CVE-2026-46241 (GCVE-0-2026-46241)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:41 – Updated: 2026-05-28 09:41
Title
spi: mpc52xx: fix use-after-free on registration failure
Summary
In the Linux kernel, the following vulnerability has been resolved:

spi: mpc52xx: fix use-after-free on registration failure

Make sure to disable and free the interrupts in case controller
registration fails to avoid a potential use-after-free and resource
leak.

This issue was flagged by Sashiko when reviewing a controller
deregistration fix.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 42bbb70980f3720b0ae6da6af862af0e95a04351 , < 8b49b6aadd0c622ca7d68b4a53ae10362e221cf3 (git); Affected: 42bbb70980f3720b0ae6da6af862af0e95a04351 , < 336d9ad7560b3baba17af06727a888040ee93390 (git); Affected: 42bbb70980f3720b0ae6da6af862af0e95a04351 , < 5c77f11b9b5f1ad5a704dad875260c44016ede10 (git); Affected: 42bbb70980f3720b0ae6da6af862af0e95a04351 , < f62c060272b9d7423b1650b844e8e4e7b8f9f925 (git) |
| Linux | Linux | Affected: 2.6.33; Unaffected: 0 , < 2.6.33 (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-mpc52xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b49b6aadd0c622ca7d68b4a53ae10362e221cf3",
"status": "affected",
"version": "42bbb70980f3720b0ae6da6af862af0e95a04351",
"versionType": "git"
},
{
"lessThan": "336d9ad7560b3baba17af06727a888040ee93390",
"status": "affected",
"version": "42bbb70980f3720b0ae6da6af862af0e95a04351",
"versionType": "git"
},
{
"lessThan": "5c77f11b9b5f1ad5a704dad875260c44016ede10",
"status": "affected",
"version": "42bbb70980f3720b0ae6da6af862af0e95a04351",
"versionType": "git"
},
{
"lessThan": "f62c060272b9d7423b1650b844e8e4e7b8f9f925",
"status": "affected",
"version": "42bbb70980f3720b0ae6da6af862af0e95a04351",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-mpc52xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: mpc52xx: fix use-after-free on registration failure\n\nMake sure to disable and free the interrupts in case controller\nregistration fails to avoid a potential use-after-free and resource\nleak.\n\nThis issue was flagged by Sashiko when reviewing a controller\nderegistration fix."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:41:09.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b49b6aadd0c622ca7d68b4a53ae10362e221cf3"
},
{
"url": "https://git.kernel.org/stable/c/336d9ad7560b3baba17af06727a888040ee93390"
},
{
"url": "https://git.kernel.org/stable/c/5c77f11b9b5f1ad5a704dad875260c44016ede10"
},
{
"url": "https://git.kernel.org/stable/c/f62c060272b9d7423b1650b844e8e4e7b8f9f925"
}
],
"title": "spi: mpc52xx: fix use-after-free on registration failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46241",
"datePublished": "2026-05-28T09:41:09.145Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-05-28T09:41:09.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46240 (GCVE-0-2026-46240)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:41 – Updated: 2026-05-28 09:41
Title
media: iris: Fix use-after-free in iris_release_internal_buffers()
Summary
In the Linux kernel, the following vulnerability has been resolved:

media: iris: Fix use-after-free in iris_release_internal_buffers()

The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy
internal buffers after FW releases") introduced a regression where
session_release_buf() may free the buffer. The caller,
iris_release_internal_buffers(), continued to access `buffer` after the
call, leading to a potential use-after-free.

Fix this by setting BUF_ATTR_PENDING_RELEASE before calling
session_release_buf(), and reverting the flag if the call fails. This
ensures no dereference occurs after potential freeing.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7cde76db8883ec8a3d1456068079ecadbfb15ca5 , < dd24998a4a4016fb9921916024399bd80f0d45c6 (git); Affected: 1dabf00ee206eceb0f08a1fe5d1ce635f9064338 , < 18c64439f249859b6140f7bf8bcf95c8ed841f28 (git); Affected: 1dabf00ee206eceb0f08a1fe5d1ce635f9064338 , < f27cfdcfc916bb59297825805f4c3499f89f9e76 (git); Affected: d4457f23ac0130240053a34be663f0fade3bb371 (git); Affected: 6.18.16 , < 6.18.32 (semver); Affected: 6.19.6 , < 6.20 (semver) |
| Linux | Linux | Affected: 7.0; Unaffected: 0 , < 7.0 (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/iris/iris_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd24998a4a4016fb9921916024399bd80f0d45c6",
"status": "affected",
"version": "7cde76db8883ec8a3d1456068079ecadbfb15ca5",
"versionType": "git"
},
{
"lessThan": "18c64439f249859b6140f7bf8bcf95c8ed841f28",
"status": "affected",
"version": "1dabf00ee206eceb0f08a1fe5d1ce635f9064338",
"versionType": "git"
},
{
"lessThan": "f27cfdcfc916bb59297825805f4c3499f89f9e76",
"status": "affected",
"version": "1dabf00ee206eceb0f08a1fe5d1ce635f9064338",
"versionType": "git"
},
{
"status": "affected",
"version": "d4457f23ac0130240053a34be663f0fade3bb371",
"versionType": "git"
},
{
"lessThan": "6.18.32",
"status": "affected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThan": "6.20",
"status": "affected",
"version": "6.19.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/iris/iris_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.18.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Fix use-after-free in iris_release_internal_buffers()\n\nThe recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy\ninternal buffers after FW releases\") introduced a regression where\nsession_release_buf() may free the buffer. The caller,\niris_release_internal_buffers(), continued to access `buffer` after the\ncall, leading to a potential use-after-free.\n\nFix this by setting BUF_ATTR_PENDING_RELEASE before calling\nsession_release_buf(), and reverting the flag if the call fails. This\nensures no dereference occurs after potential freeing."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:41:08.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd24998a4a4016fb9921916024399bd80f0d45c6"
},
{
"url": "https://git.kernel.org/stable/c/18c64439f249859b6140f7bf8bcf95c8ed841f28"
},
{
"url": "https://git.kernel.org/stable/c/f27cfdcfc916bb59297825805f4c3499f89f9e76"
}
],
"title": "media: iris: Fix use-after-free in iris_release_internal_buffers()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46240",
"datePublished": "2026-05-28T09:41:08.376Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-05-28T09:41:08.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46239 (GCVE-0-2026-46239)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:41 – Updated: 2026-05-28 09:41
Title
media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl
Summary
In the Linux kernel, the following vulnerability has been resolved:

media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl

Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly
return without calling pm_runtime_put(), causing runtime PM reference
count leaks.

Change these cases from 'return' to 'ret = ... break' pattern to ensure
pm_runtime_put() is always called before function exit.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4f66f36388d5668c215f107a4e1ce1a707251ff5 , < 6b03ecf75bda5900b8e661eb75656f631b598bc2 (git); Affected: 4f66f36388d5668c215f107a4e1ce1a707251ff5 , < f11ae9c04f8368a3b5a0280ef595198dace1c983 (git) |
| Linux | Linux | Affected: 7.0; Unaffected: 0 , < 7.0 (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/ov5647.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b03ecf75bda5900b8e661eb75656f631b598bc2",
"status": "affected",
"version": "4f66f36388d5668c215f107a4e1ce1a707251ff5",
"versionType": "git"
},
{
"lessThan": "f11ae9c04f8368a3b5a0280ef595198dace1c983",
"status": "affected",
"version": "4f66f36388d5668c215f107a4e1ce1a707251ff5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/ov5647.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl\n\nThree control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly\nreturn without calling pm_runtime_put(), causing runtime PM reference\ncount leaks.\n\nChange these cases from \u0027return\u0027 to \u0027ret = ... break\u0027 pattern to ensure\npm_runtime_put() is always called before function exit."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:41:07.609Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b03ecf75bda5900b8e661eb75656f631b598bc2"
},
{
"url": "https://git.kernel.org/stable/c/f11ae9c04f8368a3b5a0280ef595198dace1c983"
}
],
"title": "media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46239",
"datePublished": "2026-05-28T09:41:07.609Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-05-28T09:41:07.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46238 (GCVE-0-2026-46238)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:41 – Updated: 2026-05-28 09:41
Title
batman-adv: stop caching unowned originator pointers in BAT IV
Summary
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: stop caching unowned originator pointers in BAT IV

BAT IV keeps the last-hop neighbor address in each neigh_node, but some
paths also cache an originator pointer derived from a temporary lookup.
That pointer is not owned by the neigh_node and may no longer refer to a
live originator entry after purge handling runs.

Stop storing the auxiliary originator pointer in the BAT IV neighbor
state. When BAT IV needs the neighbor originator data, resolve it from
the stored neighbor address and drop the reference again after use.

[sven: avoid bonding logic for outgoing OGM]
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < aafcbaf1159ea224528ca4075d0ba8c10ef374af (git); Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 6e20700f8c524ac379ba8274ff5d453023b7c006 (git); Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 09dc0d1a12222ffca6481916eab3cfea477b9620 (git); Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 67bceeb22207f1f5a402973a3a0809e5f2698f38 (git); Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < f03e8583532941b07761c5429de7d50766fa3110 (git) |
| Linux | Linux | Affected: 2.6.38; Unaffected: 0 , < 2.6.38 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_iv_ogm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aafcbaf1159ea224528ca4075d0ba8c10ef374af",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "6e20700f8c524ac379ba8274ff5d453023b7c006",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "09dc0d1a12222ffca6481916eab3cfea477b9620",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "67bceeb22207f1f5a402973a3a0809e5f2698f38",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "f03e8583532941b07761c5429de7d50766fa3110",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_iv_ogm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc4",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: stop caching unowned originator pointers in BAT IV\n\nBAT IV keeps the last-hop neighbor address in each neigh_node, but some\npaths also cache an originator pointer derived from a temporary lookup.\nThat pointer is not owned by the neigh_node and may no longer refer to a\nlive originator entry after purge handling runs.\n\nStop storing the auxiliary originator pointer in the BAT IV neighbor\nstate. When BAT IV needs the neighbor originator data, resolve it from\nthe stored neighbor address and drop the reference again after use.\n\n[sven: avoid bonding logic for outgoing OGM]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:41:06.816Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aafcbaf1159ea224528ca4075d0ba8c10ef374af"
},
{
"url": "https://git.kernel.org/stable/c/6e20700f8c524ac379ba8274ff5d453023b7c006"
},
{
"url": "https://git.kernel.org/stable/c/09dc0d1a12222ffca6481916eab3cfea477b9620"
},
{
"url": "https://git.kernel.org/stable/c/67bceeb22207f1f5a402973a3a0809e5f2698f38"
},
{
"url": "https://git.kernel.org/stable/c/f03e8583532941b07761c5429de7d50766fa3110"
}
],
"title": "batman-adv: stop caching unowned originator pointers in BAT IV",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46238",
"datePublished": "2026-05-28T09:41:06.816Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-05-28T09:41:06.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46237 (GCVE-0-2026-46237)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:41 – Updated: 2026-05-28 09:41
Title
drm/amdgpu/vcn3: Avoid overflow on msg bound check
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vcn3: Avoid overflow on msg bound check

As pointed out by SDL, the previous condition may be vulnerable to
overflow.

