Search
Find a vulnerability
Search criteria
13298 vulnerabilities
CVE-2026-64186 (GCVE-0-2026-64186)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
In iommu_mmio_write() and iommu_capability_write(), the variables
dbg_mmio_offset and dbg_cap_offset are declared as int. However, they
are populated using kstrtou32_from_user(). If a user provides a
sufficiently large value, it can become a negative integer.
Prior to this patch, the AMD IOMMU debugfs implementation was already
protected by different mechanisms.
1. #define OFS_IN_SZ 8 ensures the user string <= 8 bytes, so
e.g. 0xffffffff isn't a valid input.
if (cnt > OFS_IN_SZ)
return -EINVAL;
2. Implicit type promotion in iommu_mmio_write(), dbg_mmio_offset is int
and iommu->mmio_phys_end is u64
if (dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))
return -EINVAL;
3. The show handlers would currently catch the negative number and
refuse to perform the read.
Replace kstrtou32_from_user() with kstrtos32_from_user() to parse the
input, and check for negative values to explicitly prevent out-of-bounds
memory accesses directly in iommu_mmio_write() and
iommu_capability_write().
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7a4ee419e8c144b747a8915856e91a034d7c8f34 , < 488d2c76bd9f78433a70690d1054bfae3d39a407
(git)
Affected: 7a4ee419e8c144b747a8915856e91a034d7c8f34 , < 62f9dfbf1aceae88b03c5ca08f7d36e943939dec (git) Affected: 7a4ee419e8c144b747a8915856e91a034d7c8f34 , < 8dfd3d8d74435344ee8dc9237596959c8b2a6cbe (git) |
|
| Linux | Linux |
Affected:
6.17
Unaffected: 0 , < 6.17 (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "488d2c76bd9f78433a70690d1054bfae3d39a407",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
},
{
"lessThan": "62f9dfbf1aceae88b03c5ca08f7d36e943939dec",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
},
{
"lessThan": "8dfd3d8d74435344ee8dc9237596959c8b2a6cbe",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Remove latent out-of-bounds access in IOMMU debugfs\n\nIn iommu_mmio_write() and iommu_capability_write(), the variables\ndbg_mmio_offset and dbg_cap_offset are declared as int. However, they\nare populated using kstrtou32_from_user(). If a user provides a\nsufficiently large value, it can become a negative integer.\n\nPrior to this patch, the AMD IOMMU debugfs implementation was already\nprotected by different mechanisms.\n\n1. #define OFS_IN_SZ 8 ensures the user string \u003c= 8 bytes, so\n e.g. 0xffffffff isn\u0027t a valid input.\n\n if (cnt \u003e OFS_IN_SZ)\n return -EINVAL;\n\n2. Implicit type promotion in iommu_mmio_write(), dbg_mmio_offset is int\n and iommu-\u003emmio_phys_end is u64\n\n if (dbg_mmio_offset \u003e iommu-\u003emmio_phys_end - sizeof(u64))\n return -EINVAL;\n\n3. The show handlers would currently catch the negative number and\n refuse to perform the read.\n\nReplace kstrtou32_from_user() with kstrtos32_from_user() to parse the\ninput, and check for negative values to explicitly prevent out-of-bounds\nmemory accesses directly in iommu_mmio_write() and\niommu_capability_write()."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:08.054Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/488d2c76bd9f78433a70690d1054bfae3d39a407"
},
{
"url": "https://git.kernel.org/stable/c/62f9dfbf1aceae88b03c5ca08f7d36e943939dec"
},
{
"url": "https://git.kernel.org/stable/c/8dfd3d8d74435344ee8dc9237596959c8b2a6cbe"
}
],
"title": "iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64186",
"datePublished": "2026-07-19T15:41:08.054Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:08.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64185 (GCVE-0-2026-64185)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
sysfs: don't remove existing directory on update failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
sysfs: don't remove existing directory on update failure
When sysfs_update_group() is called for a named group and create_files()
fails (e.g. -ENOMEM), internal_create_group() calls kernfs_remove(kn) on
the group directory. In the update path, kn was obtained via
kernfs_find_and_get() and refers to a directory that already existed
before this call. Removing it silently destroys a sysfs group that the
caller did not create.
Only remove the directory if we created it ourselves. On update failure
the directory remains as it is left empty by remove_files() inside
create_files(), but can be repopulated by a retry.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c855cf2759d27142f771173d9fd8e7fdf9cf5138 , < c5e125c828b701afaf7493b42a14aa89362ff36d
(git)
Affected: c855cf2759d27142f771173d9fd8e7fdf9cf5138 , < ccadd32cc1263802a5969c9efe0e96225450428c (git) Affected: c855cf2759d27142f771173d9fd8e7fdf9cf5138 , < 14f2c14ae86c4af17a0a9f8ab46dacf2d5fd1d8a (git) Affected: c855cf2759d27142f771173d9fd8e7fdf9cf5138 , < 31527d80234caf83dc96ad478645e57df9de4472 (git) Affected: c855cf2759d27142f771173d9fd8e7fdf9cf5138 , < 57b285e0368290aa55f79ba11419b96d0ebdb418 (git) Affected: c855cf2759d27142f771173d9fd8e7fdf9cf5138 , < 48fa96538bd2868034d33429e4565fda384d0736 (git) Affected: c855cf2759d27142f771173d9fd8e7fdf9cf5138 , < 708f6926f61f71e09b5e9fd668b9882ccd46e69f (git) Affected: c855cf2759d27142f771173d9fd8e7fdf9cf5138 , < 237557b8a81ab948e8332f7c0058e758f081c0a3 (git) |
|
| Linux | Linux |
Affected:
4.19
Unaffected: 0 , < 4.19 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/sysfs/group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5e125c828b701afaf7493b42a14aa89362ff36d",
"status": "affected",
"version": "c855cf2759d27142f771173d9fd8e7fdf9cf5138",
"versionType": "git"
},
{
"lessThan": "ccadd32cc1263802a5969c9efe0e96225450428c",
"status": "affected",
"version": "c855cf2759d27142f771173d9fd8e7fdf9cf5138",
"versionType": "git"
},
{
"lessThan": "14f2c14ae86c4af17a0a9f8ab46dacf2d5fd1d8a",
"status": "affected",
"version": "c855cf2759d27142f771173d9fd8e7fdf9cf5138",
"versionType": "git"
},
{
"lessThan": "31527d80234caf83dc96ad478645e57df9de4472",
"status": "affected",
"version": "c855cf2759d27142f771173d9fd8e7fdf9cf5138",
"versionType": "git"
},
{
"lessThan": "57b285e0368290aa55f79ba11419b96d0ebdb418",
"status": "affected",
"version": "c855cf2759d27142f771173d9fd8e7fdf9cf5138",
"versionType": "git"
},
{
"lessThan": "48fa96538bd2868034d33429e4565fda384d0736",
"status": "affected",
"version": "c855cf2759d27142f771173d9fd8e7fdf9cf5138",
"versionType": "git"
},
{
"lessThan": "708f6926f61f71e09b5e9fd668b9882ccd46e69f",
"status": "affected",
"version": "c855cf2759d27142f771173d9fd8e7fdf9cf5138",
"versionType": "git"
},
{
"lessThan": "237557b8a81ab948e8332f7c0058e758f081c0a3",
"status": "affected",
"version": "c855cf2759d27142f771173d9fd8e7fdf9cf5138",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/sysfs/group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysfs: don\u0027t remove existing directory on update failure\n\nWhen sysfs_update_group() is called for a named group and create_files()\nfails (e.g. -ENOMEM), internal_create_group() calls kernfs_remove(kn) on\nthe group directory. In the update path, kn was obtained via\nkernfs_find_and_get() and refers to a directory that already existed\nbefore this call. Removing it silently destroys a sysfs group that the\ncaller did not create.\n\nOnly remove the directory if we created it ourselves. On update failure\nthe directory remains as it is left empty by remove_files() inside\ncreate_files(), but can be repopulated by a retry."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:07.340Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5e125c828b701afaf7493b42a14aa89362ff36d"
},
{
"url": "https://git.kernel.org/stable/c/ccadd32cc1263802a5969c9efe0e96225450428c"
},
{
"url": "https://git.kernel.org/stable/c/14f2c14ae86c4af17a0a9f8ab46dacf2d5fd1d8a"
},
{
"url": "https://git.kernel.org/stable/c/31527d80234caf83dc96ad478645e57df9de4472"
},
{
"url": "https://git.kernel.org/stable/c/57b285e0368290aa55f79ba11419b96d0ebdb418"
},
{
"url": "https://git.kernel.org/stable/c/48fa96538bd2868034d33429e4565fda384d0736"
},
{
"url": "https://git.kernel.org/stable/c/708f6926f61f71e09b5e9fd668b9882ccd46e69f"
},
{
"url": "https://git.kernel.org/stable/c/237557b8a81ab948e8332f7c0058e758f081c0a3"
}
],
"title": "sysfs: don\u0027t remove existing directory on update failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64185",
"datePublished": "2026-07-19T15:41:07.340Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:07.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64184 (GCVE-0-2026-64184)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()
damon_sysfs_memcg_path_to_id() breaks mem_cgroup_iter() loop without
calling mem_cgroup_iter_break(). This leaks the cgroup reference. Fix
the issue by calling mem_cgroup_iter_break() before the break.
The issue was discovered [1] by Sashiko.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
29cbb9a13f05b20f0777c60db9603730b487a4e0 , < 082351f9d40007414ad6af062b3a26fa02fd4b5f
(git)
Affected: 29cbb9a13f05b20f0777c60db9603730b487a4e0 , < 30a361be33f3793b9ecbd10ab7be6d0564819b79 (git) Affected: 29cbb9a13f05b20f0777c60db9603730b487a4e0 , < 302e02f9ba49f81418ec2a749ae6f5cac1d424e9 (git) Affected: 29cbb9a13f05b20f0777c60db9603730b487a4e0 , < 1bd31386ec3b9ccec10c04429948a306ec5897c0 (git) Affected: 29cbb9a13f05b20f0777c60db9603730b487a4e0 , < d4e7b5c4cc353f154d5ab8bb2e1ce7714d77a6e9 (git) |
|
| Linux | Linux |
Affected:
6.3
Unaffected: 0 , < 6.3 (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs-schemes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "082351f9d40007414ad6af062b3a26fa02fd4b5f",
"status": "affected",
"version": "29cbb9a13f05b20f0777c60db9603730b487a4e0",
"versionType": "git"
},
{
"lessThan": "30a361be33f3793b9ecbd10ab7be6d0564819b79",
"status": "affected",
"version": "29cbb9a13f05b20f0777c60db9603730b487a4e0",
"versionType": "git"
},
{
"lessThan": "302e02f9ba49f81418ec2a749ae6f5cac1d424e9",
"status": "affected",
"version": "29cbb9a13f05b20f0777c60db9603730b487a4e0",
"versionType": "git"
},
{
"lessThan": "1bd31386ec3b9ccec10c04429948a306ec5897c0",
"status": "affected",
"version": "29cbb9a13f05b20f0777c60db9603730b487a4e0",
"versionType": "git"
},
{
"lessThan": "d4e7b5c4cc353f154d5ab8bb2e1ce7714d77a6e9",
"status": "affected",
"version": "29cbb9a13f05b20f0777c60db9603730b487a4e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs-schemes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()\n\ndamon_sysfs_memcg_path_to_id() breaks mem_cgroup_iter() loop without\ncalling mem_cgroup_iter_break(). This leaks the cgroup reference. Fix\nthe issue by calling mem_cgroup_iter_break() before the break.\n\nThe issue was discovered [1] by Sashiko."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:06.615Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/082351f9d40007414ad6af062b3a26fa02fd4b5f"
},
{
"url": "https://git.kernel.org/stable/c/30a361be33f3793b9ecbd10ab7be6d0564819b79"
},
{
"url": "https://git.kernel.org/stable/c/302e02f9ba49f81418ec2a749ae6f5cac1d424e9"
},
{
"url": "https://git.kernel.org/stable/c/1bd31386ec3b9ccec10c04429948a306ec5897c0"
},
{
"url": "https://git.kernel.org/stable/c/d4e7b5c4cc353f154d5ab8bb2e1ce7714d77a6e9"
}
],
"title": "mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64184",
"datePublished": "2026-07-19T15:41:06.615Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:06.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64183 (GCVE-0-2026-64183)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
efi: Allocate runtime workqueue before ACPI init
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: Allocate runtime workqueue before ACPI init
Since commit
5894cf571e14 ("acpi/prmt: Use EFI runtime sandbox to invoke PRM handlers")
ACPI PRM calls are delegated to a workqueue which runs in a kernel
thread, making it easier to detect and mitigate faulting memory accesses
performed by the firmware.
Rafael reports that such PRM accesses may occur before efisubsys_init()
executes, which is where the workqueue is allocated, leading to NULL
pointer dereferences. Since acpi_init() [which triggers the early PRM
accesses] executes as a subsys_initcall() as well, and has its own
dependencies that may be sensitive to initcall ordering, deferring
acpi_init() is not an option.
So instead, split off the workqueue allocation into its own postcore
initcall, as this is the only missing piece to allow EFI runtime calls
to be made. This ensures that EFI runtime call (including PRM calls) are
accessible to all code running at subsys_initcall() level.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5894cf571e14fb393a4d0a82538de032127b9d8b , < 29cd94e678fcb3c4fd0f359deeac6d61334323fc
(git)
Affected: 5894cf571e14fb393a4d0a82538de032127b9d8b , < 6996e954ae830f5b793ba6cf449885ca519dbdd2 (git) Affected: 5894cf571e14fb393a4d0a82538de032127b9d8b , < c32a1fbe0f9a48453a552bb315cc4f1e7a74084e (git) Affected: 5894cf571e14fb393a4d0a82538de032127b9d8b , < e871549f7894ad4114b3dd53f241aa25a268ba8b (git) Affected: 5894cf571e14fb393a4d0a82538de032127b9d8b , < 13c6da02e767152c9ac4330962247a5e47011035 (git) |
|
| Linux | Linux |
Affected:
6.6
Unaffected: 0 , < 6.6 (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29cd94e678fcb3c4fd0f359deeac6d61334323fc",
"status": "affected",
"version": "5894cf571e14fb393a4d0a82538de032127b9d8b",
"versionType": "git"
},
{
"lessThan": "6996e954ae830f5b793ba6cf449885ca519dbdd2",
"status": "affected",
"version": "5894cf571e14fb393a4d0a82538de032127b9d8b",
"versionType": "git"
},
{
"lessThan": "c32a1fbe0f9a48453a552bb315cc4f1e7a74084e",
"status": "affected",
"version": "5894cf571e14fb393a4d0a82538de032127b9d8b",
"versionType": "git"
},
{
"lessThan": "e871549f7894ad4114b3dd53f241aa25a268ba8b",
"status": "affected",
"version": "5894cf571e14fb393a4d0a82538de032127b9d8b",
"versionType": "git"
},
{
"lessThan": "13c6da02e767152c9ac4330962247a5e47011035",
"status": "affected",
"version": "5894cf571e14fb393a4d0a82538de032127b9d8b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: Allocate runtime workqueue before ACPI init\n\nSince commit\n\n 5894cf571e14 (\"acpi/prmt: Use EFI runtime sandbox to invoke PRM handlers\")\n\nACPI PRM calls are delegated to a workqueue which runs in a kernel\nthread, making it easier to detect and mitigate faulting memory accesses\nperformed by the firmware.\n\nRafael reports that such PRM accesses may occur before efisubsys_init()\nexecutes, which is where the workqueue is allocated, leading to NULL\npointer dereferences. Since acpi_init() [which triggers the early PRM\naccesses] executes as a subsys_initcall() as well, and has its own\ndependencies that may be sensitive to initcall ordering, deferring\nacpi_init() is not an option.\n\nSo instead, split off the workqueue allocation into its own postcore\ninitcall, as this is the only missing piece to allow EFI runtime calls\nto be made. This ensures that EFI runtime call (including PRM calls) are\naccessible to all code running at subsys_initcall() level."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:05.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29cd94e678fcb3c4fd0f359deeac6d61334323fc"
},
{
"url": "https://git.kernel.org/stable/c/6996e954ae830f5b793ba6cf449885ca519dbdd2"
},
{
"url": "https://git.kernel.org/stable/c/c32a1fbe0f9a48453a552bb315cc4f1e7a74084e"
},
{
"url": "https://git.kernel.org/stable/c/e871549f7894ad4114b3dd53f241aa25a268ba8b"
},
{
"url": "https://git.kernel.org/stable/c/13c6da02e767152c9ac4330962247a5e47011035"
}
],
"title": "efi: Allocate runtime workqueue before ACPI init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64183",
"datePublished": "2026-07-19T15:41:05.896Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:05.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64182 (GCVE-0-2026-64182)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
drivers/base/memory: fix memory block reference leak in poison accounting
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers/base/memory: fix memory block reference leak in poison accounting
memblk_nr_poison_inc() and memblk_nr_poison_sub() look up a memory block
via find_memory_block_by_id(), which acquires a reference to the memory
block device.
