Search
Find a vulnerability
Search criteria
16087 vulnerabilities by Linux
CVE-2026-53362 (GCVE-0-2026-53362)
Vulnerability from nvd – Published: 2026-07-04 11:56 – Updated: 2026-07-04 11:56
VLAI
Title
ipv6: account for fraggap on the paged allocation path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: account for fraggap on the paged allocation path
In __ip6_append_data(), when the paged-allocation branch is taken
(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
computed as
alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;
datalen already includes fraggap (datalen = length + fraggap). When
fraggap is non-zero, this is not the first skb and transhdrlen is zero.
The fraggap bytes carried over from the previous skb are copied just past
the fragment headers in the new skb's linear area. The linear area is
therefore undersized by fraggap bytes while pagedlen is overstated by the
same amount, and the copy writes past skb->end into the trailing
skb_shared_info.
An unprivileged user can trigger this via a UDPv6 socket using
MSG_MORE together with MSG_SPLICE_PAGES.
The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
copy value caused -EINVAL to be returned. That later commit allowed
MSG_SPLICE_PAGES to proceed in this case, making the corruption
triggerable.
The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.
After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
773ba4fe9104a64a54d1c00f0fb6ffb95def2b03 , < 14200d435af9a9eeb444f529fc2f689a236b7962
(git)
Affected: 773ba4fe9104a64a54d1c00f0fb6ffb95def2b03 , < 65fb14cbebb0cd0eff903a22d33537ddc8b95769 (git) Affected: 773ba4fe9104a64a54d1c00f0fb6ffb95def2b03 , < 46f201f8b4c39633a1fa3dc12459f506d470993d (git) Affected: 773ba4fe9104a64a54d1c00f0fb6ffb95def2b03 , < 6374fb9edf72c67a118a2c214a0dddd04c921e0a (git) Affected: 773ba4fe9104a64a54d1c00f0fb6ffb95def2b03 , < e9eacf19281ea2498b36291b56c9606118c2d74e (git) Affected: 773ba4fe9104a64a54d1c00f0fb6ffb95def2b03 , < 736b380e28d0480c7bc3e022f1950f31fe53a7c5 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.177 , ≤ 6.1.* (semver) Unaffected: 6.6.144 , ≤ 6.6.* (semver) Unaffected: 6.12.95 , ≤ 6.12.* (semver) Unaffected: 6.18.38 , ≤ 6.18.* (semver) Unaffected: 7.1.3 , ≤ 7.1.* (semver) Unaffected: 7.2-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14200d435af9a9eeb444f529fc2f689a236b7962",
"status": "affected",
"version": "773ba4fe9104a64a54d1c00f0fb6ffb95def2b03",
"versionType": "git"
},
{
"lessThan": "65fb14cbebb0cd0eff903a22d33537ddc8b95769",
"status": "affected",
"version": "773ba4fe9104a64a54d1c00f0fb6ffb95def2b03",
"versionType": "git"
},
{
"lessThan": "46f201f8b4c39633a1fa3dc12459f506d470993d",
"status": "affected",
"version": "773ba4fe9104a64a54d1c00f0fb6ffb95def2b03",
"versionType": "git"
},
{
"lessThan": "6374fb9edf72c67a118a2c214a0dddd04c921e0a",
"status": "affected",
"version": "773ba4fe9104a64a54d1c00f0fb6ffb95def2b03",
"versionType": "git"
},
{
"lessThan": "e9eacf19281ea2498b36291b56c9606118c2d74e",
"status": "affected",
"version": "773ba4fe9104a64a54d1c00f0fb6ffb95def2b03",
"versionType": "git"
},
{
"lessThan": "736b380e28d0480c7bc3e022f1950f31fe53a7c5",
"status": "affected",
"version": "773ba4fe9104a64a54d1c00f0fb6ffb95def2b03",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.38",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.*",
"status": "unaffected",
"version": "7.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.2-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.177",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.144",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.95",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.38",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.2-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: account for fraggap on the paged allocation path\n\nIn __ip6_append_data(), when the paged-allocation branch is taken\n(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are\ncomputed as\n\n\talloclen = fragheaderlen + transhdrlen;\n\tpagedlen = datalen - transhdrlen;\n\ndatalen already includes fraggap (datalen = length + fraggap). When\nfraggap is non-zero, this is not the first skb and transhdrlen is zero.\nThe fraggap bytes carried over from the previous skb are copied just past\nthe fragment headers in the new skb\u0027s linear area. The linear area is\ntherefore undersized by fraggap bytes while pagedlen is overstated by the\nsame amount, and the copy writes past skb-\u003eend into the trailing\nskb_shared_info.\n\nAn unprivileged user can trigger this via a UDPv6 socket using\nMSG_MORE together with MSG_SPLICE_PAGES.\n\nThe bad accounting was introduced by commit 773ba4fe9104 (\"ipv6:\navoid partial copy for zc\"). Before commit ce650a166335 (\"udp6: Fix\n__ip6_append_data()\u0027s handling of MSG_SPLICE_PAGES\"), the negative\ncopy value caused -EINVAL to be returned. That later commit allowed\nMSG_SPLICE_PAGES to proceed in this case, making the corruption\ntriggerable.\n\nThe non-paged branch sets alloclen to fraglen, which already accounts\nfor fraggap because datalen does. Bring the paged branch in line by\nadding fraggap to alloclen and subtracting it from pagedlen.\n\nAfter this adjustment, copy no longer collapses to -fraggap on the\npaged path, so remove the stale comment describing that old arithmetic.\nSince a negative copy is no longer expected for a valid MSG_SPLICE_PAGES\ncase, remove the MSG_SPLICE_PAGES exception from the negative copy check."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T11:56:35.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14200d435af9a9eeb444f529fc2f689a236b7962"
},
{
"url": "https://git.kernel.org/stable/c/65fb14cbebb0cd0eff903a22d33537ddc8b95769"
},
{
"url": "https://git.kernel.org/stable/c/46f201f8b4c39633a1fa3dc12459f506d470993d"
},
{
"url": "https://git.kernel.org/stable/c/6374fb9edf72c67a118a2c214a0dddd04c921e0a"
},
{
"url": "https://git.kernel.org/stable/c/e9eacf19281ea2498b36291b56c9606118c2d74e"
},
{
"url": "https://git.kernel.org/stable/c/736b380e28d0480c7bc3e022f1950f31fe53a7c5"
}
],
"title": "ipv6: account for fraggap on the paged allocation path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53362",
"datePublished": "2026-07-04T11:56:35.864Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-04T11:56:35.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53361 (GCVE-0-2026-53361)
Vulnerability from nvd – Published: 2026-07-04 11:54 – Updated: 2026-07-04 11:54
VLAI
Title
af_unix: Set gc_in_progress to true in unix_gc().
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Set gc_in_progress to true in unix_gc().
Igor Ushakov reported that unix_gc() could run with gc_in_progress
being false if the work is scheduled while running:
Thread 1 Thread 2 Thread 3
-------- -------- --------
unix_schedule_gc() unix_schedule_gc()
`- if (!gc_in_progress) `- if (!gc_in_progress)
|- gc_in_progress = true |
`- queue_work() |
unix_gc() <----------------/ |
| |- gc_in_progress = true
... `- queue_work()
| |
`- gc_in_progress = false |
|
unix_gc() <---------------------------------------------'
|
... /* gc_in_progress == false */
|
`- gc_in_progress = false
unix_peek_fpl() relies on gc_in_progress not to confuse GC
by MSG_PEEK.
Let's set gc_in_progress to true in unix_gc().
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
328840c93bd6a4871dd10908d01b41eab83eb8e2 , < 82c17e13d404f686e164590483fd6c1abaa675d0
(git)
Affected: 8b90a9f819dc2a06baae4ec1a64d875e53b824ec , < 591f1ac217428a6d2b32a8ac14aac0fab44f155a (git) Affected: 8b90a9f819dc2a06baae4ec1a64d875e53b824ec , < 0cfa78c050662784fc8e3ab26dbfd1dc632b2082 (git) Affected: 8b90a9f819dc2a06baae4ec1a64d875e53b824ec , < d82ba05263c69fa2437fe93e4e561cc40f4c03af (git) Affected: ceb8bd6c69c1680fd9b45e7f16d7170c9c7513a5 (git) Affected: 6.6.93 , < 6.6.144 (semver) Affected: 6.1.141 , < 6.2 (semver) |
|
| Linux | Linux |
Affected:
6.9
Unaffected: 0 , < 6.9 (semver) Unaffected: 6.6.144 , ≤ 6.6.* (semver) Unaffected: 6.12.95 , ≤ 6.12.* (semver) Unaffected: 6.18.38 , ≤ 6.18.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82c17e13d404f686e164590483fd6c1abaa675d0",
"status": "affected",
"version": "328840c93bd6a4871dd10908d01b41eab83eb8e2",
"versionType": "git"
},
{
"lessThan": "591f1ac217428a6d2b32a8ac14aac0fab44f155a",
"status": "affected",
"version": "8b90a9f819dc2a06baae4ec1a64d875e53b824ec",
"versionType": "git"
},
{
"lessThan": "0cfa78c050662784fc8e3ab26dbfd1dc632b2082",
"status": "affected",
"version": "8b90a9f819dc2a06baae4ec1a64d875e53b824ec",
"versionType": "git"
},
{
"lessThan": "d82ba05263c69fa2437fe93e4e561cc40f4c03af",
"status": "affected",
"version": "8b90a9f819dc2a06baae4ec1a64d875e53b824ec",
"versionType": "git"
},
{
"status": "affected",
"version": "ceb8bd6c69c1680fd9b45e7f16d7170c9c7513a5",
"versionType": "git"
},
{
"lessThan": "6.6.144",
"status": "affected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.141",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.38",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.144",
"versionStartIncluding": "6.6.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.95",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.38",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.141",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Set gc_in_progress to true in unix_gc().\n\nIgor Ushakov reported that unix_gc() could run with gc_in_progress\nbeing false if the work is scheduled while running:\n\n Thread 1 Thread 2 Thread 3\n -------- -------- --------\n unix_schedule_gc() unix_schedule_gc()\n `- if (!gc_in_progress) `- if (!gc_in_progress)\n |- gc_in_progress = true |\n `- queue_work() |\n unix_gc() \u003c----------------/ |\n | |- gc_in_progress = true\n ... `- queue_work()\n | |\n `- gc_in_progress = false |\n |\n unix_gc() \u003c---------------------------------------------\u0027\n |\n ... /* gc_in_progress == false */\n |\n `- gc_in_progress = false\n\nunix_peek_fpl() relies on gc_in_progress not to confuse GC\nby MSG_PEEK.\n\nLet\u0027s set gc_in_progress to true in unix_gc()."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T11:54:52.543Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82c17e13d404f686e164590483fd6c1abaa675d0"
},
{
"url": "https://git.kernel.org/stable/c/591f1ac217428a6d2b32a8ac14aac0fab44f155a"
},
{
"url": "https://git.kernel.org/stable/c/0cfa78c050662784fc8e3ab26dbfd1dc632b2082"
},
{
"url": "https://git.kernel.org/stable/c/d82ba05263c69fa2437fe93e4e561cc40f4c03af"
}
],
"title": "af_unix: Set gc_in_progress to true in unix_gc().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53361",
"datePublished": "2026-07-04T11:54:52.543Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-04T11:54:52.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53360 (GCVE-0-2026-53360)
Vulnerability from nvd – Published: 2026-07-04 11:53 – Updated: 2026-07-04 11:53
VLAI
Title
KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
As per the GHCB spec, when using GHCB v2+ require the software scratch area
to reside in the GHCB's shared buffer. Note, things like Page State Change
(PSC) requests _rely_ on this behavior, as the guest can't provide a length
when making the request, i.e. the size of the guest payload is bounded by
the size of the shared buffer.
Failure to force usage of the GHCB, and a slew of other flaws, lets a
malicious SNP guest corrupt host kernel heap memory, and leak host heap
layout information.
setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2),
where exit_info_2 is guest-controlled. With exit_info_2=24, this yields
a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer
holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only
entries[0] and entries[1] are in-bounds.
snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253)
but NOT against the actual buffer size:
idx_end = hdr->end_entry;
if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer
snp_complete_psc(svm, ...);
return 1;
}
for (idx = idx_start; idx <= idx_end; idx++) {
entry_start = entries[idx]; // OOB when idx >= 2
The guest sets end_entry=10+, causing the host to iterate entries[2+]
which are OOB into adjacent slab objects. For each OOB entry:
- The host reads 8 bytes (OOB READ / info leak oracle)
- If the data passes PSC validation, __snp_complete_one_psc() writes
cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806)
- If validation fails, the error response reveals whether adjacent
memory is zero vs non-zero (information disclosure to guest)
The guest controls allocation size (exit_info_2), entry range
(cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly
hit different slab positions.
By exploiting the variety of bugs, a malicious SEV-SNP guest can:
- OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure)
- OOB write cur_page bits into adjacent objects (heap corruption)
- Trigger use-after-free conditions across VMGEXITs
E.g. with KASAN enabled, a single insmod of the PoC guest module
produces 73 KASAN reports:
BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890
Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199
BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890
Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199
The buggy address belongs to the object at ffff888XXXXXXXXX
which belongs to the cache kmalloc-cg-32 of size 32
The buggy address is located N bytes to the right of
allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX)
Breakdown:
62 slab-out-of-bounds (reads + writes past allocation)
7 slab-use-after-free
4 use-after-free
All credit to Stan for the wonderful description and reproducer!
