nAdd bounds validation for each payload type to ensure the full payload\nfits within meta_size before processing."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:52:06.614Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c96c6f01d84b5c67db1bf1cc8591c0b7146826fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef4851d8324fd978ca1ff9ec76a275438f887743"
        },
        {
          "url": "https://git.kernel.org/stable/c/28d3ff7109c66e99dc1b7cddacb5c760849620ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/33698bd1b2db9764a29df7751533d33967ff5c98"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3a1cf78bd1bbb51b2cc5189b4743056553c1e0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/73ce72edd113374801045924d4417199963f73a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/406aa86394ead347c47428fb51b6359bdaa2257d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9"
        }
      ],
      "title": "md/raid5: validate payload size before accessing journal metadata",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46070",
    "datePublished": "2026-05-27T12:57:54.345Z",
    "dateReserved": "2026-05-13T15:03:33.095Z",
    "dateUpdated": "2026-06-14T17:52:06.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46151 (GCVE-0-2026-46151)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix heap leak in IEEE 1284 device ID via short response usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know. usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap. That stale data is then exposed: - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated at the first NUL in the stale heap), and - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full claimed length regardless of NULs, up to 1021 bytes of uninitialized heap, with the leak size chosen by the device. Fix this up by just zapping the buffer with zeros before each request sent to the device.

References

URL

Tags

	https://git.kernel.org/stable/c/4650cce898fcd0bb8c33e529984687a8caed10c3
	https://git.kernel.org/stable/c/612640abbd9e0947fe8f37aaf0cf324265d7caa4
	https://git.kernel.org/stable/c/4220d4dd062ea3d3eb056a6cbe0b568e740d20b1
	https://git.kernel.org/stable/c/6e29c32a27218f2dcd4a4e9b0b3c5e7728640698
	https://git.kernel.org/stable/c/6d8142141c942c0d8e79343cffda9c44bb1f3f4f
	https://git.kernel.org/stable/c/8247f52d822180e94ccbfdab91613af386a4e34d
	https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529
	https://git.kernel.org/stable/c/7a400c6fe3617e31e690e3f7ca37bb335e0498f3

Impacted products

Vendor

Product

Version

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Version: 2.6.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/usblp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4650cce898fcd0bb8c33e529984687a8caed10c3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "612640abbd9e0947fe8f37aaf0cf324265d7caa4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4220d4dd062ea3d3eb056a6cbe0b568e740d20b1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6e29c32a27218f2dcd4a4e9b0b3c5e7728640698",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6d8142141c942c0d8e79343cffda9c44bb1f3f4f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8247f52d822180e94ccbfdab91613af386a4e34d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "522d17e93a85575256894212d10e5a1fa6f36529",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7a400c6fe3617e31e690e3f7ca37bb335e0498f3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/usblp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usblp: fix heap leak in IEEE 1284 device ID via short response\n\nusblp_ctrl_msg() collapses the usb_control_msg() return value to\n0/-errno, discarding the actual number of bytes transferred.  A broken\nprinter can complete the GET_DEVICE_ID control transfer short and the\ndriver has no way to know.\n\nusblp_cache_device_id_string() reads the 2-byte big-endian length prefix\nfrom the response and trusts it (clamped only to the buffer bounds).\nThe buffer is kmalloc(1024) at probe time. A device that sends exactly\ntwo bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves\ndevice_id_string[2..1022] holding stale kmalloc heap.\n\nThat stale data is then exposed:\n  - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated\n    at the first NUL in the stale heap), and\n  - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full\n    claimed length regardless of NULs, up to 1021 bytes of uninitialized\n    heap, with the leak size chosen by the device.\n\nFix this up by just zapping the buffer with zeros before each request\nsent to the device."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:58:20.398Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4650cce898fcd0bb8c33e529984687a8caed10c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/612640abbd9e0947fe8f37aaf0cf324265d7caa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4220d4dd062ea3d3eb056a6cbe0b568e740d20b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e29c32a27218f2dcd4a4e9b0b3c5e7728640698"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d8142141c942c0d8e79343cffda9c44bb1f3f4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8247f52d822180e94ccbfdab91613af386a4e34d"
        },
        {
          "url": "https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a400c6fe3617e31e690e3f7ca37bb335e0498f3"
        }
      ],
      "title": "usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46151",
    "datePublished": "2026-05-28T09:36:07.397Z",
    "dateReserved": "2026-05-13T15:03:33.101Z",
    "dateUpdated": "2026-06-14T17:58:20.398Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46012 (GCVE-0-2026-46012)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix memory leaks in rxkad_verify_response() Fix rxkad_verify_response() to free the ticket and the server key under all circumstances by initialising the ticket pointer to NULL and then making all paths through the function after the first allocation has been done go through a single common epilogue that just releases everything - where all the releases skip on a NULL pointer.