Both helpers use the returned memory block without dropping that
reference, leaking the device reference on each successful lookup. Drop
the reference after updating nr_hwpoison.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5033091de814ab4b5623faed2755f3064e19e2d2 , < 686b4283f82cd630fafd7ca9b03dfc080b3ec8fa
(git)
Affected: 5033091de814ab4b5623faed2755f3064e19e2d2 , < ce60d9452a0f2effa72fd20ea270c59ca691d455 (git) Affected: 5033091de814ab4b5623faed2755f3064e19e2d2 , < 24840b3139d7415144b81e4f9f4c44670d15bed9 (git) Affected: 5033091de814ab4b5623faed2755f3064e19e2d2 , < 8502e2c2d0633f99d94d22ae8dabc10caae1fc2a (git) Affected: 5033091de814ab4b5623faed2755f3064e19e2d2 , < 03a2cc1756a0570f887d624cd6c535ea0cbd4951 (git) |
|
| Linux | Linux |
Affected:
6.2
Unaffected: 0 , < 6.2 (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "686b4283f82cd630fafd7ca9b03dfc080b3ec8fa",
"status": "affected",
"version": "5033091de814ab4b5623faed2755f3064e19e2d2",
"versionType": "git"
},
{
"lessThan": "ce60d9452a0f2effa72fd20ea270c59ca691d455",
"status": "affected",
"version": "5033091de814ab4b5623faed2755f3064e19e2d2",
"versionType": "git"
},
{
"lessThan": "24840b3139d7415144b81e4f9f4c44670d15bed9",
"status": "affected",
"version": "5033091de814ab4b5623faed2755f3064e19e2d2",
"versionType": "git"
},
{
"lessThan": "8502e2c2d0633f99d94d22ae8dabc10caae1fc2a",
"status": "affected",
"version": "5033091de814ab4b5623faed2755f3064e19e2d2",
"versionType": "git"
},
{
"lessThan": "03a2cc1756a0570f887d624cd6c535ea0cbd4951",
"status": "affected",
"version": "5033091de814ab4b5623faed2755f3064e19e2d2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/base/memory: fix memory block reference leak in poison accounting\n\nmemblk_nr_poison_inc() and memblk_nr_poison_sub() look up a memory block\nvia find_memory_block_by_id(), which acquires a reference to the memory\nblock device.\n\nBoth helpers use the returned memory block without dropping that\nreference, leaking the device reference on each successful lookup. Drop\nthe reference after updating nr_hwpoison."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:05.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/686b4283f82cd630fafd7ca9b03dfc080b3ec8fa"
},
{
"url": "https://git.kernel.org/stable/c/ce60d9452a0f2effa72fd20ea270c59ca691d455"
},
{
"url": "https://git.kernel.org/stable/c/24840b3139d7415144b81e4f9f4c44670d15bed9"
},
{
"url": "https://git.kernel.org/stable/c/8502e2c2d0633f99d94d22ae8dabc10caae1fc2a"
},
{
"url": "https://git.kernel.org/stable/c/03a2cc1756a0570f887d624cd6c535ea0cbd4951"
}
],
"title": "drivers/base/memory: fix memory block reference leak in poison accounting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64182",
"datePublished": "2026-07-19T15:41:05.186Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:05.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64181 (GCVE-0-2026-64181)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special()
On x86 32-bit with THP enabled, zap_huge_pmd() is seen to generate a
"WARNING: mm/memory.c:735 at __vm_normal_page+0x6a/0x7d", from the
VM_WARN_ON_ONCE(is_zero_pfn(pfn) || is_huge_zero_pfn(pfn)); followed by
"BUG: Bad rss-counter state"s, then later "BUG: Bad page state"s when
reclaim gets to call shrink_huge_zero_folio_scan().
It's as if the _PAGE_SPECIAL bit never got set in the huge_zero pmd: and
indeed, whereas pte_special() and pte_mkspecial() are subject to a
dedicated CONFIG_ARCH_HAS_PTE_SPECIAL, pmd_special() and pmd_mkspecial()
are subject to CONFIG_ARCH_SUPPORTS_PMD_PFNMAP, which is never enabled on
any 32-bit architecture.
While the problem was exposed through commit d80a9cb1a64a
("mm/huge_memory: add and use normal_or_softleaf_folio_pmd()"), it was an
oversight in commit af38538801c6 ("mm/memory: factor out common code from
vm_normal_page_*()") and would result in other problems:
* huge zero folio accounted in smaps, pagemap (PAGE_IS_FILE) and
numamaps as file-backed THP
* folio_walk_start() returning the folio even without FW_ZEROPAGE set.
Callers seem to tolerate that, though.
... and triggering the VM_WARN_ON_ONE(), although never reported so far.
To fix it, teach vm_normal_page_pmd()/vm_normal_page_pud() to consider
whether pmd_special/pud_special is actually implemented.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
af38538801c6a97565b44700ee6695d7d60ad779 , < 62153767e8fc3889bc6508e9ffe927aaf64c4334
(git)
Affected: af38538801c6a97565b44700ee6695d7d60ad779 , < 9052ea2ee2233be5d4786b8909151ca2bfbedf99 (git) Affected: af38538801c6a97565b44700ee6695d7d60ad779 , < c0c6ccd9828c3a1950623b546fa57292a77b5c73 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62153767e8fc3889bc6508e9ffe927aaf64c4334",
"status": "affected",
"version": "af38538801c6a97565b44700ee6695d7d60ad779",
"versionType": "git"
},
{
"lessThan": "9052ea2ee2233be5d4786b8909151ca2bfbedf99",
"status": "affected",
"version": "af38538801c6a97565b44700ee6695d7d60ad779",
"versionType": "git"
},
{
"lessThan": "c0c6ccd9828c3a1950623b546fa57292a77b5c73",
"status": "affected",
"version": "af38538801c6a97565b44700ee6695d7d60ad779",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special()\n\nOn x86 32-bit with THP enabled, zap_huge_pmd() is seen to generate a\n\"WARNING: mm/memory.c:735 at __vm_normal_page+0x6a/0x7d\", from the\nVM_WARN_ON_ONCE(is_zero_pfn(pfn) || is_huge_zero_pfn(pfn)); followed by\n\"BUG: Bad rss-counter state\"s, then later \"BUG: Bad page state\"s when\nreclaim gets to call shrink_huge_zero_folio_scan().\n\nIt\u0027s as if the _PAGE_SPECIAL bit never got set in the huge_zero pmd: and\nindeed, whereas pte_special() and pte_mkspecial() are subject to a\ndedicated CONFIG_ARCH_HAS_PTE_SPECIAL, pmd_special() and pmd_mkspecial()\nare subject to CONFIG_ARCH_SUPPORTS_PMD_PFNMAP, which is never enabled on\nany 32-bit architecture.\n\nWhile the problem was exposed through commit d80a9cb1a64a\n(\"mm/huge_memory: add and use normal_or_softleaf_folio_pmd()\"), it was an\noversight in commit af38538801c6 (\"mm/memory: factor out common code from\nvm_normal_page_*()\") and would result in other problems:\n* huge zero folio accounted in smaps, pagemap (PAGE_IS_FILE) and\n numamaps as file-backed THP\n* folio_walk_start() returning the folio even without FW_ZEROPAGE set.\n Callers seem to tolerate that, though.\n\n... and triggering the VM_WARN_ON_ONE(), although never reported so far.\n\nTo fix it, teach vm_normal_page_pmd()/vm_normal_page_pud() to consider\nwhether pmd_special/pud_special is actually implemented."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:04.455Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62153767e8fc3889bc6508e9ffe927aaf64c4334"
},
{
"url": "https://git.kernel.org/stable/c/9052ea2ee2233be5d4786b8909151ca2bfbedf99"
},
{
"url": "https://git.kernel.org/stable/c/c0c6ccd9828c3a1950623b546fa57292a77b5c73"
}
],
"title": "mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64181",
"datePublished": "2026-07-19T15:41:04.455Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:04.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64180 (GCVE-0-2026-64180)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
mm/memory_hotplug: fix memory block reference leak on remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/memory_hotplug: fix memory block reference leak on remove
Patch series "mm: Fix memory block leaks and locking", v2.
This series fixes two memory block device reference leaks and one locking
issue around the per-memory_block hwpoison counter.
This patch (of 2):
remove_memory_blocks_and_altmaps() looks up each memory block with
find_memory_block(), which acquires a reference to the memory block
device.
That reference is never dropped on this path, resulting in a leaked device
reference when removing memory blocks and their altmaps. Drop the
reference after retrieving mem->altmap and clearing mem->altmap, before
removing the memory block device.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6b8f0798b85aa529011570369db985a788f3003f , < b8ab30c79fc00147125b9c39f928561d9dd13d06
(git)
Affected: 6b8f0798b85aa529011570369db985a788f3003f , < 09ce923071e7852ece60d7368e05249bf32c7967 (git) Affected: 6b8f0798b85aa529011570369db985a788f3003f , < df64c0d21c3f85f844b2f656333e43d97e6ffa74 (git) Affected: 6b8f0798b85aa529011570369db985a788f3003f , < 93866f55f7e292fe3d47d36c9efe5ee10213a06b (git) |
|
| Linux | Linux |
Affected:
6.8
Unaffected: 0 , < 6.8 (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory_hotplug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8ab30c79fc00147125b9c39f928561d9dd13d06",
"status": "affected",
"version": "6b8f0798b85aa529011570369db985a788f3003f",
"versionType": "git"
},
{
"lessThan": "09ce923071e7852ece60d7368e05249bf32c7967",
"status": "affected",
"version": "6b8f0798b85aa529011570369db985a788f3003f",
"versionType": "git"
},
{
"lessThan": "df64c0d21c3f85f844b2f656333e43d97e6ffa74",
"status": "affected",
"version": "6b8f0798b85aa529011570369db985a788f3003f",
"versionType": "git"
},
{
"lessThan": "93866f55f7e292fe3d47d36c9efe5ee10213a06b",
"status": "affected",
"version": "6b8f0798b85aa529011570369db985a788f3003f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory_hotplug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory_hotplug: fix memory block reference leak on remove\n\nPatch series \"mm: Fix memory block leaks and locking\", v2.\n\nThis series fixes two memory block device reference leaks and one locking\nissue around the per-memory_block hwpoison counter.\n\n\nThis patch (of 2):\n\nremove_memory_blocks_and_altmaps() looks up each memory block with\nfind_memory_block(), which acquires a reference to the memory block\ndevice.\n\nThat reference is never dropped on this path, resulting in a leaked device\nreference when removing memory blocks and their altmaps. Drop the\nreference after retrieving mem-\u003ealtmap and clearing mem-\u003ealtmap, before\nremoving the memory block device."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:03.751Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8ab30c79fc00147125b9c39f928561d9dd13d06"
},
{
"url": "https://git.kernel.org/stable/c/09ce923071e7852ece60d7368e05249bf32c7967"
},
{
"url": "https://git.kernel.org/stable/c/df64c0d21c3f85f844b2f656333e43d97e6ffa74"
},
{
"url": "https://git.kernel.org/stable/c/93866f55f7e292fe3d47d36c9efe5ee10213a06b"
}
],
"title": "mm/memory_hotplug: fix memory block reference leak on remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64180",
"datePublished": "2026-07-19T15:41:03.751Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:03.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64179 (GCVE-0-2026-64179)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
The memory allocated in ipc_protocol_init() is not freed on the error
paths that follow in ipc_imem_init(). Fix that by calling the
corresponding release function ipc_protocol_deinit() in the error path.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3670970dd8c661c10c10c300d726f59428eaad32 , < f1a4d57847813fae42fbb7eb35f2dd48b9cff8a9
(git)
Affected: 3670970dd8c661c10c10c300d726f59428eaad32 , < ba6d8643019c33428f7c0658863e80e0b04a70f4 (git) Affected: 3670970dd8c661c10c10c300d726f59428eaad32 , < 6f63a60580ebdd9a1f22f89a84814d1fefe16b1c (git) Affected: 3670970dd8c661c10c10c300d726f59428eaad32 , < 583fd5a8fc797c8ecf2e1a7b923740c5e5734e85 (git) Affected: 3670970dd8c661c10c10c300d726f59428eaad32 , < ffb6dbb49c96be82f07c7b112e3ebc3e6fdd8dd5 (git) Affected: 3670970dd8c661c10c10c300d726f59428eaad32 , < 8f764a7810a9f114313c439d25b11f4417c6e0dd (git) Affected: 3670970dd8c661c10c10c300d726f59428eaad32 , < c5d93b2c40355e999715262a824965aac025a427 (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wwan/iosm/iosm_ipc_imem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1a4d57847813fae42fbb7eb35f2dd48b9cff8a9",
"status": "affected",
"version": "3670970dd8c661c10c10c300d726f59428eaad32",
"versionType": "git"
},
{
"lessThan": "ba6d8643019c33428f7c0658863e80e0b04a70f4",
"status": "affected",
"version": "3670970dd8c661c10c10c300d726f59428eaad32",
"versionType": "git"
},
{
"lessThan": "6f63a60580ebdd9a1f22f89a84814d1fefe16b1c",
"status": "affected",
"version": "3670970dd8c661c10c10c300d726f59428eaad32",
"versionType": "git"
},
{
"lessThan": "583fd5a8fc797c8ecf2e1a7b923740c5e5734e85",
"status": "affected",
"version": "3670970dd8c661c10c10c300d726f59428eaad32",
"versionType": "git"
},
{
"lessThan": "ffb6dbb49c96be82f07c7b112e3ebc3e6fdd8dd5",
"status": "affected",
"version": "3670970dd8c661c10c10c300d726f59428eaad32",
"versionType": "git"
},
{
"lessThan": "8f764a7810a9f114313c439d25b11f4417c6e0dd",
"status": "affected",
"version": "3670970dd8c661c10c10c300d726f59428eaad32",
"versionType": "git"
},
{
"lessThan": "c5d93b2c40355e999715262a824965aac025a427",
"status": "affected",
"version": "3670970dd8c661c10c10c300d726f59428eaad32",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wwan/iosm/iosm_ipc_imem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: fix potential memory leaks in ipc_imem_init()\n\nThe memory allocated in ipc_protocol_init() is not freed on the error\npaths that follow in ipc_imem_init(). Fix that by calling the\ncorresponding release function ipc_protocol_deinit() in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:03.019Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1a4d57847813fae42fbb7eb35f2dd48b9cff8a9"
},
{
"url": "https://git.kernel.org/stable/c/ba6d8643019c33428f7c0658863e80e0b04a70f4"
},
{
"url": "https://git.kernel.org/stable/c/6f63a60580ebdd9a1f22f89a84814d1fefe16b1c"
},
{
"url": "https://git.kernel.org/stable/c/583fd5a8fc797c8ecf2e1a7b923740c5e5734e85"
},
{
"url": "https://git.kernel.org/stable/c/ffb6dbb49c96be82f07c7b112e3ebc3e6fdd8dd5"
},
{
"url": "https://git.kernel.org/stable/c/8f764a7810a9f114313c439d25b11f4417c6e0dd"
},
{
"url": "https://git.kernel.org/stable/c/c5d93b2c40355e999715262a824965aac025a427"
}
],
"title": "net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64179",
"datePublished": "2026-07-19T15:41:03.019Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:03.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64178 (GCVE-0-2026-64178)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
Bluetooth: bnep: Fix UAF read of dev->name
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: bnep: Fix UAF read of dev->name
bnep_add_connection() needs to keep holding the bnep_session_sem while
reading dev->name (just like bnep_get_connlist() does); otherwise the
bnep_session() thread can concurrently free the net_device, which can for
example be triggered by a concurrent bnep_del_connection().
(This UAF is fairly uninteresting from a security perspective;
calling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)
check. It also requires completely tearing down a netdev during a fairly
tight race window.)