(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 638d3e0b9eb77aa53fdd60e2b928761d16ba76fa , < 1936310f68c54be961de38ac539cef9b543207cb (git); Affected: 870c8738c3774336baedddd0240951d078a703b8 , < e8124121b79ab5d32fa8fbbd101f7208eca9cd7d (git); Affected: 638e48ee39d0f2af9336f917a6f5d6692dd64d93 , < 016b64a0313ea5346cf526e30c8d3e66aca10175 (git); Affected: e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7 , < 2e43b66fceacd6e982b94f2e3f8b34edd7463396 (git); Affected: b193019860d61e92da395eae2011f2f6716b182f , < e6e9faba8100628990cccd13f0f044a648c303cf (git) |
| Linux | Linux | Affected: 7.1-rc1; Unaffected: 0 , < 7.1-rc1 (semver); Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1936310f68c54be961de38ac539cef9b543207cb",
"status": "affected",
"version": "638d3e0b9eb77aa53fdd60e2b928761d16ba76fa",
"versionType": "git"
},
{
"lessThan": "e8124121b79ab5d32fa8fbbd101f7208eca9cd7d",
"status": "affected",
"version": "870c8738c3774336baedddd0240951d078a703b8",
"versionType": "git"
},
{
"lessThan": "016b64a0313ea5346cf526e30c8d3e66aca10175",
"status": "affected",
"version": "638e48ee39d0f2af9336f917a6f5d6692dd64d93",
"versionType": "git"
},
{
"lessThan": "2e43b66fceacd6e982b94f2e3f8b34edd7463396",
"status": "affected",
"version": "e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7",
"versionType": "git"
},
{
"lessThan": "e6e9faba8100628990cccd13f0f044a648c303cf",
"status": "affected",
"version": "b193019860d61e92da395eae2011f2f6716b182f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.1-rc1"
},
{
"lessThan": "7.1-rc1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "7.1-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn3: Avoid overflow on msg bound check\n\nAs pointed out by SDL, the previous condition may be vulnerable to\noverflow.\n\n(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:41:06.023Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1936310f68c54be961de38ac539cef9b543207cb"
},
{
"url": "https://git.kernel.org/stable/c/e8124121b79ab5d32fa8fbbd101f7208eca9cd7d"
},
{
"url": "https://git.kernel.org/stable/c/016b64a0313ea5346cf526e30c8d3e66aca10175"
},
{
"url": "https://git.kernel.org/stable/c/2e43b66fceacd6e982b94f2e3f8b34edd7463396"
},
{
"url": "https://git.kernel.org/stable/c/e6e9faba8100628990cccd13f0f044a648c303cf"
}
],
"title": "drm/amdgpu/vcn3: Avoid overflow on msg bound check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46237",
"datePublished": "2026-05-28T09:41:06.023Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:41:06.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46236 (GCVE-0-2026-46236)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:41 – Updated: 2026-05-28 09:41
Title
media: rc: xbox_remote: heed DMA restrictions
Summary
In the Linux kernel, the following vulnerability has been resolved:

media: rc: xbox_remote: heed DMA restrictions

The buffer for IO must not be part of the device structure
because that violates the DMA coherency rules.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 02d32bdad3123d7376244256936a6b3b6ee434e8 , < 0cc9251833bf02c8c7863404157c94dab5928fcf (git); Affected: 02d32bdad3123d7376244256936a6b3b6ee434e8 , < 48a668c22e8f92637bc496e84d1cf06900f74a5c (git); Affected: 02d32bdad3123d7376244256936a6b3b6ee434e8 , < 63a960b39de9c51f29ca19aa5067934f865c0bc7 (git); Affected: 02d32bdad3123d7376244256936a6b3b6ee434e8 , < 0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249 (git); Affected: 02d32bdad3123d7376244256936a6b3b6ee434e8 , < e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff (git) |
| Linux | Linux | Affected: 5.0; Unaffected: 0 , < 5.0 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/xbox_remote.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cc9251833bf02c8c7863404157c94dab5928fcf",
"status": "affected",
"version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
"versionType": "git"
},
{
"lessThan": "48a668c22e8f92637bc496e84d1cf06900f74a5c",
"status": "affected",
"version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
"versionType": "git"
},
{
"lessThan": "63a960b39de9c51f29ca19aa5067934f865c0bc7",
"status": "affected",
"version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
"versionType": "git"
},
{
"lessThan": "0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249",
"status": "affected",
"version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
"versionType": "git"
},
{
"lessThan": "e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff",
"status": "affected",
"version": "02d32bdad3123d7376244256936a6b3b6ee434e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/xbox_remote.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: xbox_remote: heed DMA restrictions\n\nThe buffer for IO must not be part of the device structure\nbecause that violates the DMA coherency rules."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:41:05.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cc9251833bf02c8c7863404157c94dab5928fcf"
},
{
"url": "https://git.kernel.org/stable/c/48a668c22e8f92637bc496e84d1cf06900f74a5c"
},
{
"url": "https://git.kernel.org/stable/c/63a960b39de9c51f29ca19aa5067934f865c0bc7"
},
{
"url": "https://git.kernel.org/stable/c/0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249"
},
{
"url": "https://git.kernel.org/stable/c/e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff"
}
],
"title": "media: rc: xbox_remote: heed DMA restrictions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46236",
"datePublished": "2026-05-28T09:41:05.230Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:41:05.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46235 (GCVE-0-2026-46235)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:41 – Updated: 2026-05-28 09:41
Title
media: saa7164: add ioremap return checks and cleanups
Summary
In the Linux kernel, the following vulnerability has been resolved:

media: saa7164: add ioremap return checks and cleanups

Add checks for ioremap return values in saa7164_dev_setup(). If
ioremap for BAR0 or BAR2 fails, release the already allocated PCI
memory regions, remove the device from the global list, decrement
the device count, and return -ENODEV.