References

URL

Tags

	https://git.kernel.org/stable/c/c4b8f32e73eafd4a5076be890c7c8506ec04567c
	https://git.kernel.org/stable/c/852b9d64cea421336579b2de3d1338dfa677e2dd
	https://git.kernel.org/stable/c/861b9a0a1823bf064a7b810d29502a9ef043f40f
	https://git.kernel.org/stable/c/c91f33fb8356dedc82bc56ce210f1a5dbee62a52
	https://git.kernel.org/stable/c/34f61a07e0cdefaecd3ec03bb5fb22215643678f

Impacted products

Vendor

Product

Version

Version: ec832bd06d6fdf08b0455ab7c2a7a9104e029638
Version: ec832bd06d6fdf08b0455ab7c2a7a9104e029638
Version: ec832bd06d6fdf08b0455ab7c2a7a9104e029638
Version: ec832bd06d6fdf08b0455ab7c2a7a9104e029638
Version: ec832bd06d6fdf08b0455ab7c2a7a9104e029638

Version: 5.11

Show details on NVD website

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45484

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rxrpc/rxkad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c4b8f32e73eafd4a5076be890c7c8506ec04567c",
              "status": "affected",
              "version": "ec832bd06d6fdf08b0455ab7c2a7a9104e029638",
              "versionType": "git"
            },
            {
              "lessThan": "852b9d64cea421336579b2de3d1338dfa677e2dd",
              "status": "affected",
              "version": "ec832bd06d6fdf08b0455ab7c2a7a9104e029638",
              "versionType": "git"
            },
            {
              "lessThan": "861b9a0a1823bf064a7b810d29502a9ef043f40f",
              "status": "affected",
              "version": "ec832bd06d6fdf08b0455ab7c2a7a9104e029638",
              "versionType": "git"
            },
            {
              "lessThan": "c91f33fb8356dedc82bc56ce210f1a5dbee62a52",
              "status": "affected",
              "version": "ec832bd06d6fdf08b0455ab7c2a7a9104e029638",
              "versionType": "git"
            },
            {
              "lessThan": "34f61a07e0cdefaecd3ec03bb5fb22215643678f",
              "status": "affected",
              "version": "ec832bd06d6fdf08b0455ab7c2a7a9104e029638",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rxrpc/rxkad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix memory leaks in rxkad_verify_response()\n\nFix rxkad_verify_response() to free the ticket and the server key under all\ncircumstances by initialising the ticket pointer to NULL and then making\nall paths through the function after the first allocation has been done go\nthrough a single common epilogue that just releases everything - where all\nthe releases skip on a NULL pointer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:55.135Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c4b8f32e73eafd4a5076be890c7c8506ec04567c"
        },
        {
          "url": "https://git.kernel.org/stable/c/852b9d64cea421336579b2de3d1338dfa677e2dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/861b9a0a1823bf064a7b810d29502a9ef043f40f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c91f33fb8356dedc82bc56ce210f1a5dbee62a52"
        },
        {
          "url": "https://git.kernel.org/stable/c/34f61a07e0cdefaecd3ec03bb5fb22215643678f"
        }
      ],
      "title": "rxrpc: Fix memory leaks in rxkad_verify_response()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46012",
    "datePublished": "2026-05-27T12:56:14.131Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-06-14T17:47:55.135Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45484 (GCVE-0-2026-45484)

Vulnerability from cvelistv5

Published

2026-06-09 17:05

Modified

2026-06-16 18:18

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.