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a75bbcb10cb21acc169b785e9804f57d97873a9c
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4907596f25b1720fa948371ac5f6c1f8da10a5bc (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 915a92182e2cda9cd7d2479020a44c6eda986f7c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fe69f634b076ae3ca81c5a5b845d9bba527036f7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b21805258d7e926adfd455fc820a447b90da3b82 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5506aec795135cdd4cbf4e845929155663b25055 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e7578529b97e5d4e439cf8f3e637c2303015338f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 59e932ded949fa6f0340bf7c6d7818f962fa4fd2 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/bnep/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a75bbcb10cb21acc169b785e9804f57d97873a9c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4907596f25b1720fa948371ac5f6c1f8da10a5bc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "915a92182e2cda9cd7d2479020a44c6eda986f7c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fe69f634b076ae3ca81c5a5b845d9bba527036f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b21805258d7e926adfd455fc820a447b90da3b82",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5506aec795135cdd4cbf4e845929155663b25055",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e7578529b97e5d4e439cf8f3e637c2303015338f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "59e932ded949fa6f0340bf7c6d7818f962fa4fd2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/bnep/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bnep: Fix UAF read of dev-\u003ename\n\nbnep_add_connection() needs to keep holding the bnep_session_sem while\nreading dev-\u003ename (just like bnep_get_connlist() does); otherwise the\nbnep_session() thread can concurrently free the net_device, which can for\nexample be triggered by a concurrent bnep_del_connection().\n\n(This UAF is fairly uninteresting from a security perspective;\ncalling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)\ncheck. It also requires completely tearing down a netdev during a fairly\ntight race window.)"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:02.293Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a75bbcb10cb21acc169b785e9804f57d97873a9c"
},
{
"url": "https://git.kernel.org/stable/c/4907596f25b1720fa948371ac5f6c1f8da10a5bc"
},
{
"url": "https://git.kernel.org/stable/c/915a92182e2cda9cd7d2479020a44c6eda986f7c"
},
{
"url": "https://git.kernel.org/stable/c/fe69f634b076ae3ca81c5a5b845d9bba527036f7"
},
{
"url": "https://git.kernel.org/stable/c/b21805258d7e926adfd455fc820a447b90da3b82"
},
{
"url": "https://git.kernel.org/stable/c/5506aec795135cdd4cbf4e845929155663b25055"
},
{
"url": "https://git.kernel.org/stable/c/e7578529b97e5d4e439cf8f3e637c2303015338f"
},
{
"url": "https://git.kernel.org/stable/c/59e932ded949fa6f0340bf7c6d7818f962fa4fd2"
}
],
"title": "Bluetooth: bnep: Fix UAF read of dev-\u003ename",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64178",
"datePublished": "2026-07-19T15:41:02.293Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:02.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64177 (GCVE-0-2026-64177)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
phonet/pep: disable BH around forwarded sk_receive_skb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
phonet/pep: disable BH around forwarded sk_receive_skb()
The networking receive path is usually run from softirq context, but
protocols that take the socket lock may have packets stored in the
backlog and processed later from process context. In that case
release_sock() -> __release_sock() drops the slock with spin_unlock_bh()
and then calls sk->sk_backlog_rcv() with bottom halves enabled.
Typical sk_backlog_rcv handlers process the socket whose backlog is
being drained, so the BH state at entry is irrelevant for the slocks
they touch. pep_do_rcv() is different: when the inbound skb targets an
existing PEP pipe, it forwards the skb to a different *child* socket
via sk_receive_skb(). That helper takes the child slock with
bh_lock_sock_nested(), which is just spin_lock_nested() and assumes BH
is already off. The same child slock therefore ends up acquired with
BH on (process path) and with BH off (softirq path):
process context softirq context
--------------- ---------------
release_sock(listener) __netif_receive_skb()
__release_sock() phonet_rcv()
spin_unlock_bh() __sk_receive_skb(listener)
[BH now ENABLED] [BH already disabled]
sk_backlog_rcv: sk_backlog_rcv:
pep_do_rcv() pep_do_rcv()
sk_receive_skb(child) sk_receive_skb(child)
bh_lock_sock_nested(child) bh_lock_sock_nested(child)
=> SOFTIRQ-ON-W => IN-SOFTIRQ-W
Lockdep flags this as inconsistent lock state, and it can become a real
self-deadlock if a softirq on the same CPU tries to receive to the same
child socket while its slock is held in the BH-enabled path:
WARNING: inconsistent lock state
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
(slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1cf/0x900
__sk_receive_skb net/core/sock.c:563
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190
__release_sock net/core/sock.c:3216
release_sock net/core/sock.c:3815
pep_sock_accept net/phonet/pep.c:879
Wrap the forwarded sk_receive_skb() in local_bh_disable() /
local_bh_enable() so the child slock is always acquired with BH off.
local_bh_disable() nests safely on the softirq path.
Discovered via in-house syzkaller fuzzing; the same root cause also
on the linux-6.1.y syzbot dashboard as extid 44f0626dd6284f02663c.
Reproduced under KASAN + LOCKDEP + PROVE_LOCKING, reproducer:
https://pastebin.com/A3t8xzCR
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9641458d3ec42def729fde64669abf07f3220cd5 , < f08c45076e4fd8b0adbc5eb186d6e6a3e7350d7b
(git)
Affected: 9641458d3ec42def729fde64669abf07f3220cd5 , < b2606c302d7f2b4ee48da05e32ed60aed1b0cd53 (git) Affected: 9641458d3ec42def729fde64669abf07f3220cd5 , < 02c04df84de709060f63e1d52ec67488c4f6f212 (git) Affected: 9641458d3ec42def729fde64669abf07f3220cd5 , < 8420aa4900417797323dd567ba9d1512280c2dc3 (git) Affected: 9641458d3ec42def729fde64669abf07f3220cd5 , < bd795f106b3889fb0706c6e4831c4b27e2b5666b (git) Affected: 9641458d3ec42def729fde64669abf07f3220cd5 , < 84bc87beb4cd77670939b446326788e4c9b3db37 (git) Affected: 9641458d3ec42def729fde64669abf07f3220cd5 , < a3fc8f2dacd1c37325977fc1fbbf3d52141df99e (git) Affected: 9641458d3ec42def729fde64669abf07f3220cd5 , < dbc81608e3a653dea6cf403f20cae35468b8ab9c (git) |
|
| Linux | Linux |
Affected:
2.6.28
Unaffected: 0 , < 2.6.28 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/phonet/pep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f08c45076e4fd8b0adbc5eb186d6e6a3e7350d7b",
"status": "affected",
"version": "9641458d3ec42def729fde64669abf07f3220cd5",
"versionType": "git"
},
{
"lessThan": "b2606c302d7f2b4ee48da05e32ed60aed1b0cd53",
"status": "affected",
"version": "9641458d3ec42def729fde64669abf07f3220cd5",
"versionType": "git"
},
{
"lessThan": "02c04df84de709060f63e1d52ec67488c4f6f212",
"status": "affected",
"version": "9641458d3ec42def729fde64669abf07f3220cd5",
"versionType": "git"
},
{
"lessThan": "8420aa4900417797323dd567ba9d1512280c2dc3",
"status": "affected",
"version": "9641458d3ec42def729fde64669abf07f3220cd5",
"versionType": "git"
},
{
"lessThan": "bd795f106b3889fb0706c6e4831c4b27e2b5666b",
"status": "affected",
"version": "9641458d3ec42def729fde64669abf07f3220cd5",
"versionType": "git"
},
{
"lessThan": "84bc87beb4cd77670939b446326788e4c9b3db37",
"status": "affected",
"version": "9641458d3ec42def729fde64669abf07f3220cd5",
"versionType": "git"
},
{
"lessThan": "a3fc8f2dacd1c37325977fc1fbbf3d52141df99e",
"status": "affected",
"version": "9641458d3ec42def729fde64669abf07f3220cd5",
"versionType": "git"
},
{
"lessThan": "dbc81608e3a653dea6cf403f20cae35468b8ab9c",
"status": "affected",
"version": "9641458d3ec42def729fde64669abf07f3220cd5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/phonet/pep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: disable BH around forwarded sk_receive_skb()\n\nThe networking receive path is usually run from softirq context, but\nprotocols that take the socket lock may have packets stored in the\nbacklog and processed later from process context. In that case\nrelease_sock() -\u003e __release_sock() drops the slock with spin_unlock_bh()\nand then calls sk-\u003esk_backlog_rcv() with bottom halves enabled.\n\nTypical sk_backlog_rcv handlers process the socket whose backlog is\nbeing drained, so the BH state at entry is irrelevant for the slocks\nthey touch. pep_do_rcv() is different: when the inbound skb targets an\nexisting PEP pipe, it forwards the skb to a different *child* socket\nvia sk_receive_skb(). That helper takes the child slock with\nbh_lock_sock_nested(), which is just spin_lock_nested() and assumes BH\nis already off. The same child slock therefore ends up acquired with\nBH on (process path) and with BH off (softirq path):\n\n process context softirq context\n --------------- ---------------\n release_sock(listener) __netif_receive_skb()\n __release_sock() phonet_rcv()\n spin_unlock_bh() __sk_receive_skb(listener)\n [BH now ENABLED] [BH already disabled]\n sk_backlog_rcv: sk_backlog_rcv:\n pep_do_rcv() pep_do_rcv()\n sk_receive_skb(child) sk_receive_skb(child)\n bh_lock_sock_nested(child) bh_lock_sock_nested(child)\n =\u003e SOFTIRQ-ON-W =\u003e IN-SOFTIRQ-W\n\nLockdep flags this as inconsistent lock state, and it can become a real\nself-deadlock if a softirq on the same CPU tries to receive to the same\nchild socket while its slock is held in the BH-enabled path:\n\n WARNING: inconsistent lock state\n inconsistent {SOFTIRQ-ON-W} -\u003e {IN-SOFTIRQ-W} usage.\n (slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1cf/0x900\n __sk_receive_skb net/core/sock.c:563\n sk_receive_skb include/net/sock.h:2022 [inline]\n pep_do_rcv net/phonet/pep.c:675\n sk_backlog_rcv include/net/sock.h:1190\n __release_sock net/core/sock.c:3216\n release_sock net/core/sock.c:3815\n pep_sock_accept net/phonet/pep.c:879\n\nWrap the forwarded sk_receive_skb() in local_bh_disable() /\nlocal_bh_enable() so the child slock is always acquired with BH off.\nlocal_bh_disable() nests safely on the softirq path.\n\nDiscovered via in-house syzkaller fuzzing; the same root cause also\non the linux-6.1.y syzbot dashboard as extid 44f0626dd6284f02663c.\nReproduced under KASAN + LOCKDEP + PROVE_LOCKING, reproducer:\nhttps://pastebin.com/A3t8xzCR"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:01.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f08c45076e4fd8b0adbc5eb186d6e6a3e7350d7b"
},
{
"url": "https://git.kernel.org/stable/c/b2606c302d7f2b4ee48da05e32ed60aed1b0cd53"
},
{
"url": "https://git.kernel.org/stable/c/02c04df84de709060f63e1d52ec67488c4f6f212"
},
{
"url": "https://git.kernel.org/stable/c/8420aa4900417797323dd567ba9d1512280c2dc3"
},
{
"url": "https://git.kernel.org/stable/c/bd795f106b3889fb0706c6e4831c4b27e2b5666b"
},
{
"url": "https://git.kernel.org/stable/c/84bc87beb4cd77670939b446326788e4c9b3db37"
},
{
"url": "https://git.kernel.org/stable/c/a3fc8f2dacd1c37325977fc1fbbf3d52141df99e"
},
{
"url": "https://git.kernel.org/stable/c/dbc81608e3a653dea6cf403f20cae35468b8ab9c"
}
],
"title": "phonet/pep: disable BH around forwarded sk_receive_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64177",
"datePublished": "2026-07-19T15:41:01.534Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:01.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64176 (GCVE-0-2026-64176)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
wifi: iwlwifi: mvm: fix driver-set TX rates on old devices
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: fix driver-set TX rates on old devices
On old devices such as 7265D, rates are still encoded in version 1
format, which doesn't use the CCK/OFDM rate index (0-3/0-7) but
rather their PLCP value (e.g. 10 for 1 Mbps CCK rate.)
While introducing v3 rates, I changed the driver from internally
handling v1 rates and converting to v2, to internally handling v3
and converting to v1 or v2 according to the firmware. I accordingly
changed the code in iwl_mvm_mac80211_idx_to_hwrate() to no longer
have different values for different APIs. This was correct.
However, I later reverted this part of the change, because it was
reported that I had broken beacon rates, causing a FW assert/crash.
This caused TX_CMD rates to be set incorrectly, potentially causing
a warning when reported back from the device as having been used.
Fix this (hopefully correctly now) by handling beacon rates in the
TX_CMD that's embedded in the beacon template command separately.
Restore iwl_mvm_mac80211_idx_to_hwrate() to return only the rate
index, not PLCP value, fixing the real TX_CMD.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6fe92651b44fd3cfc8dcfdaad0e82885c384dada
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6b58a79f2cd98156856eb49e8b55db5facdd7e6d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fb84b5cbcaab3ca0f4e961d92a40ed7f3aac483b (git) Affected: 0 , < 6.18.34 (semver) Affected: 0 , < 7.0.11 (semver) |
|
| Linux | Linux |
Unaffected:
6.18.34 , ≤ 6.18.*
(semver)
Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c",
"drivers/net/wireless/intel/iwlwifi/mvm/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6fe92651b44fd3cfc8dcfdaad0e82885c384dada",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6b58a79f2cd98156856eb49e8b55db5facdd7e6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb84b5cbcaab3ca0f4e961d92a40ed7f3aac483b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6.18.34",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c",
"drivers/net/wireless/intel/iwlwifi/mvm/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix driver-set TX rates on old devices\n\nOn old devices such as 7265D, rates are still encoded in version 1\nformat, which doesn\u0027t use the CCK/OFDM rate index (0-3/0-7) but\nrather their PLCP value (e.g. 10 for 1 Mbps CCK rate.)\n\nWhile introducing v3 rates, I changed the driver from internally\nhandling v1 rates and converting to v2, to internally handling v3\nand converting to v1 or v2 according to the firmware. I accordingly\nchanged the code in iwl_mvm_mac80211_idx_to_hwrate() to no longer\nhave different values for different APIs. This was correct.\n\nHowever, I later reverted this part of the change, because it was\nreported that I had broken beacon rates, causing a FW assert/crash.\nThis caused TX_CMD rates to be set incorrectly, potentially causing\na warning when reported back from the device as having been used.\n\nFix this (hopefully correctly now) by handling beacon rates in the\nTX_CMD that\u0027s embedded in the beacon template command separately.\nRestore iwl_mvm_mac80211_idx_to_hwrate() to return only the rate\nindex, not PLCP value, fixing the real TX_CMD."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:00.830Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6fe92651b44fd3cfc8dcfdaad0e82885c384dada"
},
{
"url": "https://git.kernel.org/stable/c/6b58a79f2cd98156856eb49e8b55db5facdd7e6d"
},
{
"url": "https://git.kernel.org/stable/c/fb84b5cbcaab3ca0f4e961d92a40ed7f3aac483b"
}
],
"title": "wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64176",
"datePublished": "2026-07-19T15:41:00.830Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:00.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64175 (GCVE-0-2026-64175)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:41 – Updated: 2026-07-19 15:41
VLAI
EPSS
VEX
Title
wifi: iwlwifi: mld: stop TX during firmware restart
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mld: stop TX during firmware restart
When iwlwifi firmware crashes (e.g., NMI_INTERRUPT_UNKNOWN on Intel
BE201/Wi-Fi 7), iwl_mld_nic_error() sets mld->fw_status.in_hw_restart
to true. However, iwl_mld_tx_from_txq() does not check this flag before
dequeuing frames from mac80211 and pushing them to the transport layer.
Since the firmware is dead, iwl_trans_tx() returns -EIO for each frame,
which then gets freed immediately. Under high-throughput conditions
(e.g., Tailscale UDP traffic or active SSH sessions), this creates a
tight dequeue-send-fail-free loop that wastes CPU cycles and generates
rapid skb allocation churn, leading to memory pressure from slab
fragmentation.
The RX path already has this guard (iwl_mld_rx_mpdu checks
in_hw_restart at rx.c:1906), and so does the TXQ allocation worker
(iwl_mld_add_txqs_wk at tx.c:156). Add the same guard to
iwl_mld_tx_from_txq() to stop all TX during firmware restart.
Frames left in mac80211's TXQs are naturally drained after restart
completes, when queue reallocation triggers iwl_mld_tx_from_txq()
via iwl_mld_add_txq_list(), or when new upper-layer traffic invokes
wake_tx_queue.