This prevents potential null pointer dereferences and ensures proper
cleanup on memory mapping failures.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 443c1228d50518f3c550e1fef490a2c9d9246ce7 , < 3ce8f3057c51bb0a66aa3fab0862be74e9f88684 (git); Affected: 443c1228d50518f3c550e1fef490a2c9d9246ce7 , < a9b83f46e52cf1239d780920d1a7a3e415f7b5d9 (git); Affected: 443c1228d50518f3c550e1fef490a2c9d9246ce7 , < 6047dc542fa404b5c187cc2c7906aaaaec6d11ed (git); Affected: 443c1228d50518f3c550e1fef490a2c9d9246ce7 , < 6c22a6d8e4c1507bba504aeebe80476144a373eb (git); Affected: 443c1228d50518f3c550e1fef490a2c9d9246ce7 , < d51c60a498e83c9a79884c8e420f97e3885c9583 (git) |
| Linux | Linux | Affected: 2.6.32; Unaffected: 0 , < 2.6.32 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/saa7164/saa7164-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ce8f3057c51bb0a66aa3fab0862be74e9f88684",
"status": "affected",
"version": "443c1228d50518f3c550e1fef490a2c9d9246ce7",
"versionType": "git"
},
{
"lessThan": "a9b83f46e52cf1239d780920d1a7a3e415f7b5d9",
"status": "affected",
"version": "443c1228d50518f3c550e1fef490a2c9d9246ce7",
"versionType": "git"
},
{
"lessThan": "6047dc542fa404b5c187cc2c7906aaaaec6d11ed",
"status": "affected",
"version": "443c1228d50518f3c550e1fef490a2c9d9246ce7",
"versionType": "git"
},
{
"lessThan": "6c22a6d8e4c1507bba504aeebe80476144a373eb",
"status": "affected",
"version": "443c1228d50518f3c550e1fef490a2c9d9246ce7",
"versionType": "git"
},
{
"lessThan": "d51c60a498e83c9a79884c8e420f97e3885c9583",
"status": "affected",
"version": "443c1228d50518f3c550e1fef490a2c9d9246ce7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/saa7164/saa7164-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: saa7164: add ioremap return checks and cleanups\n\nAdd checks for ioremap return values in saa7164_dev_setup(). If\nioremap for BAR0 or BAR2 fails, release the already allocated PCI\nmemory regions, remove the device from the global list, decrement\nthe device count, and return -ENODEV.\n\nThis prevents potential null pointer dereferences and ensures proper\ncleanup on memory mapping failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:41:04.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ce8f3057c51bb0a66aa3fab0862be74e9f88684"
},
{
"url": "https://git.kernel.org/stable/c/a9b83f46e52cf1239d780920d1a7a3e415f7b5d9"
},
{
"url": "https://git.kernel.org/stable/c/6047dc542fa404b5c187cc2c7906aaaaec6d11ed"
},
{
"url": "https://git.kernel.org/stable/c/6c22a6d8e4c1507bba504aeebe80476144a373eb"
},
{
"url": "https://git.kernel.org/stable/c/d51c60a498e83c9a79884c8e420f97e3885c9583"
}
],
"title": "media: saa7164: add ioremap return checks and cleanups",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46235",
"datePublished": "2026-05-28T09:41:04.419Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:41:04.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46234 (GCVE-0-2026-46234)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
vsock: fix buffer size clamping order
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: fix buffer size clamping order
In vsock_update_buffer_size(), the buffer size was being clamped to the
maximum first, and then to the minimum. If a user sets a minimum buffer
size larger than the maximum, the minimum check overrides the maximum
check, inverting the constraint.
This breaks the intended socket memory boundaries by allowing the
vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.
Fix this by checking the minimum first, and then the maximum. This
ensures the buffer size never exceeds the buffer_max_size.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97 , < a998a7e250bf976539e05a00ec64a81292afecaa (git); Affected: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97 , < 310da27932dd0afe7ce7456dfe1f0814c3301f41 (git); Affected: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97 , < 2602f7bb5818e92315feeaeb71d8ce4d5c9ab160 (git); Affected: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97 , < 0b68881501460c3761f196469e1e503218c5e536 (git); Affected: b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97 , < d114bfdc9b76bf93b881e195b7ec957c14227bab (git) |
| Linux | Linux | Affected: 5.5; Unaffected: 0 , < 5.5 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a998a7e250bf976539e05a00ec64a81292afecaa",
"status": "affected",
"version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
"versionType": "git"
},
{
"lessThan": "310da27932dd0afe7ce7456dfe1f0814c3301f41",
"status": "affected",
"version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
"versionType": "git"
},
{
"lessThan": "2602f7bb5818e92315feeaeb71d8ce4d5c9ab160",
"status": "affected",
"version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
"versionType": "git"
},
{
"lessThan": "0b68881501460c3761f196469e1e503218c5e536",
"status": "affected",
"version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
"versionType": "git"
},
{
"lessThan": "d114bfdc9b76bf93b881e195b7ec957c14227bab",
"status": "affected",
"version": "b9f2b0ffde0c9b666b2b1672eb468b8f805a9b97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix buffer size clamping order\n\nIn vsock_update_buffer_size(), the buffer size was being clamped to the\nmaximum first, and then to the minimum. If a user sets a minimum buffer\nsize larger than the maximum, the minimum check overrides the maximum\ncheck, inverting the constraint.\n\nThis breaks the intended socket memory boundaries by allowing the\nvsk-\u003ebuffer_size to grow beyond the configured vsk-\u003ebuffer_max_size.\n\nFix this by checking the minimum first, and then the maximum. This\nensures the buffer size never exceeds the buffer_max_size."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:58.373Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a998a7e250bf976539e05a00ec64a81292afecaa"
},
{
"url": "https://git.kernel.org/stable/c/310da27932dd0afe7ce7456dfe1f0814c3301f41"
},
{
"url": "https://git.kernel.org/stable/c/2602f7bb5818e92315feeaeb71d8ce4d5c9ab160"
},
{
"url": "https://git.kernel.org/stable/c/0b68881501460c3761f196469e1e503218c5e536"
},
{
"url": "https://git.kernel.org/stable/c/d114bfdc9b76bf93b881e195b7ec957c14227bab"
}
],
"title": "vsock: fix buffer size clamping order",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46234",
"datePublished": "2026-05-28T09:40:58.373Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:58.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46233 (GCVE-0-2026-46233)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
batman-adv: bla: only purge non-released claims
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: bla: only purge non-released claims
When batadv_bla_purge_claims() goes through the list of claims, it is only
traversing the hash list with an rcu_read_lock(). Due to a potential
parallel batadv_claim_put(), it can happen that it encounters a claim which
was actually in the process of being released+freed by
batadv_claim_release(). In this case, backbone_gw is set to NULL before the
delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is
then no longer allowed because it would cause a NULL-ptr dereference.
To avoid this, only claims with a valid reference counter must be purged.
All others are already taken care of.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 7b8fbcee3184d848b5aee085ca16d0cf05c9b641 (git); Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe (git); Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < b65365d2b1e6095c538d49baeb140dd1c166c1b3 (git); Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d (git); Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < cf6b604011591865ae39ac82de8978c1120d17af (git) |
| Linux | Linux | Affected: 3.5; Unaffected: 0 , < 3.5 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b8fbcee3184d848b5aee085ca16d0cf05c9b641",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "b65365d2b1e6095c538d49baeb140dd1c166c1b3",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "cf6b604011591865ae39ac82de8978c1120d17af",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc4",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: only purge non-released claims\n\nWhen batadv_bla_purge_claims() goes through the list of claims, it is only\ntraversing the hash list with an rcu_read_lock(). Due to a potential\nparallel batadv_claim_put(), it can happen that it encounters a claim which\nwas actually in the process of being released+freed by\nbatadv_claim_release(). In this case, backbone_gw is set to NULL before the\ndelayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is\nthen no longer allowed because it would cause a NULL-ptr derefence.\n\nTo avoid this, only claims with a valid reference counter must be purged.\nAll others are already taken care of."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:55.019Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b8fbcee3184d848b5aee085ca16d0cf05c9b641"
},
{
"url": "https://git.kernel.org/stable/c/7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe"
},
{
"url": "https://git.kernel.org/stable/c/b65365d2b1e6095c538d49baeb140dd1c166c1b3"
},
{
"url": "https://git.kernel.org/stable/c/ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d"
},
{
"url": "https://git.kernel.org/stable/c/cf6b604011591865ae39ac82de8978c1120d17af"
}
],
"title": "batman-adv: bla: only purge non-released claims",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46233",
"datePublished": "2026-05-28T09:40:55.019Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:55.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46232 (GCVE-0-2026-46232)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
HID: playstation: Clamp num_touch_reports
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: playstation: Clamp num_touch_reports
A device would never lie about the number of touch reports would it?
If it does the loop in dualshock4_parse_report will read off the end of
the touch_reports array, up to about 2 KiB for the maximum number of 256
loop iterations. The data that is read is emitted via evdev if the
DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by
clamping the num_touch_reports value provided by the device to the
maximum size of the touch_reports array.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 752038248808a7ff176bbdb668f19ae7d2a9816b , < 0bc4cf1a6ba00fb8c074531b179bc7b97502fbc4 (git); Affected: 752038248808a7ff176bbdb668f19ae7d2a9816b , < 9c031b24aed6733b6dcc5d98527875b8654a04e9 (git); Affected: 752038248808a7ff176bbdb668f19ae7d2a9816b , < 7812694752a5f295eaa05a093b90a2c332666051 (git); Affected: 752038248808a7ff176bbdb668f19ae7d2a9816b , < 208f6d5b1dfd6399bc6af9e11f27f1f496243ed0 (git); Affected: 752038248808a7ff176bbdb668f19ae7d2a9816b , < cac61b58a3b6340c52afa06bb15eac033158db2f (git) |
| Linux | Linux | Affected: 6.2; Unaffected: 0 , < 6.2 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-playstation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bc4cf1a6ba00fb8c074531b179bc7b97502fbc4",
"status": "affected",
"version": "752038248808a7ff176bbdb668f19ae7d2a9816b",
"versionType": "git"
},
{
"lessThan": "9c031b24aed6733b6dcc5d98527875b8654a04e9",
"status": "affected",
"version": "752038248808a7ff176bbdb668f19ae7d2a9816b",
"versionType": "git"
},
{
"lessThan": "7812694752a5f295eaa05a093b90a2c332666051",
"status": "affected",
"version": "752038248808a7ff176bbdb668f19ae7d2a9816b",
"versionType": "git"
},
{
"lessThan": "208f6d5b1dfd6399bc6af9e11f27f1f496243ed0",
"status": "affected",
"version": "752038248808a7ff176bbdb668f19ae7d2a9816b",
"versionType": "git"
},
{
"lessThan": "cac61b58a3b6340c52afa06bb15eac033158db2f",
"status": "affected",
"version": "752038248808a7ff176bbdb668f19ae7d2a9816b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-playstation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc4",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: playstation: Clamp num_touch_reports\n\nA device would never lie about the number of touch reports would it?\n\nIf it does the loop in dualshock4_parse_report will read off the end of\nthe touch_reports array, up to about 2 KiB for the maximum number of 256\nloop iteraions. The data that is read is emitted via evdev if the\nDS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by\nclamping the num_touch_reports value provided by the device to the\nmaximum size of the touch_reports array."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:54.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bc4cf1a6ba00fb8c074531b179bc7b97502fbc4"
},
{
"url": "https://git.kernel.org/stable/c/9c031b24aed6733b6dcc5d98527875b8654a04e9"
},
{
"url": "https://git.kernel.org/stable/c/7812694752a5f295eaa05a093b90a2c332666051"
},
{
"url": "https://git.kernel.org/stable/c/208f6d5b1dfd6399bc6af9e11f27f1f496243ed0"
},
{
"url": "https://git.kernel.org/stable/c/cac61b58a3b6340c52afa06bb15eac033158db2f"
}
],
"title": "HID: playstation: Clamp num_touch_reports",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46232",
"datePublished": "2026-05-28T09:40:54.248Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:54.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46231 (GCVE-0-2026-46231)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
batman-adv: bla: put backbone reference on failed claim hash insert
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: bla: put backbone reference on failed claim hash insert
When batadv_bla_add_claim() fails to insert a new claim into the hash, it
leaked a reference to the backbone_gw for which the claim was intended.
Call batadv_backbone_gw_put() on the error path to release the reference
and avoid leaking the backbone_gw object.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3db0decf1185357d6ab2256d0dede1ca9efda03d , < 65419eb4259a26a3cd3f56fa0e3b3c113bf8c256 (git); Affected: 3db0decf1185357d6ab2256d0dede1ca9efda03d , < fd0ca034c1e71ca7613cde9dd892836b2c2831bd (git); Affected: 3db0decf1185357d6ab2256d0dede1ca9efda03d , < 0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0 (git); Affected: 3db0decf1185357d6ab2256d0dede1ca9efda03d , < 7cccf4eb4f96d3c3af91a00b7a9caa652439542e (git); Affected: 3db0decf1185357d6ab2256d0dede1ca9efda03d , < ba9d20ee9076dac32c371116bacbe72480eb356c (git); Affected: 3fdd337ac0b277a1f40aa73b35283520f426e517 (git); Affected: 485eedfabc2aefac8f09f98a82ba1c1e3e202a6d (git); Affected: 3.16.39 , < 3.17 (semver); Affected: 4.4.217 , < 4.5 (semver) |
| Linux | Linux | Affected: 4.7; Unaffected: 0 , < 4.7 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65419eb4259a26a3cd3f56fa0e3b3c113bf8c256",
"status": "affected",
"version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
"versionType": "git"
},
{
"lessThan": "fd0ca034c1e71ca7613cde9dd892836b2c2831bd",
"status": "affected",
"version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
"versionType": "git"
},
{
"lessThan": "0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0",
"status": "affected",
"version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
"versionType": "git"
},
{
"lessThan": "7cccf4eb4f96d3c3af91a00b7a9caa652439542e",
"status": "affected",
"version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
"versionType": "git"
},
{
"lessThan": "ba9d20ee9076dac32c371116bacbe72480eb356c",
"status": "affected",
"version": "3db0decf1185357d6ab2256d0dede1ca9efda03d",
"versionType": "git"
},
{
"status": "affected",
"version": "3fdd337ac0b277a1f40aa73b35283520f426e517",
"versionType": "git"
},
{
"status": "affected",
"version": "485eedfabc2aefac8f09f98a82ba1c1e3e202a6d",
"versionType": "git"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.39",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.217",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.217",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: put backbone reference on failed claim hash insert\n\nWhen batadv_bla_add_claim() fails to insert a new claim into the hash, it\nleaked a reference to the backbone_gw for which the claim was intended.\nCall batadv_backbone_gw_put() on the error path to release the reference\nand avoid leaking the backbone_gw object."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:53.471Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65419eb4259a26a3cd3f56fa0e3b3c113bf8c256"
},
{
"url": "https://git.kernel.org/stable/c/fd0ca034c1e71ca7613cde9dd892836b2c2831bd"
},
{
"url": "https://git.kernel.org/stable/c/0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0"
},
{
"url": "https://git.kernel.org/stable/c/7cccf4eb4f96d3c3af91a00b7a9caa652439542e"
},
{
"url": "https://git.kernel.org/stable/c/ba9d20ee9076dac32c371116bacbe72480eb356c"
}
],
"title": "batman-adv: bla: put backbone reference on failed claim hash insert",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46231",
"datePublished": "2026-05-28T09:40:53.471Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:53.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46230 (GCVE-0-2026-46230)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
Check bounds against the end of the BO whenever we access the msg.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 638d3e0b9eb77aa53fdd60e2b928761d16ba76fa (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 870c8738c3774336baedddd0240951d078a703b8 (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 638e48ee39d0f2af9336f917a6f5d6692dd64d93 (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7 (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b193019860d61e92da395eae2011f2f6716b182f (git); Affected: 0 , < 6.6.140 (semver); Affected: 0 , < 6.12.90 (semver); Affected: 0 , < 6.18.32 (semver); Affected: 0 , < 7.0.9 (semver) |