References

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

Version: 16.0.0 < 16.0.5556.1005

	Microsoft	Microsoft SharePoint Server 2019	Version: 16.0.0 < 16.0.10417.20153
	Microsoft	Microsoft SharePoint Server Subscription Edition	Version: 16.0.0 < 16.0.19725.20384

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45484",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:56:59.182927Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:15:46.278Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Enterprise Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5556.1005",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20153",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft SharePoint Server Subscription Edition",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.19725.20384",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "16.0.5556.1005",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20153",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
                  "versionEndExcluding": "16.0.19725.20384",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T18:18:25.674Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft SharePoint Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45484"
        }
      ],
      "title": "Microsoft SharePoint Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45484",
    "datePublished": "2026-06-09T17:05:50.512Z",
    "dateReserved": "2026-05-12T16:07:22.617Z",
    "dateUpdated": "2026-06-16T18:18:25.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46000 (GCVE-0-2026-46000)

Vulnerability from cvelistv5

Published

2026-05-27 12:55

Modified

2026-06-14 17:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted). Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned.

References

URL

Tags

	https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5
	https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12
	https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044
	https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00
	https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f

Impacted products

Vendor

Product

Version

Version: 17926a79320afa9b95df6b977b40cca6d8713cea
Version: 17926a79320afa9b95df6b977b40cca6d8713cea
Version: 17926a79320afa9b95df6b977b40cca6d8713cea
Version: 17926a79320afa9b95df6b977b40cca6d8713cea
Version: 17926a79320afa9b95df6b977b40cca6d8713cea

Version: 2.6.22

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rxrpc/conn_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c0428a22daf69714dc042b67ea759956b74c74e5",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            },
            {
              "lessThan": "98a2046d155f73f6cf5d2c493c5e09b4963e2e12",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            },
            {
              "lessThan": "ca71ac2de389b01eecdc48bfafbdf073ec232044",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            },
            {
              "lessThan": "d9b93a0f57ca5f6831bfaa34014b6cd705564a00",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            },
            {
              "lessThan": "24481a7f573305706054c59e275371f8d0fe919f",
              "status": "affected",
              "version": "17926a79320afa9b95df6b977b40cca6d8713cea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rxrpc/conn_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix conn-level packet handling to unshare RESPONSE packets\n\nThe security operations that verify the RESPONSE packets decrypt bits of it\nin place - however, the sk_buff may be shared with a packet sniffer, which\nwould lead to the sniffer seeing an apparently corrupt packet (actually\ndecrypted).\n\nFix this by handing a copy of the packet off to the specific security\nhandler if the packet was cloned."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:47:13.061Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00"
        },
        {
          "url": "https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f"
        }
      ],
      "title": "rxrpc: Fix conn-level packet handling to unshare RESPONSE packets",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46000",
    "datePublished": "2026-05-27T12:55:55.288Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-06-14T17:47:13.061Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46219 (GCVE-0-2026-46219)

Vulnerability from cvelistv5

Published

2026-05-28 09:40

Modified

2026-06-14 18:03

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on unbind The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.

References

URL

Tags

	https://git.kernel.org/stable/c/ac8316c896c79f32c1d0a38cb41fd2b14cf8112e
	https://git.kernel.org/stable/c/ed929d40963073f23cfb50219ccbcc6e0c3ea641
	https://git.kernel.org/stable/c/0944b20e9dfa2917bd70eb5b301cbb67fe54a718
	https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188
	https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2
	https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02
	https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46
	https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0

Impacted products

Vendor

Product

Version

Version: e0c6ce8424095c2da32a063d3fc027494c689817
Version: cd5106c77d6d6828aa82449f01f4eb436d602a21
Version: 373d55a47dc662e5e30d12ad5d334312f757c1f1
Version: f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59
Version: 90b72189de2cddacb26250579da0510b29a8b82b
Version: 984836621aad98802d92c4a3047114cf518074c8
Version: 984836621aad98802d92c4a3047114cf518074c8
Version: 984836621aad98802d92c4a3047114cf518074c8
Version: d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1
Version: 5.10.231   ≤
Version: 5.15.174   ≤
Version: 6.1.120   ≤
Version: 6.6.66   ≤
Version: 6.12.5   ≤
Version: 5.4.287   ≤