Tested on ASUS Zenbook 14 UX3405CA with Intel BE201 (Wi-Fi 7) on
kernel 6.19.5 where the firmware crashes approximately every 10-15
minutes under Tailscale traffic.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d1e879ec600f9b3bdd253167533959facfefb17b , < dc31c69476520bb4c2a208211a8d3c310a62c4d0
(git)
Affected: d1e879ec600f9b3bdd253167533959facfefb17b , < 13f1786395dbbf3df73337063c798f1266be6151 (git) Affected: d1e879ec600f9b3bdd253167533959facfefb17b , < 2becb38a3e217ef2b2f42fddd7db7a25905ec291 (git) |
|
| Linux | Linux |
Affected:
6.15
Unaffected: 0 , < 6.15 (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mld/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc31c69476520bb4c2a208211a8d3c310a62c4d0",
"status": "affected",
"version": "d1e879ec600f9b3bdd253167533959facfefb17b",
"versionType": "git"
},
{
"lessThan": "13f1786395dbbf3df73337063c798f1266be6151",
"status": "affected",
"version": "d1e879ec600f9b3bdd253167533959facfefb17b",
"versionType": "git"
},
{
"lessThan": "2becb38a3e217ef2b2f42fddd7db7a25905ec291",
"status": "affected",
"version": "d1e879ec600f9b3bdd253167533959facfefb17b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mld/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mld: stop TX during firmware restart\n\nWhen iwlwifi firmware crashes (e.g., NMI_INTERRUPT_UNKNOWN on Intel\nBE201/Wi-Fi 7), iwl_mld_nic_error() sets mld-\u003efw_status.in_hw_restart\nto true. However, iwl_mld_tx_from_txq() does not check this flag before\ndequeuing frames from mac80211 and pushing them to the transport layer.\n\nSince the firmware is dead, iwl_trans_tx() returns -EIO for each frame,\nwhich then gets freed immediately. Under high-throughput conditions\n(e.g., Tailscale UDP traffic or active SSH sessions), this creates a\ntight dequeue-send-fail-free loop that wastes CPU cycles and generates\nrapid skb allocation churn, leading to memory pressure from slab\nfragmentation.\n\nThe RX path already has this guard (iwl_mld_rx_mpdu checks\nin_hw_restart at rx.c:1906), and so does the TXQ allocation worker\n(iwl_mld_add_txqs_wk at tx.c:156). Add the same guard to\niwl_mld_tx_from_txq() to stop all TX during firmware restart.\n\nFrames left in mac80211\u0027s TXQs are naturally drained after restart\ncompletes, when queue reallocation triggers iwl_mld_tx_from_txq()\nvia iwl_mld_add_txq_list(), or when new upper-layer traffic invokes\nwake_tx_queue.\n\nTested on ASUS Zenbook 14 UX3405CA with Intel BE201 (Wi-Fi 7) on\nkernel 6.19.5 where the firmware crashes approximately every 10-15\nminutes under Tailscale traffic."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:41:00.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc31c69476520bb4c2a208211a8d3c310a62c4d0"
},
{
"url": "https://git.kernel.org/stable/c/13f1786395dbbf3df73337063c798f1266be6151"
},
{
"url": "https://git.kernel.org/stable/c/2becb38a3e217ef2b2f42fddd7db7a25905ec291"
}
],
"title": "wifi: iwlwifi: mld: stop TX during firmware restart",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64175",
"datePublished": "2026-07-19T15:41:00.157Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:41:00.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64174 (GCVE-0-2026-64174)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
profile that has been split across multiple consecutive MBSSID elements.
Its while-loop calls
cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)
but never advances mbssid_elem or sub_elem inside the body. Each
iteration therefore searches for a continuation that follows the same
fixed pair; the helper returns the same next_mbssid; and the same
next_sub bytes are memcpy()'d into merged_ie at a growing offset until
the buffer fills.
Advance both mbssid_elem and sub_elem to the just-consumed continuation
so the next call to cfg80211_get_profile_continuation() searches for a
further continuation beyond it (or returns NULL when none exists).
A specially-crafted malicious beacon can take advantage of this bug
to cause the kernel to spend an excessive amount of time in
cfg80211_merge_profile (up to as much as 2ms per beacon received),
which could theoretically be abused in some way.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fe806e4992c9047affd263bcc13b2c047029a726 , < 5817e1e5205498a5df66eba2b34e817f4210fd0f
(git)
Affected: fe806e4992c9047affd263bcc13b2c047029a726 , < cedbb608494ba1e7a5c6c56b7f1d3fd470094f28 (git) Affected: fe806e4992c9047affd263bcc13b2c047029a726 , < c0bc4c8bd556cbe036a5b9ed333c0aab9aadfcb8 (git) Affected: fe806e4992c9047affd263bcc13b2c047029a726 , < 1ced0f5a851f9cae274545a42a06c459b7fd8881 (git) Affected: fe806e4992c9047affd263bcc13b2c047029a726 , < 67915715fd3874057457363c87c63e18829527df (git) Affected: fe806e4992c9047affd263bcc13b2c047029a726 , < 6cfae4914439878b8acb35c7e3b40096eeb2ad9c (git) Affected: fe806e4992c9047affd263bcc13b2c047029a726 , < 1343a480f84b80c1249133a90ef87f8751d65cbb (git) Affected: fe806e4992c9047affd263bcc13b2c047029a726 , < 7666dbb1bacc4ba522b96740cba7283d243d16e1 (git) |
|
| Linux | Linux |
Affected:
5.2
Unaffected: 0 , < 5.2 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5817e1e5205498a5df66eba2b34e817f4210fd0f",
"status": "affected",
"version": "fe806e4992c9047affd263bcc13b2c047029a726",
"versionType": "git"
},
{
"lessThan": "cedbb608494ba1e7a5c6c56b7f1d3fd470094f28",
"status": "affected",
"version": "fe806e4992c9047affd263bcc13b2c047029a726",
"versionType": "git"
},
{
"lessThan": "c0bc4c8bd556cbe036a5b9ed333c0aab9aadfcb8",
"status": "affected",
"version": "fe806e4992c9047affd263bcc13b2c047029a726",
"versionType": "git"
},
{
"lessThan": "1ced0f5a851f9cae274545a42a06c459b7fd8881",
"status": "affected",
"version": "fe806e4992c9047affd263bcc13b2c047029a726",
"versionType": "git"
},
{
"lessThan": "67915715fd3874057457363c87c63e18829527df",
"status": "affected",
"version": "fe806e4992c9047affd263bcc13b2c047029a726",
"versionType": "git"
},
{
"lessThan": "6cfae4914439878b8acb35c7e3b40096eeb2ad9c",
"status": "affected",
"version": "fe806e4992c9047affd263bcc13b2c047029a726",
"versionType": "git"
},
{
"lessThan": "1343a480f84b80c1249133a90ef87f8751d65cbb",
"status": "affected",
"version": "fe806e4992c9047affd263bcc13b2c047029a726",
"versionType": "git"
},
{
"lessThan": "7666dbb1bacc4ba522b96740cba7283d243d16e1",
"status": "affected",
"version": "fe806e4992c9047affd263bcc13b2c047029a726",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: advance loop vars in cfg80211_merge_profile()\n\ncfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS\nprofile that has been split across multiple consecutive MBSSID elements.\nIts while-loop calls\n\n\tcfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)\n\nbut never advances mbssid_elem or sub_elem inside the body. Each\niteration therefore searches for a continuation that follows the same\nfixed pair; the helper returns the same next_mbssid; and the same\nnext_sub bytes are memcpy()\u0027d into merged_ie at a growing offset until\nthe buffer fills.\n\nAdvance both mbssid_elem and sub_elem to the just-consumed continuation\nso the next call to cfg80211_get_profile_continuation() searches for a\nfurther continuation beyond it (or returns NULL when none exists).\n\nA specially-crafted malicious beacon can take advantage of this bug\nto cause the kernel to spend an excessive amount of time in\ncfg80211_merge_profile (up to as much as 2ms per beacon received),\nwhich could theoretically be abused in some way."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:59.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5817e1e5205498a5df66eba2b34e817f4210fd0f"
},
{
"url": "https://git.kernel.org/stable/c/cedbb608494ba1e7a5c6c56b7f1d3fd470094f28"
},
{
"url": "https://git.kernel.org/stable/c/c0bc4c8bd556cbe036a5b9ed333c0aab9aadfcb8"
},
{
"url": "https://git.kernel.org/stable/c/1ced0f5a851f9cae274545a42a06c459b7fd8881"
},
{
"url": "https://git.kernel.org/stable/c/67915715fd3874057457363c87c63e18829527df"
},
{
"url": "https://git.kernel.org/stable/c/6cfae4914439878b8acb35c7e3b40096eeb2ad9c"
},
{
"url": "https://git.kernel.org/stable/c/1343a480f84b80c1249133a90ef87f8751d65cbb"
},
{
"url": "https://git.kernel.org/stable/c/7666dbb1bacc4ba522b96740cba7283d243d16e1"
}
],
"title": "wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64174",
"datePublished": "2026-07-19T15:40:59.360Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:40:59.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64173 (GCVE-0-2026-64173)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
tracing: Do not call map->ops->elt_free() if elt_alloc() fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Do not call map->ops->elt_free() if elt_alloc() fails
In paths where tracing_map_elt_alloc() failed to allocate objects,
the map->ops->elt_alloc() call was never successful. In this case,
map->ops->elt_free() should not be called.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2734b629525a9dae5bf217cbf0a9651da93d2108 , < 49332e49ad5b20262cc719b03d4123b9362de701
(git)
Affected: 2734b629525a9dae5bf217cbf0a9651da93d2108 , < b559a218eece132de0c58d444877b5627cbee524 (git) Affected: 2734b629525a9dae5bf217cbf0a9651da93d2108 , < b427e9f6d81c9341cba23ef92f860f99f830d91d (git) Affected: 2734b629525a9dae5bf217cbf0a9651da93d2108 , < f383cff9fb382139980bac1bcd3f3f5d59f68435 (git) Affected: 2734b629525a9dae5bf217cbf0a9651da93d2108 , < 1a150947f8480262a46c860f1acb9c6597ca7097 (git) Affected: 2734b629525a9dae5bf217cbf0a9651da93d2108 , < 798183376d9d3e278a270ea0e75a5769c8f145d9 (git) Affected: 2734b629525a9dae5bf217cbf0a9651da93d2108 , < b6723339736320b2e1784258ad4490cec7aac11a (git) Affected: 2734b629525a9dae5bf217cbf0a9651da93d2108 , < 8f0f5c4fb9df0e19a341e0c6ed8dc4fda9124f03 (git) |
|
| Linux | Linux |
Affected:
4.17
Unaffected: 0 , < 4.17 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/tracing_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49332e49ad5b20262cc719b03d4123b9362de701",
"status": "affected",
"version": "2734b629525a9dae5bf217cbf0a9651da93d2108",
"versionType": "git"
},
{
"lessThan": "b559a218eece132de0c58d444877b5627cbee524",
"status": "affected",
"version": "2734b629525a9dae5bf217cbf0a9651da93d2108",
"versionType": "git"
},
{
"lessThan": "b427e9f6d81c9341cba23ef92f860f99f830d91d",
"status": "affected",
"version": "2734b629525a9dae5bf217cbf0a9651da93d2108",
"versionType": "git"
},
{
"lessThan": "f383cff9fb382139980bac1bcd3f3f5d59f68435",
"status": "affected",
"version": "2734b629525a9dae5bf217cbf0a9651da93d2108",
"versionType": "git"
},
{
"lessThan": "1a150947f8480262a46c860f1acb9c6597ca7097",
"status": "affected",
"version": "2734b629525a9dae5bf217cbf0a9651da93d2108",
"versionType": "git"
},
{
"lessThan": "798183376d9d3e278a270ea0e75a5769c8f145d9",
"status": "affected",
"version": "2734b629525a9dae5bf217cbf0a9651da93d2108",
"versionType": "git"
},
{
"lessThan": "b6723339736320b2e1784258ad4490cec7aac11a",
"status": "affected",
"version": "2734b629525a9dae5bf217cbf0a9651da93d2108",
"versionType": "git"
},
{
"lessThan": "8f0f5c4fb9df0e19a341e0c6ed8dc4fda9124f03",
"status": "affected",
"version": "2734b629525a9dae5bf217cbf0a9651da93d2108",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/tracing_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not call map-\u003eops-\u003eelt_free() if elt_alloc() fails\n\nIn paths where tracing_map_elt_alloc() failed to allocate objects,\nthe map-\u003eops-\u003eelt_alloc() call was never successful. In this case,\nmap-\u003eops-\u003eelt_free() should not be called."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:58.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49332e49ad5b20262cc719b03d4123b9362de701"
},
{
"url": "https://git.kernel.org/stable/c/b559a218eece132de0c58d444877b5627cbee524"
},
{
"url": "https://git.kernel.org/stable/c/b427e9f6d81c9341cba23ef92f860f99f830d91d"
},
{
"url": "https://git.kernel.org/stable/c/f383cff9fb382139980bac1bcd3f3f5d59f68435"
},
{
"url": "https://git.kernel.org/stable/c/1a150947f8480262a46c860f1acb9c6597ca7097"
},
{
"url": "https://git.kernel.org/stable/c/798183376d9d3e278a270ea0e75a5769c8f145d9"
},
{
"url": "https://git.kernel.org/stable/c/b6723339736320b2e1784258ad4490cec7aac11a"
},
{
"url": "https://git.kernel.org/stable/c/8f0f5c4fb9df0e19a341e0c6ed8dc4fda9124f03"
}
],
"title": "tracing: Do not call map-\u003eops-\u003eelt_free() if elt_alloc() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64173",
"datePublished": "2026-07-19T15:40:58.251Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:40:58.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64172 (GCVE-0-2026-64172)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)
Hygon Family 18h CPUs are derived from AMD Family 17h (Zen1) silicon and
share the same erratum #1235: hardware may read a stale IsRunning=1 bit
during ICR write emulation and silently fail to generate an
AVIC_IPI_FAILURE_TARGET_NOT_RUNNING VM-Exit on the sending vCPU.
The absence of the VM-Exit causes KVM to miss the required wakeup of
blocking target vCPUs, leading to hung vCPUs and unbounded delays in
guest execution.
Extend the existing AMD Family 17h erratum #1235 workaround to also cover
Hygon Family 18h. With IPI virtualization disabled, KVM never sets
IsRunning=1 in the Physical ID table, so every non-self IPI generates a
VM-Exit and is correctly emulated.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8de4a1c8164e5b2e40d1df764840a31de983f40b , < 94ade38f317ea086a181db0e6b69c574b3b70a5e
(git)
Affected: 8de4a1c8164e5b2e40d1df764840a31de983f40b , < 9560e6fee887a9594a89fa265b5b9c79b1591803 (git) Affected: 8de4a1c8164e5b2e40d1df764840a31de983f40b , < 9a12fa5213cfc391e0eed63902d3be98f0913765 (git) |
|
| Linux | Linux |
Affected:
6.17
Unaffected: 0 , < 6.17 (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "94ade38f317ea086a181db0e6b69c574b3b70a5e",
"status": "affected",
"version": "8de4a1c8164e5b2e40d1df764840a31de983f40b",
"versionType": "git"
},
{
"lessThan": "9560e6fee887a9594a89fa265b5b9c79b1591803",
"status": "affected",
"version": "8de4a1c8164e5b2e40d1df764840a31de983f40b",
"versionType": "git"
},
{
"lessThan": "9a12fa5213cfc391e0eed63902d3be98f0913765",
"status": "affected",
"version": "8de4a1c8164e5b2e40d1df764840a31de983f40b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)\n\nHygon Family 18h CPUs are derived from AMD Family 17h (Zen1) silicon and\nshare the same erratum #1235: hardware may read a stale IsRunning=1 bit\nduring ICR write emulation and silently fail to generate an\nAVIC_IPI_FAILURE_TARGET_NOT_RUNNING VM-Exit on the sending vCPU.\n\nThe absence of the VM-Exit causes KVM to miss the required wakeup of\nblocking target vCPUs, leading to hung vCPUs and unbounded delays in\nguest execution.\n\nExtend the existing AMD Family 17h erratum #1235 workaround to also cover\nHygon Family 18h. With IPI virtualization disabled, KVM never sets\nIsRunning=1 in the Physical ID table, so every non-self IPI generates a\nVM-Exit and is correctly emulated."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:57.153Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/94ade38f317ea086a181db0e6b69c574b3b70a5e"
},
{
"url": "https://git.kernel.org/stable/c/9560e6fee887a9594a89fa265b5b9c79b1591803"
},
{
"url": "https://git.kernel.org/stable/c/9a12fa5213cfc391e0eed63902d3be98f0913765"
}
],
"title": "KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64172",
"datePublished": "2026-07-19T15:40:57.153Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:40:57.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64171 (GCVE-0-2026-64171)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
i2c: tegra: fix pm_runtime leak on mutex_lock failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: tegra: fix pm_runtime leak on mutex_lock failure
If tegra_i2c_mutex_lock() fails, the function returns without calling
pm_runtime_put(), leaking the runtime PM reference acquired by the
preceding pm_runtime_get_sync(). This prevents the device from ever
entering runtime suspend.