| Linux | Linux | Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "638d3e0b9eb77aa53fdd60e2b928761d16ba76fa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "870c8738c3774336baedddd0240951d078a703b8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "638e48ee39d0f2af9336f917a6f5d6692dd64d93",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b193019860d61e92da395eae2011f2f6716b182f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6.6.140",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.12.90",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.18.32",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg\n\nCheck bounds against the end of the BO whenever we access the msg."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:52.696Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/638d3e0b9eb77aa53fdd60e2b928761d16ba76fa"
},
{
"url": "https://git.kernel.org/stable/c/870c8738c3774336baedddd0240951d078a703b8"
},
{
"url": "https://git.kernel.org/stable/c/638e48ee39d0f2af9336f917a6f5d6692dd64d93"
},
{
"url": "https://git.kernel.org/stable/c/e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7"
},
{
"url": "https://git.kernel.org/stable/c/b193019860d61e92da395eae2011f2f6716b182f"
}
],
"title": "drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46230",
"datePublished": "2026-05-28T09:40:52.696Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:52.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46229 (GCVE-0-2026-46229)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE
but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated
VRAM with stale data from prior use observable by compute kernels.
The GEM ioctl path already sets VRAM_CLEARED for all userspace
allocations via amdgpu_gem_create_ioctl() and
amdgpu_mode_dumb_create(). The KFD path was missing this flag,
allowing stale page table remnants to leak into user buffers.
This causes crashes in RCCL P2P transport where non-zero data in
ptrExchange/head/tail fields corrupts the protocol handshake.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1db431380879fd9d28b763a88a0c0431be5be8df (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 32b153658f017ad2f5bf8aab479e8d16ac95bc3a (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 77d0b5d11387071770246fd0185a69fa28e8e109 (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 047d44d8d29a6a1a5757256837aa9dd78e3cd0b5 (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ad52d61d82181dbdb7f05826de38352d5e550cc2 (git); Affected: 0 , < 6.6.140 (semver); Affected: 0 , < 6.12.90 (semver); Affected: 0 , < 6.18.32 (semver); Affected: 0 , < 7.0.9 (semver) | |
| Linux | Linux | Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1db431380879fd9d28b763a88a0c0431be5be8df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "32b153658f017ad2f5bf8aab479e8d16ac95bc3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "77d0b5d11387071770246fd0185a69fa28e8e109",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "047d44d8d29a6a1a5757256837aa9dd78e3cd0b5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ad52d61d82181dbdb7f05826de38352d5e550cc2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6.6.140",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.12.90",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.18.32",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Clear VRAM on allocation to prevent stale data exposure\n\nKFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE\nbut not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated\nVRAM with stale data from prior use observable by compute kernels.\n\nThe GEM ioctl path already sets VRAM_CLEARED for all userspace\nallocations via amdgpu_gem_create_ioctl() and\namdgpu_mode_dumb_create(). The KFD path was missing this flag,\nallowing stale page table remnants to leak into user buffers.\n\nThis causes crashes in RCCL P2P transport where non-zero data in\nptrExchange/head/tail fields corrupts the protocol handshake."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:51.300Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1db431380879fd9d28b763a88a0c0431be5be8df"
},
{
"url": "https://git.kernel.org/stable/c/32b153658f017ad2f5bf8aab479e8d16ac95bc3a"
},
{
"url": "https://git.kernel.org/stable/c/77d0b5d11387071770246fd0185a69fa28e8e109"
},
{
"url": "https://git.kernel.org/stable/c/047d44d8d29a6a1a5757256837aa9dd78e3cd0b5"
},
{
"url": "https://git.kernel.org/stable/c/ad52d61d82181dbdb7f05826de38352d5e550cc2"
}
],
"title": "drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46229",
"datePublished": "2026-05-28T09:40:51.300Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:51.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46228 (GCVE-0-2026-46228)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
spi: ch341: fix devres lifetime
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: ch341: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).
Fix the controller and driver data lifetime so that they are released
on driver unbind.
Note that this also makes sure that the SPI controller is placed
correctly under the USB interface in the device tree.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < 4422fc2411cbbdf5104a914e0596bb483faea254 (git); Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < 108a64b27a52f781c4f3751641e3dd65c7dd2fb5 (git); Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < abe572f630bc1f0e77041012ab075869036ede4f (git) | |
| Linux | Linux | Affected: 6.11; Unaffected: 0 , < 6.11 (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-ch341.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4422fc2411cbbdf5104a914e0596bb483faea254",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
},
{
"lessThan": "108a64b27a52f781c4f3751641e3dd65c7dd2fb5",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
},
{
"lessThan": "abe572f630bc1f0e77041012ab075869036ede4f",
"status": "affected",
"version": "8846739f52afa07e63395c80227dc544f54bd7b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-ch341.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: ch341: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. on probe\ndeferral or configuration changes).\n\nFix the controller and driver data lifetime so that they are released\non driver unbind.\n\nNote that this also makes sure that the SPI controller is placed\ncorrectly under the USB interface in the device tree."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:48.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4422fc2411cbbdf5104a914e0596bb483faea254"
},
{
"url": "https://git.kernel.org/stable/c/108a64b27a52f781c4f3751641e3dd65c7dd2fb5"
},
{
"url": "https://git.kernel.org/stable/c/abe572f630bc1f0e77041012ab075869036ede4f"
}
],
"title": "spi: ch341: fix devres lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46228",
"datePublished": "2026-05-28T09:40:48.689Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:48.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46227 (GCVE-0-2026-46227)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().
While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu(). The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.
sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp. After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).
Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.
Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns. @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.
The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb027307 ("sctp: walk the list of asoc
safely") was added for.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078 (git); Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 6187a172d6ed57d6b2c327836e4407c6456e639d (git); Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < c9dadb31f36045a8cb65df4bd75e7237ef21a4b5 (git); Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < bf0f40d8107e2ce827521968dc6926f3e13728ae (git); Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < abb5f36771cc4c05899b34000829a787572a8817 (git) | |
| Linux | Linux | Affected: 4.17; Unaffected: 0 , < 4.17 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "6187a172d6ed57d6b2c327836e4407c6456e639d",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "c9dadb31f36045a8cb65df4bd75e7237ef21a4b5",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "bf0f40d8107e2ce827521968dc6926f3e13728ae",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "abb5f36771cc4c05899b34000829a787572a8817",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc4",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs. The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu(). The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp. After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns. @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:47.518Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078"
},
{
"url": "https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d"
},
{
"url": "https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5"
},
{
"url": "https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae"
},
{
"url": "https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817"
}
],
"title": "sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46227",
"datePublished": "2026-05-28T09:40:47.518Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:47.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46226 (GCVE-0-2026-46226)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
spi: fsl: fix controller deregistration
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: fsl: fix controller deregistration
Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 4178b6b1b595003cd6e04711b449797a582e44f5 , < 562d954a144950ec2aa6a874ae657cb3fa31fe53 (git); Affected: 4178b6b1b595003cd6e04711b449797a582e44f5 , < e888308222375ac28bae69134dae288178718a96 (git); Affected: 4178b6b1b595003cd6e04711b449797a582e44f5 , < ca3195c7b88362d7c81efe685948663a9f9db0e6 (git); Affected: 4178b6b1b595003cd6e04711b449797a582e44f5 , < 5750743a39c9d46ac9fcf57ffe000956da4942cf (git); Affected: 4178b6b1b595003cd6e04711b449797a582e44f5 , < 9b7abfed4c3754062d1f3ffd452e65a38667f586 (git) | |
| Linux | Linux | Affected: 4.3; Unaffected: 0 , < 4.3 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "562d954a144950ec2aa6a874ae657cb3fa31fe53",
"status": "affected",
"version": "4178b6b1b595003cd6e04711b449797a582e44f5",
"versionType": "git"
},
{
"lessThan": "e888308222375ac28bae69134dae288178718a96",
"status": "affected",
"version": "4178b6b1b595003cd6e04711b449797a582e44f5",
"versionType": "git"
},
{
"lessThan": "ca3195c7b88362d7c81efe685948663a9f9db0e6",
"status": "affected",
"version": "4178b6b1b595003cd6e04711b449797a582e44f5",
"versionType": "git"
},
{
"lessThan": "5750743a39c9d46ac9fcf57ffe000956da4942cf",
"status": "affected",
"version": "4178b6b1b595003cd6e04711b449797a582e44f5",
"versionType": "git"
},
{
"lessThan": "9b7abfed4c3754062d1f3ffd452e65a38667f586",
"status": "affected",
"version": "4178b6b1b595003cd6e04711b449797a582e44f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl: fix controller deregistration\n\nMake sure to deregister the controller before releasing underlying\nresources like DMA during driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:46.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/562d954a144950ec2aa6a874ae657cb3fa31fe53"
},
{
"url": "https://git.kernel.org/stable/c/e888308222375ac28bae69134dae288178718a96"
},
{
"url": "https://git.kernel.org/stable/c/ca3195c7b88362d7c81efe685948663a9f9db0e6"
},
{
"url": "https://git.kernel.org/stable/c/5750743a39c9d46ac9fcf57ffe000956da4942cf"
},
{
"url": "https://git.kernel.org/stable/c/9b7abfed4c3754062d1f3ffd452e65a38667f586"
}
],
"title": "spi: fsl: fix controller deregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46226",
"datePublished": "2026-05-28T09:40:46.027Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:46.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46225 (GCVE-0-2026-46225)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
spi: rspi: fix controller deregistration
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: rspi: fix controller deregistration
Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2 , < 77defd64b405b680db73d767313fce770d368368 (git); Affected: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2 , < c5090db1b31de3ef4db0cda7e822ab49cb572292 (git); Affected: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2 , < aee76c1dd189562c6678313caec12761f78a9ef3 (git); Affected: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2 , < fee6abd9845c3edd217b0e429d09f764f9a5690e (git); Affected: 9e03d05eee4ca45ed12749ef6c26bf616262cdd2 , < 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc (git) | |
| Linux | Linux | Affected: 3.14; Unaffected: 0 , < 3.14 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-rspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77defd64b405b680db73d767313fce770d368368",
"status": "affected",
"version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
"versionType": "git"
},
{
"lessThan": "c5090db1b31de3ef4db0cda7e822ab49cb572292",
"status": "affected",
"version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
"versionType": "git"
},
{
"lessThan": "aee76c1dd189562c6678313caec12761f78a9ef3",
"status": "affected",
"version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
"versionType": "git"
},
{
"lessThan": "fee6abd9845c3edd217b0e429d09f764f9a5690e",
"status": "affected",
"version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
"versionType": "git"
},
{
"lessThan": "9944fa6726afb1e6eb7e2212764e7da0c97f2dcc",
"status": "affected",
"version": "9e03d05eee4ca45ed12749ef6c26bf616262cdd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-rspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: rspi: fix controller deregistration\n\nMake sure to deregister the controller before releasing underlying\nresources like DMA during driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:44.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77defd64b405b680db73d767313fce770d368368"
},
{
"url": "https://git.kernel.org/stable/c/c5090db1b31de3ef4db0cda7e822ab49cb572292"
},
{
"url": "https://git.kernel.org/stable/c/aee76c1dd189562c6678313caec12761f78a9ef3"
},
{
"url": "https://git.kernel.org/stable/c/fee6abd9845c3edd217b0e429d09f764f9a5690e"
},
{
"url": "https://git.kernel.org/stable/c/9944fa6726afb1e6eb7e2212764e7da0c97f2dcc"
}
],
"title": "spi: rspi: fix controller deregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46225",
"datePublished": "2026-05-28T09:40:44.066Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:44.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46224 (GCVE-0-2026-46224)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure
When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo
is not freed. Add xe_bo_free(storage) before returning the error.
xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on
error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own
error paths. Otherwise, since xe_gem_prime_import() cannot distinguish
whether the failure originated from xe_dma_buf_init_obj() or from
xe_bo_init_locked(), it cannot safely decide whether the bo should be
freed.
Add comments documenting the ownership semantics: on success, ownership
of storage is transferred to the returned drm_gem_object; on failure,
storage is freed before returning.
v2: Add comments to explain the free logic.
(cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 , < f9ad21b90162baf1d78f8036ff3813c3ec1ac88e (git); Affected: eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 , < 8fa8c2a22585fcb31dc605b91a67bbcca223fdd7 (git); Affected: eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 , < 93a528f67ce5095bcab46a69839eca97f43dd352 (git) |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_dma_buf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9ad21b90162baf1d78f8036ff3813c3ec1ac88e",
"status": "affected",
"version": "eb289a5f6cc668853f9b2ea6aca04afe58ed11c7",
"versionType": "git"
},
{
"lessThan": "8fa8c2a22585fcb31dc605b91a67bbcca223fdd7",
"status": "affected",
"version": "eb289a5f6cc668853f9b2ea6aca04afe58ed11c7",
"versionType": "git"
},
{
"lessThan": "93a528f67ce5095bcab46a69839eca97f43dd352",
"status": "affected",
"version": "eb289a5f6cc668853f9b2ea6aca04afe58ed11c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_dma_buf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure\n\nWhen drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo\nis not freed. Add xe_bo_free(storage) before returning the error.\n\nxe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on\nerror. Therefore, xe_dma_buf_init_obj() must also free the bo on its own\nerror paths. Otherwise, since xe_gem_prime_import() cannot distinguish\nwhether the failure originated from xe_dma_buf_init_obj() or from\nxe_bo_init_locked(), it cannot safely decide whether the bo should be\nfreed.\n\nAdd comments documenting the ownership semantics: on success, ownership\nof storage is transferred to the returned drm_gem_object; on failure,\nstorage is freed before returning.\n\nv2: Add comments to explain the free logic.\n\n(cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:42.819Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9ad21b90162baf1d78f8036ff3813c3ec1ac88e"