Version: 6.13

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-mpc52xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac8316c896c79f32c1d0a38cb41fd2b14cf8112e",
              "status": "affected",
              "version": "e0c6ce8424095c2da32a063d3fc027494c689817",
              "versionType": "git"
            },
            {
              "lessThan": "ed929d40963073f23cfb50219ccbcc6e0c3ea641",
              "status": "affected",
              "version": "cd5106c77d6d6828aa82449f01f4eb436d602a21",
              "versionType": "git"
            },
            {
              "lessThan": "0944b20e9dfa2917bd70eb5b301cbb67fe54a718",
              "status": "affected",
              "version": "373d55a47dc662e5e30d12ad5d334312f757c1f1",
              "versionType": "git"
            },
            {
              "lessThan": "bb6b50f709c5a01906ff72a07fdc070bb3357188",
              "status": "affected",
              "version": "f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59",
              "versionType": "git"
            },
            {
              "lessThan": "ee52da0dd83ebcd89ecbbe2660c57b15a25489f2",
              "status": "affected",
              "version": "90b72189de2cddacb26250579da0510b29a8b82b",
              "versionType": "git"
            },
            {
              "lessThan": "6c3e413919a12627d04a31a4a5fccb9fc129bb02",
              "status": "affected",
              "version": "984836621aad98802d92c4a3047114cf518074c8",
              "versionType": "git"
            },
            {
              "lessThan": "bbcd6dd8e9f264440eaf6167382bf404911c1c46",
              "status": "affected",
              "version": "984836621aad98802d92c4a3047114cf518074c8",
              "versionType": "git"
            },
            {
              "lessThan": "706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0",
              "status": "affected",
              "version": "984836621aad98802d92c4a3047114cf518074c8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.258",
              "status": "affected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.209",
              "status": "affected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.175",
              "status": "affected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.90",
              "status": "affected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.287",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-mpc52xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.10.231",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.15.174",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "6.1.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.66",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "6.12.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.287",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: mpc52xx: fix use-after-free on unbind\n\nThe state machine work is scheduled by the interrupt handler and\ntherefore needs to be cancelled after disabling interrupts to avoid a\npotential use-after-free."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:03:33.018Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac8316c896c79f32c1d0a38cb41fd2b14cf8112e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed929d40963073f23cfb50219ccbcc6e0c3ea641"
        },
        {
          "url": "https://git.kernel.org/stable/c/0944b20e9dfa2917bd70eb5b301cbb67fe54a718"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46"
        },
        {
          "url": "https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0"
        }
      ],
      "title": "spi: mpc52xx: fix use-after-free on unbind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46219",
    "datePublished": "2026-05-28T09:40:35.297Z",
    "dateReserved": "2026-05-13T15:03:33.105Z",
    "dateUpdated": "2026-06-14T18:03:33.018Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46038 (GCVE-0-2026-46038)

Vulnerability from cvelistv5

Published

2026-05-27 12:56

Modified

2026-06-14 17:49

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Free the node during ctrl_cmd_bye() A node sends the BYE packet when it is about to go down. So the nameserver should advertise the removal of the node to all remote and local observers and free the node finally. But currently, the nameserver doesn't free the node memory even after processing the BYE packet. This causes the node memory to leak. Hence, remove the node from Xarray list and free the node memory during both success and failure case of ctrl_cmd_bye().

References

URL

Tags

	https://git.kernel.org/stable/c/ff78ed177a66763085e3214d6fbe13ca8f0b3f11
	https://git.kernel.org/stable/c/65932f5102bb5377db36c8a4f0c28179a1967a9a
	https://git.kernel.org/stable/c/154fc7fe3f62c46891c3c4302f4b5b5391c932e6
	https://git.kernel.org/stable/c/076e4b162d6caba12c229e7f262df5b6881162b0
	https://git.kernel.org/stable/c/68efba36446a7774ea5b971257ade049272a07ac

Impacted products

Vendor

Product

Version

Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd
Version: 0c2204a4ad710d95d348ea006f14ba926e842ffd