Add the missing pm_runtime_put() before returning on lock failure.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6077cfd716fbd4d1f2a3702e49ae8bf65c072685 , < 8f7ed203b39004c02479a9156089d87d1ac2c1d8
(git)
Affected: 6077cfd716fbd4d1f2a3702e49ae8bf65c072685 , < 57cf4e8d6a57dc2ef5810f4852a23ba4c71b74bb (git) |
|
| Linux | Linux |
Affected:
7.0
Unaffected: 0 , < 7.0 (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-tegra.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f7ed203b39004c02479a9156089d87d1ac2c1d8",
"status": "affected",
"version": "6077cfd716fbd4d1f2a3702e49ae8bf65c072685",
"versionType": "git"
},
{
"lessThan": "57cf4e8d6a57dc2ef5810f4852a23ba4c71b74bb",
"status": "affected",
"version": "6077cfd716fbd4d1f2a3702e49ae8bf65c072685",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-tegra.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: tegra: fix pm_runtime leak on mutex_lock failure\n\nIf tegra_i2c_mutex_lock() fails, the function returns without calling\npm_runtime_put(), leaking the runtime PM reference acquired by the\npreceding pm_runtime_get_sync(). This prevents the device from ever\nentering runtime suspend.\n\nAdd the missing pm_runtime_put() before returning on lock failure."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:56.071Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f7ed203b39004c02479a9156089d87d1ac2c1d8"
},
{
"url": "https://git.kernel.org/stable/c/57cf4e8d6a57dc2ef5810f4852a23ba4c71b74bb"
}
],
"title": "i2c: tegra: fix pm_runtime leak on mutex_lock failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64171",
"datePublished": "2026-07-19T15:40:56.071Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:40:56.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64170 (GCVE-0-2026-64170)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
spi: qup: fix error pointer deref after DMA setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: qup: fix error pointer deref after DMA setup failure
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to the clear the DMA channel pointers on setup failure to
avoid dereferencing an error pointer (or attempting to release a channel
a second time) on later probe errors or driver unbind.
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
612762e82ae6058d69b4ce734598491bf030afe7 , < 0bb3bd442f0bdad3932739a61dd6c580c9c1955e
(git)
Affected: 612762e82ae6058d69b4ce734598491bf030afe7 , < d577c55d189e7ae150973058d13e299b6855633f (git) Affected: 612762e82ae6058d69b4ce734598491bf030afe7 , < 9e673affb92c29d9ba879bf4ea81c5e840166b56 (git) Affected: 612762e82ae6058d69b4ce734598491bf030afe7 , < 45760b72e84c1a1498f1a8a9047184c85299da20 (git) Affected: 612762e82ae6058d69b4ce734598491bf030afe7 , < 8f9b61d255b1e989b8913b06c8ebe0aba5e1b238 (git) Affected: 612762e82ae6058d69b4ce734598491bf030afe7 , < 4bb4764f2c51f03f657a28029eb0595d8223aab5 (git) Affected: 612762e82ae6058d69b4ce734598491bf030afe7 , < 4f4051e9d644c371c50de4a042b85bba6727d5c3 (git) Affected: 612762e82ae6058d69b4ce734598491bf030afe7 , < a7e8f3efd50a165ba0189f6dc57f7e51a7d149db (git) |
|
| Linux | Linux |
Affected:
4.1
Unaffected: 0 , < 4.1 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-qup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bb3bd442f0bdad3932739a61dd6c580c9c1955e",
"status": "affected",
"version": "612762e82ae6058d69b4ce734598491bf030afe7",
"versionType": "git"
},
{
"lessThan": "d577c55d189e7ae150973058d13e299b6855633f",
"status": "affected",
"version": "612762e82ae6058d69b4ce734598491bf030afe7",
"versionType": "git"
},
{
"lessThan": "9e673affb92c29d9ba879bf4ea81c5e840166b56",
"status": "affected",
"version": "612762e82ae6058d69b4ce734598491bf030afe7",
"versionType": "git"
},
{
"lessThan": "45760b72e84c1a1498f1a8a9047184c85299da20",
"status": "affected",
"version": "612762e82ae6058d69b4ce734598491bf030afe7",
"versionType": "git"
},
{
"lessThan": "8f9b61d255b1e989b8913b06c8ebe0aba5e1b238",
"status": "affected",
"version": "612762e82ae6058d69b4ce734598491bf030afe7",
"versionType": "git"
},
{
"lessThan": "4bb4764f2c51f03f657a28029eb0595d8223aab5",
"status": "affected",
"version": "612762e82ae6058d69b4ce734598491bf030afe7",
"versionType": "git"
},
{
"lessThan": "4f4051e9d644c371c50de4a042b85bba6727d5c3",
"status": "affected",
"version": "612762e82ae6058d69b4ce734598491bf030afe7",
"versionType": "git"
},
{
"lessThan": "a7e8f3efd50a165ba0189f6dc57f7e51a7d149db",
"status": "affected",
"version": "612762e82ae6058d69b4ce734598491bf030afe7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-qup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: qup: fix error pointer deref after DMA setup failure\n\nThe driver falls back to PIO mode if DMA setup fails during probe.\n\nMake sure to the clear the DMA channel pointers on setup failure to\navoid dereferencing an error pointer (or attempting to release a channel\na second time) on later probe errors or driver unbind.\n\nThis issue was flagged by Sashiko when reviewing a devres allocation\nconversion patch."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:54.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bb3bd442f0bdad3932739a61dd6c580c9c1955e"
},
{
"url": "https://git.kernel.org/stable/c/d577c55d189e7ae150973058d13e299b6855633f"
},
{
"url": "https://git.kernel.org/stable/c/9e673affb92c29d9ba879bf4ea81c5e840166b56"
},
{
"url": "https://git.kernel.org/stable/c/45760b72e84c1a1498f1a8a9047184c85299da20"
},
{
"url": "https://git.kernel.org/stable/c/8f9b61d255b1e989b8913b06c8ebe0aba5e1b238"
},
{
"url": "https://git.kernel.org/stable/c/4bb4764f2c51f03f657a28029eb0595d8223aab5"
},
{
"url": "https://git.kernel.org/stable/c/4f4051e9d644c371c50de4a042b85bba6727d5c3"
},
{
"url": "https://git.kernel.org/stable/c/a7e8f3efd50a165ba0189f6dc57f7e51a7d149db"
}
],
"title": "spi: qup: fix error pointer deref after DMA setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64170",
"datePublished": "2026-07-19T15:40:54.999Z",
"dateReserved": "2026-07-19T07:54:57.039Z",
"dateUpdated": "2026-07-19T15:40:54.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64169 (GCVE-0-2026-64169)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
spi: ep93xx: fix error pointer deref after DMA setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: ep93xx: fix error pointer deref after DMA setup failure
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to the clear the DMA channel pointers on setup failure to
avoid dereferencing an error pointer on later probe errors or driver
unbind.
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e79e7c2df6277ee1ad9364a231f6183da4492415 , < b6c0dabea07e25bd7db19a77ebfd0d02b9e2671a
(git)
Affected: e79e7c2df6277ee1ad9364a231f6183da4492415 , < 8e027db9fa310b1d5e7ad928510be800c4f004d9 (git) Affected: e79e7c2df6277ee1ad9364a231f6183da4492415 , < 0e2189ab095e3657f37b8295f3f2bbcde0f27529 (git) Affected: e79e7c2df6277ee1ad9364a231f6183da4492415 , < 5e121a81667a83e9a01d62b429e340f5a4a84abc (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-ep93xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6c0dabea07e25bd7db19a77ebfd0d02b9e2671a",
"status": "affected",
"version": "e79e7c2df6277ee1ad9364a231f6183da4492415",
"versionType": "git"
},
{
"lessThan": "8e027db9fa310b1d5e7ad928510be800c4f004d9",
"status": "affected",
"version": "e79e7c2df6277ee1ad9364a231f6183da4492415",
"versionType": "git"
},
{
"lessThan": "0e2189ab095e3657f37b8295f3f2bbcde0f27529",
"status": "affected",
"version": "e79e7c2df6277ee1ad9364a231f6183da4492415",
"versionType": "git"
},
{
"lessThan": "5e121a81667a83e9a01d62b429e340f5a4a84abc",
"status": "affected",
"version": "e79e7c2df6277ee1ad9364a231f6183da4492415",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-ep93xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: ep93xx: fix error pointer deref after DMA setup failure\n\nThe driver falls back to PIO mode if DMA setup fails during probe.\n\nMake sure to the clear the DMA channel pointers on setup failure to\navoid dereferencing an error pointer on later probe errors or driver\nunbind.\n\nThis issue was flagged by Sashiko when reviewing a devres allocation\nconversion patch."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:54.092Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6c0dabea07e25bd7db19a77ebfd0d02b9e2671a"
},
{
"url": "https://git.kernel.org/stable/c/8e027db9fa310b1d5e7ad928510be800c4f004d9"
},
{
"url": "https://git.kernel.org/stable/c/0e2189ab095e3657f37b8295f3f2bbcde0f27529"
},
{
"url": "https://git.kernel.org/stable/c/5e121a81667a83e9a01d62b429e340f5a4a84abc"
}
],
"title": "spi: ep93xx: fix error pointer deref after DMA setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64169",
"datePublished": "2026-07-19T15:40:54.092Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:54.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64168 (GCVE-0-2026-64168)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
spi: sprd: fix error pointer deref after DMA setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: sprd: fix error pointer deref after DMA setup failure
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to check the dma.enabled flag before trying to release the DMA
channels also on late probe errors to avoid dereferencing an error
pointer (or attempting to release a channel a second time).
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
386119bc7be9fa5114ced0274a22a943df890b4b , < be74e276111f3c23b8e040c8c5e308f67a573add
(git)
Affected: 386119bc7be9fa5114ced0274a22a943df890b4b , < a8f233fb0c7be29b97cd249f64120bf35ce72805 (git) Affected: 386119bc7be9fa5114ced0274a22a943df890b4b , < 0cdea166c1a07c200caf9d0b722224fca43b23ae (git) Affected: 386119bc7be9fa5114ced0274a22a943df890b4b , < 450c319dd04d0eeff4184889768f7ada826a2e35 (git) Affected: 386119bc7be9fa5114ced0274a22a943df890b4b , < b6f1acf4e57ccf708cdc0cb70f5bb5b65162963b (git) Affected: 386119bc7be9fa5114ced0274a22a943df890b4b , < be409d2bbe9ca7da7b05cc7dde7499bc481f0766 (git) Affected: 386119bc7be9fa5114ced0274a22a943df890b4b , < c33b4496e95d04722055446c0a31213639438536 (git) Affected: 386119bc7be9fa5114ced0274a22a943df890b4b , < 3d67fffb74267772d461c02c67f1eff893ad547d (git) |
|
| Linux | Linux |
Affected:
5.1
Unaffected: 0 , < 5.1 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-sprd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be74e276111f3c23b8e040c8c5e308f67a573add",
"status": "affected",
"version": "386119bc7be9fa5114ced0274a22a943df890b4b",
"versionType": "git"
},
{
"lessThan": "a8f233fb0c7be29b97cd249f64120bf35ce72805",
"status": "affected",
"version": "386119bc7be9fa5114ced0274a22a943df890b4b",
"versionType": "git"
},
{
"lessThan": "0cdea166c1a07c200caf9d0b722224fca43b23ae",
"status": "affected",
"version": "386119bc7be9fa5114ced0274a22a943df890b4b",
"versionType": "git"
},
{
"lessThan": "450c319dd04d0eeff4184889768f7ada826a2e35",
"status": "affected",
"version": "386119bc7be9fa5114ced0274a22a943df890b4b",
"versionType": "git"
},
{
"lessThan": "b6f1acf4e57ccf708cdc0cb70f5bb5b65162963b",
"status": "affected",
"version": "386119bc7be9fa5114ced0274a22a943df890b4b",
"versionType": "git"
},
{
"lessThan": "be409d2bbe9ca7da7b05cc7dde7499bc481f0766",
"status": "affected",
"version": "386119bc7be9fa5114ced0274a22a943df890b4b",
"versionType": "git"
},
{
"lessThan": "c33b4496e95d04722055446c0a31213639438536",
"status": "affected",
"version": "386119bc7be9fa5114ced0274a22a943df890b4b",
"versionType": "git"
},
{
"lessThan": "3d67fffb74267772d461c02c67f1eff893ad547d",
"status": "affected",
"version": "386119bc7be9fa5114ced0274a22a943df890b4b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-sprd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sprd: fix error pointer deref after DMA setup failure\n\nThe driver falls back to PIO mode if DMA setup fails during probe.\n\nMake sure to check the dma.enabled flag before trying to release the DMA\nchannels also on late probe errors to avoid dereferencing an error\npointer (or attempting to release a channel a second time).\n\nThis issue was flagged by Sashiko when reviewing a devres allocation\nconversion patch."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:52.741Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be74e276111f3c23b8e040c8c5e308f67a573add"
},
{
"url": "https://git.kernel.org/stable/c/a8f233fb0c7be29b97cd249f64120bf35ce72805"
},
{
"url": "https://git.kernel.org/stable/c/0cdea166c1a07c200caf9d0b722224fca43b23ae"
},
{
"url": "https://git.kernel.org/stable/c/450c319dd04d0eeff4184889768f7ada826a2e35"
},
{
"url": "https://git.kernel.org/stable/c/b6f1acf4e57ccf708cdc0cb70f5bb5b65162963b"
},
{
"url": "https://git.kernel.org/stable/c/be409d2bbe9ca7da7b05cc7dde7499bc481f0766"
},
{
"url": "https://git.kernel.org/stable/c/c33b4496e95d04722055446c0a31213639438536"
},
{
"url": "https://git.kernel.org/stable/c/3d67fffb74267772d461c02c67f1eff893ad547d"
}
],
"title": "spi: sprd: fix error pointer deref after DMA setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64168",
"datePublished": "2026-07-19T15:40:52.741Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:52.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64167 (GCVE-0-2026-64167)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
kho: skip KHO for crash kernel
Summary
In the Linux kernel, the following vulnerability has been resolved:
kho: skip KHO for crash kernel
kho_fill_kimage() unconditionally populates the kimage with KHO
metadata for every kexec image type. When the image is a crash kernel,
this can be problematic as the crash kernel can run in a small reserved
region and the KHO scratch areas can sit outside it.
The crash kernel then faults during kho_memory_init() when it
tries phys_to_virt() on the KHO FDT address:
Unable to handle kernel paging request at virtual address xxxxxxxx
...
fdt_offset_ptr+...
fdt_check_node_offset_+...
fdt_first_property_offset+...
fdt_get_property_namelen_+...
fdt_getprop+...
kho_memory_init+...
mm_core_init+...
start_kernel+...