[sean: write changelog]
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4af663c2f64a8d252e690c60cf8b8abf22dc2951 , < bf9ba093fbb83c0c9a3dedd50efec29424eca2fc
(git)
Affected: 4af663c2f64a8d252e690c60cf8b8abf22dc2951 , < c9b4198fbc6ed99a9da4bee9f74bb730f926c9ae (git) Affected: 4af663c2f64a8d252e690c60cf8b8abf22dc2951 , < b328ede59ac34e7998e1eee5e5f0cc26c2a91846 (git) Affected: 4af663c2f64a8d252e690c60cf8b8abf22dc2951 , < db3f2195d29344a3cf1e9dd9ab7f21ced7308cf7 (git) |
|
| Linux | Linux |
Affected:
6.10
Unaffected: 0 , < 6.10 (semver) Unaffected: 6.12.93 , ≤ 6.12.* (semver) Unaffected: 6.18.35 , ≤ 6.18.* (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf9ba093fbb83c0c9a3dedd50efec29424eca2fc",
"status": "affected",
"version": "4af663c2f64a8d252e690c60cf8b8abf22dc2951",
"versionType": "git"
},
{
"lessThan": "c9b4198fbc6ed99a9da4bee9f74bb730f926c9ae",
"status": "affected",
"version": "4af663c2f64a8d252e690c60cf8b8abf22dc2951",
"versionType": "git"
},
{
"lessThan": "b328ede59ac34e7998e1eee5e5f0cc26c2a91846",
"status": "affected",
"version": "4af663c2f64a8d252e690c60cf8b8abf22dc2951",
"versionType": "git"
},
{
"lessThan": "db3f2195d29344a3cf1e9dd9ab7f21ced7308cf7",
"status": "affected",
"version": "4af663c2f64a8d252e690c60cf8b8abf22dc2951",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use\n\nAs per the GHCB spec, when using GHCB v2+ require the software scratch area\nto reside in the GHCB\u0027s shared buffer. Note, things like Page State Change\n(PSC) requests _rely_ on this behavior, as the guest can\u0027t provide a length\nwhen making the request, i.e. the size of the guest payload is bounded by\nthe size of the shared buffer.\n\nFailure to force usage of the GHCB, and a slew of other flaws, lets a\nmalicious SNP guest corrupt host kernel heap memory, and leak host heap\nlayout information.\n\nsetup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2),\nwhere exit_info_2 is guest-controlled. With exit_info_2=24, this yields\na 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer\nholds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only\nentries[0] and entries[1] are in-bounds.\n\nsnp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253)\nbut NOT against the actual buffer size:\n\n idx_end = hdr-\u003eend_entry;\n\n if (idx_end \u003e= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer\n snp_complete_psc(svm, ...);\n return 1;\n }\n\n for (idx = idx_start; idx \u003c= idx_end; idx++) {\n entry_start = entries[idx]; // OOB when idx \u003e= 2\n\nThe guest sets end_entry=10+, causing the host to iterate entries[2+]\nwhich are OOB into adjacent slab objects. For each OOB entry:\n\n - The host reads 8 bytes (OOB READ / info leak oracle)\n - If the data passes PSC validation, __snp_complete_one_psc() writes\n cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806)\n - If validation fails, the error response reveals whether adjacent\n memory is zero vs non-zero (information disclosure to guest)\n\nThe guest controls allocation size (exit_info_2), entry range\n(cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly\nhit different slab positions.\n\nBy exploiting the variety of bugs, a malicious SEV-SNP guest can:\n - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure)\n - OOB write cur_page bits into adjacent objects (heap corruption)\n - Trigger use-after-free conditions across VMGEXITs\n\nE.g. with KASAN enabled, a single insmod of the PoC guest module\nproduces 73 KASAN reports:\n\n BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890\n Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199\n\n BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890\n Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199\n\n The buggy address belongs to the object at ffff888XXXXXXXXX\n which belongs to the cache kmalloc-cg-32 of size 32\n The buggy address is located N bytes to the right of\n allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX)\n\n Breakdown:\n 62 slab-out-of-bounds (reads + writes past allocation)\n 7 slab-use-after-free\n 4 use-after-free\n\nAll credit to Stan for the wonderful description and reproducer!\n\n[sean: write changelog]"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T11:53:58.657Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf9ba093fbb83c0c9a3dedd50efec29424eca2fc"
},
{
"url": "https://git.kernel.org/stable/c/c9b4198fbc6ed99a9da4bee9f74bb730f926c9ae"
},
{
"url": "https://git.kernel.org/stable/c/b328ede59ac34e7998e1eee5e5f0cc26c2a91846"
},
{
"url": "https://git.kernel.org/stable/c/db3f2195d29344a3cf1e9dd9ab7f21ced7308cf7"
}
],
"title": "KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53360",
"datePublished": "2026-07-04T11:53:58.657Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-04T11:53:58.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53359 (GCVE-0-2026-53359)
Vulnerability from nvd – Published: 2026-07-04 11:51 – Updated: 2026-07-04 11:51
VLAI
Title
KVM: x86: Fix shadow paging use-after-free due to unexpected role
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Fix shadow paging use-after-free due to unexpected role
Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due
to unexpected GFN") fixed a shadow paging mismatch between stored and
computed GFNs; the bug could be triggered by changing a PDE mapping from
outside the guest, and then deleting a memslot. The rmap_remove()
call would miss entries created after the PDE change because the GFN
of the leaf SPTE does not match the GFN of the struct kvm_mmu_page.
A similar hole however remains if the modified PDE points to a non-leaf
page. In this case the gfn can be made to match, but the role does not
match: the original large 2MB page creates a kvm_mmu_page with direct=1,
while the new 4KB needs a kvm_mmu_page with direct=0. However,
kvm_mmu_get_child_sp() does not compare the role, and therefore reuses
the page.
The next step is installing a leaf (4KB) SPTE on the new path which
records an rmap entry under the gfn resolved by the walk. But when
that child is zapped its parent kvm_mmu_page has direct=1 and
kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as
sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[]
in older kernels). It therefore fails to remove the recorded entry.
When the memslot is dropped the shadow page is freed but the rmap
entry survives, as in the scenario that was already fixed. Code that
later walks that gfn (dirty logging, MMU notifier invalidation, and
so on) dereferences an sptep that lies in the freed page, causing the
use-after-free.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2032a93d66fa282ba0f2ea9152eeff9511fa9a96 , < b1337aae5e194324e4810d561764e7793f8b3864
(git)
Affected: 2032a93d66fa282ba0f2ea9152eeff9511fa9a96 , < 9291654d69e08542de37755cebe4d5b02c3170d1 (git) Affected: 2032a93d66fa282ba0f2ea9152eeff9511fa9a96 , < 2ad3afa40ac6aa340dada122f9abfa46c0a6eb35 (git) Affected: 2032a93d66fa282ba0f2ea9152eeff9511fa9a96 , < 5e470998a23e4c3d89ed24e8172cb22747e61efa (git) Affected: 2032a93d66fa282ba0f2ea9152eeff9511fa9a96 , < 1ae7d5a6db6c190ce183e3098ca0e0846e14d462 (git) Affected: 2032a93d66fa282ba0f2ea9152eeff9511fa9a96 , < 81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb (git) |
|
| Linux | Linux |
Affected:
2.6.36
Unaffected: 0 , < 2.6.36 (semver) Unaffected: 6.1.177 , ≤ 6.1.* (semver) Unaffected: 6.6.144 , ≤ 6.6.* (semver) Unaffected: 6.12.95 , ≤ 6.12.* (semver) Unaffected: 6.18.38 , ≤ 6.18.* (semver) Unaffected: 7.1.3 , ≤ 7.1.* (semver) Unaffected: 7.2-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1337aae5e194324e4810d561764e7793f8b3864",
"status": "affected",
"version": "2032a93d66fa282ba0f2ea9152eeff9511fa9a96",
"versionType": "git"
},
{
"lessThan": "9291654d69e08542de37755cebe4d5b02c3170d1",
"status": "affected",
"version": "2032a93d66fa282ba0f2ea9152eeff9511fa9a96",
"versionType": "git"
},
{
"lessThan": "2ad3afa40ac6aa340dada122f9abfa46c0a6eb35",
"status": "affected",
"version": "2032a93d66fa282ba0f2ea9152eeff9511fa9a96",
"versionType": "git"
},
{
"lessThan": "5e470998a23e4c3d89ed24e8172cb22747e61efa",
"status": "affected",
"version": "2032a93d66fa282ba0f2ea9152eeff9511fa9a96",
"versionType": "git"
},
{
"lessThan": "1ae7d5a6db6c190ce183e3098ca0e0846e14d462",
"status": "affected",
"version": "2032a93d66fa282ba0f2ea9152eeff9511fa9a96",
"versionType": "git"
},
{
"lessThan": "81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb",
"status": "affected",
"version": "2032a93d66fa282ba0f2ea9152eeff9511fa9a96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.38",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.*",
"status": "unaffected",
"version": "7.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.2-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.177",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.144",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.95",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.38",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.3",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.2-rc1",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix shadow paging use-after-free due to unexpected role\n\nCommit 0cb2af2ea66ad (\"KVM: x86: Fix shadow paging use-after-free due\nto unexpected GFN\") fixed a shadow paging mismatch between stored and\ncomputed GFNs; the bug could be triggered by changing a PDE mapping from\noutside the guest, and then deleting a memslot. The rmap_remove()\ncall would miss entries created after the PDE change because the GFN\nof the leaf SPTE does not match the GFN of the struct kvm_mmu_page.\n\nA similar hole however remains if the modified PDE points to a non-leaf\npage. In this case the gfn can be made to match, but the role does not\nmatch: the original large 2MB page creates a kvm_mmu_page with direct=1,\nwhile the new 4KB needs a kvm_mmu_page with direct=0. However,\nkvm_mmu_get_child_sp() does not compare the role, and therefore reuses\nthe page.\n\nThe next step is installing a leaf (4KB) SPTE on the new path which\nrecords an rmap entry under the gfn resolved by the walk. But when\nthat child is zapped its parent kvm_mmu_page has direct=1 and\nkvm_mmu_page_get_gfn() computes the gfn for the 4KB page as\nsp-\u003egfn + index instead of using sp-\u003eshadowed_translation[] (or sp-\u003egfns[]\nin older kernels). It therefore fails to remove the recorded entry.\n\nWhen the memslot is dropped the shadow page is freed but the rmap\nentry survives, as in the scenario that was already fixed. Code that\nlater walks that gfn (dirty logging, MMU notifier invalidation, and\nso on) dereferences an sptep that lies in the freed page, causing the\nuse-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T11:51:49.052Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1337aae5e194324e4810d561764e7793f8b3864"
},
{
"url": "https://git.kernel.org/stable/c/9291654d69e08542de37755cebe4d5b02c3170d1"
},
{
"url": "https://git.kernel.org/stable/c/2ad3afa40ac6aa340dada122f9abfa46c0a6eb35"
},
{
"url": "https://git.kernel.org/stable/c/5e470998a23e4c3d89ed24e8172cb22747e61efa"
},
{
"url": "https://git.kernel.org/stable/c/1ae7d5a6db6c190ce183e3098ca0e0846e14d462"
},
{
"url": "https://git.kernel.org/stable/c/81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb"
}
],
"title": "KVM: x86: Fix shadow paging use-after-free due to unexpected role",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53359",
"datePublished": "2026-07-04T11:51:49.052Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-04T11:51:49.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53358 (GCVE-0-2026-53358)
Vulnerability from nvd – Published: 2026-07-02 13:43 – Updated: 2026-07-02 13:43
VLAI
Title
Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
l2cap_chan_close() removes the channel from conn->chan_l, which
must be done under conn->lock. cleanup_listen() runs under the
parent sk_lock, so acquiring conn->lock would invert the
established conn->lock -> chan->lock -> sk_lock order.
Instead of calling l2cap_chan_close() directly, schedule
l2cap_chan_timeout with delay 0 to close the channel
asynchronously. The timeout handler already acquires conn->lock
and chan->lock in the correct order.
The timer is only armed when chan->conn is still set: if it is
already NULL, l2cap_conn_del() has already processed this channel
(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),
so there is nothing left to do. If l2cap_conn_del() races in
after the timer is armed, __clear_chan_timer() inside
l2cap_chan_del() cancels it; if the timer has already fired, the
handler returns harmlessly because chan->conn was cleared.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3df91ea20e744344100b10ae69a17211fcf5b207 , < 3634cbdc2eb414b69ffa752ddbe5e0458518e321
(git)
Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < e1c100e2d61bd8c718b7d91fe3e050780a9bf72d (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 89dec92041717b027216e110599e4f6d6c921b79 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 50dfec218808b148ab4247b1858031b7a32015c5 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 859d3ace791ed878ae9ba5522c7844d960da8f88 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 7555fd885a0603f50e49a655850a1f2bd8a25398 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 8c8e620467a7b51562dbcefbd1f09f288d7d710d (git) |
|
| Linux | Linux |
Affected:
3.4
Unaffected: 0 , < 3.4 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.93 , ≤ 6.12.* (semver) Unaffected: 6.18.35 , ≤ 6.18.* (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3634cbdc2eb414b69ffa752ddbe5e0458518e321",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "e1c100e2d61bd8c718b7d91fe3e050780a9bf72d",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "89dec92041717b027216e110599e4f6d6c921b79",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "50dfec218808b148ab4247b1858031b7a32015c5",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "859d3ace791ed878ae9ba5522c7844d960da8f88",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "7555fd885a0603f50e49a655850a1f2bd8a25398",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "8c8e620467a7b51562dbcefbd1f09f288d7d710d",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: use chan timer to close channels in cleanup_listen()\n\nl2cap_chan_close() removes the channel from conn-\u003echan_l, which\nmust be done under conn-\u003elock. cleanup_listen() runs under the\nparent sk_lock, so acquiring conn-\u003elock would invert the\nestablished conn-\u003elock -\u003e chan-\u003elock -\u003e sk_lock order.\n\nInstead of calling l2cap_chan_close() directly, schedule\nl2cap_chan_timeout with delay 0 to close the channel\nasynchronously. The timeout handler already acquires conn-\u003elock\nand chan-\u003elock in the correct order.\n\nThe timer is only armed when chan-\u003econn is still set: if it is\nalready NULL, l2cap_conn_del() has already processed this channel\n(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),\nso there is nothing left to do. If l2cap_conn_del() races in\nafter the timer is armed, __clear_chan_timer() inside\nl2cap_chan_del() cancels it; if the timer has already fired, the\nhandler returns harmlessly because chan-\u003econn was cleared."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T13:43:17.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3634cbdc2eb414b69ffa752ddbe5e0458518e321"
},
{
"url": "https://git.kernel.org/stable/c/e1c100e2d61bd8c718b7d91fe3e050780a9bf72d"
},
{
"url": "https://git.kernel.org/stable/c/deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9"
},
{
"url": "https://git.kernel.org/stable/c/89dec92041717b027216e110599e4f6d6c921b79"
},
{
"url": "https://git.kernel.org/stable/c/50dfec218808b148ab4247b1858031b7a32015c5"
},
{
"url": "https://git.kernel.org/stable/c/859d3ace791ed878ae9ba5522c7844d960da8f88"
},
{
"url": "https://git.kernel.org/stable/c/7555fd885a0603f50e49a655850a1f2bd8a25398"
},
{
"url": "https://git.kernel.org/stable/c/8c8e620467a7b51562dbcefbd1f09f288d7d710d"
}
],
"title": "Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53358",
"datePublished": "2026-07-02T13:43:17.630Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-02T13:43:17.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53357 (GCVE-0-2026-53357)
Vulnerability from nvd – Published: 2026-07-02 13:43 – Updated: 2026-07-02 13:43
VLAI
Title
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
accept queue and release_sock()s it before returning, so the returned
sk has no caller reference and is unlocked.
l2cap_sock_cleanup_listen() walks these children on listening-socket
close. A concurrent HCI disconnect drives hci_rx_work ->
l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
frees the child sk and its l2cap_chan; cleanup_listen() then uses both:
BUG: KASAN: slab-use-after-free in l2cap_sock_kill
l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill
This is distinct from the two fixes already in this area: commit
e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the
accept_q list/poll and takes temporary refs inside bt_accept_dequeue(),
and CVE-2025-39860 serialises the userspace close()/accept() race by
calling cleanup_listen() under lock_sock() in l2cap_sock_release().
Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF
still reproduces on current bluetooth/master.
Take the reference at the source: bt_accept_dequeue() does sock_hold()
while sk is still locked, before release_sock(); callers sock_put().
cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under
a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops
it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on
SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under
the parent sk lock and that would invert
conn->lock -> chan->lock -> sk_lock (lockdep).
KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced
12 use-after-free reports per run before this change; 0, and no lockdep
report, over 1600+ raced iterations after it on bluetooth/master.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
15f02b91056253e8cdc592888f431da0731337b8 , < 751de6ec671fe75ad9cf65a0638d2a06b6a5984d
(git)
Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 407217734835d21d4e0105ebf347860dc1806f88 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 7eebd4c2c86f573af87ff165d08a83432eb0b919 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 5d86d2f1b4d9a508c441d3e45277ae1a73cfed57 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 87c543e2f78d0871f271df92dab98901bbd5b6f5 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < added1213395071470a900cc845a042fb51882a6 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < a5ca86a6097a8b030ca3226cd300b17ed330f966 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < ab1513597c6cf17cd1ad2a21e3b045421b48e022 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/af_bluetooth.c",
"net/bluetooth/iso.c",
"net/bluetooth/l2cap_sock.c",
"net/bluetooth/rfcomm/sock.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "751de6ec671fe75ad9cf65a0638d2a06b6a5984d",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "407217734835d21d4e0105ebf347860dc1806f88",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "7eebd4c2c86f573af87ff165d08a83432eb0b919",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "5d86d2f1b4d9a508c441d3e45277ae1a73cfed57",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "87c543e2f78d0871f271df92dab98901bbd5b6f5",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "added1213395071470a900cc845a042fb51882a6",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "a5ca86a6097a8b030ca3226cd300b17ed330f966",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "ab1513597c6cf17cd1ad2a21e3b045421b48e022",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/af_bluetooth.c",
"net/bluetooth/iso.c",
"net/bluetooth/l2cap_sock.c",
"net/bluetooth/rfcomm/sock.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()\n\nbt_accept_dequeue() unlinks a not-yet-accepted child from the parent\naccept queue and release_sock()s it before returning, so the returned\nsk has no caller reference and is unlocked.\n\nl2cap_sock_cleanup_listen() walks these children on listening-socket\nclose. A concurrent HCI disconnect drives hci_rx_work -\u003e\nl2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and\nfrees the child sk and its l2cap_chan; cleanup_listen() then uses both:\n\n BUG: KASAN: slab-use-after-free in l2cap_sock_kill\n l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close\n Freed by: l2cap_conn_del -\u003e l2cap_sock_close_cb -\u003e l2cap_sock_kill\n\nThis is distinct from the two fixes already in this area: commit\ne83f5e24da741 (\"Bluetooth: serialize accept_q access\") serialises the\naccept_q list/poll and takes temporary refs inside bt_accept_dequeue(),\nand CVE-2025-39860 serialises the userspace close()/accept() race by\ncalling cleanup_listen() under lock_sock() in l2cap_sock_release().\nNeither covers l2cap_conn_del() running from hci_rx_work, so this UAF\nstill reproduces on current bluetooth/master.\n\nTake the reference at the source: bt_accept_dequeue() does sock_hold()\nwhile sk is still locked, before release_sock(); callers sock_put().\ncleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under\na brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops\nit before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on\nSOCK_DEAD. conn-\u003elock is not taken here: cleanup_listen() runs under\nthe parent sk lock and that would invert\nconn-\u003elock -\u003e chan-\u003elock -\u003e sk_lock (lockdep).\n\nKASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced\n12 use-after-free reports per run before this change; 0, and no lockdep\nreport, over 1600+ raced iterations after it on bluetooth/master."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T13:43:17.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/751de6ec671fe75ad9cf65a0638d2a06b6a5984d"
},
{
"url": "https://git.kernel.org/stable/c/407217734835d21d4e0105ebf347860dc1806f88"
},
{
"url": "https://git.kernel.org/stable/c/7eebd4c2c86f573af87ff165d08a83432eb0b919"
},
{
"url": "https://git.kernel.org/stable/c/5d86d2f1b4d9a508c441d3e45277ae1a73cfed57"
},
{
"url": "https://git.kernel.org/stable/c/87c543e2f78d0871f271df92dab98901bbd5b6f5"
},
{
"url": "https://git.kernel.org/stable/c/added1213395071470a900cc845a042fb51882a6"
},
{
"url": "https://git.kernel.org/stable/c/a5ca86a6097a8b030ca3226cd300b17ed330f966"
},
{
"url": "https://git.kernel.org/stable/c/ab1513597c6cf17cd1ad2a21e3b045421b48e022"
}
],
"title": "Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53357",
"datePublished": "2026-07-02T13:43:17.077Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-02T13:43:17.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53356 (GCVE-0-2026-53356)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
drm/i915/gem: Fix phys BO pread/pwrite with offset
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gem: Fix phys BO pread/pwrite with offset
sg_page() returns struct page pointer not (void *) so the scaling
of pread/pwrite is wrong for phys BO and wrong parts of BO would be
accessed if non-zero offset is used.
Last impacted platform with overlay or cursor planes using phys
mapping was Gen3/945G/Lakeport.
(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c6790dc22312f592c1434577258b31c48c72d52a , < 40f738991058eb3e3530c3006a5bd6fd5e29f035
(git)
Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 1ec8fc63e9cdb22da54e48e536c9204020416fc6 (git) Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 14469860e2e39b7095dcd658d2bad38a11110a68 (git) Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 07c33be968d9e0cab6cba38c81850a09942fcb2e (git) Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 3bd168dd835b93a3862cd05b0d13c432b115f9d6 (git) Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 32d4c5d328a3ff995420f4f85163e1e403f43628 (git) Affected: c6790dc22312f592c1434577258b31c48c72d52a , < dd51a2eeb93bc6faa892ff9083911dd23f82c187 (git) Affected: c6790dc22312f592c1434577258b31c48c72d52a , < d21ad938398bca695a511307de38a65889e3b354 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_phys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40f738991058eb3e3530c3006a5bd6fd5e29f035",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "1ec8fc63e9cdb22da54e48e536c9204020416fc6",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "14469860e2e39b7095dcd658d2bad38a11110a68",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "07c33be968d9e0cab6cba38c81850a09942fcb2e",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "3bd168dd835b93a3862cd05b0d13c432b115f9d6",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "32d4c5d328a3ff995420f4f85163e1e403f43628",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "dd51a2eeb93bc6faa892ff9083911dd23f82c187",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "d21ad938398bca695a511307de38a65889e3b354",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_phys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Fix phys BO pread/pwrite with offset\n\nsg_page() returns struct page pointer not (void *) so the scaling\nof pread/pwrite is wrong for phys BO and wrong parts of BO would be\naccessed if non-zero offset is used.\n\nLast impacted platform with overlay or cursor planes using phys\nmapping was Gen3/945G/Lakeport.\n\n(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:31.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40f738991058eb3e3530c3006a5bd6fd5e29f035"
},
{
"url": "https://git.kernel.org/stable/c/1ec8fc63e9cdb22da54e48e536c9204020416fc6"
},
{
"url": "https://git.kernel.org/stable/c/14469860e2e39b7095dcd658d2bad38a11110a68"
},
{
"url": "https://git.kernel.org/stable/c/07c33be968d9e0cab6cba38c81850a09942fcb2e"
},
{
"url": "https://git.kernel.org/stable/c/3bd168dd835b93a3862cd05b0d13c432b115f9d6"
},
{
"url": "https://git.kernel.org/stable/c/32d4c5d328a3ff995420f4f85163e1e403f43628"
},
{
"url": "https://git.kernel.org/stable/c/dd51a2eeb93bc6faa892ff9083911dd23f82c187"
},
{
"url": "https://git.kernel.org/stable/c/d21ad938398bca695a511307de38a65889e3b354"
}
],
"title": "drm/i915/gem: Fix phys BO pread/pwrite with offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53356",
"datePublished": "2026-07-01T13:32:31.428Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:31.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53355 (GCVE-0-2026-53355)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
net: rds: clear i_sends on setup unwind
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rds: clear i_sends on setup unwind
The RDS IB connection teardown path is written so it can run during
partial startup and on repeated shutdown attempts. It uses NULL
pointers to distinguish resources that are still owned from resources
that have already been released.
When rds_ib_setup_qp() fails after allocating i_sends but before
allocating i_recvs, the sends_out path frees i_sends without clearing
the pointer. A later shutdown pass can still treat that stale pointer
as a live send ring allocation.
Clear i_sends after vfree() in the error unwind path so the existing
shutdown logic continues to use the correct ownership state.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3b12f73a5c2977153f28a224392fd4729b50d1dc , < 66cccec111421a10efdc2c74499d15b93e7acae5
(git)
Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 2c5e5e4a5970c41f16e3ad801a78719ed5d5c71b (git) Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 29d940026dce39e3018dab6f67c9427249321270 (git) Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < e7cf30aa5f1fc6c2a86df65df8b731df20e44d79 (git) Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < f16ad421a4e3e7db2d14bdf3b16f583bc4f3b30a (git) Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 1d4ec754ee3871f7e3670c67bb0298c9c5760926 (git) Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 27040bbca289a704eafcacca167d310c6ce2b1bc (git) Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 20cf0fb715c41111469577e85e35d15f099473e0 (git) Affected: 75a12b2fa80c2e4cc40a9f9305f95899850b7426 (git) Affected: c9459693fae9a1bf3f51f3db98617f694112e897 (git) Affected: 13099ee9c7d54b0a25f6c8397675aed99e9cfa45 (git) Affected: 5c6712ab4efb6cf60e16719ab6bcaface9cc268c (git) Affected: 3.18.74 , < 3.19 (semver) Affected: 4.1.46 , < 4.2 (semver) Affected: 4.4.91 , < 4.5 (semver) Affected: 4.9.54 , < 4.10 (semver) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rds/ib_cm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66cccec111421a10efdc2c74499d15b93e7acae5",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "2c5e5e4a5970c41f16e3ad801a78719ed5d5c71b",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "29d940026dce39e3018dab6f67c9427249321270",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "e7cf30aa5f1fc6c2a86df65df8b731df20e44d79",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "f16ad421a4e3e7db2d14bdf3b16f583bc4f3b30a",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "1d4ec754ee3871f7e3670c67bb0298c9c5760926",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "27040bbca289a704eafcacca167d310c6ce2b1bc",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "20cf0fb715c41111469577e85e35d15f099473e0",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"status": "affected",
"version": "75a12b2fa80c2e4cc40a9f9305f95899850b7426",
"versionType": "git"
},
{
"status": "affected",
"version": "c9459693fae9a1bf3f51f3db98617f694112e897",
"versionType": "git"
},
{
"status": "affected",
"version": "13099ee9c7d54b0a25f6c8397675aed99e9cfa45",
"versionType": "git"
},
{
"status": "affected",
"version": "5c6712ab4efb6cf60e16719ab6bcaface9cc268c",
"versionType": "git"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.74",
"versionType": "semver"
},
{
"lessThan": "4.2",
"status": "affected",
"version": "4.1.46",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.91",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.54",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rds/ib_cm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: clear i_sends on setup unwind\n\nThe RDS IB connection teardown path is written so it can run during\npartial startup and on repeated shutdown attempts. It uses NULL\npointers to distinguish resources that are still owned from resources\nthat have already been released.\n\nWhen rds_ib_setup_qp() fails after allocating i_sends but before\nallocating i_recvs, the sends_out path frees i_sends without clearing\nthe pointer. A later shutdown pass can still treat that stale pointer\nas a live send ring allocation.\n\nClear i_sends after vfree() in the error unwind path so the existing\nshutdown logic continues to use the correct ownership state."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:30.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66cccec111421a10efdc2c74499d15b93e7acae5"
},
{
"url": "https://git.kernel.org/stable/c/2c5e5e4a5970c41f16e3ad801a78719ed5d5c71b"
},
{
"url": "https://git.kernel.org/stable/c/29d940026dce39e3018dab6f67c9427249321270"
},
{
"url": "https://git.kernel.org/stable/c/e7cf30aa5f1fc6c2a86df65df8b731df20e44d79"
},
{
"url": "https://git.kernel.org/stable/c/f16ad421a4e3e7db2d14bdf3b16f583bc4f3b30a"
},
{
"url": "https://git.kernel.org/stable/c/1d4ec754ee3871f7e3670c67bb0298c9c5760926"
},
{
"url": "https://git.kernel.org/stable/c/27040bbca289a704eafcacca167d310c6ce2b1bc"
},
{
"url": "https://git.kernel.org/stable/c/20cf0fb715c41111469577e85e35d15f099473e0"
}
],
"title": "net: rds: clear i_sends on setup unwind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53355",
"datePublished": "2026-07-01T13:32:30.831Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:30.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53354 (GCVE-0-2026-53354)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
arm64: errata: Mitigate TLBI errata on various Arm CPUs
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: errata: Mitigate TLBI errata on various Arm CPUs
A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.
These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.
This issue has been assigned CVE ID CVE-2025-10263.
To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.
The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.
Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number.
Severity
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 925058203229403008d77a52b1e63e2ae5f4a3cf
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8364384ae82fbffdf8968abaac3455ed854da18d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7c3ad9365079e716b57d2363d3081ee7680cc18e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e717a4d08779f1a28d6e0275e75040b12c33c753 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d4fd4282204044fdedd1e42abbe70a9206f74ec0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b47b1e1d8675fdf5f6e11e7fa19c704d8c6f5cd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1268c64e2bcb6e968152990e87bd10c440fcc9c0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cfd391e74134db664feb499d43af286380b10ba8 (git) Affected: 0 , < 5.10.259 (semver) Affected: 0 , < 5.15.210 (semver) Affected: 0 , < 6.1.176 (semver) Affected: 0 , < 6.6.143 (semver) Affected: 0 , < 6.12.94 (semver) Affected: 0 , < 6.18.36 (semver) Affected: 0 , < 7.0.13 (semver) Affected: 0 , < 7.1.1 (semver) |
|
| Linux | Linux |
Unaffected:
5.10.259 , ≤ 5.10.*
(semver)
Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1.1 , ≤ 7.1.* (semver) Unaffected: 7.2-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"Documentation/arch/arm64/silicon-errata.rst",
"arch/arm64/Kconfig",
"arch/arm64/kernel/cpu_errata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "925058203229403008d77a52b1e63e2ae5f4a3cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8364384ae82fbffdf8968abaac3455ed854da18d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c3ad9365079e716b57d2363d3081ee7680cc18e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e717a4d08779f1a28d6e0275e75040b12c33c753",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d4fd4282204044fdedd1e42abbe70a9206f74ec0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b47b1e1d8675fdf5f6e11e7fa19c704d8c6f5cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1268c64e2bcb6e968152990e87bd10c440fcc9c0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfd391e74134db664feb499d43af286380b10ba8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5.10.259",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.15.210",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.18.36",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"Documentation/arch/arm64/silicon-errata.rst",
"arch/arm64/Kconfig",
"arch/arm64/kernel/cpu_errata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.*",
"status": "unaffected",
"version": "7.1.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.2-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.2-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Mitigate TLBI errata on various Arm CPUs\n\nA number of CPUs developed by Arm suffer from errata whereby a broadcast\nTLBI;DSB sequence may complete before the global observation of writes\nwhich are translated by an affected TLB entry.\n\nThese errata ONLY affect the completion of memory accesses which have\nbeen translated by an invalidated TLB entry, and these errata DO NOT\naffect the actual invalidation of TLB entries. TLB entries are removed\ncorrectly.\n\nThis issue has been assigned CVE ID CVE-2025-10263.\n\nTo mitigate this issue, Arm recommends that software follows any\naffected TLBI;DSB sequence with an additional TLBI;DSB, which will\nensure that all memory write effects affected by the first TLBI have\nbeen globally observed. The additional TLBI can use any operation that\nis broadcast to affected CPUs, and the additional DSB can use any option\nthat is sufficient to complete the additional TLBI.\n\nThe ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate\nthe issue. Enable this workaround for affected CPUs, and update the\nsilicon errata documentation accordingly.\n\nNote that due to the manner in which Arm develops IP and tracks errata,\nsome CPUs share a common erratum number."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:30.246Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/925058203229403008d77a52b1e63e2ae5f4a3cf"
},
{
"url": "https://git.kernel.org/stable/c/8364384ae82fbffdf8968abaac3455ed854da18d"
},
{
"url": "https://git.kernel.org/stable/c/7c3ad9365079e716b57d2363d3081ee7680cc18e"
},
{
"url": "https://git.kernel.org/stable/c/e717a4d08779f1a28d6e0275e75040b12c33c753"
},
{
"url": "https://git.kernel.org/stable/c/4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8"
},
{
"url": "https://git.kernel.org/stable/c/d4fd4282204044fdedd1e42abbe70a9206f74ec0"
},
{
"url": "https://git.kernel.org/stable/c/1b47b1e1d8675fdf5f6e11e7fa19c704d8c6f5cd"
},
{
"url": "https://git.kernel.org/stable/c/1268c64e2bcb6e968152990e87bd10c440fcc9c0"
},
{
"url": "https://git.kernel.org/stable/c/cfd391e74134db664feb499d43af286380b10ba8"
}
],
"title": "arm64: errata: Mitigate TLBI errata on various Arm CPUs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53354",
"datePublished": "2026-07-01T13:32:30.246Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:30.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53353 (GCVE-0-2026-53353)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
hsr: Remove WARN_ONCE() in hsr_addr_is_self().