},
{
"url": "https://git.kernel.org/stable/c/8fa8c2a22585fcb31dc605b91a67bbcca223fdd7"
},
{
"url": "https://git.kernel.org/stable/c/93a528f67ce5095bcab46a69839eca97f43dd352"
}
],
"title": "drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46224",
"datePublished": "2026-05-28T09:40:42.819Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:42.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46223 (GCVE-0-2026-46223)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated
A chain of commits going back to v7.0 reworked rmdir to satisfy the
controller invariant that a subsystem's ->css_offline() must not run while
tasks are still doing kernel-side work in the cgroup.
[1] d245698d727a ("cgroup: Defer task cgroup unlink until after the task is done switching out")
[2] a72f73c4dd9b ("cgroup: Don't expose dead tasks in cgroup")
[3] 1b164b876c36 ("cgroup: Wait for dying tasks to leave on rmdir")
[4] 4c56a8ac6869 ("cgroup: Fix cgroup_drain_dying() testing the wrong condition")
[5] 13e786b64bd3 ("cgroup: Increment nr_dying_subsys_* from rmdir context")
[1] moved task cset unlink from do_exit() to finish_task_switch() so a
task's cset link drops only after the task has fully stopped scheduling.
That made tasks past exit_signals() linger on cset->tasks until their final
context switch, which led to a series of problems as what userspace expected
to see after rmdir diverged from what the kernel needs to wait for. [2]-[5]
tried to bridge that divergence: [2] filtered the exiting tasks from
cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4]
fixed the wait's condition; [5] made nr_dying_subsys_* visible
synchronously.
The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the
rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g.
host PID 1 systemd reaping orphan pids that were re-parented to it during
the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those
pids to free, the pids can't free because PID 1 is the reaper and it's stuck
in rmdir, and the system A-A deadlocks. No internal lock ordering breaks
this; the wait itself is the bug.
The css killing side that drove the original reorder, however, can be made
cleanly asynchronous: ->css_offline() is already async, run from
css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to
make that chain start only after all tasks have left the cgroup. rmdir's
user-visible side then returns as soon as cgroup.procs and friends are
empty, while ->css_offline() still runs only after the cgroup is fully
drained.
Verified by the original reproducer (pidns teardown + zombie reaper, runs
under vng) which hangs vanilla and succeeds here, and by per-commit
deterministic repros for [2], [3], [4], [5] with a boot parameter that
widens the post-exit_signals() window so each state is reliably reachable.
Some stress tests on top of that.
cgroup_apply_control_disable() has the same shape of pre-existing race:
when a controller is disabled via subtree_control, kill_css() ran
synchronously while tasks past exit_signals() could still be linked to
the cgroup's csets, and ->css_offline() could fire before they drained.
This patch preserves the existing synchronous behavior at that call site
(kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch
will defer kill_css_finish() there using a per-css trigger.
This seems like the right approach and I don't see problems with it. The
changes are somewhat invasive but not excessively so, so backporting to
-stable should be okay. If something does turn out to be wrong, the fallback
is to revert the entire chain ([1]-[5]) and rework in the development branch
instead.
v2: Pin cgrp across the deferred destroy work with explicit
cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1
wasn't actually broken (ordered cgroup_offline_wq + queue_work order
in cgroup_task_dead() saved it) but the explicit ref removes the
dependency on those non-obvious invariants. Also note the
pre-existing cgroup_apply_control_disable() race in the description;
a follow-up will defer kill_css_finish() there.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1b164b876c36c3eb5561dd9b37702b04401b0166 , < 33fa2e6b1507a0a377a151a8826438bedad1d0b0 (git); Affected: 1b164b876c36c3eb5561dd9b37702b04401b0166 , < 93618edf753838a727dbff63c7c291dee22d656b (git); Affected: 78c72bce4a87819126211c0d24e18350010604fb (git); Affected: 6.19.12 , < 6.20 (semver) |
| Linux | Linux | Affected: 7.0; Unaffected: 0 , < 7.0 (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/cgroup-defs.h",
"kernel/cgroup/cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33fa2e6b1507a0a377a151a8826438bedad1d0b0",
"status": "affected",
"version": "1b164b876c36c3eb5561dd9b37702b04401b0166",
"versionType": "git"
},
{
"lessThan": "93618edf753838a727dbff63c7c291dee22d656b",
"status": "affected",
"version": "1b164b876c36c3eb5561dd9b37702b04401b0166",
"versionType": "git"
},
{
"status": "affected",
"version": "78c72bce4a87819126211c0d24e18350010604fb",
"versionType": "git"
},
{
"lessThan": "6.20",
"status": "affected",
"version": "6.19.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/cgroup-defs.h",
"kernel/cgroup/cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.19.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated\n\nA chain of commits going back to v7.0 reworked rmdir to satisfy the\ncontroller invariant that a subsystem\u0027s -\u003ecss_offline() must not run while\ntasks are still doing kernel-side work in the cgroup.\n\n[1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\")\n[2] a72f73c4dd9b (\"cgroup: Don\u0027t expose dead tasks in cgroup\")\n[3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\")\n[4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\")\n[5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")\n\n[1] moved task cset unlink from do_exit() to finish_task_switch() so a\ntask\u0027s cset link drops only after the task has fully stopped scheduling.\nThat made tasks past exit_signals() linger on cset-\u003etasks until their final\ncontext switch, which led to a series of problems as what userspace expected\nto see after rmdir diverged from what the kernel needs to wait for. [2]-[5]\ntried to bridge that divergence: [2] filtered the exiting tasks from\ncgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4]\nfixed the wait\u0027s condition; [5] made nr_dying_subsys_* visible\nsynchronously.\n\nThe cgroup_drain_dying() wait in [3] turned out to be a dead end. When the\nrmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g.\nhost PID 1 systemd reaping orphan pids that were re-parented to it during\nthe same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those\npids to free, the pids can\u0027t free because PID 1 is the reaper and it\u0027s stuck\nin rmdir, and the system A-A deadlocks. No internal lock ordering breaks\nthis; the wait itself is the bug.\n\nThe css killing side that drove the original reorder, however, can be made\ncleanly asynchronous: -\u003ecss_offline() is already async, run from\ncss_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to\nmake that chain start only after all tasks have left the cgroup. rmdir\u0027s\nuser-visible side then returns as soon as cgroup.procs and friends are\nempty, while -\u003ecss_offline() still runs only after the cgroup is fully\ndrained.\n\nVerified by the original reproducer (pidns teardown + zombie reaper, runs\nunder vng) which hangs vanilla and succeeds here, and by per-commit\ndeterministic repros for [2], [3], [4], [5] with a boot parameter that\nwidens the post-exit_signals() window so each state is reliably reachable.\nSome stress tests on top of that.\n\ncgroup_apply_control_disable() has the same shape of pre-existing race:\nwhen a controller is disabled via subtree_control, kill_css() ran\nsynchronously while tasks past exit_signals() could still be linked to\nthe cgroup\u0027s csets, and -\u003ecss_offline() could fire before they drained.\nThis patch preserves the existing synchronous behavior at that call site\n(kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch\nwill defer kill_css_finish() there using a per-css trigger.\n\nThis seems like the right approach and I don\u0027t see problems with it. The\nchanges are somewhat invasive but not excessively so, so backporting to\n-stable should be okay. If something does turn out to be wrong, the fallback\nis to revert the entire chain ([1]-[5]) and rework in the development branch\ninstead.\n\nv2: Pin cgrp across the deferred destroy work with explicit\n cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1\n wasn\u0027t actually broken (ordered cgroup_offline_wq + queue_work order\n in cgroup_task_dead() saved it) but the explicit ref removes the\n dependency on those non-obvious invariants. Also note the\n pre-existing cgroup_apply_control_disable() race in the description;\n a follow-up will defer kill_css_finish() there."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:40.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33fa2e6b1507a0a377a151a8826438bedad1d0b0"
},
{
"url": "https://git.kernel.org/stable/c/93618edf753838a727dbff63c7c291dee22d656b"
}
],
"title": "cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46223",
"datePublished": "2026-05-28T09:40:40.791Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:40.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46222 (GCVE-0-2026-46222)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads
The pads missed checks for connected devices which may cause a null dereference
when the stream is enabled.
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000020
pc : rkcif_interface_enable_streams+0x48/0xf0
lr : rkcif_interface_enable_streams+0x44/0xf0
Call trace:
rkcif_interface_enable_streams+0x48/0xf0
v4l2_subdev_enable_streams+0x26c/0x3f0
rkcif_stream_start_streaming+0x140/0x278
vb2_start_streaming+0x74/0x188
vb2_core_streamon+0xe0/0x1d8
vb2_ioctl_streamon+0x60/0xa8
v4l_streamon+0x2c/0x40
__video_do_ioctl+0x34c/0x400
video_usercopy+0x2d0/0x800
video_ioctl2+0x20/0x60
v4l2_ioctl+0x48/0x78
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 85411d17bee99b0a99e983f37188f9cdacfded54 , < 318142640590342bfec7aa06d0bdcd0ddbf953d0 (git); Affected: 85411d17bee99b0a99e983f37188f9cdacfded54 , < 8e3c751259dc2d1325838eff26f41032523c7b57 (git) |
| Linux | Linux | Affected: 6.19; Unaffected: 0 , < 6.19 (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rkcif/rkcif-interface.c",
"drivers/media/platform/rockchip/rkcif/rkcif-stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "318142640590342bfec7aa06d0bdcd0ddbf953d0",
"status": "affected",
"version": "85411d17bee99b0a99e983f37188f9cdacfded54",
"versionType": "git"
},
{
"lessThan": "8e3c751259dc2d1325838eff26f41032523c7b57",
"status": "affected",
"version": "85411d17bee99b0a99e983f37188f9cdacfded54",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rkcif/rkcif-interface.c",
"drivers/media/platform/rockchip/rkcif/rkcif-stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rockchip: rkcif: Add missing MUST_CONNECT flag to pads\n\nThe pads missed checks for connected devices which may a null dereference\nwhen the stream is enabled.\n\nUnable to handle kernel NULL pointer dereference at virtual address\n0000000000000020\npc : rkcif_interface_enable_streams+0x48/0xf0\nlr : rkcif_interface_enable_streams+0x44/0xf0\nCall trace:\n rkcif_interface_enable_streams+0x48/0xf0\n v4l2_subdev_enable_streams+0x26c/0x3f0\n rkcif_stream_start_streaming+0x140/0x278\n vb2_start_streaming+0x74/0x188\n vb2_core_streamon+0xe0/0x1d8\n vb2_ioctl_streamon+0x60/0xa8\n v4l_streamon+0x2c/0x40\n __video_do_ioctl+0x34c/0x400\n video_usercopy+0x2d0/0x800\n video_ioctl2+0x20/0x60\n v4l2_ioctl+0x48/0x78"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:38.777Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/318142640590342bfec7aa06d0bdcd0ddbf953d0"
},
{
"url": "https://git.kernel.org/stable/c/8e3c751259dc2d1325838eff26f41032523c7b57"
}
],
"title": "media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46222",
"datePublished": "2026-05-28T09:40:38.777Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:38.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46221 (GCVE-0-2026-46221)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
EDAC/versalnet: Fix device name memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
EDAC/versalnet: Fix device name memory leak
The device name allocated via kzalloc() in init_one_mc() is assigned to
dev->init_name but never freed on the normal removal path. device_register()
copies init_name and then sets dev->init_name to NULL, so the name pointer
becomes unreachable from the device. Thus leaking memory.
Use a stack-local char array instead of using kzalloc() for name.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984 , < 24d2912962d087ebff7c4984f8ac34a5f23c8dbf (git); Affected: d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984 , < b16033c8774f5fb4c0cb9b445a1dfc68f499ae6a (git); Affected: d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984 , < 8cf5dd235eff6008cb04c3d8064d2acfa90616f1 (git) |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/edac/versalnet_edac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24d2912962d087ebff7c4984f8ac34a5f23c8dbf",
"status": "affected",
"version": "d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984",
"versionType": "git"
},
{
"lessThan": "b16033c8774f5fb4c0cb9b445a1dfc68f499ae6a",
"status": "affected",
"version": "d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984",
"versionType": "git"
},
{
"lessThan": "8cf5dd235eff6008cb04c3d8064d2acfa90616f1",
"status": "affected",
"version": "d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/edac/versalnet_edac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/versalnet: Fix device name memory leak\n\nThe device name allocated via kzalloc() in init_one_mc() is assigned to\ndev-\u003einit_name but never freed on the normal removal path. device_register()\ncopies init_name and then sets dev-\u003einit_name to NULL, so the name pointer\nbecomes unreachable from the device. Thus leaking memory.\n\nUse a stack-local char array instead of using kzalloc() for name."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:36.679Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24d2912962d087ebff7c4984f8ac34a5f23c8dbf"
},
{
"url": "https://git.kernel.org/stable/c/b16033c8774f5fb4c0cb9b445a1dfc68f499ae6a"
},
{
"url": "https://git.kernel.org/stable/c/8cf5dd235eff6008cb04c3d8064d2acfa90616f1"
}
],
"title": "EDAC/versalnet: Fix device name memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46221",
"datePublished": "2026-05-28T09:40:36.679Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:36.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46220 (GCVE-0-2026-46220)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
that verify fence writeback addresses are dword-aligned. These
assertions can be reached from unprivileged userspace via crafted
DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a
scheduler worker thread.
Replace both BUG_ON() calls with WARN_ON() to log the condition without
crashing the kernel. A misaligned fence address at this point indicates
a driver bug, but crashing the kernel is never the correct response when
the assertion is reachable from userspace.
The CS IOCTL path is the correct place to filter invalid submissions;
the ring emission callback is too late to do anything about it.
(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7 , < 4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe (git); Affected: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7 , < d331fb241a4602253976ddd65144a8ba2b05665d (git); Affected: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7 , < 0b91ea46bb68abf98a082bf239092253bbd6aaa2 (git); Affected: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7 , < a4fd82fb0757c180bf622907397c528b89a827b2 (git); Affected: 2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7 , < 78d2e624fa073c14970aa097adcf3ea31c157a66 (git) |
| Linux | Linux | Affected: 4.12; Unaffected: 0 , < 4.12 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe",
"status": "affected",
"version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
"versionType": "git"
},
{
"lessThan": "d331fb241a4602253976ddd65144a8ba2b05665d",
"status": "affected",
"version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
"versionType": "git"
},
{
"lessThan": "0b91ea46bb68abf98a082bf239092253bbd6aaa2",
"status": "affected",
"version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
"versionType": "git"
},
{
"lessThan": "a4fd82fb0757c180bf622907397c528b89a827b2",
"status": "affected",
"version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
"versionType": "git"
},
{
"lessThan": "78d2e624fa073c14970aa097adcf3ea31c157a66",
"status": "affected",
"version": "2130f89ced2cc0f5113bb427c1cbc7a4ca7729c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission\n\nsdma_v4_0_ring_emit_fence() contains two BUG_ON(addr \u0026 0x3) assertions\nthat verify fence writeback addresses are dword-aligned. These\nassertions can be reached from unprivileged userspace via crafted\nDRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a\nscheduler worker thread.\n\nReplace both BUG_ON() calls with WARN_ON() to log the condition without\ncrashing the kernel. A misaligned fence address at this point indicates\na driver bug, but crashing the kernel is never the correct response when\nthe assertion is reachable from userspace.\n\nThe CS IOCTL path is the correct place to filter invalid submissions;\nthe ring emission callback is too late to do anything about it.\n\n(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:35.971Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe"