kho_locate_mem_hole() already skips KHO logic for KEXEC_TYPE_CRASH
images, but kho_fill_kimage() was missing the same guard. As
kho_fill_kimage() is the single point that populates image->kho.fdt
and image->kho.scratch, fixing it here is sufficient for both arm64
and x86 as the FDT and boot_params path are bailing out when these
fields are unset.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d7255959b69a4e727c61eb04231d11390d4f391e , < a6ac6721326a75ff2d14c68db05f93b576d8762f
(git)
Affected: d7255959b69a4e727c61eb04231d11390d4f391e , < a6715d7ec472a476db17787697a4abda62962284 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/liveupdate/kexec_handover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6ac6721326a75ff2d14c68db05f93b576d8762f",
"status": "affected",
"version": "d7255959b69a4e727c61eb04231d11390d4f391e",
"versionType": "git"
},
{
"lessThan": "a6715d7ec472a476db17787697a4abda62962284",
"status": "affected",
"version": "d7255959b69a4e727c61eb04231d11390d4f391e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/liveupdate/kexec_handover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkho: skip KHO for crash kernel\n\nkho_fill_kimage() unconditionally populates the kimage with KHO\nmetadata for every kexec image type. When the image is a crash kernel,\nthis can be problematic as the crash kernel can run in a small reserved\nregion and the KHO scratch areas can sit outside it.\nThe crash kernel then faults during kho_memory_init() when it\ntries phys_to_virt() on the KHO FDT address:\n\n Unable to handle kernel paging request at virtual address xxxxxxxx\n ...\n fdt_offset_ptr+...\n fdt_check_node_offset_+...\n fdt_first_property_offset+...\n fdt_get_property_namelen_+...\n fdt_getprop+...\n kho_memory_init+...\n mm_core_init+...\n start_kernel+...\n\nkho_locate_mem_hole() already skips KHO logic for KEXEC_TYPE_CRASH\nimages, but kho_fill_kimage() was missing the same guard. As\nkho_fill_kimage() is the single point that populates image-\u003ekho.fdt\nand image-\u003ekho.scratch, fixing it here is sufficient for both arm64\nand x86 as the FDT and boot_params path are bailing out when these\nfields are unset."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:52.023Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6ac6721326a75ff2d14c68db05f93b576d8762f"
},
{
"url": "https://git.kernel.org/stable/c/a6715d7ec472a476db17787697a4abda62962284"
}
],
"title": "kho: skip KHO for crash kernel",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64167",
"datePublished": "2026-07-19T15:40:52.023Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:52.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64166 (GCVE-0-2026-64166)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
The bus match callback assumes that every FF-A driver provides an
id_table and dereferences it unconditionally. Enforce that contract at
registration time so a buggy client driver cannot crash the bus during
match.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
92743071464fca5acbbe812d9a0d88de3eaaad36 , < f98f131256beaddd51ad468e95d90d857fef12bf
(git)
Affected: 92743071464fca5acbbe812d9a0d88de3eaaad36 , < bc499d1acddbb75b5b4bce05f5296dd8ef9611fd (git) Affected: 92743071464fca5acbbe812d9a0d88de3eaaad36 , < adfff93d08a2e12ecf2a1eba272d18bc749f13c0 (git) Affected: 92743071464fca5acbbe812d9a0d88de3eaaad36 , < 34f59211984f66788390e7469f3e99d3796db4a8 (git) Affected: 92743071464fca5acbbe812d9a0d88de3eaaad36 , < 820245d86ce58898fb48b4fefc77d0cafc02801d (git) Affected: 92743071464fca5acbbe812d9a0d88de3eaaad36 , < 198f6c86d508ed562f07dc00276cac6dbb5dd3bf (git) Affected: 92743071464fca5acbbe812d9a0d88de3eaaad36 , < 0a5e695095c557d2380131b613dea4e8d90371be (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_ffa/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f98f131256beaddd51ad468e95d90d857fef12bf",
"status": "affected",
"version": "92743071464fca5acbbe812d9a0d88de3eaaad36",
"versionType": "git"
},
{
"lessThan": "bc499d1acddbb75b5b4bce05f5296dd8ef9611fd",
"status": "affected",
"version": "92743071464fca5acbbe812d9a0d88de3eaaad36",
"versionType": "git"
},
{
"lessThan": "adfff93d08a2e12ecf2a1eba272d18bc749f13c0",
"status": "affected",
"version": "92743071464fca5acbbe812d9a0d88de3eaaad36",
"versionType": "git"
},
{
"lessThan": "34f59211984f66788390e7469f3e99d3796db4a8",
"status": "affected",
"version": "92743071464fca5acbbe812d9a0d88de3eaaad36",
"versionType": "git"
},
{
"lessThan": "820245d86ce58898fb48b4fefc77d0cafc02801d",
"status": "affected",
"version": "92743071464fca5acbbe812d9a0d88de3eaaad36",
"versionType": "git"
},
{
"lessThan": "198f6c86d508ed562f07dc00276cac6dbb5dd3bf",
"status": "affected",
"version": "92743071464fca5acbbe812d9a0d88de3eaaad36",
"versionType": "git"
},
{
"lessThan": "0a5e695095c557d2380131b613dea4e8d90371be",
"status": "affected",
"version": "92743071464fca5acbbe812d9a0d88de3eaaad36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_ffa/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Check for NULL FF-A ID table while driver registration\n\nThe bus match callback assumes that every FF-A driver provides an\nid_table and dereferences it unconditionally. Enforce that contract at\nregistration time so a buggy client driver cannot crash the bus during\nmatch."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:51.305Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f98f131256beaddd51ad468e95d90d857fef12bf"
},
{
"url": "https://git.kernel.org/stable/c/bc499d1acddbb75b5b4bce05f5296dd8ef9611fd"
},
{
"url": "https://git.kernel.org/stable/c/adfff93d08a2e12ecf2a1eba272d18bc749f13c0"
},
{
"url": "https://git.kernel.org/stable/c/34f59211984f66788390e7469f3e99d3796db4a8"
},
{
"url": "https://git.kernel.org/stable/c/820245d86ce58898fb48b4fefc77d0cafc02801d"
},
{
"url": "https://git.kernel.org/stable/c/198f6c86d508ed562f07dc00276cac6dbb5dd3bf"
},
{
"url": "https://git.kernel.org/stable/c/0a5e695095c557d2380131b613dea4e8d90371be"
}
],
"title": "firmware: arm_ffa: Check for NULL FF-A ID table while driver registration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64166",
"datePublished": "2026-07-19T15:40:51.305Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:51.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64165 (GCVE-0-2026-64165)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
ARM: integrator: Fix early initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: integrator: Fix early initialization
Starting with commit bdb249fce9ad4 ("ARM: integrator: read counter using
syscon/regmap"), intcp_init_early calls syscon_regmap_lookup_by_compatible
which in turn calls of_syscon_register. This function allocates memory.
Since the memory management code has not been initialized at that time,
the call always fails. It either returns -ENOMEM or crashes as follows.
Unable to handle kernel NULL pointer dereference at virtual address 0000000c when read
[0000000c] *pgd=00000000
Internal error: Oops: 5 [#1] ARM
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc5-00026-g5fcc9bf84ee5 #1 PREEMPT
Hardware name: ARM Integrator/CP (Device Tree)
PC is at __kmalloc_cache_noprof+0xec/0x39c
LR is at __kmalloc_cache_noprof+0x34/0x39c
...
Call trace:
__kmalloc_cache_noprof from of_syscon_register+0x7c/0x310
of_syscon_register from device_node_get_regmap+0xa4/0xb0
device_node_get_regmap from intcp_init_early+0xc/0x40
intcp_init_early from start_kernel+0x60/0x688
start_kernel from 0x0
The crash is seen due to a dereferenced pointer which is not supposed to be
NULL but is NULL if the memory management subsystem has not been
initialized. The crash is not seen with all versions of gcc. Some versions
such as gcc 9.x apparently do not dereference the pointer, presumably if
tracing is disabled. The problem has been reproduced with gcc 10.x, 11.x,
and 13.x. Either case, if the crash is not seen, the call to
syscon_regmap_lookup_by_compatible returns -ENOMEM, and
sched_clock_register is never called.
Fix the problem by moving the early initialization code into the standard
machine initialization code.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
bdb249fce9ad44aab340be3b7a77060114f7193b , < 22c738fb51f2d8b23ddff5cc0ccb2dd685bb39d3
(git)
Affected: bdb249fce9ad44aab340be3b7a77060114f7193b , < 812103fb6da904bd03d62cf6a9826e537318ceed (git) Affected: bdb249fce9ad44aab340be3b7a77060114f7193b , < 6624854554c4c2bdfed3559e5c11bb03b16e7bd1 (git) Affected: bdb249fce9ad44aab340be3b7a77060114f7193b , < 508b1193d63b5e073a3fe103eeb785fcba2d368c (git) Affected: bdb249fce9ad44aab340be3b7a77060114f7193b , < 58a112b0973f6cd6bcb8c503d1ff88be411ed0f0 (git) Affected: bdb249fce9ad44aab340be3b7a77060114f7193b , < e984dc22e2c24dc34d6728e338c82b1ce7862753 (git) Affected: bdb249fce9ad44aab340be3b7a77060114f7193b , < 33ad014abec90f37dade0e00560f28864187e21a (git) Affected: bdb249fce9ad44aab340be3b7a77060114f7193b , < 90d77b30a666049ad24df463f52e5d529c44e8cd (git) |
|
| Linux | Linux |
Affected:
4.9
Unaffected: 0 , < 4.9 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-versatile/integrator_cp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22c738fb51f2d8b23ddff5cc0ccb2dd685bb39d3",
"status": "affected",
"version": "bdb249fce9ad44aab340be3b7a77060114f7193b",
"versionType": "git"
},
{
"lessThan": "812103fb6da904bd03d62cf6a9826e537318ceed",
"status": "affected",
"version": "bdb249fce9ad44aab340be3b7a77060114f7193b",
"versionType": "git"
},
{
"lessThan": "6624854554c4c2bdfed3559e5c11bb03b16e7bd1",
"status": "affected",
"version": "bdb249fce9ad44aab340be3b7a77060114f7193b",
"versionType": "git"
},
{
"lessThan": "508b1193d63b5e073a3fe103eeb785fcba2d368c",
"status": "affected",
"version": "bdb249fce9ad44aab340be3b7a77060114f7193b",
"versionType": "git"
},
{
"lessThan": "58a112b0973f6cd6bcb8c503d1ff88be411ed0f0",
"status": "affected",
"version": "bdb249fce9ad44aab340be3b7a77060114f7193b",
"versionType": "git"
},
{
"lessThan": "e984dc22e2c24dc34d6728e338c82b1ce7862753",
"status": "affected",
"version": "bdb249fce9ad44aab340be3b7a77060114f7193b",
"versionType": "git"
},
{
"lessThan": "33ad014abec90f37dade0e00560f28864187e21a",
"status": "affected",
"version": "bdb249fce9ad44aab340be3b7a77060114f7193b",
"versionType": "git"
},
{
"lessThan": "90d77b30a666049ad24df463f52e5d529c44e8cd",
"status": "affected",
"version": "bdb249fce9ad44aab340be3b7a77060114f7193b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-versatile/integrator_cp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: integrator: Fix early initialization\n\nStarting with commit bdb249fce9ad4 (\"ARM: integrator: read counter using\nsyscon/regmap\"), intcp_init_early calls syscon_regmap_lookup_by_compatible\nwhich in turn calls of_syscon_register. This function allocates memory.\nSince the memory management code has not been initialized at that time,\nthe call always fails. It either returns -ENOMEM or crashes as follows.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000c when read\n[0000000c] *pgd=00000000\nInternal error: Oops: 5 [#1] ARM\nModules linked in:\nCPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc5-00026-g5fcc9bf84ee5 #1 PREEMPT\nHardware name: ARM Integrator/CP (Device Tree)\nPC is at __kmalloc_cache_noprof+0xec/0x39c\nLR is at __kmalloc_cache_noprof+0x34/0x39c\n...\nCall trace:\n __kmalloc_cache_noprof from of_syscon_register+0x7c/0x310\n of_syscon_register from device_node_get_regmap+0xa4/0xb0\n device_node_get_regmap from intcp_init_early+0xc/0x40\n intcp_init_early from start_kernel+0x60/0x688\n start_kernel from 0x0\n\nThe crash is seen due to a dereferenced pointer which is not supposed to be\nNULL but is NULL if the memory management subsystem has not been\ninitialized. The crash is not seen with all versions of gcc. Some versions\nsuch as gcc 9.x apparently do not dereference the pointer, presumably if\ntracing is disabled. The problem has been reproduced with gcc 10.x, 11.x,\nand 13.x. Either case, if the crash is not seen, the call to\nsyscon_regmap_lookup_by_compatible returns -ENOMEM, and\nsched_clock_register is never called.\n\nFix the problem by moving the early initialization code into the standard\nmachine initialization code."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:50.585Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22c738fb51f2d8b23ddff5cc0ccb2dd685bb39d3"
},
{
"url": "https://git.kernel.org/stable/c/812103fb6da904bd03d62cf6a9826e537318ceed"
},
{
"url": "https://git.kernel.org/stable/c/6624854554c4c2bdfed3559e5c11bb03b16e7bd1"
},
{
"url": "https://git.kernel.org/stable/c/508b1193d63b5e073a3fe103eeb785fcba2d368c"
},
{
"url": "https://git.kernel.org/stable/c/58a112b0973f6cd6bcb8c503d1ff88be411ed0f0"
},
{
"url": "https://git.kernel.org/stable/c/e984dc22e2c24dc34d6728e338c82b1ce7862753"
},
{
"url": "https://git.kernel.org/stable/c/33ad014abec90f37dade0e00560f28864187e21a"
},
{
"url": "https://git.kernel.org/stable/c/90d77b30a666049ad24df463f52e5d529c44e8cd"
}
],
"title": "ARM: integrator: Fix early initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64165",
"datePublished": "2026-07-19T15:40:50.585Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:50.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64164 (GCVE-0-2026-64164)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
The trace event btrfs_sync_file() is called in an atomic context (all trace
events are) and its call to dput(), which is needed due to the call to
dget_parent(), can sleep, triggering a kernel splat.
This can be reproduced by enabling the trace event and running btrfs/056
from fstests for example. The splat shown in dmesg is the following:
[53.919] BUG: sleeping function called from invalid context at fs/dcache.c:970
[53.947] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 32773, name: xfs_io
[53.988] preempt_count: 2, expected: 0
[53.967] RCU nest depth: 0, expected: 0
[53.943] Preemption disabled at:
[53.944] [<0000000000000000>] 0x0
[54.078] CPU: 0 UID: 0 PID: 32773 Comm: xfs_io Tainted: G W 7.1.0-rc1-btrfs-next-232+ #1 PREEMPT(full)
[54.070] Tainted: [W]=WARN
[54.071] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[54.072] Call Trace:
[54.074] <TASK>
[54.076] dump_stack_lvl+0x56/0x80
[54.079] __might_resched.cold+0xd6/0x10f
[54.072] dput.part.0+0x24/0x110
[54.078] trace_event_raw_event_btrfs_sync_file+0x75/0x140 [btrfs]
[54.089] btrfs_sync_file+0x1ed/0x530 [btrfs]
[54.087] ? __handle_mm_fault+0x8ae/0xed0
[54.089] btrfs_do_write_iter+0x172/0x210 [btrfs]
[54.091] vfs_write+0x21f/0x450
[54.094] __x64_sys_pwrite64+0x8d/0xc0
[54.096] ? do_user_addr_fault+0x20c/0x670
[54.099] do_syscall_64+0x60/0xf20
[54.092] ? clear_bhb_loop+0x60/0xb0
[54.094] entry_SYSCALL_64_after_hwframe+0x76/0x7e
So stop using dget_parent() and dput() and access the parent dentry
directly as dentry->d_parent. This is also what ext4 is doing in
its equivalent trace event ext4_sync_file_enter().
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4a7bab35fad5251c8cb738161152578cd83b6b9c , < d78b0a80eac36879ef5478707135c446920e134b
(git)
Affected: 520e8b4bcf872a534a7bf61ccf880047642df296 , < 4361954f0e158af0530caa1e57f12b531be4658f (git) Affected: e252db8ca2a01f82d472091f35d549b313278636 , < 6279992c9ba2774901c9d4dd4a481162e2534714 (git) Affected: c09a7446aab5773f38d6abb25fce99b8e1dfbc97 , < 26b2290baaf6da6add0f782a100766e686a33f4f (git) Affected: 32372781d664a9b03c40343e96c29d0a6139f97d , < 12a0487945c09760a5968d9333383014ea294117 (git) Affected: 2e4adfaec97ee053ad1bdfb5036845e66f7e0d8a , < c32a7e0e3c73c1c0768556a56bd78de9f7b83780 (git) Affected: a85b46db143fda5869e7d8df8f258ccef5fa1719 , < 0a96d9a85cd2240481297156b9bb72e10b7a8036 (git) Affected: a85b46db143fda5869e7d8df8f258ccef5fa1719 , < c73370c677646e86fc4b1780fb07027bdf847375 (git) Affected: d110d7cdb045715c0b45b0dfd974525bb38f653d (git) Affected: 6.6.136 , < 6.6.142 (semver) Affected: 6.12.83 , < 6.12.92 (semver) Affected: 6.18.24 , < 6.18.34 (semver) Affected: 6.19.14 , < 6.20 (semver) |
|
| Linux | Linux |
Affected:
7.0
Unaffected: 0 , < 7.0 (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/trace/events/btrfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d78b0a80eac36879ef5478707135c446920e134b",
"status": "affected",
"version": "4a7bab35fad5251c8cb738161152578cd83b6b9c",
"versionType": "git"
},
{
"lessThan": "4361954f0e158af0530caa1e57f12b531be4658f",
"status": "affected",
"version": "520e8b4bcf872a534a7bf61ccf880047642df296",
"versionType": "git"
},
{
"lessThan": "6279992c9ba2774901c9d4dd4a481162e2534714",
"status": "affected",
"version": "e252db8ca2a01f82d472091f35d549b313278636",
"versionType": "git"
},
{
"lessThan": "26b2290baaf6da6add0f782a100766e686a33f4f",
"status": "affected",
"version": "c09a7446aab5773f38d6abb25fce99b8e1dfbc97",
"versionType": "git"
},
{
"lessThan": "12a0487945c09760a5968d9333383014ea294117",
"status": "affected",
"version": "32372781d664a9b03c40343e96c29d0a6139f97d",
"versionType": "git"
},
{
"lessThan": "c32a7e0e3c73c1c0768556a56bd78de9f7b83780",
"status": "affected",
"version": "2e4adfaec97ee053ad1bdfb5036845e66f7e0d8a",
"versionType": "git"
},
{
"lessThan": "0a96d9a85cd2240481297156b9bb72e10b7a8036",
"status": "affected",
"version": "a85b46db143fda5869e7d8df8f258ccef5fa1719",
"versionType": "git"
},
{
"lessThan": "c73370c677646e86fc4b1780fb07027bdf847375",
"status": "affected",
"version": "a85b46db143fda5869e7d8df8f258ccef5fa1719",
"versionType": "git"
},
{
"status": "affected",
"version": "d110d7cdb045715c0b45b0dfd974525bb38f653d",
"versionType": "git"
},
{
"lessThan": "6.6.142",
"status": "affected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThan": "6.12.92",
"status": "affected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThan": "6.18.34",
"status": "affected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThan": "6.20",
"status": "affected",
"version": "6.19.14",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/trace/events/btrfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.6.136",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.12.83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.18.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.19.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()\n\nThe trace event btrfs_sync_file() is called in an atomic context (all trace\nevents are) and its call to dput(), which is needed due to the call to\ndget_parent(), can sleep, triggering a kernel splat.\n\nThis can be reproduced by enabling the trace event and running btrfs/056\nfrom fstests for example. The splat shown in dmesg is the following:\n\n [53.919] BUG: sleeping function called from invalid context at fs/dcache.c:970\n [53.947] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 32773, name: xfs_io\n [53.988] preempt_count: 2, expected: 0\n [53.967] RCU nest depth: 0, expected: 0\n [53.943] Preemption disabled at:\n [53.944] [\u003c0000000000000000\u003e] 0x0\n [54.078] CPU: 0 UID: 0 PID: 32773 Comm: xfs_io Tainted: G W 7.1.0-rc1-btrfs-next-232+ #1 PREEMPT(full)\n [54.070] Tainted: [W]=WARN\n [54.071] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [54.072] Call Trace:\n [54.074] \u003cTASK\u003e\n [54.076] dump_stack_lvl+0x56/0x80\n [54.079] __might_resched.cold+0xd6/0x10f\n [54.072] dput.part.0+0x24/0x110\n [54.078] trace_event_raw_event_btrfs_sync_file+0x75/0x140 [btrfs]\n [54.089] btrfs_sync_file+0x1ed/0x530 [btrfs]\n [54.087] ? __handle_mm_fault+0x8ae/0xed0\n [54.089] btrfs_do_write_iter+0x172/0x210 [btrfs]\n [54.091] vfs_write+0x21f/0x450\n [54.094] __x64_sys_pwrite64+0x8d/0xc0\n [54.096] ? do_user_addr_fault+0x20c/0x670\n [54.099] do_syscall_64+0x60/0xf20\n [54.092] ? clear_bhb_loop+0x60/0xb0\n [54.094] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nSo stop using dget_parent() and dput() and access the parent dentry\ndirectly as dentry-\u003ed_parent. This is also what ext4 is doing in\nits equivalent trace event ext4_sync_file_enter()."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:49.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d78b0a80eac36879ef5478707135c446920e134b"
},
{
"url": "https://git.kernel.org/stable/c/4361954f0e158af0530caa1e57f12b531be4658f"
},
{
"url": "https://git.kernel.org/stable/c/6279992c9ba2774901c9d4dd4a481162e2534714"
},
{
"url": "https://git.kernel.org/stable/c/26b2290baaf6da6add0f782a100766e686a33f4f"
},
{
"url": "https://git.kernel.org/stable/c/12a0487945c09760a5968d9333383014ea294117"
},
{
"url": "https://git.kernel.org/stable/c/c32a7e0e3c73c1c0768556a56bd78de9f7b83780"
},
{
"url": "https://git.kernel.org/stable/c/0a96d9a85cd2240481297156b9bb72e10b7a8036"
},
{
"url": "https://git.kernel.org/stable/c/c73370c677646e86fc4b1780fb07027bdf847375"
}
],
"title": "btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64164",
"datePublished": "2026-07-19T15:40:49.894Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:49.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64163 (GCVE-0-2026-64163)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
test_kprobes: clear kprobes between test runs
Summary
In the Linux kernel, the following vulnerability has been resolved:
test_kprobes: clear kprobes between test runs
Running the kprobes sanity tests twice makes all tests fail and
eventually crashes the kernel.