Summary
In the Linux kernel, the following vulnerability has been resolved:
hsr: Remove WARN_ONCE() in hsr_addr_is_self().
syzbot reported the warning [0] in hsr_addr_is_self(),
whose assumption is simply wrong.
hsr->self_node is cleared in hsr_del_self_node(), which
is called from hsr_dellink().
Since dev->rtnl_link_ops->dellink() is called before
unregister_netdevice_many(), there is a window when
user can find the device but without hsr->self_node.
Let's remove WARN_ONCE() in hsr_addr_is_self().
[0]:
HSR: No self node
WARNING: net/hsr/hsr_framereg.c:39 at hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39, CPU#0: syz.4.16848/17220
Modules linked in:
CPU: 0 UID: 0 PID: 17220 Comm: syz.4.16848 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39
Code: 33 2f 41 0f b7 dd 89 ee 09 de 31 ff e8 c8 b4 c6 f6 09 dd 74 54 e8 0f b0 c6 f6 31 ed eb 53 e8 06 b0 c6 f6 48 8d 3d 2f 50 9c 04 <67> 48 0f b9 3a 31 ed eb 42 e8 c1 13 1f 00 89 c5 31 ff 89 c6 e8 96
RSP: 0018:ffffc900041c70e0 EFLAGS: 00010283
RAX: ffffffff8afdc6ca RBX: ffffffff8afdc4e6 RCX: 0000000000080000
RDX: ffffc90010493000 RSI: 0000000000000948 RDI: ffffffff8f9a1700
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900041c71e8 R11: fffff52000838e3f R12: dffffc0000000000
R13: ffff888041f9e3c0 R14: ffff888086ee3802 R15: 0000000000000000
FS: 00007f6fe985d6c0(0000) GS:ffff888126176000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f80bd437dac CR3: 0000000025096000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000002
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
check_local_dest net/hsr/hsr_forward.c:592 [inline]
fill_frame_info net/hsr/hsr_forward.c:728 [inline]
hsr_forward_skb+0xa11/0x2a80 net/hsr/hsr_forward.c:739
hsr_dev_xmit+0x253/0x370 net/hsr/hsr_device.c:236
__netdev_start_xmit include/linux/netdevice.h:5368 [inline]
netdev_start_xmit include/linux/netdevice.h:5377 [inline]
xmit_one net/core/dev.c:3888 [inline]
dev_hard_start_xmit+0x2df/0x860 net/core/dev.c:3904
__dev_queue_xmit+0x1428/0x3900 net/core/dev.c:4870
neigh_output include/net/neighbour.h:556 [inline]
ip_finish_output2+0xcec/0x10b0 net/ipv4/ip_output.c:237
ip_send_skb net/ipv4/ip_output.c:1510 [inline]
ip_push_pending_frames+0x8b/0x110 net/ipv4/ip_output.c:1530
raw_sendmsg+0x1547/0x1a50 net/ipv4/raw.c:659
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
____sys_sendmsg+0x7da/0x9c0 net/socket.c:2698
___sys_sendmsg+0x2a5/0x360 net/socket.c:2752
__sys_sendmsg net/socket.c:2784 [inline]
__do_sys_sendmsg net/socket.c:2789 [inline]
__se_sys_sendmsg net/socket.c:2787 [inline]
__x64_sys_sendmsg+0x1c3/0x2a0 net/socket.c:2787
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6feb62ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6fe985d028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6feb8a6090 RCX: 00007f6feb62ce59
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000004
RBP: 00007f6feb6c2d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6feb8a6128 R14: 00007f6feb8a6090 R15: 00007ffcf01cc488
</TASK>
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f266a683a4804dc499efc6c2206ef68efed029d0 , < 271355c2ef6171dbc815e7ae653eed63444bbd58
(git)
Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 0232b6fcb7615fb7fecfe0727a23065a53e228b8 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 66a46e22396fd5d09606f37f73643eb20e99aa42 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < d71bb171661ec0225bf4babdd4d296d744982fb3 (git) Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < afd0f17ca46258cec3a5cc48b8df9327fe772490 (git) |
|
| Linux | Linux |
Affected:
3.17
Unaffected: 0 , < 3.17 (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_framereg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "271355c2ef6171dbc815e7ae653eed63444bbd58",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "0232b6fcb7615fb7fecfe0727a23065a53e228b8",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "66a46e22396fd5d09606f37f73643eb20e99aa42",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "d71bb171661ec0225bf4babdd4d296d744982fb3",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "afd0f17ca46258cec3a5cc48b8df9327fe772490",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_framereg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Remove WARN_ONCE() in hsr_addr_is_self().\n\nsyzbot reported the warning [0] in hsr_addr_is_self(),\nwhose assumption is simply wrong.\n\nhsr-\u003eself_node is cleared in hsr_del_self_node(), which\nis called from hsr_dellink().\n\nSince dev-\u003ertnl_link_ops-\u003edellink() is called before\nunregister_netdevice_many(), there is a window when\nuser can find the device but without hsr-\u003eself_node.\n\nLet\u0027s remove WARN_ONCE() in hsr_addr_is_self().\n\n[0]:\nHSR: No self node\nWARNING: net/hsr/hsr_framereg.c:39 at hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39, CPU#0: syz.4.16848/17220\nModules linked in:\nCPU: 0 UID: 0 PID: 17220 Comm: syz.4.16848 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026\nRIP: 0010:hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39\nCode: 33 2f 41 0f b7 dd 89 ee 09 de 31 ff e8 c8 b4 c6 f6 09 dd 74 54 e8 0f b0 c6 f6 31 ed eb 53 e8 06 b0 c6 f6 48 8d 3d 2f 50 9c 04 \u003c67\u003e 48 0f b9 3a 31 ed eb 42 e8 c1 13 1f 00 89 c5 31 ff 89 c6 e8 96\nRSP: 0018:ffffc900041c70e0 EFLAGS: 00010283\nRAX: ffffffff8afdc6ca RBX: ffffffff8afdc4e6 RCX: 0000000000080000\nRDX: ffffc90010493000 RSI: 0000000000000948 RDI: ffffffff8f9a1700\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc900041c71e8 R11: fffff52000838e3f R12: dffffc0000000000\nR13: ffff888041f9e3c0 R14: ffff888086ee3802 R15: 0000000000000000\nFS: 00007f6fe985d6c0(0000) GS:ffff888126176000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f80bd437dac CR3: 0000000025096000 CR4: 00000000003526f0\nDR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000002\nDR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n check_local_dest net/hsr/hsr_forward.c:592 [inline]\n fill_frame_info net/hsr/hsr_forward.c:728 [inline]\n hsr_forward_skb+0xa11/0x2a80 net/hsr/hsr_forward.c:739\n hsr_dev_xmit+0x253/0x370 net/hsr/hsr_device.c:236\n __netdev_start_xmit include/linux/netdevice.h:5368 [inline]\n netdev_start_xmit include/linux/netdevice.h:5377 [inline]\n xmit_one net/core/dev.c:3888 [inline]\n dev_hard_start_xmit+0x2df/0x860 net/core/dev.c:3904\n __dev_queue_xmit+0x1428/0x3900 net/core/dev.c:4870\n neigh_output include/net/neighbour.h:556 [inline]\n ip_finish_output2+0xcec/0x10b0 net/ipv4/ip_output.c:237\n ip_send_skb net/ipv4/ip_output.c:1510 [inline]\n ip_push_pending_frames+0x8b/0x110 net/ipv4/ip_output.c:1530\n raw_sendmsg+0x1547/0x1a50 net/ipv4/raw.c:659\n sock_sendmsg_nosec net/socket.c:787 [inline]\n __sock_sendmsg net/socket.c:802 [inline]\n ____sys_sendmsg+0x7da/0x9c0 net/socket.c:2698\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2752\n __sys_sendmsg net/socket.c:2784 [inline]\n __do_sys_sendmsg net/socket.c:2789 [inline]\n __se_sys_sendmsg net/socket.c:2787 [inline]\n __x64_sys_sendmsg+0x1c3/0x2a0 net/socket.c:2787\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f6feb62ce59\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f6fe985d028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f6feb8a6090 RCX: 00007f6feb62ce59\nRDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000004\nRBP: 00007f6feb6c2d6f R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f6feb8a6128 R14: 00007f6feb8a6090 R15: 00007ffcf01cc488\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:29.699Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/271355c2ef6171dbc815e7ae653eed63444bbd58"
},
{
"url": "https://git.kernel.org/stable/c/0232b6fcb7615fb7fecfe0727a23065a53e228b8"
},
{
"url": "https://git.kernel.org/stable/c/66a46e22396fd5d09606f37f73643eb20e99aa42"
},
{
"url": "https://git.kernel.org/stable/c/d71bb171661ec0225bf4babdd4d296d744982fb3"
},
{
"url": "https://git.kernel.org/stable/c/afd0f17ca46258cec3a5cc48b8df9327fe772490"
}
],
"title": "hsr: Remove WARN_ONCE() in hsr_addr_is_self().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53353",
"datePublished": "2026-07-01T13:32:29.699Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:29.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53352 (GCVE-0-2026-53352)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
Summary
In the Linux kernel, the following vulnerability has been resolved:
signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
threads and sets signal->group_stop_count to the number of threads. If
one of the threads concurrently calls execve(), de_thread() invokes
zap_other_threads() to kill all other threads. zap_other_threads()
aborts the pending group stop by resetting signal->group_stop_count to 0
and clears the JOBCTL_PENDING_MASK for all other threads. However, it
fails to clear the job control flags for the calling thread.
When execve() completes, the calling thread returns to user mode and
checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
it calls do_signal_stop(), which invokes task_participate_group_stop().
Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
already-zero signal->group_stop_count, triggering a warning:
sig->group_stop_count == 0
WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
task_participate_group_stop+0x215/0x2d0
Call Trace:
<TASK>
do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
get_signal+0xa8c/0x1330 kernel/signal.c:2884
arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
calling thread in zap_other_threads(), ensuring it does not retain any
stale job control state after the thread group is destroyed. This aligns
with other functions that tear down a thread group and abort group
stops, such as zap_process() and complete_signal(), which correctly
clear these flags for all threads including the current one.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
39efa3ef3a376a4e53de2f82fc91182459d34200 , < 2b32b2fb241435145ea199efac024540759d2495
(git)
Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 391ebe74456a0f1d60b3ba4a8a64d9f44c1728fe (git) Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < f8d720bc2e35d568c18be0644e92a468de428370 (git) Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < f4aae11abb449dc536269705d0419ec69480faa9 (git) Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 76aebd9ef20078719dfd6282d3b06c27e900a65a (git) Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 8c046f36222c6ce1e0daef2c45c891c72602f8a1 (git) Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < dfcd0ba14769d94d76ac9d9814b85e7fcacd4e29 (git) Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 90918794a4e2c3b440f8fcf3847765a8b1d81b25 (git) |
|
| Linux | Linux |
Affected:
3.0
Unaffected: 0 , < 3.0 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b32b2fb241435145ea199efac024540759d2495",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "391ebe74456a0f1d60b3ba4a8a64d9f44c1728fe",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "f8d720bc2e35d568c18be0644e92a468de428370",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "f4aae11abb449dc536269705d0419ec69480faa9",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "76aebd9ef20078719dfd6282d3b06c27e900a65a",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "8c046f36222c6ce1e0daef2c45c891c72602f8a1",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "dfcd0ba14769d94d76ac9d9814b85e7fcacd4e29",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "90918794a4e2c3b440f8fcf3847765a8b1d81b25",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsignal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()\n\nWhen a multi-threaded process receives a stop signal (e.g., SIGSTOP),\ndo_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all\nthreads and sets signal-\u003egroup_stop_count to the number of threads. If\none of the threads concurrently calls execve(), de_thread() invokes\nzap_other_threads() to kill all other threads. zap_other_threads()\naborts the pending group stop by resetting signal-\u003egroup_stop_count to 0\nand clears the JOBCTL_PENDING_MASK for all other threads. However, it\nfails to clear the job control flags for the calling thread.\n\nWhen execve() completes, the calling thread returns to user mode and\nchecks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,\nit calls do_signal_stop(), which invokes task_participate_group_stop().\nSince JOBCTL_STOP_CONSUME is still set, it attempts to decrement the\nalready-zero signal-\u003egroup_stop_count, triggering a warning:\n\nsig-\u003egroup_stop_count == 0\nWARNING: CPU: 1 PID: 6475 at kernel/signal.c:373\ntask_participate_group_stop+0x215/0x2d0\nCall Trace:\n \u003cTASK\u003e\n do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619\n get_signal+0xa8c/0x1330 kernel/signal.c:2884\n arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98\n do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nFix this race condition by clearing the JOBCTL_PENDING_MASK for the\ncalling thread in zap_other_threads(), ensuring it does not retain any\nstale job control state after the thread group is destroyed. This aligns\nwith other functions that tear down a thread group and abort group\nstops, such as zap_process() and complete_signal(), which correctly\nclear these flags for all threads including the current one."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:29.105Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b32b2fb241435145ea199efac024540759d2495"
},
{
"url": "https://git.kernel.org/stable/c/391ebe74456a0f1d60b3ba4a8a64d9f44c1728fe"
},
{
"url": "https://git.kernel.org/stable/c/f8d720bc2e35d568c18be0644e92a468de428370"
},
{
"url": "https://git.kernel.org/stable/c/f4aae11abb449dc536269705d0419ec69480faa9"
},
{
"url": "https://git.kernel.org/stable/c/76aebd9ef20078719dfd6282d3b06c27e900a65a"
},
{
"url": "https://git.kernel.org/stable/c/8c046f36222c6ce1e0daef2c45c891c72602f8a1"
},
{
"url": "https://git.kernel.org/stable/c/dfcd0ba14769d94d76ac9d9814b85e7fcacd4e29"
},
{
"url": "https://git.kernel.org/stable/c/90918794a4e2c3b440f8fcf3847765a8b1d81b25"
}
],
"title": "signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53352",
"datePublished": "2026-07-01T13:32:29.105Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:29.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53351 (GCVE-0-2026-53351)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI
Fixes a warning while dumping core:
[54983.546369][ C7] WARNING: [!note_name] fs/binfmt_elf.c:1771 at elf_core_dump+0x910/0xf68, CPU#7: abort01/31982
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2af7c9cf021c5dabe880b68e5cc22c618060d954 , < 08200bef0983ffed039ab399df0cba8d900ce5fc
(git)
Affected: 2af7c9cf021c5dabe880b68e5cc22c618060d954 , < e3573f739e3dadab57ec80488d07e05c8f6e82d3 (git) |
|
| Linux | Linux |
Affected:
7.0
Unaffected: 0 , < 7.0 (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08200bef0983ffed039ab399df0cba8d900ce5fc",
"status": "affected",
"version": "2af7c9cf021c5dabe880b68e5cc22c618060d954",
"versionType": "git"
},
{
"lessThan": "e3573f739e3dadab57ec80488d07e05c8f6e82d3",
"status": "affected",
"version": "2af7c9cf021c5dabe880b68e5cc22c618060d954",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI\n\nFixes a warning while dumping core:\n\n[54983.546369][ C7] WARNING: [!note_name] fs/binfmt_elf.c:1771 at elf_core_dump+0x910/0xf68, CPU#7: abort01/31982"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:28.548Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08200bef0983ffed039ab399df0cba8d900ce5fc"
},
{
"url": "https://git.kernel.org/stable/c/e3573f739e3dadab57ec80488d07e05c8f6e82d3"
}
],
"title": "riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53351",
"datePublished": "2026-07-01T13:32:28.548Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:28.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53350 (GCVE-0-2026-53350)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
In wm_adsp_control_remove() check that the priv pointer is not NULL
before attempting to cleanup what it points to.