Version: 5.7

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ff78ed177a66763085e3214d6fbe13ca8f0b3f11",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "65932f5102bb5377db36c8a4f0c28179a1967a9a",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "154fc7fe3f62c46891c3c4302f4b5b5391c932e6",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "076e4b162d6caba12c229e7f262df5b6881162b0",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "68efba36446a7774ea5b971257ade049272a07ac",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Free the node during ctrl_cmd_bye()\n\nA node sends the BYE packet when it is about to go down. So the nameserver\nshould advertise the removal of the node to all remote and local observers\nand free the node finally. But currently, the nameserver doesn\u0027t free the\nnode memory even after processing the BYE packet. This causes the node\nmemory to leak.\n\nHence, remove the node from Xarray list and free the node memory during\nboth success and failure case of ctrl_cmd_bye()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:49:48.176Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ff78ed177a66763085e3214d6fbe13ca8f0b3f11"
        },
        {
          "url": "https://git.kernel.org/stable/c/65932f5102bb5377db36c8a4f0c28179a1967a9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/154fc7fe3f62c46891c3c4302f4b5b5391c932e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/076e4b162d6caba12c229e7f262df5b6881162b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/68efba36446a7774ea5b971257ade049272a07ac"
        }
      ],
      "title": "net: qrtr: ns: Free the node during ctrl_cmd_bye()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46038",
    "datePublished": "2026-05-27T12:56:50.125Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-06-14T17:49:48.176Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46238 (GCVE-0-2026-46238)

Vulnerability from cvelistv5

Published

2026-05-28 09:41

Modified

2026-06-14 18:04

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use. [sven: avoid bonding logic for outgoing OGM]

References

URL

Tags

	https://git.kernel.org/stable/c/86b2b58d7c228d850c8c78e4144e6123e8ed2718
	https://git.kernel.org/stable/c/384e3050a42be9085d50507b4d5f8266a588d742
	https://git.kernel.org/stable/c/8c16c68fdbb69778f8d04f650340c3f4d1518f8e
	https://git.kernel.org/stable/c/aafcbaf1159ea224528ca4075d0ba8c10ef374af
	https://git.kernel.org/stable/c/6e20700f8c524ac379ba8274ff5d453023b7c006
	https://git.kernel.org/stable/c/09dc0d1a12222ffca6481916eab3cfea477b9620
	https://git.kernel.org/stable/c/67bceeb22207f1f5a402973a3a0809e5f2698f38
	https://git.kernel.org/stable/c/f03e8583532941b07761c5429de7d50766fa3110

Impacted products

Vendor

Product

Version

Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3
Version: c6c8fea29769d998d94fcec9b9f14d4b52b349d3

Version: 2.6.38

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_iv_ogm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86b2b58d7c228d850c8c78e4144e6123e8ed2718",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "384e3050a42be9085d50507b4d5f8266a588d742",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "8c16c68fdbb69778f8d04f650340c3f4d1518f8e",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "aafcbaf1159ea224528ca4075d0ba8c10ef374af",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "6e20700f8c524ac379ba8274ff5d453023b7c006",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "09dc0d1a12222ffca6481916eab3cfea477b9620",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "67bceeb22207f1f5a402973a3a0809e5f2698f38",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            },
            {
              "lessThan": "f03e8583532941b07761c5429de7d50766fa3110",
              "status": "affected",
              "version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_iv_ogm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: stop caching unowned originator pointers in BAT IV\n\nBAT IV keeps the last-hop neighbor address in each neigh_node, but some\npaths also cache an originator pointer derived from a temporary lookup.\nThat pointer is not owned by the neigh_node and may no longer refer to a\nlive originator entry after purge handling runs.\n\nStop storing the auxiliary originator pointer in the BAT IV neighbor\nstate. When BAT IV needs the neighbor originator data, resolve it from\nthe stored neighbor address and drop the reference again after use.\n\n[sven: avoid bonding logic for outgoing OGM]"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:55.937Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86b2b58d7c228d850c8c78e4144e6123e8ed2718"
        },
        {
          "url": "https://git.kernel.org/stable/c/384e3050a42be9085d50507b4d5f8266a588d742"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c16c68fdbb69778f8d04f650340c3f4d1518f8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/aafcbaf1159ea224528ca4075d0ba8c10ef374af"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e20700f8c524ac379ba8274ff5d453023b7c006"
        },
        {
          "url": "https://git.kernel.org/stable/c/09dc0d1a12222ffca6481916eab3cfea477b9620"
        },
        {
          "url": "https://git.kernel.org/stable/c/67bceeb22207f1f5a402973a3a0809e5f2698f38"
        },
        {
          "url": "https://git.kernel.org/stable/c/f03e8583532941b07761c5429de7d50766fa3110"
        }
      ],
      "title": "batman-adv: stop caching unowned originator pointers in BAT IV",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46238",
    "datePublished": "2026-05-28T09:41:06.816Z",
    "dateReserved": "2026-05-13T15:03:33.107Z",
    "dateUpdated": "2026-06-14T18:04:55.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-15649 (GCVE-0-2025-15649)