[root@martin-riscv-1 ~]# echo 1 > /sys/kernel/debug/kunit/kprobes_test/run
...
# Totals: pass:5 fail:0 skip:0 total:5
ok 1 kprobes_test
[root@martin-riscv-1 ~]# echo 1 > /sys/kernel/debug/kunit/kprobes_test/run
...
# test_kprobe: EXPECTATION FAILED at lib/tests/test_kprobes.c:64
Expected 0 == register_kprobe(&kp), but
register_kprobe(&kp) == -22 (0xffffffffffffffea)
...
Unable to handle kernel paging request ...
The testsuite defines several kprobes and kretprobes as static variables
that are preserved across test runs.
After register_kprobe and unregister_kprobe, a kprobe contains some
leftover data that must be cleared before the kprobe can be registered
again. The tests are setting symbol_name to define the probe location.
Address and flags must be cleared.
The existing code clears some of the probes between subsequent tests, but
not between two test runs. The leftover data from a previous test run
makes the registrations fail in the next run.
Move the cleanups for all kprobes into kprobes_test_init, this function
is called before each single test (including the first test of a test
run).
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e44e81c5b90f698025eadceb7eef8661eda117d5 , < 08d355936fcf70c81c94f9fe7310450b65c53399
(git)
Affected: e44e81c5b90f698025eadceb7eef8661eda117d5 , < accc0004c501a9918313142282b094d408af06fb (git) Affected: e44e81c5b90f698025eadceb7eef8661eda117d5 , < 1c24cf1fd67f6702c719ab73499392cb7af956ae (git) Affected: e44e81c5b90f698025eadceb7eef8661eda117d5 , < 96515819d79f356f40da5540968d838ea570fab9 (git) Affected: e44e81c5b90f698025eadceb7eef8661eda117d5 , < ef5581bb30efb939cc2bf093475c6cc85258e5cd (git) |
|
| Linux | Linux |
Affected:
5.16
Unaffected: 0 , < 5.16 (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/tests/test_kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08d355936fcf70c81c94f9fe7310450b65c53399",
"status": "affected",
"version": "e44e81c5b90f698025eadceb7eef8661eda117d5",
"versionType": "git"
},
{
"lessThan": "accc0004c501a9918313142282b094d408af06fb",
"status": "affected",
"version": "e44e81c5b90f698025eadceb7eef8661eda117d5",
"versionType": "git"
},
{
"lessThan": "1c24cf1fd67f6702c719ab73499392cb7af956ae",
"status": "affected",
"version": "e44e81c5b90f698025eadceb7eef8661eda117d5",
"versionType": "git"
},
{
"lessThan": "96515819d79f356f40da5540968d838ea570fab9",
"status": "affected",
"version": "e44e81c5b90f698025eadceb7eef8661eda117d5",
"versionType": "git"
},
{
"lessThan": "ef5581bb30efb939cc2bf093475c6cc85258e5cd",
"status": "affected",
"version": "e44e81c5b90f698025eadceb7eef8661eda117d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/tests/test_kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntest_kprobes: clear kprobes between test runs\n\nRunning the kprobes sanity tests twice makes all tests fail and\neventually crashes the kernel.\n\n[root@martin-riscv-1 ~]# echo 1 \u003e /sys/kernel/debug/kunit/kprobes_test/run\n...\n # Totals: pass:5 fail:0 skip:0 total:5\n ok 1 kprobes_test\n[root@martin-riscv-1 ~]# echo 1 \u003e /sys/kernel/debug/kunit/kprobes_test/run\n...\n # test_kprobe: EXPECTATION FAILED at lib/tests/test_kprobes.c:64\n Expected 0 == register_kprobe(\u0026kp), but\n register_kprobe(\u0026kp) == -22 (0xffffffffffffffea)\n...\n Unable to handle kernel paging request ...\n\nThe testsuite defines several kprobes and kretprobes as static variables\nthat are preserved across test runs.\n\nAfter register_kprobe and unregister_kprobe, a kprobe contains some\nleftover data that must be cleared before the kprobe can be registered\nagain. The tests are setting symbol_name to define the probe location.\nAddress and flags must be cleared.\n\nThe existing code clears some of the probes between subsequent tests, but\nnot between two test runs. The leftover data from a previous test run\nmakes the registrations fail in the next run.\n\nMove the cleanups for all kprobes into kprobes_test_init, this function\nis called before each single test (including the first test of a test\nrun)."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:49.172Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08d355936fcf70c81c94f9fe7310450b65c53399"
},
{
"url": "https://git.kernel.org/stable/c/accc0004c501a9918313142282b094d408af06fb"
},
{
"url": "https://git.kernel.org/stable/c/1c24cf1fd67f6702c719ab73499392cb7af956ae"
},
{
"url": "https://git.kernel.org/stable/c/96515819d79f356f40da5540968d838ea570fab9"
},
{
"url": "https://git.kernel.org/stable/c/ef5581bb30efb939cc2bf093475c6cc85258e5cd"
}
],
"title": "test_kprobes: clear kprobes between test runs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64163",
"datePublished": "2026-07-19T15:40:49.172Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:49.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64162 (GCVE-0-2026-64162)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()
In idpf_ptp_init(), read_dev_clk_lock is initialized after
ptp_schedule_worker() had already been called (and after
idpf_ptp_settime64() could reach the lock). The PTP aux worker
fires immediately upon scheduling and can call into
idpf_ptp_read_src_clk_reg_direct(), which takes
spin_lock(&ptp->read_dev_clk_lock) on an uninitialized lock, triggering
the lockdep "non-static key" warning:
[12973.796587] idpf 0000:83:00.0: Device HW Reset initiated
[12974.094507] INFO: trying to register non-static key.
...
[12974.097208] Call Trace:
[12974.097213] <TASK>
[12974.097218] dump_stack_lvl+0x93/0xe0
[12974.097234] register_lock_class+0x4c4/0x4e0
[12974.097249] ? __lock_acquire+0x427/0x2290
[12974.097259] __lock_acquire+0x98/0x2290
[12974.097272] lock_acquire+0xc6/0x310
[12974.097281] ? idpf_ptp_read_src_clk_reg+0xb7/0x150 [idpf]
[12974.097311] ? lockdep_hardirqs_on_prepare+0xde/0x190
[12974.097318] ? finish_task_switch.isra.0+0xd2/0x350
[12974.097330] ? __pfx_ptp_aux_kworker+0x10/0x10 [ptp]
[12974.097343] _raw_spin_lock+0x30/0x40
[12974.097353] ? idpf_ptp_read_src_clk_reg+0xb7/0x150 [idpf]
[12974.097373] idpf_ptp_read_src_clk_reg+0xb7/0x150 [idpf]
[12974.097391] ? kthread_worker_fn+0x88/0x3d0
[12974.097404] ? kthread_worker_fn+0x4e/0x3d0
[12974.097411] idpf_ptp_update_cached_phctime+0x26/0x120 [idpf]
[12974.097428] ? _raw_spin_unlock_irq+0x28/0x50
[12974.097436] idpf_ptp_do_aux_work+0x15/0x20 [idpf]
[12974.097454] ptp_aux_kworker+0x20/0x40 [ptp]
[12974.097464] kthread_worker_fn+0xd5/0x3d0
[12974.097474] ? __pfx_kthread_worker_fn+0x10/0x10
[12974.097482] kthread+0xf4/0x130
[12974.097489] ? __pfx_kthread+0x10/0x10
[12974.097498] ret_from_fork+0x32c/0x410
[12974.097512] ? __pfx_kthread+0x10/0x10
[12974.097519] ret_from_fork_asm+0x1a/0x30
[12974.097540] </TASK>
Move the call to spin_lock_init() up a bit to make sure read_dev_clk_lock
is not touched before it's been initialized.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5cb8805d2366b20ee4d7afff586d8acf17649330 , < eb5991d4c8ba2e8153dfcda3e66a9608377b7dce
(git)
Affected: 5cb8805d2366b20ee4d7afff586d8acf17649330 , < 3122d70b7c0101d897fb795658a7b93f854935f2 (git) Affected: 5cb8805d2366b20ee4d7afff586d8acf17649330 , < da4f76b6a84ede14a71282ef841768299ead0221 (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb5991d4c8ba2e8153dfcda3e66a9608377b7dce",
"status": "affected",
"version": "5cb8805d2366b20ee4d7afff586d8acf17649330",
"versionType": "git"
},
{
"lessThan": "3122d70b7c0101d897fb795658a7b93f854935f2",
"status": "affected",
"version": "5cb8805d2366b20ee4d7afff586d8acf17649330",
"versionType": "git"
},
{
"lessThan": "da4f76b6a84ede14a71282ef841768299ead0221",
"status": "affected",
"version": "5cb8805d2366b20ee4d7afff586d8acf17649330",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()\n\nIn idpf_ptp_init(), read_dev_clk_lock is initialized after\nptp_schedule_worker() had already been called (and after\nidpf_ptp_settime64() could reach the lock). The PTP aux worker\nfires immediately upon scheduling and can call into\nidpf_ptp_read_src_clk_reg_direct(), which takes\nspin_lock(\u0026ptp-\u003eread_dev_clk_lock) on an uninitialized lock, triggering\nthe lockdep \"non-static key\" warning:\n\n[12973.796587] idpf 0000:83:00.0: Device HW Reset initiated\n[12974.094507] INFO: trying to register non-static key.\n...\n[12974.097208] Call Trace:\n[12974.097213] \u003cTASK\u003e\n[12974.097218] dump_stack_lvl+0x93/0xe0\n[12974.097234] register_lock_class+0x4c4/0x4e0\n[12974.097249] ? __lock_acquire+0x427/0x2290\n[12974.097259] __lock_acquire+0x98/0x2290\n[12974.097272] lock_acquire+0xc6/0x310\n[12974.097281] ? idpf_ptp_read_src_clk_reg+0xb7/0x150 [idpf]\n[12974.097311] ? lockdep_hardirqs_on_prepare+0xde/0x190\n[12974.097318] ? finish_task_switch.isra.0+0xd2/0x350\n[12974.097330] ? __pfx_ptp_aux_kworker+0x10/0x10 [ptp]\n[12974.097343] _raw_spin_lock+0x30/0x40\n[12974.097353] ? idpf_ptp_read_src_clk_reg+0xb7/0x150 [idpf]\n[12974.097373] idpf_ptp_read_src_clk_reg+0xb7/0x150 [idpf]\n[12974.097391] ? kthread_worker_fn+0x88/0x3d0\n[12974.097404] ? kthread_worker_fn+0x4e/0x3d0\n[12974.097411] idpf_ptp_update_cached_phctime+0x26/0x120 [idpf]\n[12974.097428] ? _raw_spin_unlock_irq+0x28/0x50\n[12974.097436] idpf_ptp_do_aux_work+0x15/0x20 [idpf]\n[12974.097454] ptp_aux_kworker+0x20/0x40 [ptp]\n[12974.097464] kthread_worker_fn+0xd5/0x3d0\n[12974.097474] ? __pfx_kthread_worker_fn+0x10/0x10\n[12974.097482] kthread+0xf4/0x130\n[12974.097489] ? __pfx_kthread+0x10/0x10\n[12974.097498] ret_from_fork+0x32c/0x410\n[12974.097512] ? __pfx_kthread+0x10/0x10\n[12974.097519] ret_from_fork_asm+0x1a/0x30\n[12974.097540] \u003c/TASK\u003e\n\nMove the call to spin_lock_init() up a bit to make sure read_dev_clk_lock\nis not touched before it\u0027s been initialized."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:48.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb5991d4c8ba2e8153dfcda3e66a9608377b7dce"
},
{
"url": "https://git.kernel.org/stable/c/3122d70b7c0101d897fb795658a7b93f854935f2"
},
{
"url": "https://git.kernel.org/stable/c/da4f76b6a84ede14a71282ef841768299ead0221"
}
],
"title": "idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64162",
"datePublished": "2026-07-19T15:40:48.461Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:48.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64161 (GCVE-0-2026-64161)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
net: ti: icssm-prueth: fix eth_ports_node leak in probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ti: icssm-prueth: fix eth_ports_node leak in probe
The error path on of_property_read_u32() failure inside
icssm_prueth_probe() returns without putting eth_ports_node,
which was acquired before the for_each_child_of_node() loop.
Drop it before returning.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
511f6c1ae093c7045742299d29eba71925709a71 , < 994358adc0982d17731ffea7dfacd25afcc89773
(git)
Affected: 511f6c1ae093c7045742299d29eba71925709a71 , < ca029dde6ad732a5aba28d6b107d7a84ba5e302b (git) Affected: 511f6c1ae093c7045742299d29eba71925709a71 , < 6635fa84403c3a59455b66007c019a7cc632db30 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/icssm/icssm_prueth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994358adc0982d17731ffea7dfacd25afcc89773",
"status": "affected",
"version": "511f6c1ae093c7045742299d29eba71925709a71",
"versionType": "git"
},
{
"lessThan": "ca029dde6ad732a5aba28d6b107d7a84ba5e302b",
"status": "affected",
"version": "511f6c1ae093c7045742299d29eba71925709a71",
"versionType": "git"
},
{
"lessThan": "6635fa84403c3a59455b66007c019a7cc632db30",
"status": "affected",
"version": "511f6c1ae093c7045742299d29eba71925709a71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/icssm/icssm_prueth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssm-prueth: fix eth_ports_node leak in probe\n\nThe error path on of_property_read_u32() failure inside\nicssm_prueth_probe() returns without putting eth_ports_node,\nwhich was acquired before the for_each_child_of_node() loop.\n\nDrop it before returning."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:47.761Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994358adc0982d17731ffea7dfacd25afcc89773"
},
{
"url": "https://git.kernel.org/stable/c/ca029dde6ad732a5aba28d6b107d7a84ba5e302b"
},
{
"url": "https://git.kernel.org/stable/c/6635fa84403c3a59455b66007c019a7cc632db30"
}
],
"title": "net: ti: icssm-prueth: fix eth_ports_node leak in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64161",
"datePublished": "2026-07-19T15:40:47.761Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:47.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64160 (GCVE-0-2026-64160)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
netfs: Fix potential for tearing in ->remote_i_size and ->zero_point
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix potential for tearing in ->remote_i_size and ->zero_point
Fix potential tearing in using ->remote_i_size and ->zero_point by copying
i_size_read() and i_size_write() and using the same seqcount as for i_size.