When cs_dsp creates a control it calls wm_adsp_control_add_cb() so that
wm_adsp can create its own private control data. There are two cases
where private data is not created:
1. The control is a SYSTEM control, so an ALSA control is not created.
2. The codec driver has registered a control_add() callback that
hides the control, so wm_adsp_control_add() is not called.
When cs_dsp_remove destroys its control list it calls
wm_adsp_control_remove() for each control. But wm_adsp_control_remove()
was attempting to cleanup the private data pointed to by cs_ctl->priv
without checking the pointer for NULL.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0700bc2fb94c28459f57a10d2ee2c7ef4cb70862 , < 5ee9bbe2af2f373e08d3017f9aef2f2eaf29fbc3
(git)
Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862 , < 10def23b67b42679d5b1a356e1a6f3498bd188c3 (git) Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862 , < 2f1be283aa777d655525d000d16474b7e7d015ea (git) Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862 , < 12e579b889624ec54a201d98fdff975de556c731 (git) Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862 , < 6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7 (git) Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862 , < 7d3fb78b550301e43fdc60312aed733069694426 (git) |
|
| Linux | Linux |
Affected:
5.16
Unaffected: 0 , < 5.16 (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wm_adsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ee9bbe2af2f373e08d3017f9aef2f2eaf29fbc3",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "10def23b67b42679d5b1a356e1a6f3498bd188c3",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "2f1be283aa777d655525d000d16474b7e7d015ea",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "12e579b889624ec54a201d98fdff975de556c731",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "7d3fb78b550301e43fdc60312aed733069694426",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wm_adsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: wm_adsp: Fix NULL dereference when removing firmware controls\n\nIn wm_adsp_control_remove() check that the priv pointer is not NULL\nbefore attempting to cleanup what it points to.\n\nWhen cs_dsp creates a control it calls wm_adsp_control_add_cb() so that\nwm_adsp can create its own private control data. There are two cases\nwhere private data is not created:\n\n1. The control is a SYSTEM control, so an ALSA control is not created.\n\n2. The codec driver has registered a control_add() callback that\n hides the control, so wm_adsp_control_add() is not called.\n\nWhen cs_dsp_remove destroys its control list it calls\nwm_adsp_control_remove() for each control. But wm_adsp_control_remove()\nwas attempting to cleanup the private data pointed to by cs_ctl-\u003epriv\nwithout checking the pointer for NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:27.975Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ee9bbe2af2f373e08d3017f9aef2f2eaf29fbc3"
},
{
"url": "https://git.kernel.org/stable/c/10def23b67b42679d5b1a356e1a6f3498bd188c3"
},
{
"url": "https://git.kernel.org/stable/c/2f1be283aa777d655525d000d16474b7e7d015ea"
},
{
"url": "https://git.kernel.org/stable/c/12e579b889624ec54a201d98fdff975de556c731"
},
{
"url": "https://git.kernel.org/stable/c/6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7"
},
{
"url": "https://git.kernel.org/stable/c/7d3fb78b550301e43fdc60312aed733069694426"
}
],
"title": "ASoC: wm_adsp: Fix NULL dereference when removing firmware controls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53350",
"datePublished": "2026-07-01T13:32:27.975Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:27.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53349 (GCVE-0-2026-53349)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
NAT helpers such as nf_nat_h323 store a raw pointer to module text in
exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()
only unlinks the callback descriptor and never walks the expectation table,
so an expectation pending at module removal survives with a dangling
exp->expectfn into freed module text.
When the expected connection arrives, init_conntrack() invokes
exp->expectfn(), now a stale pointer into the unloaded module. Reproduced
on a KASAN build by loading the H.323 helpers, creating a Q.931
expectation, unloading nf_nat_h323, then connecting to the expected port:
Oops: int3: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:0xffffffffa06102d1
init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
nf_hook_slow (net/netfilter/core.c:619)
__ip_local_out (net/ipv4/ip_output.c:120)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1715)
tcp_connect (net/ipv4/tcp_output.c:4374)
tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)
__sys_connect (net/socket.c:2167)
Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]
Reaching the dangling state requires CAP_SYS_MODULE in the initial user
namespace to remove a NAT helper that still has live expectations, so this
is a robustness fix; leaving an expectation pointing at freed text is wrong
regardless.
Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and
drops every expectation whose ->expectfn matches the descriptor being torn
down. Call it from each NAT helper's exit path after the existing RCU grace
period, so no expectation outlives the code it points at and no extra
synchronize_rcu() is introduced. With the fix, the same reproducer runs to
completion without the Oops.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4 , < fbfde85308b99938a6092c48753214d190ece48d
(git)
Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4 , < 29d8cc44bbdf7b83a1929912214afe6643c1b4f1 (git) Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4 , < f92c90a2a3e6ff6f9f7fe88fde9004b4ca8f956d (git) Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4 , < 9d017671dcfcec23321fb7962dea624f9e71ddb1 (git) Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4 , < bf8c0b5dd203be94c2ad50e264cec19267c6bd39 (git) Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4 , < c3009418f9fa1dcb3eb86f4d8c92583537b5faa3 (git) |
|
| Linux | Linux |
Affected:
2.6.20
Unaffected: 0 , < 2.6.20 (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_helper.h",
"net/ipv4/netfilter/nf_nat_h323.c",
"net/netfilter/nf_conntrack_helper.c",
"net/netfilter/nf_nat_core.c",
"net/netfilter/nf_nat_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbfde85308b99938a6092c48753214d190ece48d",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "29d8cc44bbdf7b83a1929912214afe6643c1b4f1",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "f92c90a2a3e6ff6f9f7fe88fde9004b4ca8f956d",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "9d017671dcfcec23321fb7962dea624f9e71ddb1",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "bf8c0b5dd203be94c2ad50e264cec19267c6bd39",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "c3009418f9fa1dcb3eb86f4d8c92583537b5faa3",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_helper.h",
"net/ipv4/netfilter/nf_nat_h323.c",
"net/netfilter/nf_conntrack_helper.c",
"net/netfilter/nf_nat_core.c",
"net/netfilter/nf_nat_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: destroy stale expectfn expectations on unregister\n\nNAT helpers such as nf_nat_h323 store a raw pointer to module text in\nexp-\u003eexpectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()\nonly unlinks the callback descriptor and never walks the expectation table,\nso an expectation pending at module removal survives with a dangling\nexp-\u003eexpectfn into freed module text.\n\nWhen the expected connection arrives, init_conntrack() invokes\nexp-\u003eexpectfn(), now a stale pointer into the unloaded module. Reproduced\non a KASAN build by loading the H.323 helpers, creating a Q.931\nexpectation, unloading nf_nat_h323, then connecting to the expected port:\n\n Oops: int3: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:0xffffffffa06102d1\n init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)\n nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)\n ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)\n nf_hook_slow (net/netfilter/core.c:619)\n __ip_local_out (net/ipv4/ip_output.c:120)\n __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)\n tcp_connect (net/ipv4/tcp_output.c:4374)\n tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)\n __sys_connect (net/socket.c:2167)\n Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]\n\nReaching the dangling state requires CAP_SYS_MODULE in the initial user\nnamespace to remove a NAT helper that still has live expectations, so this\nis a robustness fix; leaving an expectation pointing at freed text is wrong\nregardless.\n\nAdd nf_ct_helper_expectfn_destroy(), which walks the expectation table and\ndrops every expectation whose -\u003eexpectfn matches the descriptor being torn\ndown. Call it from each NAT helper\u0027s exit path after the existing RCU grace\nperiod, so no expectation outlives the code it points at and no extra\nsynchronize_rcu() is introduced. With the fix, the same reproducer runs to\ncompletion without the Oops."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:27.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbfde85308b99938a6092c48753214d190ece48d"
},
{
"url": "https://git.kernel.org/stable/c/29d8cc44bbdf7b83a1929912214afe6643c1b4f1"
},
{
"url": "https://git.kernel.org/stable/c/f92c90a2a3e6ff6f9f7fe88fde9004b4ca8f956d"
},
{
"url": "https://git.kernel.org/stable/c/9d017671dcfcec23321fb7962dea624f9e71ddb1"
},
{
"url": "https://git.kernel.org/stable/c/bf8c0b5dd203be94c2ad50e264cec19267c6bd39"
},
{
"url": "https://git.kernel.org/stable/c/c3009418f9fa1dcb3eb86f4d8c92583537b5faa3"
}
],
"title": "netfilter: nf_conntrack: destroy stale expectfn expectations on unregister",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53349",
"datePublished": "2026-07-01T13:32:27.412Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:27.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53348 (GCVE-0-2026-53348)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions
sdca_dev_unregister_functions() iterates over all SDCA function
descriptors and calls sdca_dev_unregister() on each func_dev without
checking for NULL. When a function registration has failed partway
through, or the device cleanup races with probe deferral, func_dev
entries may be NULL, leading to a kernel oops:
BUG: kernel NULL pointer dereference, address: 0000000000000040
RIP: 0010:device_del+0x1e/0x3e0
Call Trace:
sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]
release_nodes+0x35/0xb0
devres_release_all+0x90/0x100
device_unbind_cleanup+0xe/0x80
device_release_driver_internal+0x1c1/0x200
bus_remove_device+0xc6/0x130
device_del+0x161/0x3e0
device_unregister+0x17/0x60
sdw_delete_slave+0xb6/0xd0 [soundwire_bus]
sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]
...
sof_probe_work+0x19/0x30 [snd_sof]
This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)
with the SOF audio driver probe failing due to missing Panther Lake
firmware, causing the subsequent cleanup of SoundWire devices to
trigger the crash.
Fix this with three changes:
1) Add a NULL guard in sdca_dev_unregister() so that callers do not
need to pre-validate the pointer (defense in depth).
2) In sdca_dev_unregister_functions(), skip NULL func_dev entries
and clear func_dev to NULL after unregistration, making the
function idempotent and safe against double-invocation.
3) In sdca_dev_register_functions(), roll back all previously
registered functions when a later one fails, so the function
array is never left in a partially-populated state.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4496d1c65bad7a3a32d2e09aaf3c54bc562c3fcc , < 9a4895059bb6a8505098a9f75de187fd15631fc8
(git)
Affected: 4496d1c65bad7a3a32d2e09aaf3c54bc562c3fcc , < e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sdca/sdca_function_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a4895059bb6a8505098a9f75de187fd15631fc8",
"status": "affected",
"version": "4496d1c65bad7a3a32d2e09aaf3c54bc562c3fcc",
"versionType": "git"
},
{
"lessThan": "e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd",
"status": "affected",
"version": "4496d1c65bad7a3a32d2e09aaf3c54bc562c3fcc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sdca/sdca_function_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions\n\nsdca_dev_unregister_functions() iterates over all SDCA function\ndescriptors and calls sdca_dev_unregister() on each func_dev without\nchecking for NULL. When a function registration has failed partway\nthrough, or the device cleanup races with probe deferral, func_dev\nentries may be NULL, leading to a kernel oops:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000040\n RIP: 0010:device_del+0x1e/0x3e0\n Call Trace:\n sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]\n release_nodes+0x35/0xb0\n devres_release_all+0x90/0x100\n device_unbind_cleanup+0xe/0x80\n device_release_driver_internal+0x1c1/0x200\n bus_remove_device+0xc6/0x130\n device_del+0x161/0x3e0\n device_unregister+0x17/0x60\n sdw_delete_slave+0xb6/0xd0 [soundwire_bus]\n sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]\n ...\n sof_probe_work+0x19/0x30 [snd_sof]\n\nThis was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)\nwith the SOF audio driver probe failing due to missing Panther Lake\nfirmware, causing the subsequent cleanup of SoundWire devices to\ntrigger the crash.\n\nFix this with three changes:\n\n1) Add a NULL guard in sdca_dev_unregister() so that callers do not\n need to pre-validate the pointer (defense in depth).\n\n2) In sdca_dev_unregister_functions(), skip NULL func_dev entries\n and clear func_dev to NULL after unregistration, making the\n function idempotent and safe against double-invocation.\n\n3) In sdca_dev_register_functions(), roll back all previously\n registered functions when a later one fails, so the function\n array is never left in a partially-populated state."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:26.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a4895059bb6a8505098a9f75de187fd15631fc8"
},
{
"url": "https://git.kernel.org/stable/c/e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd"
}
],
"title": "ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53348",
"datePublished": "2026-07-01T13:32:26.850Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:26.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53347 (GCVE-0-2026-53347)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
drm/virtio: Fix driver removal with disabled KMS
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/virtio: Fix driver removal with disabled KMS
DRM atomic and modesetting aren't initialized if virtio-gpu driver built
with disabled KMS, leading to access of uninitialized data on driver
removal/unbinding and crashing kernel. Fix it by skipping shutting down
atomic core with unavailable KMS.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
72122c69d71784e390527819754ea456421c4501 , < ed3e134700a2e07caa99b9bc0683ebbe0327c562
(git)
Affected: 72122c69d71784e390527819754ea456421c4501 , < 38a5f891cda6d121c149c94cda89c31ec7024ee3 (git) Affected: 72122c69d71784e390527819754ea456421c4501 , < 19a6a00ff50c284f3a9818882ad2be58b33b790a (git) Affected: 72122c69d71784e390527819754ea456421c4501 , < 15e561869a8b4e4db69733be1d6f33770664f989 (git) Affected: 72122c69d71784e390527819754ea456421c4501 , < f329e8325e054bd6d84d10904f8dd51137281b92 (git) |
|
| Linux | Linux |
Affected:
6.4
Unaffected: 0 , < 6.4 (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed3e134700a2e07caa99b9bc0683ebbe0327c562",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
},
{
"lessThan": "38a5f891cda6d121c149c94cda89c31ec7024ee3",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
},
{
"lessThan": "19a6a00ff50c284f3a9818882ad2be58b33b790a",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
},
{
"lessThan": "15e561869a8b4e4db69733be1d6f33770664f989",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
},
{
"lessThan": "f329e8325e054bd6d84d10904f8dd51137281b92",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix driver removal with disabled KMS\n\nDRM atomic and modesetting aren\u0027t initialized if virtio-gpu driver built\nwith disabled KMS, leading to access of uninitialized data on driver\nremoval/unbinding and crashing kernel. Fix it by skipping shutting down\natomic core with unavailable KMS."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:26.262Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed3e134700a2e07caa99b9bc0683ebbe0327c562"
},
{
"url": "https://git.kernel.org/stable/c/38a5f891cda6d121c149c94cda89c31ec7024ee3"
},
{
"url": "https://git.kernel.org/stable/c/19a6a00ff50c284f3a9818882ad2be58b33b790a"
},
{
"url": "https://git.kernel.org/stable/c/15e561869a8b4e4db69733be1d6f33770664f989"
},
{
"url": "https://git.kernel.org/stable/c/f329e8325e054bd6d84d10904f8dd51137281b92"
}
],
"title": "drm/virtio: Fix driver removal with disabled KMS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53347",
"datePublished": "2026-07-01T13:32:26.262Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:26.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53346 (GCVE-0-2026-53346)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
Summary
In the Linux kernel, the following vulnerability has been resolved:
rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the
uwtable annotation for functions, but not for the module. This means
that compiler-generated functions such as 'asan.module_ctor' do not
receive the uwtable annotation.
When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot
failures because the dwarf information emitted for the kasan
constructors is wrong, which causes the SCS boot patching code to
patch the constructor in an illegal manner. Specifically, the paciasp
instruction is patched, but the autiasp instruction is not. This
mismatch leads to a crash when the constructor is called during boot.
==================================================================
BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1
Specifically the faulting instruction is the (*fn)() to invoke the
constructor in do_ctors() of the init/main.c file.
Once the fix lands in rustc, this flag can be made conditional on the
rustc version. Note that passing the flag on a rustc with the fix
present has no effect.
[ The fix [1] has landed for Rust 1.98.0 (expected release on
2026-08-20).