},
{
"url": "https://git.kernel.org/stable/c/d331fb241a4602253976ddd65144a8ba2b05665d"
},
{
"url": "https://git.kernel.org/stable/c/0b91ea46bb68abf98a082bf239092253bbd6aaa2"
},
{
"url": "https://git.kernel.org/stable/c/a4fd82fb0757c180bf622907397c528b89a827b2"
},
{
"url": "https://git.kernel.org/stable/c/78d2e624fa073c14970aa097adcf3ea31c157a66"
}
],
"title": "drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46220",
"datePublished": "2026-05-28T09:40:35.971Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-05-28T09:40:35.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46219 (GCVE-0-2026-46219)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
spi: mpc52xx: fix use-after-free on unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: mpc52xx: fix use-after-free on unbind
The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59 , < bb6b50f709c5a01906ff72a07fdc070bb3357188 (git); Affected: 90b72189de2cddacb26250579da0510b29a8b82b , < ee52da0dd83ebcd89ecbbe2660c57b15a25489f2 (git); Affected: 984836621aad98802d92c4a3047114cf518074c8 , < 6c3e413919a12627d04a31a4a5fccb9fc129bb02 (git); Affected: 984836621aad98802d92c4a3047114cf518074c8 , < bbcd6dd8e9f264440eaf6167382bf404911c1c46 (git); Affected: 984836621aad98802d92c4a3047114cf518074c8 , < 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 (git); Affected: d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1 (git); Affected: e0c6ce8424095c2da32a063d3fc027494c689817 (git); Affected: cd5106c77d6d6828aa82449f01f4eb436d602a21 (git); Affected: 373d55a47dc662e5e30d12ad5d334312f757c1f1 (git); Affected: 6.6.66 , < 6.6.140 (semver); Affected: 6.12.5 , < 6.12.90 (semver); Affected: 5.4.287 , < 5.5 (semver); Affected: 5.10.231 , < 5.11 (semver); Affected: 5.15.174 , < 5.16 (semver); Affected: 6.1.120 , < 6.2 (semver) | |
| Linux | Linux | Affected: 6.13; Unaffected: 0 , < 6.13 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-mpc52xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb6b50f709c5a01906ff72a07fdc070bb3357188",
"status": "affected",
"version": "f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59",
"versionType": "git"
},
{
"lessThan": "ee52da0dd83ebcd89ecbbe2660c57b15a25489f2",
"status": "affected",
"version": "90b72189de2cddacb26250579da0510b29a8b82b",
"versionType": "git"
},
{
"lessThan": "6c3e413919a12627d04a31a4a5fccb9fc129bb02",
"status": "affected",
"version": "984836621aad98802d92c4a3047114cf518074c8",
"versionType": "git"
},
{
"lessThan": "bbcd6dd8e9f264440eaf6167382bf404911c1c46",
"status": "affected",
"version": "984836621aad98802d92c4a3047114cf518074c8",
"versionType": "git"
},
{
"lessThan": "706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0",
"status": "affected",
"version": "984836621aad98802d92c4a3047114cf518074c8",
"versionType": "git"
},
{
"status": "affected",
"version": "d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1",
"versionType": "git"
},
{
"status": "affected",
"version": "e0c6ce8424095c2da32a063d3fc027494c689817",
"versionType": "git"
},
{
"status": "affected",
"version": "cd5106c77d6d6828aa82449f01f4eb436d602a21",
"versionType": "git"
},
{
"status": "affected",
"version": "373d55a47dc662e5e30d12ad5d334312f757c1f1",
"versionType": "git"
},
{
"lessThan": "6.6.140",
"status": "affected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThan": "6.12.90",
"status": "affected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.120",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-mpc52xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.6.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "6.12.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.120",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: mpc52xx: fix use-after-free on unbind\n\nThe state machine work is scheduled by the interrupt handler and\ntherefore needs to be cancelled after disabling interrupts to avoid a\npotential use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:35.297Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188"
},
{
"url": "https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2"
},
{
"url": "https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02"
},
{
"url": "https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46"
},
{
"url": "https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0"
}
],
"title": "spi: mpc52xx: fix use-after-free on unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46219",
"datePublished": "2026-05-28T09:40:35.297Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-05-28T09:40:35.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46218 (GCVE-0-2026-46218)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
drm/amdgpu: Add bounds checking to ib_{get,set}_value
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Add bounds checking to ib_{get,set}_value
The uvd/vce/vcn code accesses the IB at predefined offsets without
checking that the IB is large enough. Check the bounds here. The caller
is responsible for making sure it can handle arbitrary return values.
Also make the idx a uint32_t to prevent overflows causing the condition
to fail.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0fb5cb556b249b2b64c0f818136c4c3e838ef53f (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a853178d23e774adfe3a35073c375b04b3b20f7d (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fec8b11b55e53ff51a741e56894fe331a516f5c6 (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ee26fcf7c5cf131f0b6a732faa27d79ec61b8ec7 (git); Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 66085e206431ef88ce36f53c1f53d570790ccc9e (git); Affected: 0 , < 6.6.140 (semver); Affected: 0 , < 6.12.90 (semver); Affected: 0 , < 6.18.32 (semver); Affected: 0 , < 7.0.9 (semver) | |
| Linux | Linux | Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fb5cb556b249b2b64c0f818136c4c3e838ef53f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a853178d23e774adfe3a35073c375b04b3b20f7d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fec8b11b55e53ff51a741e56894fe331a516f5c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ee26fcf7c5cf131f0b6a732faa27d79ec61b8ec7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "66085e206431ef88ce36f53c1f53d570790ccc9e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6.6.140",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.12.90",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.18.32",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Add bounds checking to ib_{get,set}_value\n\nThe uvd/vce/vcn code accesses the IB at predefined offsets without\nchecking that the IB is large enough. Check the bounds here. The caller\nis responsible for making sure it can handle arbitrary return values.\n\nAlso make the idx a uint32_t to prevent overflows causing the condition\nto fail."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:34.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fb5cb556b249b2b64c0f818136c4c3e838ef53f"
},
{
"url": "https://git.kernel.org/stable/c/a853178d23e774adfe3a35073c375b04b3b20f7d"
},
{
"url": "https://git.kernel.org/stable/c/fec8b11b55e53ff51a741e56894fe331a516f5c6"
},
{
"url": "https://git.kernel.org/stable/c/ee26fcf7c5cf131f0b6a732faa27d79ec61b8ec7"
},
{
"url": "https://git.kernel.org/stable/c/66085e206431ef88ce36f53c1f53d570790ccc9e"
}
],
"title": "drm/amdgpu: Add bounds checking to ib_{get,set}_value",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46218",
"datePublished": "2026-05-28T09:40:34.367Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-05-28T09:40:34.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46217 (GCVE-0-2026-46217)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
drm/amdgpu/vcn4: Avoid overflow on msg bound check
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/vcn4: Avoid overflow on msg bound check
As pointed out by SDL, the previous condition may be vulnerable to
overflow.
(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: c72a8b4dc6d598e3831ef3abd9c6527dfbf4810e , < 5bb5faff4837b1d98fd655cf8bd7b5d4da0fc4dc (git); Affected: 7688143ca62edeecacb3ba0a2cea129dbd262a18 , < 73043d296787bf187d89ffb5c5dcf5bdc3db7885 (git); Affected: 63b51e8a9d54317d31cc3856c1e12407070d5fc2 , < 271cd5429513ff9b364a9bf8903e5b65b687eb25 (git); Affected: 3c817a60b09eaab926e475088e750936efcc95ae , < 30d12ee310a6024ff4c7b9eafdbbeab2db450d4a (git); Affected: 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 , < 65bce27ea6192320448c30267ffc17ffa094e713 (git) | |
| Linux | Linux | Affected: 7.1-rc1; Unaffected: 0 , < 7.1-rc1 (semver); Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5bb5faff4837b1d98fd655cf8bd7b5d4da0fc4dc",
"status": "affected",
"version": "c72a8b4dc6d598e3831ef3abd9c6527dfbf4810e",
"versionType": "git"
},
{
"lessThan": "73043d296787bf187d89ffb5c5dcf5bdc3db7885",
"status": "affected",
"version": "7688143ca62edeecacb3ba0a2cea129dbd262a18",
"versionType": "git"
},
{
"lessThan": "271cd5429513ff9b364a9bf8903e5b65b687eb25",
"status": "affected",
"version": "63b51e8a9d54317d31cc3856c1e12407070d5fc2",
"versionType": "git"
},
{
"lessThan": "30d12ee310a6024ff4c7b9eafdbbeab2db450d4a",
"status": "affected",
"version": "3c817a60b09eaab926e475088e750936efcc95ae",
"versionType": "git"
},
{
"lessThan": "65bce27ea6192320448c30267ffc17ffa094e713",
"status": "affected",
"version": "0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.1-rc1"
},
{
"lessThan": "7.1-rc1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "7.1-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn4: Avoid overflow on msg bound check\n\nAs pointed out by SDL, the previous condition may be vulnerable to\noverflow.\n\n(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:33.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5bb5faff4837b1d98fd655cf8bd7b5d4da0fc4dc"
},
{
"url": "https://git.kernel.org/stable/c/73043d296787bf187d89ffb5c5dcf5bdc3db7885"
},
{
"url": "https://git.kernel.org/stable/c/271cd5429513ff9b364a9bf8903e5b65b687eb25"
},
{
"url": "https://git.kernel.org/stable/c/30d12ee310a6024ff4c7b9eafdbbeab2db450d4a"
},
{
"url": "https://git.kernel.org/stable/c/65bce27ea6192320448c30267ffc17ffa094e713"
}
],
"title": "drm/amdgpu/vcn4: Avoid overflow on msg bound check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46217",
"datePublished": "2026-05-28T09:40:33.705Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-05-28T09:40:33.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46216 (GCVE-0-2026-46216)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
When media GT is disabled via configfs, there is no allocation for
media_gt, which is kept as NULL. In such scenario,
intel_hdcp_gsc_check_status() results in a kernel pagefault error due to
&gt->uc.gsc being evaluated as an invalid memory address.
Fix that by introducing a NULL check on media_gt and bailing out early
if so.
While at it, also drop the NULL check for gsc, since it can't be NULL if
media_gt is not NULL.
v2:
- Get address for gsc only after checking that gt is not NULL.
(Shuicheng)
- Drop the NULL check for gsc. (Shuicheng)
v3:
- Add "Fixes" and "Cc: <stable...>" tags. (Matt)
(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 4af50beb4e0f9e6aed9cd53436c099f1dba826f1 , < d8ab4b47edf4578dbfbe5e95817107a514fa34cc (git); Affected: 4af50beb4e0f9e6aed9cd53436c099f1dba826f1 , < 60a1e131a811b68703da58fd805ab359b704ab03 (git) | |
| Linux | Linux | Affected: 6.10; Unaffected: 0 , < 6.10 (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/display/xe_hdcp_gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8ab4b47edf4578dbfbe5e95817107a514fa34cc",
"status": "affected",
"version": "4af50beb4e0f9e6aed9cd53436c099f1dba826f1",
"versionType": "git"
},
{
"lessThan": "60a1e131a811b68703da58fd805ab359b704ab03",
"status": "affected",
"version": "4af50beb4e0f9e6aed9cd53436c099f1dba826f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/display/xe_hdcp_gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()\n\nWhen media GT is disabled via configfs, there is no allocation for\nmedia_gt, which is kept as NULL. In such scenario,\nintel_hdcp_gsc_check_status() results in a kernel pagefault error due to\n\u0026gt-\u003euc.gsc being evaluated as an invalid memory address.\n\nFix that by introducing a NULL check on media_gt and bailing out early\nif so.\n\nWhile at it, also drop the NULL check for gsc, since it can\u0027t be NULL if\nmedia_gt is not NULL.\n\nv2:\n - Get address for gsc only after checking that gt is not NULL.\n (Shuicheng)\n - Drop the NULL check for gsc. (Shuicheng)\nv3:\n - Add \"Fixes\" and \"Cc: \u003cstable...\u003e\" tags. (Matt)\n\n(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:32.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8ab4b47edf4578dbfbe5e95817107a514fa34cc"
},
{
"url": "https://git.kernel.org/stable/c/60a1e131a811b68703da58fd805ab359b704ab03"
}
],
"title": "drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46216",
"datePublished": "2026-05-28T09:40:32.891Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-05-28T09:40:32.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46215 (GCVE-0-2026-46215)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
drm: Set old handle to NULL before prime swap in change_handle
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: Set old handle to NULL before prime swap in change_handle
There was a potential race condition in change_handle. The ioctl
briefly had a single object with two idr entries; a concurrent
gem_close could delete the object and remove one of the handles
while leaving the other one dangling, which could subsequently
be dereferenced for a use-after-free.
To fix this, do the same dance that gem_close itself does.
(f6cd7daecff5 drm: Release driver references to handle before making it available again)
First idr_replace the old handle to NULL. Later, if the prime
operations are successful, actually close it.
create_tail required a similar dance to avoid a similar problem.
(bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail())
It idr_allocs the new handle with NULL, then swaps in the correct
object later to avoid races. We don't need to do that here, since
the only operations that could race are drm_prime, and
change_handle holds the prime lock for the entire duration.
v2: cleanups of error paths
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 53096728b8910c6916ecc6c46a5abc5c678b58d9 , < 672464dd53231509c9c771110798c56d4660e19e (git); Affected: 53096728b8910c6916ecc6c46a5abc5c678b58d9 , < 61bd96d3e5472c253f9c1ab77608f0c8aaa9d025 (git); Affected: 53096728b8910c6916ecc6c46a5abc5c678b58d9 , < 5e28b7b94408897e41c63477aabc9e1db439bc8c (git) | |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "672464dd53231509c9c771110798c56d4660e19e",
"status": "affected",
"version": "53096728b8910c6916ecc6c46a5abc5c678b58d9",
"versionType": "git"
},
{
"lessThan": "61bd96d3e5472c253f9c1ab77608f0c8aaa9d025",
"status": "affected",
"version": "53096728b8910c6916ecc6c46a5abc5c678b58d9",
"versionType": "git"
},
{
"lessThan": "5e28b7b94408897e41c63477aabc9e1db439bc8c",
"status": "affected",
"version": "53096728b8910c6916ecc6c46a5abc5c678b58d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Set old handle to NULL before prime swap in change_handle\n\nThere was a potential race condition in change_handle. The ioctl\nbriefly had a single object with two idr entries; a concurrent\ngem_close could delete the object and remove one of the handles\nwhile leaving the other one dangling, which could subsequently\nbe dereferenced for a use-after-free.\n\nTo fix this, do the same dance that gem_close itself does.\n(f6cd7daecff5 drm: Release driver references to handle before making it available again)\nFirst idr_replace the old handle to NULL. Later, if the prime\noperations are successful, actually close it.\n\ncreate_tail required a similar dance to avoid a similar problem.\n(bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail())\nIt idr_allocs the new handle with NULL, then swaps in the correct\nobject later to avoid races. We don\u0027t need to do that here, since\nthe only operations that could race are drm_prime, and\nchange_handle holds the prime lock for the entire duration.\n\nv2: cleanups of error paths"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:32.050Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/672464dd53231509c9c771110798c56d4660e19e"
},
{
"url": "https://git.kernel.org/stable/c/61bd96d3e5472c253f9c1ab77608f0c8aaa9d025"
},
{
"url": "https://git.kernel.org/stable/c/5e28b7b94408897e41c63477aabc9e1db439bc8c"
}
],
"title": "drm: Set old handle to NULL before prime swap in change_handle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46215",
"datePublished": "2026-05-28T09:40:32.050Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-05-28T09:40:32.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46214 (GCVE-0-2026-46214)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
vsock/virtio: fix accept queue count leak on transport mismatch
Summary
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: fix accept queue count leak on transport mismatch