Vulnerability from cvelistv5

Published

2026-05-27 02:25

Modified

2026-05-29 15:49

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Summary

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

References

URL

Tags

	https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch	patch
	https://github.com/pmqs/IO-Compress/issues/65	issue-tracking
	https://metacpan.org/release/PMQS/IO-Compress-2.215/changes	release-notes

Impacted products

	Vendor	Product	Version
	PMQS	IO::Uncompress::Unzip	Version: 0 < 2.215

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-27T07:24:54.753Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/27/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-15649",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T15:48:49.848833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T15:49:21.186Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "IO-Compress",
          "product": "IO::Uncompress::Unzip",
          "programFiles": [
            "lib/IO/Uncompress/Unzip.pm"
          ],
          "programRoutines": [
            {
              "name": "IO::Uncompress::Unzip::_dosToUnixTime"
            }
          ],
          "repo": "https://github.com/pmqs/IO-Compress",
          "vendor": "PMQS",
          "versions": [
            {
              "lessThan": "2.215",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.\n\n_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.\n\nThe exception propagates out of IO::Uncompress::Unzip-\u003enew($file) where callers expect undef plus $UnzipError."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248 Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T02:25:38.973Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/pmqs/IO-Compress/issues/65"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/PMQS/IO-Compress-2.215/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to IO-Compress 2.215 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-25T00:00:00.000Z",
          "value": "Issue reported."
        },
        {
          "lang": "en",
          "time": "2026-01-30T00:00:00.000Z",
          "value": "Version 2.215 released."
        }
      ],
      "title": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-15649",
    "datePublished": "2026-05-27T02:25:38.973Z",
    "dateReserved": "2026-05-26T18:17:10.655Z",
    "dateUpdated": "2026-05-29T15:49:21.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46150 (GCVE-0-2026-46150)

Vulnerability from cvelistv5

Published

2026-05-28 09:36

Modified

2026-06-14 17:58

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

In the Linux kernel, the following vulnerability has been resolved: fanotify: fix false positive on permission events fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check. Fix by skipping over detached marks that are not in the current group.

References

URL

Tags

	https://git.kernel.org/stable/c/a24765332e129c1916d5a6615418b75599b8fcdc
	https://git.kernel.org/stable/c/4a7611ad653785fcdea5ff5f4441e2b7d05b7f11
	https://git.kernel.org/stable/c/04bb66be92f48ed13c3faf1139d892df228789bc
	https://git.kernel.org/stable/c/895ebbedf88318607c24acc0f591c74b165e1d0a
	https://git.kernel.org/stable/c/f130790f1acc8399f32652846c875a251efd040f
	https://git.kernel.org/stable/c/7baa02b0ae9d17ec5f08836d8ea88ce1927d0678
	https://git.kernel.org/stable/c/b7b24b28c8cd55844cab908f4f39dded638d5538
	https://git.kernel.org/stable/c/7746e3bd4cc19b5092e00d32d676e329bfcb6900