Thus add a version check as discussed.
- Miguel ]
[ Adjusted link and comment. - Miguel ]
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d077242d68a31075ef5f5da041bf8f6fc19aa231 , < bde772ee239720af216fb0b14753971059e132dc
(git)
Affected: d077242d68a31075ef5f5da041bf8f6fc19aa231 , < d0f25a1755f2c15b1746379c8d9d7dfde85f58f5 (git) Affected: d077242d68a31075ef5f5da041bf8f6fc19aa231 , < 7de13410f59e59b21d3c268a6e22d40f5d9d8a54 (git) Affected: d077242d68a31075ef5f5da041bf8f6fc19aa231 , < ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/Makefile"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bde772ee239720af216fb0b14753971059e132dc",
"status": "affected",
"version": "d077242d68a31075ef5f5da041bf8f6fc19aa231",
"versionType": "git"
},
{
"lessThan": "d0f25a1755f2c15b1746379c8d9d7dfde85f58f5",
"status": "affected",
"version": "d077242d68a31075ef5f5da041bf8f6fc19aa231",
"versionType": "git"
},
{
"lessThan": "7de13410f59e59b21d3c268a6e22d40f5d9d8a54",
"status": "affected",
"version": "d077242d68a31075ef5f5da041bf8f6fc19aa231",
"versionType": "git"
},
{
"lessThan": "ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c",
"status": "affected",
"version": "d077242d68a31075ef5f5da041bf8f6fc19aa231",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/Makefile"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES\n\nDue to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the\nuwtable annotation for functions, but not for the module. This means\nthat compiler-generated functions such as \u0027asan.module_ctor\u0027 do not\nreceive the uwtable annotation.\n\nWhen CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot\nfailures because the dwarf information emitted for the kasan\nconstructors is wrong, which causes the SCS boot patching code to\npatch the constructor in an illegal manner. Specifically, the paciasp\ninstruction is patched, but the autiasp instruction is not. This\nmismatch leads to a crash when the constructor is called during boot.\n\n\t==================================================================\n\tBUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90\n\tRead of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1\n\nSpecifically the faulting instruction is the (*fn)() to invoke the\nconstructor in do_ctors() of the init/main.c file.\n\nOnce the fix lands in rustc, this flag can be made conditional on the\nrustc version. Note that passing the flag on a rustc with the fix\npresent has no effect.\n\n[ The fix [1] has landed for Rust 1.98.0 (expected release on\n 2026-08-20).\n\n Thus add a version check as discussed.\n\n - Miguel ]\n\n[ Adjusted link and comment. - Miguel ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:25.668Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bde772ee239720af216fb0b14753971059e132dc"
},
{
"url": "https://git.kernel.org/stable/c/d0f25a1755f2c15b1746379c8d9d7dfde85f58f5"
},
{
"url": "https://git.kernel.org/stable/c/7de13410f59e59b21d3c268a6e22d40f5d9d8a54"
},
{
"url": "https://git.kernel.org/stable/c/ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c"
}
],
"title": "rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53346",
"datePublished": "2026-07-01T13:32:25.668Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:25.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53345 (GCVE-0-2026-53345)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
When marking a page dirty, complain about not having a running/loaded vCPU
if and only if the VM is still alive, i.e. its refcount is non-zero. This
will allow fixing a memory leak for x86 SEV-ES guests without hitting what
is effectively a false positive on the WARN.
For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
across an exit to userspace, and typically unmaps the page on the next
KVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM
needs to unmap the page when the vCPU is destroyed, which in turn triggers
the WARN about not having a running vCPU.
Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
suppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But
loading a vCPU during destruction is gross (ideally nVMX code would be
cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
the temporarily load()+put() only runs when the vCPU isn't already loaded),
and is ultimately pointless.
The motivation for the WARN is to guard against KVM dirtying guest memory
without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
to ensure userspace doesn't miss a dirty page. But for the VM's refcount
to reach zero, there can't be _any_ userspace mappings to the dirty ring,
as mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if
userspace had a valid mapping for the dirty ring, then the vCPU file and
thus the owning VM would still be alive. And so since userspace can't
possibly reach the dirty ring, whether or not KVM technically "misses" a
push to the dirty ring is irrelevant.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 033d39e41fc30f484f4e4f37fb4cd76b12cbb18e
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 66a8e7ddd901023c89a2733494d827eca3f9c1b0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 343e95c8ecc40e0738975ef4ee24c0c35e800e6b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 99d7d43784ae3235026581e9bf892c036e04c8e6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8618004d3e897c0f1b71d9a9ab860461289bb89a (git) Affected: 0 , < 6.6.143 (semver) Affected: 0 , < 6.12.94 (semver) Affected: 0 , < 6.18.36 (semver) Affected: 0 , < 7.0.13 (semver) |
|
| Linux | Linux |
Unaffected:
6.6.143 , ≤ 6.6.*
(semver)
Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "033d39e41fc30f484f4e4f37fb4cd76b12cbb18e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "66a8e7ddd901023c89a2733494d827eca3f9c1b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "343e95c8ecc40e0738975ef4ee24c0c35e800e6b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99d7d43784ae3235026581e9bf892c036e04c8e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8618004d3e897c0f1b71d9a9ab860461289bb89a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.18.36",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don\u0027t WARN if memory is dirtied without a vCPU when the VM is dying\n\nWhen marking a page dirty, complain about not having a running/loaded vCPU\nif and only if the VM is still alive, i.e. its refcount is non-zero. This\nwill allow fixing a memory leak for x86 SEV-ES guests without hitting what\nis effectively a false positive on the WARN.\n\nFor some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page\nacross an exit to userspace, and typically unmaps the page on the next\nKVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM\nneeds to unmap the page when the vCPU is destroyed, which in turn triggers\nthe WARN about not having a running vCPU.\n\nAlternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,\nas is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;\nsuppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But\nloading a vCPU during destruction is gross (ideally nVMX code would be\ncleaned up), risks complicating the SEV-ES code (KVM would need to ensure\nthe temporarily load()+put() only runs when the vCPU isn\u0027t already loaded),\nand is ultimately pointless.\n\nThe motivation for the WARN is to guard against KVM dirtying guest memory\nwithout pushing the corresponding GFN to the active vCPU\u0027s dirty ring, e.g.\nto ensure userspace doesn\u0027t miss a dirty page. But for the VM\u0027s refcount\nto reach zero, there can\u0027t be _any_ userspace mappings to the dirty ring,\nas mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if\nuserspace had a valid mapping for the dirty ring, then the vCPU file and\nthus the owning VM would still be alive. And so since userspace can\u0027t\npossibly reach the dirty ring, whether or not KVM technically \"misses\" a\npush to the dirty ring is irrelevant."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:25.098Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/033d39e41fc30f484f4e4f37fb4cd76b12cbb18e"
},
{
"url": "https://git.kernel.org/stable/c/66a8e7ddd901023c89a2733494d827eca3f9c1b0"
},
{
"url": "https://git.kernel.org/stable/c/343e95c8ecc40e0738975ef4ee24c0c35e800e6b"
},
{
"url": "https://git.kernel.org/stable/c/99d7d43784ae3235026581e9bf892c036e04c8e6"
},
{
"url": "https://git.kernel.org/stable/c/8618004d3e897c0f1b71d9a9ab860461289bb89a"
}
],
"title": "KVM: Don\u0027t WARN if memory is dirtied without a vCPU when the VM is dying",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53345",
"datePublished": "2026-07-01T13:32:25.098Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:25.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53344 (GCVE-0-2026-53344)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
Regmap initialization triggers regcache_maple_populate() which attempts
SPI read to populate cache. SPI read requires mcp->dev and mcp->addr to
be set, without them, NULL pointer dereference occurs during probe.
Move initialization before mcp23s08_spi_regmap_init() call.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f9f4fda15e720686f1b2b436591ab11255e4e85e , < 3a13bb9540dfd7014c5601608afcbbadbbcfd673
(git)
Affected: f9f4fda15e720686f1b2b436591ab11255e4e85e , < 8473c3a197b57ff01396f7a2ec6ddf65383820d4 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-mcp23s08_spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a13bb9540dfd7014c5601608afcbbadbbcfd673",
"status": "affected",
"version": "f9f4fda15e720686f1b2b436591ab11255e4e85e",
"versionType": "git"
},
{
"lessThan": "8473c3a197b57ff01396f7a2ec6ddf65383820d4",
"status": "affected",
"version": "f9f4fda15e720686f1b2b436591ab11255e4e85e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-mcp23s08_spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Initialize mcp-\u003edev and mcp-\u003eaddr before regmap init\n\nRegmap initialization triggers regcache_maple_populate() which attempts\nSPI read to populate cache. SPI read requires mcp-\u003edev and mcp-\u003eaddr to\nbe set, without them, NULL pointer dereference occurs during probe.\n\nMove initialization before mcp23s08_spi_regmap_init() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:24.546Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a13bb9540dfd7014c5601608afcbbadbbcfd673"
},
{
"url": "https://git.kernel.org/stable/c/8473c3a197b57ff01396f7a2ec6ddf65383820d4"
}
],
"title": "pinctrl: mcp23s08: Initialize mcp-\u003edev and mcp-\u003eaddr before regmap init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53344",
"datePublished": "2026-07-01T13:32:24.546Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:24.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53343 (GCVE-0-2026-53343)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from
VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in
__switch_to(). The read uses ldr, but the KASAN shadow address is
byte-granular and is not guaranteed to be word aligned.
ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and
CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()
with an alignment exception before reaching init.
Use ldrb for the dummy shadow access. The code only needs to fault in the
shadow mapping if the stack shadow is missing, so a byte load is sufficient
and matches the granularity of KASAN shadow memory.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8fe148d39c127de3fb78dfa6da95a3608dfda454 , < c0b8c148a7754826156993ed6442d31536ec86b4
(git)
Affected: ef21187c0672a2b2cbec44f33bab9ec47d5c277c , < c2e3aadc8fef7da068490597fc5582f8f362aeb2 (git) Affected: c86d26b4b089ca294b3b7d915a7da61edb77935f , < c74990828d3c486ee44aaa68240eb3abff289d1c (git) Affected: 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 , < 517720913bd3c17a52cd55a740064f68455ab88e (git) Affected: 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 , < 2a4dc9a0ac3326e79fb58fdaae724b92127709a9 (git) Affected: 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 , < 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 (git) Affected: 6.1.120 , < 6.1.176 (semver) Affected: 6.6.64 , < 6.6.143 (semver) Affected: 6.12.4 , < 6.12.94 (semver) |
|
| Linux | Linux |
Affected:
6.13
Unaffected: 0 , < 6.13 (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/kernel/entry-armv.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0b8c148a7754826156993ed6442d31536ec86b4",
"status": "affected",
"version": "8fe148d39c127de3fb78dfa6da95a3608dfda454",
"versionType": "git"
},
{
"lessThan": "c2e3aadc8fef7da068490597fc5582f8f362aeb2",
"status": "affected",
"version": "ef21187c0672a2b2cbec44f33bab9ec47d5c277c",
"versionType": "git"
},
{
"lessThan": "c74990828d3c486ee44aaa68240eb3abff289d1c",
"status": "affected",
"version": "c86d26b4b089ca294b3b7d915a7da61edb77935f",
"versionType": "git"
},
{
"lessThan": "517720913bd3c17a52cd55a740064f68455ab88e",
"status": "affected",
"version": "44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2",
"versionType": "git"
},
{
"lessThan": "2a4dc9a0ac3326e79fb58fdaae724b92127709a9",
"status": "affected",
"version": "44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2",
"versionType": "git"
},
{
"lessThan": "77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6",
"status": "affected",
"version": "44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2",
"versionType": "git"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "6.12.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/kernel/entry-armv.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow\n\nCommit 44e9a3bb76e5 (\"ARM: 9430/1: entry: Do a dummy read from\nVMAP shadow\") added a dummy read from the KASAN VMAP stack shadow in\n__switch_to(). The read uses ldr, but the KASAN shadow address is\nbyte-granular and is not guaranteed to be word aligned.\n\nARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and\nCONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()\nwith an alignment exception before reaching init.\n\nUse ldrb for the dummy shadow access. The code only needs to fault in the\nshadow mapping if the stack shadow is missing, so a byte load is sufficient\nand matches the granularity of KASAN shadow memory."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:23.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0b8c148a7754826156993ed6442d31536ec86b4"
},
{
"url": "https://git.kernel.org/stable/c/c2e3aadc8fef7da068490597fc5582f8f362aeb2"
},
{
"url": "https://git.kernel.org/stable/c/c74990828d3c486ee44aaa68240eb3abff289d1c"
},
{
"url": "https://git.kernel.org/stable/c/517720913bd3c17a52cd55a740064f68455ab88e"
},
{
"url": "https://git.kernel.org/stable/c/2a4dc9a0ac3326e79fb58fdaae724b92127709a9"
},
{
"url": "https://git.kernel.org/stable/c/77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6"
}
],
"title": "ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53343",
"datePublished": "2026-07-01T13:32:23.979Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:23.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53342 (GCVE-0-2026-53342)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
arm64: mm: call pagetable dtor when freeing hot-removed page tables
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: mm: call pagetable dtor when freeing hot-removed page tables
Since 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in
__create_pgd_mapping()") page-table allocation on ARM64 always calls
pagetable_{pte,pmd,pud,p4d}_ctor(). This sets the page_type to
PGTY_table, increments NR_PAGETABLE and possible allocates a PTL. However
the matching pagetable_dtor() calls were never added.
With DEBUG_VM enabled on kernel versions prior to v6.17 without
2dfcd1608f3a9 ("mm/page_alloc: let page freeing clear any set page type")
this leads to the following warning when freeing these pages due to
page->page_type sharing page->_mapcount:
BUG: Bad page state in process ... pfn:284fbb
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb
flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff)
page_type: f2(table)
page dumped because: nonzero mapcount
Call trace:
bad_page+0x13c/0x160
__free_frozen_pages+0x6cc/0x860
___free_pages+0xf4/0x180
free_pages+0x54/0x80
free_hotplug_page_range.part.0+0x58/0x90
free_empty_tables+0x438/0x500
__remove_pgd_mapping.constprop.0+0x60/0xa8
arch_remove_memory+0x48/0x80
try_remove_memory+0x158/0x1d8
offline_and_remove_memory+0x138/0x180
It can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is
defined and incorrect NR_PAGETABLE stats. Fix this by calling
pagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page
to undo the effects of calling pagetable_*_ctor().