We need to make sure that netfslib and the filesystems that use it always
hold i_lock whilst updating any of the sizes to prevent i_size_seqcount
from getting corrupted.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4058f742105ecfcbdf99e1139e6c1f74fb8e6db9 , < 55970f238d495517edc961d55c44c772594d0969
(git)
Affected: 4058f742105ecfcbdf99e1139e6c1f74fb8e6db9 , < 2c8f4742bb76117d735f92a3932d85239b16c494 (git) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/9p/v9fs_vfs.h",
"fs/9p/vfs_inode.c",
"fs/9p/vfs_inode_dotl.c",
"fs/afs/file.c",
"fs/afs/inode.c",
"fs/afs/internal.h",
"fs/afs/write.c",
"fs/netfs/buffered_read.c",
"fs/netfs/buffered_write.c",
"fs/netfs/direct_write.c",
"fs/netfs/misc.c",
"fs/netfs/write_collect.c",
"fs/smb/client/cifsfs.c",
"fs/smb/client/cifssmb.c",
"fs/smb/client/file.c",
"fs/smb/client/inode.c",
"fs/smb/client/readdir.c",
"fs/smb/client/smb2ops.c",
"fs/smb/client/smb2pdu.c",
"include/linux/netfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "55970f238d495517edc961d55c44c772594d0969",
"status": "affected",
"version": "4058f742105ecfcbdf99e1139e6c1f74fb8e6db9",
"versionType": "git"
},
{
"lessThan": "2c8f4742bb76117d735f92a3932d85239b16c494",
"status": "affected",
"version": "4058f742105ecfcbdf99e1139e6c1f74fb8e6db9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/9p/v9fs_vfs.h",
"fs/9p/vfs_inode.c",
"fs/9p/vfs_inode_dotl.c",
"fs/afs/file.c",
"fs/afs/inode.c",
"fs/afs/internal.h",
"fs/afs/write.c",
"fs/netfs/buffered_read.c",
"fs/netfs/buffered_write.c",
"fs/netfs/direct_write.c",
"fs/netfs/misc.c",
"fs/netfs/write_collect.c",
"fs/smb/client/cifsfs.c",
"fs/smb/client/cifssmb.c",
"fs/smb/client/file.c",
"fs/smb/client/inode.c",
"fs/smb/client/readdir.c",
"fs/smb/client/smb2ops.c",
"fs/smb/client/smb2pdu.c",
"include/linux/netfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix potential for tearing in -\u003eremote_i_size and -\u003ezero_point\n\nFix potential tearing in using -\u003eremote_i_size and -\u003ezero_point by copying\ni_size_read() and i_size_write() and using the same seqcount as for i_size.\n\nWe need to make sure that netfslib and the filesystems that use it always\nhold i_lock whilst updating any of the sizes to prevent i_size_seqcount\nfrom getting corrupted."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:47.063Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/55970f238d495517edc961d55c44c772594d0969"
},
{
"url": "https://git.kernel.org/stable/c/2c8f4742bb76117d735f92a3932d85239b16c494"
}
],
"title": "netfs: Fix potential for tearing in -\u003eremote_i_size and -\u003ezero_point",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64160",
"datePublished": "2026-07-19T15:40:47.063Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:47.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64159 (GCVE-0-2026-64159)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
netfs: Fix zeropoint update where i_size > remote_i_size
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix zeropoint update where i_size > remote_i_size
Fix the update of the zero point[*] by netfs_release_folio() when there is
uncommitted data in the pagecache beyond the folio being released but the
on-server EOF is in this folio (ie. i_size > remote_i_size). The update
needs to limit zero_point to remote_i_size, not i_size as i_size is a local
phenomenon reflecting updates made locally to the pagecache, not stuff
written to the server. remote_i_size tracks the server's i_size.
[*] The zero point is the file position from which we can assume that the
server will just return zeros, so we can avoid generating reads.
Note that netfs_invalidate_folio() probably doesn't need fixing as
zero_point should be updated by setattr after truncation or fallocate.
Found with:
fsx -q -N 1000000 -p 10000 -o 128000 -l 600000 \
/xfstest.test/junk --replay-ops=junk.fsxops
using the following as junk.fsxops:
truncate 0x0 0x1bbae 0x82864
write 0x3ef2e 0xf9c8 0x1bbae
write 0x67e05 0xcb5a 0x4e8f6
mapread 0x57781 0x85b6 0x7495f
copy_range 0x5d3d 0x10329 0x54fac 0x7495f
write 0x64710 0x1c2b 0x7495f
mapread 0x64000 0x1000 0x7495f
on cifs with the default cache option.
It shows read-gaps on folio 0x64 failing with a short read (ie. it hits
EOF) if the FMODE_READ check is commented out in netfs_perform_write():
if (//(file->f_mode & FMODE_READ) ||
netfs_is_cache_enabled(ctx)) {
and no fscache. This was initially found with the generic/522 xfstest.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
cce6bfa6ca0e30af9927b0074c97fe6a92f28092 , < 5cd5207de519ef0c085f4f559adf5eefcb4c5202
(git)
Affected: cce6bfa6ca0e30af9927b0074c97fe6a92f28092 , < 4543a4d737944134a1394afe797622546fbcc98a (git) Affected: e2814004138a541110d4b2dc254a8f619c2c4ce0 (git) Affected: 6.10.8 , < 6.11 (semver) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/netfs/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5cd5207de519ef0c085f4f559adf5eefcb4c5202",
"status": "affected",
"version": "cce6bfa6ca0e30af9927b0074c97fe6a92f28092",
"versionType": "git"
},
{
"lessThan": "4543a4d737944134a1394afe797622546fbcc98a",
"status": "affected",
"version": "cce6bfa6ca0e30af9927b0074c97fe6a92f28092",
"versionType": "git"
},
{
"status": "affected",
"version": "e2814004138a541110d4b2dc254a8f619c2c4ce0",
"versionType": "git"
},
{
"lessThan": "6.11",
"status": "affected",
"version": "6.10.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/netfs/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix zeropoint update where i_size \u003e remote_i_size\n\nFix the update of the zero point[*] by netfs_release_folio() when there is\nuncommitted data in the pagecache beyond the folio being released but the\non-server EOF is in this folio (ie. i_size \u003e remote_i_size). The update\nneeds to limit zero_point to remote_i_size, not i_size as i_size is a local\nphenomenon reflecting updates made locally to the pagecache, not stuff\nwritten to the server. remote_i_size tracks the server\u0027s i_size.\n\n[*] The zero point is the file position from which we can assume that the\n server will just return zeros, so we can avoid generating reads.\n\nNote that netfs_invalidate_folio() probably doesn\u0027t need fixing as\nzero_point should be updated by setattr after truncation or fallocate.\n\nFound with:\n\n fsx -q -N 1000000 -p 10000 -o 128000 -l 600000 \\\n /xfstest.test/junk --replay-ops=junk.fsxops\n\nusing the following as junk.fsxops:\n\n truncate 0x0 0x1bbae 0x82864\n write 0x3ef2e 0xf9c8 0x1bbae\n write 0x67e05 0xcb5a 0x4e8f6\n mapread 0x57781 0x85b6 0x7495f\n copy_range 0x5d3d 0x10329 0x54fac 0x7495f\n write 0x64710 0x1c2b 0x7495f\n mapread 0x64000 0x1000 0x7495f\n\non cifs with the default cache option.\n\nIt shows read-gaps on folio 0x64 failing with a short read (ie. it hits\nEOF) if the FMODE_READ check is commented out in netfs_perform_write():\n\n if (//(file-\u003ef_mode \u0026 FMODE_READ) ||\n netfs_is_cache_enabled(ctx)) {\n\nand no fscache. This was initially found with the generic/522 xfstest."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:46.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5cd5207de519ef0c085f4f559adf5eefcb4c5202"
},
{
"url": "https://git.kernel.org/stable/c/4543a4d737944134a1394afe797622546fbcc98a"
}
],
"title": "netfs: Fix zeropoint update where i_size \u003e remote_i_size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64159",
"datePublished": "2026-07-19T15:40:46.400Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:46.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64158 (GCVE-0-2026-64158)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
netfs: Fix write streaming disablement if fd open O_RDWR
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix write streaming disablement if fd open O_RDWR
In netfs_perform_write(), "write streaming" (the caching of dirty data in
dirty but !uptodate folios) is performed to avoid the need to read data
that is just going to get immediately overwritten. However, this is/will
be disabled in three circumstances: if the fd is open O_RDWR, if fscache is
in use (as we need to round out the blocks for DIO) or if content
encryption is enabled (again for rounding out purposes).
The idea behind disabling it if the fd is open O_RDWR is that we'd need to
flush the write-streaming page before we could read the data, particularly
through mmap. But netfs now fills in the gaps if ->read_folio() is called
on the page, so that is unnecessary. Further, this doesn't actually work
if a separate fd is open for reading.
Fix this by removing the check for O_RDWR, thereby allowing streaming
writes even when we might read.
This caused a number of problems with the generic/522 xfstest, but those
are now fixed.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c38f4e96e605f17990e871214e6ea1496bc4e65f , < 9adf8e47d73d5e3c2fe77dea649dcde350ccd65c
(git)
Affected: c38f4e96e605f17990e871214e6ea1496bc4e65f , < 616578e40dcba3f94810d841c5a52b7e3bc8ede7 (git) Affected: c38f4e96e605f17990e871214e6ea1496bc4e65f , < 7a9fa5b020a3a40f8291a71cd44c08d931da430d (git) Affected: c38f4e96e605f17990e871214e6ea1496bc4e65f , < 70a7b9193bbbfceaab5974de66834c64ccc875dd (git) |
|
| Linux | Linux |
Affected:
6.8
Unaffected: 0 , < 6.8 (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/netfs/buffered_write.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9adf8e47d73d5e3c2fe77dea649dcde350ccd65c",
"status": "affected",
"version": "c38f4e96e605f17990e871214e6ea1496bc4e65f",
"versionType": "git"
},
{
"lessThan": "616578e40dcba3f94810d841c5a52b7e3bc8ede7",
"status": "affected",
"version": "c38f4e96e605f17990e871214e6ea1496bc4e65f",
"versionType": "git"
},
{
"lessThan": "7a9fa5b020a3a40f8291a71cd44c08d931da430d",
"status": "affected",
"version": "c38f4e96e605f17990e871214e6ea1496bc4e65f",
"versionType": "git"
},
{
"lessThan": "70a7b9193bbbfceaab5974de66834c64ccc875dd",
"status": "affected",
"version": "c38f4e96e605f17990e871214e6ea1496bc4e65f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/netfs/buffered_write.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix write streaming disablement if fd open O_RDWR\n\nIn netfs_perform_write(), \"write streaming\" (the caching of dirty data in\ndirty but !uptodate folios) is performed to avoid the need to read data\nthat is just going to get immediately overwritten. However, this is/will\nbe disabled in three circumstances: if the fd is open O_RDWR, if fscache is\nin use (as we need to round out the blocks for DIO) or if content\nencryption is enabled (again for rounding out purposes).\n\nThe idea behind disabling it if the fd is open O_RDWR is that we\u0027d need to\nflush the write-streaming page before we could read the data, particularly\nthrough mmap. But netfs now fills in the gaps if -\u003eread_folio() is called\non the page, so that is unnecessary. Further, this doesn\u0027t actually work\nif a separate fd is open for reading.\n\nFix this by removing the check for O_RDWR, thereby allowing streaming\nwrites even when we might read.\n\nThis caused a number of problems with the generic/522 xfstest, but those\nare now fixed."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:45.692Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9adf8e47d73d5e3c2fe77dea649dcde350ccd65c"
},
{
"url": "https://git.kernel.org/stable/c/616578e40dcba3f94810d841c5a52b7e3bc8ede7"
},
{
"url": "https://git.kernel.org/stable/c/7a9fa5b020a3a40f8291a71cd44c08d931da430d"
},
{
"url": "https://git.kernel.org/stable/c/70a7b9193bbbfceaab5974de66834c64ccc875dd"
}
],
"title": "netfs: Fix write streaming disablement if fd open O_RDWR",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64158",
"datePublished": "2026-07-19T15:40:45.692Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:45.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-64157 (GCVE-0-2026-64157)
Vulnerability from cvelistv5 – Published: 2026-07-19 15:40 – Updated: 2026-07-19 15:40
VLAI
EPSS
VEX
Title
netfs: Fix partial invalidation of streaming-write folio
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix partial invalidation of streaming-write folio
In netfs_invalidate_folio(), if the region of a partial invalidation
overlaps the front (but not all) of a dirty write cached in a streaming
write page (dirty, but not uptodate, with the dirty region tracked by a
netfs_folio struct), the function modifies the dirty region - but
incorrectly as it moves the region forward by setting the start to the
start, not the end, of the invalidation region.
Fix this by setting finfo->dirty_offset to the end of the invalidation
region (iend).
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
cce6bfa6ca0e30af9927b0074c97fe6a92f28092 , < f6b2569ae29b666fd15ff2848684c445ba442a39
(git)
Affected: cce6bfa6ca0e30af9927b0074c97fe6a92f28092 , < 3d9601c029b934b5b6a10f99791467b10eb6b211 (git) Affected: cce6bfa6ca0e30af9927b0074c97fe6a92f28092 , < 6a3d27116be2c5fb9a03d5cf37c486ac517f3689 (git) Affected: cce6bfa6ca0e30af9927b0074c97fe6a92f28092 , < 6d91acc7fb85d33ea58fca9b964a32a453937f4b (git) Affected: e2814004138a541110d4b2dc254a8f619c2c4ce0 (git) Affected: 6.10.8 , < 6.11 (semver) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/netfs/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6b2569ae29b666fd15ff2848684c445ba442a39",
"status": "affected",
"version": "cce6bfa6ca0e30af9927b0074c97fe6a92f28092",
"versionType": "git"
},
{
"lessThan": "3d9601c029b934b5b6a10f99791467b10eb6b211",
"status": "affected",
"version": "cce6bfa6ca0e30af9927b0074c97fe6a92f28092",
"versionType": "git"
},
{
"lessThan": "6a3d27116be2c5fb9a03d5cf37c486ac517f3689",
"status": "affected",
"version": "cce6bfa6ca0e30af9927b0074c97fe6a92f28092",
"versionType": "git"
},
{
"lessThan": "6d91acc7fb85d33ea58fca9b964a32a453937f4b",
"status": "affected",
"version": "cce6bfa6ca0e30af9927b0074c97fe6a92f28092",
"versionType": "git"
},
{
"status": "affected",
"version": "e2814004138a541110d4b2dc254a8f619c2c4ce0",
"versionType": "git"
},
{
"lessThan": "6.11",
"status": "affected",
"version": "6.10.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/netfs/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix partial invalidation of streaming-write folio\n\nIn netfs_invalidate_folio(), if the region of a partial invalidation\noverlaps the front (but not all) of a dirty write cached in a streaming\nwrite page (dirty, but not uptodate, with the dirty region tracked by a\nnetfs_folio struct), the function modifies the dirty region - but\nincorrectly as it moves the region forward by setting the start to the\nstart, not the end, of the invalidation region.\n\nFix this by setting finfo-\u003edirty_offset to the end of the invalidation\nregion (iend)."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-19T15:40:44.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6b2569ae29b666fd15ff2848684c445ba442a39"
},
{
"url": "https://git.kernel.org/stable/c/3d9601c029b934b5b6a10f99791467b10eb6b211"
},
{
"url": "https://git.kernel.org/stable/c/6a3d27116be2c5fb9a03d5cf37c486ac517f3689"
},
{
"url": "https://git.kernel.org/stable/c/6d91acc7fb85d33ea58fca9b964a32a453937f4b"
}
],
"title": "netfs: Fix partial invalidation of streaming-write folio",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-64157",
"datePublished": "2026-07-19T15:40:44.964Z",
"dateReserved": "2026-07-19T07:54:57.038Z",
"dateUpdated": "2026-07-19T15:40:44.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}