Impacted products

Vendor

Product

Version

Version: abc77577a669f424c5d0c185b9994f2621c52aa4
Version: abc77577a669f424c5d0c185b9994f2621c52aa4
Version: abc77577a669f424c5d0c185b9994f2621c52aa4
Version: abc77577a669f424c5d0c185b9994f2621c52aa4
Version: abc77577a669f424c5d0c185b9994f2621c52aa4
Version: abc77577a669f424c5d0c185b9994f2621c52aa4
Version: abc77577a669f424c5d0c185b9994f2621c52aa4
Version: abc77577a669f424c5d0c185b9994f2621c52aa4

Version: 4.12

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/notify/fsnotify.c",
            "fs/notify/mark.c",
            "include/linux/fsnotify_backend.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a24765332e129c1916d5a6615418b75599b8fcdc",
              "status": "affected",
              "version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
              "versionType": "git"
            },
            {
              "lessThan": "4a7611ad653785fcdea5ff5f4441e2b7d05b7f11",
              "status": "affected",
              "version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
              "versionType": "git"
            },
            {
              "lessThan": "04bb66be92f48ed13c3faf1139d892df228789bc",
              "status": "affected",
              "version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
              "versionType": "git"
            },
            {
              "lessThan": "895ebbedf88318607c24acc0f591c74b165e1d0a",
              "status": "affected",
              "version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
              "versionType": "git"
            },
            {
              "lessThan": "f130790f1acc8399f32652846c875a251efd040f",
              "status": "affected",
              "version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
              "versionType": "git"
            },
            {
              "lessThan": "7baa02b0ae9d17ec5f08836d8ea88ce1927d0678",
              "status": "affected",
              "version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
              "versionType": "git"
            },
            {
              "lessThan": "b7b24b28c8cd55844cab908f4f39dded638d5538",
              "status": "affected",
              "version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
              "versionType": "git"
            },
            {
              "lessThan": "7746e3bd4cc19b5092e00d32d676e329bfcb6900",
              "status": "affected",
              "version": "abc77577a669f424c5d0c185b9994f2621c52aa4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/notify/fsnotify.c",
            "fs/notify/mark.c",
            "include/linux/fsnotify_backend.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfanotify: fix false positive on permission events\n\nfsnotify_get_mark_safe() may return false for a mark on an unrelated group,\nwhich results in bypassing the permission check.\n\nFix by skipping over detached marks that are not in the current group."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:58:15.548Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a24765332e129c1916d5a6615418b75599b8fcdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a7611ad653785fcdea5ff5f4441e2b7d05b7f11"
        },
        {
          "url": "https://git.kernel.org/stable/c/04bb66be92f48ed13c3faf1139d892df228789bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/895ebbedf88318607c24acc0f591c74b165e1d0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f130790f1acc8399f32652846c875a251efd040f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7baa02b0ae9d17ec5f08836d8ea88ce1927d0678"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7b24b28c8cd55844cab908f4f39dded638d5538"
        },
        {
          "url": "https://git.kernel.org/stable/c/7746e3bd4cc19b5092e00d32d676e329bfcb6900"
        }
      ],
      "title": "fanotify: fix false positive on permission events",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46150",
    "datePublished": "2026-05-28T09:36:06.494Z",
    "dateReserved": "2026-05-13T15:03:33.101Z",
    "dateUpdated": "2026-06-14T17:58:15.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46085 (GCVE-0-2026-46085)

Vulnerability from cvelistv5

Published

2026-05-27 12:58

Modified

2026-06-14 17:53

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxkad crypto unalignment handling Fix handling of a packet with a misaligned crypto length. Also handle non-ENOMEM errors from decryption by aborting. Further, remove the WARN_ON_ONCE() so that it can't be remotely triggered (a trace line can still be emitted).

References

URL

Tags

	https://git.kernel.org/stable/c/f1c6bd0cc786a8fa74829ce3c4b3673944a308f4
	https://git.kernel.org/stable/c/440d20d95e844b657a93a0b2dcc2aae155efdce6
	https://git.kernel.org/stable/c/f0d3efd03b2a9e0f1ffa6df8fcb264af3d494286
	https://git.kernel.org/stable/c/af9271eb666d07b6f65612dc160a47f7cb5220ed
	https://git.kernel.org/stable/c/def304aae2edf321d2671fd6ca766a93c21f877e