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f , < 95f27fcda681021ed3906d3cae7e68b6a57a1d8e
(git)
Affected: 5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f , < aaa688ac9f18207f7452c6472e647c1febaea6a3 (git) Affected: 5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f , < c594b83457ccdee76d458416fb3bc9348a37592f (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95f27fcda681021ed3906d3cae7e68b6a57a1d8e",
"status": "affected",
"version": "5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f",
"versionType": "git"
},
{
"lessThan": "aaa688ac9f18207f7452c6472e647c1febaea6a3",
"status": "affected",
"version": "5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f",
"versionType": "git"
},
{
"lessThan": "c594b83457ccdee76d458416fb3bc9348a37592f",
"status": "affected",
"version": "5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: call pagetable dtor when freeing hot-removed page tables\n\nSince 5e8eb9aeeda3 (\"arm64: mm: always call PTE/PMD ctor in\n__create_pgd_mapping()\") page-table allocation on ARM64 always calls\npagetable_{pte,pmd,pud,p4d}_ctor(). This sets the page_type to\nPGTY_table, increments NR_PAGETABLE and possible allocates a PTL. However\nthe matching pagetable_dtor() calls were never added.\n\nWith DEBUG_VM enabled on kernel versions prior to v6.17 without\n2dfcd1608f3a9 (\"mm/page_alloc: let page freeing clear any set page type\")\nthis leads to the following warning when freeing these pages due to\npage-\u003epage_type sharing page-\u003e_mapcount:\n\n BUG: Bad page state in process ... pfn:284fbb\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb\n flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff)\n page_type: f2(table)\n page dumped because: nonzero mapcount\n Call trace:\n bad_page+0x13c/0x160\n __free_frozen_pages+0x6cc/0x860\n ___free_pages+0xf4/0x180\n free_pages+0x54/0x80\n free_hotplug_page_range.part.0+0x58/0x90\n free_empty_tables+0x438/0x500\n __remove_pgd_mapping.constprop.0+0x60/0xa8\n arch_remove_memory+0x48/0x80\n try_remove_memory+0x158/0x1d8\n offline_and_remove_memory+0x138/0x180\n\nIt can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is\ndefined and incorrect NR_PAGETABLE stats. Fix this by calling\npagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page\nto undo the effects of calling pagetable_*_ctor()."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:23.449Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95f27fcda681021ed3906d3cae7e68b6a57a1d8e"
},
{
"url": "https://git.kernel.org/stable/c/aaa688ac9f18207f7452c6472e647c1febaea6a3"
},
{
"url": "https://git.kernel.org/stable/c/c594b83457ccdee76d458416fb3bc9348a37592f"
}
],
"title": "arm64: mm: call pagetable dtor when freeing hot-removed page tables",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53342",
"datePublished": "2026-07-01T13:32:23.449Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:23.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53341 (GCVE-0-2026-53341)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-04 11:51
VLAI
Title
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
may_decode_fh() accesses mount::mnt_ns without holding any locks; that
means the mount can concurrently be unmounted, and the mnt_namespace can
concurrently be freed after an RCU grace period.
This race can happens as follows, assuming that the mount point was
created by open_tree(..., OPEN_TREE_CLONE):
thread 1 thread 2 RCU
__do_sys_open_by_handle_at
do_handle_open
handle_to_path
may_decode_fh
is_mounted
[mount::mnt_ns access]
[mount::mnt_ns access]
__do_sys_close
fput_close_sync
__fput
dissolve_on_fput
umount_tree
class_namespace_excl_destructor
namespace_unlock
free_mnt_ns
mnt_ns_tree_remove
call_rcu(mnt_ns_release_rcu)
mnt_ns_release_rcu
mnt_ns_release
kfree
[mnt_namespace::user_ns access] **UAF**
Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like
in __prepend_path().
Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()
for writers that can race with lockless readers.
This bug is unreachable unless one of the following is set:
- CONFIG_PREEMPTION
- CONFIG_RCU_STRICT_GRACE_PERIOD
because it requires an RCU grace period to happen during a syscall without
an explicit preemption.
This doesn't seem to have interesting security impact; worst-case, it could
leak the result of an integer comparison to userspace (from the level
check in cap_capable()), cause an endless loop, or crash the kernel by
dereferencing an invalid address.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
620c266f394932e5decc4b34683a75dfc59dc2f4 , < 15ea8dc42a02259d49dee38a658d40f60fcd75ed
(git)
Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < 32138633e51e6db59e474765cf93268c92b42888 (git) Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < a8ed2c29fcfdac78db96c9da4e659c8a513f2a94 (git) Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < 40ab6644b99685755f740b872c00ef40d9aa870e (git) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 6.12.95 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fhandle.c",
"fs/mount.h",
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15ea8dc42a02259d49dee38a658d40f60fcd75ed",
"status": "affected",
"version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
"versionType": "git"
},
{
"lessThan": "32138633e51e6db59e474765cf93268c92b42888",
"status": "affected",
"version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
"versionType": "git"
},
{
"lessThan": "a8ed2c29fcfdac78db96c9da4e659c8a513f2a94",
"status": "affected",
"version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
"versionType": "git"
},
{
"lessThan": "40ab6644b99685755f740b872c00ef40d9aa870e",
"status": "affected",
"version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fhandle.c",
"fs/mount.h",
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.95",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfhandle: fix UAF due to unlocked -\u003emnt_ns read in may_decode_fh()\n\nmay_decode_fh() accesses mount::mnt_ns without holding any locks; that\nmeans the mount can concurrently be unmounted, and the mnt_namespace can\nconcurrently be freed after an RCU grace period.\n\nThis race can happens as follows, assuming that the mount point was\ncreated by open_tree(..., OPEN_TREE_CLONE):\n\nthread 1 thread 2 RCU\n __do_sys_open_by_handle_at\n do_handle_open\n handle_to_path\n may_decode_fh\n is_mounted\n [mount::mnt_ns access]\n [mount::mnt_ns access]\n__do_sys_close\n fput_close_sync\n __fput\n dissolve_on_fput\n umount_tree\n class_namespace_excl_destructor\n namespace_unlock\n free_mnt_ns\n mnt_ns_tree_remove\n call_rcu(mnt_ns_release_rcu)\n mnt_ns_release_rcu\n mnt_ns_release\n kfree\n [mnt_namespace::user_ns access] **UAF**\n\nFix it by taking rcu_read_lock() around the mount::mnt_ns access, like\nin __prepend_path().\nAdditionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()\nfor writers that can race with lockless readers.\n\nThis bug is unreachable unless one of the following is set:\n\n - CONFIG_PREEMPTION\n - CONFIG_RCU_STRICT_GRACE_PERIOD\n\nbecause it requires an RCU grace period to happen during a syscall without\nan explicit preemption.\n\nThis doesn\u0027t seem to have interesting security impact; worst-case, it could\nleak the result of an integer comparison to userspace (from the level\ncheck in cap_capable()), cause an endless loop, or crash the kernel by\ndereferencing an invalid address."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T11:51:08.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15ea8dc42a02259d49dee38a658d40f60fcd75ed"
},
{
"url": "https://git.kernel.org/stable/c/32138633e51e6db59e474765cf93268c92b42888"
},
{
"url": "https://git.kernel.org/stable/c/a8ed2c29fcfdac78db96c9da4e659c8a513f2a94"
},
{
"url": "https://git.kernel.org/stable/c/40ab6644b99685755f740b872c00ef40d9aa870e"
}
],
"title": "fhandle: fix UAF due to unlocked -\u003emnt_ns read in may_decode_fh()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53341",
"datePublished": "2026-07-01T13:32:22.873Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-04T11:51:08.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53340 (GCVE-0-2026-53340)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
In i2c_imx_runtime_suspend(), the clock is disabled before switching
the pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails,
the runtime suspend is aborted but the clock remains disabled, causing
a system crash when the hardware is subsequently accessed.
Fix this by switching the pinctrl state before disabling the clock so
that a pinctrl failure leaves the clock enabled and the hardware
accessible.
In i2c_imx_runtime_resume(), restore the pinctrl state back to sleep
if clk_enable() fails to keep the consistent.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
576eba03c99435380d155e5f71d5d7603b9178f6 , < 9fa82cf393bafc7bd7ca15c1d5cbd5b57ab9de1d
(git)
Affected: 576eba03c99435380d155e5f71d5d7603b9178f6 , < c8f5269c1bf505847bc7dbb92054594790114de6 (git) Affected: 576eba03c99435380d155e5f71d5d7603b9178f6 , < 8783fb8031799f1230997c16df8c8dce9fcd1841 (git) |
|
| Linux | Linux |
Affected:
6.14
Unaffected: 0 , < 6.14 (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-imx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fa82cf393bafc7bd7ca15c1d5cbd5b57ab9de1d",
"status": "affected",
"version": "576eba03c99435380d155e5f71d5d7603b9178f6",
"versionType": "git"
},
{
"lessThan": "c8f5269c1bf505847bc7dbb92054594790114de6",
"status": "affected",
"version": "576eba03c99435380d155e5f71d5d7603b9178f6",
"versionType": "git"
},
{
"lessThan": "8783fb8031799f1230997c16df8c8dce9fcd1841",
"status": "affected",
"version": "576eba03c99435380d155e5f71d5d7603b9178f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-imx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx: fix clock and pinctrl state inconsistency in runtime PM\n\nIn i2c_imx_runtime_suspend(), the clock is disabled before switching\nthe pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails,\nthe runtime suspend is aborted but the clock remains disabled, causing\na system crash when the hardware is subsequently accessed.\n\nFix this by switching the pinctrl state before disabling the clock so\nthat a pinctrl failure leaves the clock enabled and the hardware\naccessible.\n\nIn i2c_imx_runtime_resume(), restore the pinctrl state back to sleep\nif clk_enable() fails to keep the consistent."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:22.276Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fa82cf393bafc7bd7ca15c1d5cbd5b57ab9de1d"
},
{
"url": "https://git.kernel.org/stable/c/c8f5269c1bf505847bc7dbb92054594790114de6"
},
{
"url": "https://git.kernel.org/stable/c/8783fb8031799f1230997c16df8c8dce9fcd1841"
}
],
"title": "i2c: imx: fix clock and pinctrl state inconsistency in runtime PM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53340",
"datePublished": "2026-07-01T13:32:22.276Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:22.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53339 (GCVE-0-2026-53339)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
On all modern platforms Qualcomm CCI controller provides two I2C masters,
and on particular boards only one I2C master may be initialized, and in
such cases the device unbinding or driver removal causes a NULL pointer
dereference, because cci_halt() is called for all two I2C masters, but
a completion is initialized only for the single enabled master:
% rmmod i2c-qcom-cci
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
<snip>
Call trace:
__wait_for_common+0x194/0x1a8 (P)
wait_for_completion_timeout+0x20/0x2c
cci_remove+0xc4/0x138 [i2c_qcom_cci]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
driver_detach+0x50/0x98
bus_remove_driver+0x6c/0xbc
driver_unregister+0x30/0x60
platform_driver_unregister+0x14/0x20
qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
....
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e517526195de400158e05a08764d1fb61d579105 , < e8669d12da0ade52adfe0abe96cd99e708abc9bd
(git)
Affected: e517526195de400158e05a08764d1fb61d579105 , < 4d2b4a9cda6837e5ee1de1290f2e773a713b71e9 (git) Affected: e517526195de400158e05a08764d1fb61d579105 , < a50b8adb9cdb9a495b0b45583956897b7411ed7a (git) Affected: e517526195de400158e05a08764d1fb61d579105 , < 7107627b8b35015027201e7a095a3f6e30b4a46f (git) Affected: e517526195de400158e05a08764d1fb61d579105 , < 4cd206c1d57a9370d5219f7b1fc45169d7bdf951 (git) Affected: e517526195de400158e05a08764d1fb61d579105 , < a162a260c8c4db7501c65220e76913e8e351f823 (git) Affected: e517526195de400158e05a08764d1fb61d579105 , < 8ce7ff721a5e9d06d53ef65d01c89fce6d26d6ff (git) Affected: e517526195de400158e05a08764d1fb61d579105 , < 729ac5a4b966aac42e08a94dea966f4429008548 (git) |
|
| Linux | Linux |
Affected:
5.8
Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-qcom-cci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8669d12da0ade52adfe0abe96cd99e708abc9bd",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "4d2b4a9cda6837e5ee1de1290f2e773a713b71e9",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "a50b8adb9cdb9a495b0b45583956897b7411ed7a",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "7107627b8b35015027201e7a095a3f6e30b4a46f",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "4cd206c1d57a9370d5219f7b1fc45169d7bdf951",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "a162a260c8c4db7501c65220e76913e8e351f823",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "8ce7ff721a5e9d06d53ef65d01c89fce6d26d6ff",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "729ac5a4b966aac42e08a94dea966f4429008548",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-qcom-cci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qcom-cci: Fix NULL pointer dereference in cci_remove()\n\nOn all modern platforms Qualcomm CCI controller provides two I2C masters,\nand on particular boards only one I2C master may be initialized, and in\nsuch cases the device unbinding or driver removal causes a NULL pointer\ndereference, because cci_halt() is called for all two I2C masters, but\na completion is initialized only for the single enabled master:\n\n % rmmod i2c-qcom-cci\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n \u003csnip\u003e\n Call trace:\n __wait_for_common+0x194/0x1a8 (P)\n wait_for_completion_timeout+0x20/0x2c\n cci_remove+0xc4/0x138 [i2c_qcom_cci]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n driver_detach+0x50/0x98\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]\n ...."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:21.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8669d12da0ade52adfe0abe96cd99e708abc9bd"
},
{
"url": "https://git.kernel.org/stable/c/4d2b4a9cda6837e5ee1de1290f2e773a713b71e9"
},
{
"url": "https://git.kernel.org/stable/c/a50b8adb9cdb9a495b0b45583956897b7411ed7a"
},
{
"url": "https://git.kernel.org/stable/c/7107627b8b35015027201e7a095a3f6e30b4a46f"
},
{
"url": "https://git.kernel.org/stable/c/4cd206c1d57a9370d5219f7b1fc45169d7bdf951"
},
{
"url": "https://git.kernel.org/stable/c/a162a260c8c4db7501c65220e76913e8e351f823"
},
{
"url": "https://git.kernel.org/stable/c/8ce7ff721a5e9d06d53ef65d01c89fce6d26d6ff"
},
{
"url": "https://git.kernel.org/stable/c/729ac5a4b966aac42e08a94dea966f4429008548"
}
],
"title": "i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53339",
"datePublished": "2026-07-01T13:32:21.709Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:21.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53338 (GCVE-0-2026-53338)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()
of_reserved_mem_lookup() may return NULL if the reserved memory region
referenced by the "memory-region" phandle is not found in the reserved
memory table (e.g. due to a misconfigured DTS or a removed
memory-region node). The current code dereferences the returned
pointer without checking for NULL, leading to a kernel NULL pointer
dereference at the following lines:
dma_addr = rmem->base; // line 1156
num_desc = div_u64(rmem->size, buf_size); // line 1160
Add a NULL check after of_reserved_mem_lookup() and return -ENODEV if
the lookup fails, which is consistent with the existing error handling
for of_parse_phandle() failure in the same code block.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b , < 01f7d4b504580664d36faea5671cde5e3f0d8a5b
(git)
Affected: 3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b , < cdb96c42db7b256348f9b57718debfaa4bca6b39 (git) Affected: 3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b , < f9f25118faa4dd2b6e3d14a03d123bbdbd59925d (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/airoha/airoha_eth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01f7d4b504580664d36faea5671cde5e3f0d8a5b",
"status": "affected",
"version": "3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b",
"versionType": "git"
},
{
"lessThan": "cdb96c42db7b256348f9b57718debfaa4bca6b39",
"status": "affected",
"version": "3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b",
"versionType": "git"
},
{
"lessThan": "f9f25118faa4dd2b6e3d14a03d123bbdbd59925d",
"status": "affected",
"version": "3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/airoha/airoha_eth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()\n\nof_reserved_mem_lookup() may return NULL if the reserved memory region\nreferenced by the \"memory-region\" phandle is not found in the reserved\nmemory table (e.g. due to a misconfigured DTS or a removed\nmemory-region node). The current code dereferences the returned\npointer without checking for NULL, leading to a kernel NULL pointer\ndereference at the following lines:\n\n dma_addr = rmem-\u003ebase; // line 1156\n num_desc = div_u64(rmem-\u003esize, buf_size); // line 1160\n\nAdd a NULL check after of_reserved_mem_lookup() and return -ENODEV if\nthe lookup fails, which is consistent with the existing error handling\nfor of_parse_phandle() failure in the same code block."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:21.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01f7d4b504580664d36faea5671cde5e3f0d8a5b"
},
{
"url": "https://git.kernel.org/stable/c/cdb96c42db7b256348f9b57718debfaa4bca6b39"
},
{
"url": "https://git.kernel.org/stable/c/f9f25118faa4dd2b6e3d14a03d123bbdbd59925d"
}
],
"title": "net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53338",
"datePublished": "2026-07-01T13:32:21.147Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:21.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53337 (GCVE-0-2026-53337)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
net: bonding: fix NULL pointer dereference in bond_do_ioctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix NULL pointer dereference in bond_do_ioctl()
In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
can return NULL if the requested interface name does not exist. However,
the subsequent slave_dbg() call is placed before the NULL check:
slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
if (!slave_dev)
return -ENODEV;
The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
before the NULL check is performed. This results in a NULL pointer
dereference kernel oops when a user calls bonding ioctl (e.g.
SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
interface name.
This is reachable from userspace via the bonding ioctl interface with
CAP_NET_ADMIN capability, making it a potential local denial-of-service
vector.
Fix by moving the slave_dbg() call after the NULL check.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < 1b7558c85493467b2ea20738866b822db6442034
(git)
Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < b02b2e3e876c18733b868a29064abd11cdbf8feb (git) Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < 66693957bacd1c9dae6188a7312d6be69a221f2d (git) Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < a629418d463fb50d132a1aa063b0105857311e5f (git) Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < c2cfe290fdb1c32a4f4eb2b8ca3f363b305d21ba (git) Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < bcb8fad90f27300add583a8371db504b766d95c7 (git) Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < b0878106ddc486375084145848ff255dedfff46a (git) Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < a764b0e8317a863006e05732e1aefe821b9d8c2d (git) |
|
| Linux | Linux |
Affected:
5.3
Unaffected: 0 , < 5.3 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b7558c85493467b2ea20738866b822db6442034",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "b02b2e3e876c18733b868a29064abd11cdbf8feb",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "66693957bacd1c9dae6188a7312d6be69a221f2d",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "a629418d463fb50d132a1aa063b0105857311e5f",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "c2cfe290fdb1c32a4f4eb2b8ca3f363b305d21ba",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "bcb8fad90f27300add583a8371db504b766d95c7",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "b0878106ddc486375084145848ff255dedfff46a",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "a764b0e8317a863006e05732e1aefe821b9d8c2d",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL pointer dereference in bond_do_ioctl()\n\nIn bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which\ncan return NULL if the requested interface name does not exist. However,\nthe subsequent slave_dbg() call is placed before the NULL check:\n\n slave_dev = __dev_get_by_name(net, ifr-\u003eifr_slave);\n slave_dbg(bond_dev, slave_dev, \"slave_dev=%p:\\n\", slave_dev); //here\n if (!slave_dev)\n return -ENODEV;\n\nThe slave_dbg() macro expands to netdev_dbg(bond_dev, \"(slave %s): \" fmt,\n(slave_dev)-\u003ename, ...) which unconditionally dereferences slave_dev-\u003ename\nbefore the NULL check is performed. This results in a NULL pointer\ndereference kernel oops when a user calls bonding ioctl (e.g.\nSIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave\ninterface name.\n\nThis is reachable from userspace via the bonding ioctl interface with\nCAP_NET_ADMIN capability, making it a potential local denial-of-service\nvector.\n\nFix by moving the slave_dbg() call after the NULL check."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:19.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b7558c85493467b2ea20738866b822db6442034"
},
{
"url": "https://git.kernel.org/stable/c/b02b2e3e876c18733b868a29064abd11cdbf8feb"
},
{
"url": "https://git.kernel.org/stable/c/66693957bacd1c9dae6188a7312d6be69a221f2d"
},
{
"url": "https://git.kernel.org/stable/c/a629418d463fb50d132a1aa063b0105857311e5f"
},
{
"url": "https://git.kernel.org/stable/c/c2cfe290fdb1c32a4f4eb2b8ca3f363b305d21ba"
},
{
"url": "https://git.kernel.org/stable/c/bcb8fad90f27300add583a8371db504b766d95c7"
},
{
"url": "https://git.kernel.org/stable/c/b0878106ddc486375084145848ff255dedfff46a"
},
{
"url": "https://git.kernel.org/stable/c/a764b0e8317a863006e05732e1aefe821b9d8c2d"
}
],
"title": "net: bonding: fix NULL pointer dereference in bond_do_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53337",
"datePublished": "2026-07-01T13:32:19.046Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:19.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53336 (GCVE-0-2026-53336)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
nvmem: layouts: onie-tlv: fix hang on unknown types
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmem: layouts: onie-tlv: fix hang on unknown types
The EEPROM on my board has a vendor specific entry of type 0x41. When
stumbling upon that, this driver hangs in an endless loop.
Fix it by keep incrementing the offset on unknown entries, so the loop
will eventually stop.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d3c0d12f6474216bf386101e2449cc73e5c5b61d , < 033d498b0f473c6456be5f885be172024ad84972
(git)
Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < fd47edeabadfaa75422009dc5894e92c4c697517 (git) Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < 4a4d21f531ccf5bb333d99b620e0d66551f3652c (git) Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < 4f27eb01619c36cc8e3ce9a2a9af97f145f5d1c6 (git) Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < ea41020b9018e31c2ea7e9d89021e3e6d7470883 (git) |
|
| Linux | Linux |
Affected:
6.4
Unaffected: 0 , < 6.4 (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvmem/layouts/onie-tlv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "033d498b0f473c6456be5f885be172024ad84972",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
},
{
"lessThan": "fd47edeabadfaa75422009dc5894e92c4c697517",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
},
{
"lessThan": "4a4d21f531ccf5bb333d99b620e0d66551f3652c",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
},
{
"lessThan": "4f27eb01619c36cc8e3ce9a2a9af97f145f5d1c6",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
},
{
"lessThan": "ea41020b9018e31c2ea7e9d89021e3e6d7470883",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvmem/layouts/onie-tlv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: layouts: onie-tlv: fix hang on unknown types\n\nThe EEPROM on my board has a vendor specific entry of type 0x41. When\nstumbling upon that, this driver hangs in an endless loop.\n\nFix it by keep incrementing the offset on unknown entries, so the loop\nwill eventually stop."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:18.489Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/033d498b0f473c6456be5f885be172024ad84972"
},
{
"url": "https://git.kernel.org/stable/c/fd47edeabadfaa75422009dc5894e92c4c697517"
},
{
"url": "https://git.kernel.org/stable/c/4a4d21f531ccf5bb333d99b620e0d66551f3652c"
},
{
"url": "https://git.kernel.org/stable/c/4f27eb01619c36cc8e3ce9a2a9af97f145f5d1c6"
},
{
"url": "https://git.kernel.org/stable/c/ea41020b9018e31c2ea7e9d89021e3e6d7470883"
}
],
"title": "nvmem: layouts: onie-tlv: fix hang on unknown types",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53336",
"datePublished": "2026-07-01T13:32:18.489Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:18.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53335 (GCVE-0-2026-53335)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
mm/damon/lru_sort: handle ctx allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/lru_sort: handle ctx allocation failure
DAMON_LRU_SORT allocates the damon_ctx object for its kdamond in its init
function. damon_lru_sort_enabled_store() wrongly assumes the allocation
will always succeed once tried. If the damon_ctx allocation was failed,
therefore, code execution reaches to damon_commit_ctx() while 'ctx' is
NULL. As a result, it dereferences the NULL 'ctx' pointer. Avoid the
NULL dereference by returning -ENOMEM if 'ctx' is NULL.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c4a8e662c839ac0003e4781aa324cb2d68ed9cb1 , < 6d48f15659395bf1381114f01be91bc68e0be46a
(git)
Affected: c4a8e662c839ac0003e4781aa324cb2d68ed9cb1 , < daab1996431a71f43219dcac48ecc9ad2aad3f1c (git) Affected: c4a8e662c839ac0003e4781aa324cb2d68ed9cb1 , < ab04340b5ae5d52c1d46b750538febcde9d889e7 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/lru_sort.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d48f15659395bf1381114f01be91bc68e0be46a",
"status": "affected",
"version": "c4a8e662c839ac0003e4781aa324cb2d68ed9cb1",
"versionType": "git"
},
{
"lessThan": "daab1996431a71f43219dcac48ecc9ad2aad3f1c",
"status": "affected",
"version": "c4a8e662c839ac0003e4781aa324cb2d68ed9cb1",
"versionType": "git"
},
{
"lessThan": "ab04340b5ae5d52c1d46b750538febcde9d889e7",
"status": "affected",
"version": "c4a8e662c839ac0003e4781aa324cb2d68ed9cb1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/lru_sort.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/lru_sort: handle ctx allocation failure\n\nDAMON_LRU_SORT allocates the damon_ctx object for its kdamond in its init\nfunction. damon_lru_sort_enabled_store() wrongly assumes the allocation\nwill always succeed once tried. If the damon_ctx allocation was failed,\ntherefore, code execution reaches to damon_commit_ctx() while \u0027ctx\u0027 is\nNULL. As a result, it dereferences the NULL \u0027ctx\u0027 pointer. Avoid the\nNULL dereference by returning -ENOMEM if \u0027ctx\u0027 is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:17.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d48f15659395bf1381114f01be91bc68e0be46a"
},
{
"url": "https://git.kernel.org/stable/c/daab1996431a71f43219dcac48ecc9ad2aad3f1c"
},
{
"url": "https://git.kernel.org/stable/c/ab04340b5ae5d52c1d46b750538febcde9d889e7"
}
],
"title": "mm/damon/lru_sort: handle ctx allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53335",
"datePublished": "2026-07-01T13:32:17.953Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:17.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53334 (GCVE-0-2026-53334)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
mm/damon/reclaim: handle ctx allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/reclaim: handle ctx allocation failure
Patch series "mm/damon/{reclaim,lru_sort}: handle ctx allocation failures".
DAMON_RECLAIM and DAMON_LRU_SORT could dereference NULL pointers if their
damon_ctx object allocations fail. The bugs are expected to happen
infrequently because the allocations are arguably too small to fail on
common setups. But theoretically they are possible and the consequences
are bad. Fix those.
The issues were discovered [1] by Sashiko.
This patch (of 2):
DAMON_RECLAIM allocates the damon_ctx object for its kdamond in its init
function. damon_reclaim_enabled_store() wrongly assumes the allocation
will always succeed once tried. If the damon_ctx allocation was failed,
therefore, code execution reaches to damon_commit_ctx() while 'ctx' is
NULL. As a result, it dereferences the NULL 'ctx' pointer. Avoid the
NULL dereference by returning -ENOMEM if 'ctx' is NULL.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3f7a914ab9a5e46cf8aac7de270f02aa3f63de04 , < 66bc00ea37fa8ec14be5a3909d067a5967ef234b
(git)
Affected: 3f7a914ab9a5e46cf8aac7de270f02aa3f63de04 , < 635b45ce61de53a9357e28ac97461428cdb650f0 (git) Affected: 3f7a914ab9a5e46cf8aac7de270f02aa3f63de04 , < 7e2ed8a29427af534bf2cb9b8bc51762b8b6e654 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/reclaim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66bc00ea37fa8ec14be5a3909d067a5967ef234b",
"status": "affected",
"version": "3f7a914ab9a5e46cf8aac7de270f02aa3f63de04",
"versionType": "git"
},
{
"lessThan": "635b45ce61de53a9357e28ac97461428cdb650f0",
"status": "affected",
"version": "3f7a914ab9a5e46cf8aac7de270f02aa3f63de04",
"versionType": "git"
},
{
"lessThan": "7e2ed8a29427af534bf2cb9b8bc51762b8b6e654",
"status": "affected",
"version": "3f7a914ab9a5e46cf8aac7de270f02aa3f63de04",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/reclaim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/reclaim: handle ctx allocation failure\n\nPatch series \"mm/damon/{reclaim,lru_sort}: handle ctx allocation failures\".\n\nDAMON_RECLAIM and DAMON_LRU_SORT could dereference NULL pointers if their\ndamon_ctx object allocations fail. The bugs are expected to happen\ninfrequently because the allocations are arguably too small to fail on\ncommon setups. But theoretically they are possible and the consequences\nare bad. Fix those.\n\nThe issues were discovered [1] by Sashiko.\n\n\nThis patch (of 2):\n\nDAMON_RECLAIM allocates the damon_ctx object for its kdamond in its init\nfunction. damon_reclaim_enabled_store() wrongly assumes the allocation\nwill always succeed once tried. If the damon_ctx allocation was failed,\ntherefore, code execution reaches to damon_commit_ctx() while \u0027ctx\u0027 is\nNULL. As a result, it dereferences the NULL \u0027ctx\u0027 pointer. Avoid the\nNULL dereference by returning -ENOMEM if \u0027ctx\u0027 is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:17.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66bc00ea37fa8ec14be5a3909d067a5967ef234b"
},
{
"url": "https://git.kernel.org/stable/c/635b45ce61de53a9357e28ac97461428cdb650f0"
},
{
"url": "https://git.kernel.org/stable/c/7e2ed8a29427af534bf2cb9b8bc51762b8b6e654"
}
],
"title": "mm/damon/reclaim: handle ctx allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53334",
"datePublished": "2026-07-01T13:32:17.419Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-07-01T13:32:17.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53333 (GCVE-0-2026-53333)
Vulnerability from nvd – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
VLAI
Title
mm/mincore: handle non-swap entries before !CONFIG_SWAP guard
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/mincore: handle non-swap entries before !CONFIG_SWAP guard
mincore_swap() also fields migration/hwpoison entries (and shmem
swapin-error entries), which can exist on !CONFIG_SWAP builds when
CONFIG_MIGRATION or CONFIG_MEMORY_FAILURE is enabled. The
!IS_ENABLED(CONFIG_SWAP) guard ran before the non-swap-entry early return,
so mincore_pte_range() can spuriously WARN and report these pages
nonresident on !CONFIG_SWAP kernels.
Move the guard below the non-swap-entry check so only true swap entries
trip the WARN, and migration/hwpoison entries take the existing "uptodate
/ non-shmem" path.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1f2052755c152940c336918bd73d13d5468f548b , < a8f91ddf67f669f547bb9fb559738da6f8ee2cf3
(git)
Affected: 1f2052755c152940c336918bd73d13d5468f548b , < 3481d4372ae34243f7025925314385b852c50f7e (git) Affected: 1f2052755c152940c336918bd73d13d5468f548b , < 0c25b8734367574e21aeb8468c2e522713134da7 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/mincore.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8f91ddf67f669f547bb9fb559738da6f8ee2cf3",
"status": "affected",
"version": "1f2052755c152940c336918bd73d13d5468f548b",
"versionType": "git"
},
{
"lessThan": "3481d4372ae34243f7025925314385b852c50f7e",
"status": "affected",
"version": "1f2052755c152940c336918bd73d13d5468f548b",
"versionType": "git"
},
{
"lessThan": "0c25b8734367574e21aeb8468c2e522713134da7",
"status": "affected",
"version": "1f2052755c152940c336918bd73d13d5468f548b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/mincore.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mincore: handle non-swap entries before !CONFIG_SWAP guard\n\nmincore_swap() also fields migration/hwpoison entries (and shmem\nswapin-error entries), which can exist on !CONFIG_SWAP builds when\nCONFIG_MIGRATION or CONFIG_MEMORY_FAILURE is enabled. The\n!IS_ENABLED(CONFIG_SWAP) guard ran before the non-swap-entry early return,\nso mincore_pte_range() can spuriously WARN and report these pages\nnonresident on !CONFIG_SWAP kernels.\n\nMove the guard below the non-swap-entry check so only true swap entries\ntrip the WARN, and migration/hwpoison entries take the existing \"uptodate\n/ non-shmem\" path."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:16.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8f91ddf67f669f547bb9fb559738da6f8ee2cf3"
},
{
"url": "https://git.kernel.org/stable/c/3481d4372ae34243f7025925314385b852c50f7e"
},
{
"url": "https://git.kernel.org/stable/c/0c25b8734367574e21aeb8468c2e522713134da7"
}
],
"title": "mm/mincore: handle non-swap entries before !CONFIG_SWAP guard",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53333",
"datePublished": "2026-07-01T13:32:16.852Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-07-01T13:32:16.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}