virtio_transport_recv_listen() calls sk_acceptq_added() before
vsock_assign_transport(). If vsock_assign_transport() fails or
selects a different transport, the error path returns without
calling sk_acceptq_removed(), permanently incrementing
sk_ack_backlog.

After approximately backlog+1 such failures, sk_acceptq_is_full()
returns true, causing the listener to reject all new connections.

Fix by moving sk_acceptq_added() to after the transport validation,
matching the pattern used by vmci_transport and hyperv_transport.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 65c484726e74013a2ec7ba67a34d87760ae8f390 (git); Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 29371f3cc83e2a92265b4768014a30b80234112f (git); Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < e9edf9893cf26d060705c910a9b62d8cc96ed56a (git); Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 6d3275fc4ed968938e1d556c344798046776668d (git); Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 52bcb57a4e8a0865a76c587c2451906342ae1b2d (git) |
| Linux | Linux | Affected: 5.5; Unaffected: 0 , < 5.5 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65c484726e74013a2ec7ba67a34d87760ae8f390",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "29371f3cc83e2a92265b4768014a30b80234112f",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "e9edf9893cf26d060705c910a9b62d8cc96ed56a",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "6d3275fc4ed968938e1d556c344798046776668d",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "52bcb57a4e8a0865a76c587c2451906342ae1b2d",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix accept queue count leak on transport mismatch\n\nvirtio_transport_recv_listen() calls sk_acceptq_added() before\nvsock_assign_transport(). If vsock_assign_transport() fails or\nselects a different transport, the error path returns without\ncalling sk_acceptq_removed(), permanently incrementing\nsk_ack_backlog.\n\nAfter approximately backlog+1 such failures, sk_acceptq_is_full()\nreturns true, causing the listener to reject all new connections.\n\nFix by moving sk_acceptq_added() to after the transport validation,\nmatching the pattern used by vmci_transport and hyperv_transport."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:31.245Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390"
},
{
"url": "https://git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112f"
},
{
"url": "https://git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56a"
},
{
"url": "https://git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668d"
},
{
"url": "https://git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2d"
}
],
"title": "vsock/virtio: fix accept queue count leak on transport mismatch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46214",
"datePublished": "2026-05-28T09:40:31.245Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-05-28T09:40:31.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46213 (GCVE-0-2026-46213)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
HID: appletb-kbd: fix UAF in inactivity-timer cleanup path
Summary
In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: fix UAF in inactivity-timer cleanup path

Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in
appletb_kbd_probe") added timer_delete_sync(&kbd->inactivity_timer) to
both the probe close_hw error path and appletb_kbd_remove(), but the
way it was wired in left the inactivity timer reachable during driver
tear-down via two distinct windows.

Window A -- put_device() before timer_delete_sync():

    put_device(&kbd->backlight_dev->dev);
    timer_delete_sync(&kbd->inactivity_timer);

The inactivity_timer softirq reads kbd->backlight_dev and calls
backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a
concurrent hid_appletb_bl unbind drops the last devm reference
between these two calls, the backlight_device is freed and the
mutex_lock() touches freed memory.

Window B -- backlight cleanup before hid_hw_stop():

    if (kbd->backlight_dev) {
        timer_delete_sync(...);
        put_device(...);
    }
    hid_hw_close(hdev);
    hid_hw_stop(hdev);

Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run
afterwards, so a late ".event" callback from the HID core (USB URB
completion on real Apple hardware) can arrive after
timer_delete_sync() drained the softirq but before put_device() drops
the reference. That callback reaches reset_inactivity_timer(), which
calls mod_timer() and re-arms the timer. The freshly re-armed timer
can then fire on the about-to-be-freed backlight_device.

Both windows produce the same KASAN slab-use-after-free:

  BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0
  Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0
  Call Trace:
    <IRQ>
    __mutex_lock
    backlight_device_set_brightness
    appletb_inactivity_timer
    call_timer_fn
    run_timer_softirq
    handle_softirqs
  Allocated by task N:
    devm_backlight_device_register
    appletb_bl_probe
  Freed by task M:
    (concurrent hid_appletb_bl unbind path)

Close both windows at once by reworking the tear-down in
appletb_kbd_remove() and in the probe close_hw error path so that

  1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,
     guaranteeing no further .event callback can fire and re-arm the
     timer, and
  2) inside the "if (kbd->backlight_dev)" block, timer_delete_sync()
     runs before put_device(), so the softirq is drained before the
     final reference is dropped.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 38224c472a038fa9ccd4085511dd9f3d6119dbf9 , < 59a79938ca5541fe55d675304116b7ea684afef0 (git); Affected: 38224c472a038fa9ccd4085511dd9f3d6119dbf9 , < 93d989e47bc316c793a69c6a332e053c90e29f02 (git); Affected: 38224c472a038fa9ccd4085511dd9f3d6119dbf9 , < 4db2af929279c799b5653a39eb0795c72baffca4 (git); Affected: 51720dee3a61ebace36c3dcdd0b4a488e0970f29 (git); Affected: 6.15.6 , < 6.16 (semver) |
| Linux | Linux | Affected: 6.16; Unaffected: 0 , < 6.16 (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-appletb-kbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59a79938ca5541fe55d675304116b7ea684afef0",
"status": "affected",
"version": "38224c472a038fa9ccd4085511dd9f3d6119dbf9",
"versionType": "git"
},
{
"lessThan": "93d989e47bc316c793a69c6a332e053c90e29f02",
"status": "affected",
"version": "38224c472a038fa9ccd4085511dd9f3d6119dbf9",
"versionType": "git"
},
{
"lessThan": "4db2af929279c799b5653a39eb0795c72baffca4",
"status": "affected",
"version": "38224c472a038fa9ccd4085511dd9f3d6119dbf9",
"versionType": "git"
},
{
"status": "affected",
"version": "51720dee3a61ebace36c3dcdd0b4a488e0970f29",
"versionType": "git"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-appletb-kbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc4",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix UAF in inactivity-timer cleanup path\n\nCommit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in\nappletb_kbd_probe\") added timer_delete_sync(\u0026kbd-\u003einactivity_timer) to\nboth the probe close_hw error path and appletb_kbd_remove(), but the\nway it was wired in left the inactivity timer reachable during driver\ntear-down via two distinct windows.\n\nWindow A -- put_device() before timer_delete_sync():\n\n\tput_device(\u0026kbd-\u003ebacklight_dev-\u003edev);\n\ttimer_delete_sync(\u0026kbd-\u003einactivity_timer);\n\nThe inactivity_timer softirq reads kbd-\u003ebacklight_dev and calls\nbacklight_device_set_brightness() -\u003e mutex_lock(\u0026ops_lock). If a\nconcurrent hid_appletb_bl unbind drops the last devm reference\nbetween these two calls, the backlight_device is freed and the\nmutex_lock() touches freed memory.\n\nWindow B -- backlight cleanup before hid_hw_stop():\n\n\tif (kbd-\u003ebacklight_dev) {\n\t\ttimer_delete_sync(...);\n\t\tput_device(...);\n\t}\n\thid_hw_close(hdev);\n\thid_hw_stop(hdev);\n\nEven after Window A is closed, hid_hw_close()/hid_hw_stop() still run\nafterwards, so a late \".event\" callback from the HID core (USB URB\ncompletion on real Apple hardware) can arrive after\ntimer_delete_sync() drained the softirq but before put_device() drops\nthe reference. That callback reaches reset_inactivity_timer(), which\ncalls mod_timer() and re-arms the timer. The freshly re-armed timer\ncan then fire on the about-to-be-freed backlight_device.\n\nBoth windows produce the same KASAN slab-use-after-free:\n\n BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0\n Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0\n Call Trace:\n \u003cIRQ\u003e\n __mutex_lock\n backlight_device_set_brightness\n appletb_inactivity_timer\n call_timer_fn\n run_timer_softirq\n handle_softirqs\n Allocated by task N:\n devm_backlight_device_register\n appletb_bl_probe\n Freed by task M:\n (concurrent hid_appletb_bl unbind path)\n\nClose both windows at once by reworking the tear-down in\nappletb_kbd_remove() and in the probe close_hw error path so that\n\n 1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,\n guaranteeing no further .event callback can fire and re-arm the\n timer, and\n 2) inside the \"if (kbd-\u003ebacklight_dev)\" block, timer_delete_sync()\n runs before put_device(), so the softirq is drained before the\n final reference is dropped."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:30.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59a79938ca5541fe55d675304116b7ea684afef0"
},
{
"url": "https://git.kernel.org/stable/c/93d989e47bc316c793a69c6a332e053c90e29f02"
},
{
"url": "https://git.kernel.org/stable/c/4db2af929279c799b5653a39eb0795c72baffca4"
}
],
"title": "HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46213",
"datePublished": "2026-05-28T09:40:30.429Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-05-28T09:40:30.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46212 (GCVE-0-2026-46212)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
Title
batman-adv: bla: prevent use-after-free when deleting claims
Summary
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bla: prevent use-after-free when deleting claims

When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
does this by dropping the link entry in the hash list. This list entry
itself was one of the references which need to be dropped at the same time
via batadv_claim_put().

But the batadv_claim_put() must not be done before the last access to the
claim object in this function. Otherwise the claim might be freed already
by the batadv_claim_release() function before the list entry was dropped.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 368449e467d5f1e2c2e987bf2bd57000ba75e10b (git); Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472 (git); Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401 (git); Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 0cc9847c64cb6e61118bc78c9187c8209a7197fa (git); Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 4ae1709a314060a196981b344610d023ea841e57 (git) |
| Linux | Linux | Affected: 3.5; Unaffected: 0 , < 3.5 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "368449e467d5f1e2c2e987bf2bd57000ba75e10b",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "0cc9847c64cb6e61118bc78c9187c8209a7197fa",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "4ae1709a314060a196981b344610d023ea841e57",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc4",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: prevent use-after-free when deleting claims\n\nWhen batadv_bla_del_backbone_claims() removes all claims for a backbone, it\ndoes this by dropping the link entry in the hash list. This list entry\nitself was one of the references which need to be dropped at the same time\nvia batadv_claim_put().\n\nBut the batadv_claim_put() must not be done before the last access to the\nclaim object in this function. Otherwise the claim might be freed already\nby the batadv_claim_release() function before the list entry was dropped."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T09:40:29.712Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/368449e467d5f1e2c2e987bf2bd57000ba75e10b"
},
{
"url": "https://git.kernel.org/stable/c/6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472"
},
{
"url": "https://git.kernel.org/stable/c/00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401"
},
{
"url": "https://git.kernel.org/stable/c/0cc9847c64cb6e61118bc78c9187c8209a7197fa"
},
{
"url": "https://git.kernel.org/stable/c/4ae1709a314060a196981b344610d023ea841e57"
}
],
"title": "batman-adv: bla: prevent use-after-free when deleting claims",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46212",
"datePublished": "2026-05-28T09:40:29.712Z",
"dateReserved": "2026-05-13T15:03:33.105Z",
"dateUpdated": "2026-05-28T09:40:29.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}