Impacted products

Vendor

Product

Version

Version: 9853917f9edf08efb0b55c26d9eb8340f126d9e9
Version: e9c369d58785044427450350ad32d6a2497fb379
Version: bf4d6e4a6856eedeb7f66eb91224115bfff4e2cb
Version: f93af41b9f5f798823d0d0fb8765c2a936d76270
Version: f93af41b9f5f798823d0d0fb8765c2a936d76270
Version: 5cdf57eda01a1ffaeb61ac39ec4dcc94a690431e
Version: 6.6.135   ≤
Version: 6.12.82   ≤
Version: 6.18.23   ≤
Version: 6.19.13   ≤

Version: 7.0

Show details on NVD website

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/rxrpc.h",
            "net/rxrpc/rxkad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1c6bd0cc786a8fa74829ce3c4b3673944a308f4",
              "status": "affected",
              "version": "9853917f9edf08efb0b55c26d9eb8340f126d9e9",
              "versionType": "git"
            },
            {
              "lessThan": "440d20d95e844b657a93a0b2dcc2aae155efdce6",
              "status": "affected",
              "version": "e9c369d58785044427450350ad32d6a2497fb379",
              "versionType": "git"
            },
            {
              "lessThan": "f0d3efd03b2a9e0f1ffa6df8fcb264af3d494286",
              "status": "affected",
              "version": "bf4d6e4a6856eedeb7f66eb91224115bfff4e2cb",
              "versionType": "git"
            },
            {
              "lessThan": "af9271eb666d07b6f65612dc160a47f7cb5220ed",
              "status": "affected",
              "version": "f93af41b9f5f798823d0d0fb8765c2a936d76270",
              "versionType": "git"
            },
            {
              "lessThan": "def304aae2edf321d2671fd6ca766a93c21f877e",
              "status": "affected",
              "version": "f93af41b9f5f798823d0d0fb8765c2a936d76270",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5cdf57eda01a1ffaeb61ac39ec4dcc94a690431e",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.140",
              "status": "affected",
              "version": "6.6.135",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.86",
              "status": "affected",
              "version": "6.12.82",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.27",
              "status": "affected",
              "version": "6.18.23",
              "versionType": "semver"
            },
            {
              "lessThan": "6.20",
              "status": "affected",
              "version": "6.19.13",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/rxrpc.h",
            "net/rxrpc/rxkad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "7.0"
            },
            {
              "lessThan": "7.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.12.82",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.18.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.19.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix rxkad crypto unalignment handling\n\nFix handling of a packet with a misaligned crypto length.  Also handle\nnon-ENOMEM errors from decryption by aborting.  Further, remove the\nWARN_ON_ONCE() so that it can\u0027t be remotely triggered (a trace line can\nstill be emitted)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:53:14.585Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1c6bd0cc786a8fa74829ce3c4b3673944a308f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/440d20d95e844b657a93a0b2dcc2aae155efdce6"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0d3efd03b2a9e0f1ffa6df8fcb264af3d494286"
        },
        {
          "url": "https://git.kernel.org/stable/c/af9271eb666d07b6f65612dc160a47f7cb5220ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/def304aae2edf321d2671fd6ca766a93c21f877e"
        }
      ],
      "title": "rxrpc: Fix rxkad crypto unalignment handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46085",
    "datePublished": "2026-05-27T12:58:27.125Z",
    "dateReserved": "2026-05-13T15:03:33.096Z",
    "dateUpdated": "2026-06-14T17:53:14.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46125 (GCVE-0-2026-46125)

Vulnerability from cvelistv5

Published

2026-05-28 09:35

Modified

2026-06-14 17:56

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes. This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.

References

URL

Tags

	https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2
	https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a
	https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0
	https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1
	https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4

Impacted products

Vendor

Product

Version

Version: 81151ce462e533551f3284bfdb8e0f461c9220e6
Version: 81151ce462e533551f3284bfdb8e0f461c9220e6
Version: 81151ce462e533551f3284bfdb8e0f461c9220e6
Version: 81151ce462e533551f3284bfdb8e0f461c9220e6
Version: 81151ce462e533551f3284bfdb8e0f461c9220e6

Version: 6.0

Show details on NVD website