25996 vulnerabilities found for linux_kernel by linux
CVE-2026-43284 (GCVE-0-2026-43284)
Vulnerability from nvd – Published: 2026-05-08 07:21 – Updated: 2026-05-09 03:55
Title
xfrm: esp: avoid in-place decrypt on shared skb frags
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
Severity ?
7.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < a6cb440f274a22456ef3e86b457344f1678f38f9 (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < ab8b995323e5237041472d07e5055f5f7dcdf15b (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < fe785bb3a8096dffcc4048a85cd0c83337eeecad (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 5d55c7336f8032d434adcc5fab987ccc93a44aec (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 8253aab4659ca16116b522203c2a6b18dccacea7 (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 50ed1e7873100f77abad20fd31c51029bc49cd03 (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < b54edf1e9a3fd3491bdcb82a21f8d21315271e0d (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 71a1d9d985d26716f74d21f18ee8cac821b06e97 (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 52646cbd00e765a6db9c3afe9535f26218276034 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-08T09:32:40.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/08/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43284",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:46.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6cb440f274a22456ef3e86b457344f1678f38f9",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "ab8b995323e5237041472d07e5055f5f7dcdf15b",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "fe785bb3a8096dffcc4048a85cd0c83337eeecad",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "5d55c7336f8032d434adcc5fab987ccc93a44aec",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "8253aab4659ca16116b522203c2a6b18dccacea7",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "50ed1e7873100f77abad20fd31c51029bc49cd03",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "b54edf1e9a3fd3491bdcb82a21f8d21315271e0d",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "71a1d9d985d26716f74d21f18ee8cac821b06e97",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "52646cbd00e765a6db9c3afe9535f26218276034",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.206",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.255",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.205",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.206",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.171",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.172",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.138",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.87",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.28",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.5",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb-\u003edata_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:57:22.849Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9"
},
{
"url": "https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b"
},
{
"url": "https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad"
},
{
"url": "https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec"
},
{
"url": "https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7"
},
{
"url": "https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03"
},
{
"url": "https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d"
},
{
"url": "https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97"
},
{
"url": "https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034"
}
],
"title": "xfrm: esp: avoid in-place decrypt on shared skb frags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43284",
"datePublished": "2026-05-08T07:21:47.524Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-09T03:55:46.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43283 (GCVE-0-2026-43283)
Vulnerability from nvd – Published: 2026-05-06 11:29 – Updated: 2026-05-08 12:41
Title
net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
dma_free_coherent() in the error path takes priv->rx_buf.alloc_len as
the dma handle. This would lead to improper unmapping of the buffer.
Change the dma handle to priv->rx_buf.alloc_phys.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6af55ff52b02d492d45db88df3e461fa51a6f753 , < 0f589ee54fd6d76d3f75e745f7f12c64cbd749e5 (git)<br>Affected: 6af55ff52b02d492d45db88df3e461fa51a6f753 , < accd0599bc8e73b962247c6c6c70ca7aa1f8e8d0 (git)<br>Affected: 6af55ff52b02d492d45db88df3e461fa51a6f753 , < 8320727be7ff704e07c87624efc2a4a75f54b3ce (git)<br>Affected: 6af55ff52b02d492d45db88df3e461fa51a6f753 , < 1e300c33ef3cc544c2b9c693778fe9490cfe9184 (git)<br>Affected: 6af55ff52b02d492d45db88df3e461fa51a6f753 , < 1b1371cd4032ae859838ebc74215f569987bb197 (git)<br>Affected: 6af55ff52b02d492d45db88df3e461fa51a6f753 , < 1b1d3c5d58a80a19d017a409aa2308162bab5bbf (git)<br>Affected: 6af55ff52b02d492d45db88df3e461fa51a6f753 , < 7e54ff938bebb173822b4c38b33fc164c1cabf92 (git)<br>Affected: 6af55ff52b02d492d45db88df3e461fa51a6f753 , < ffe68c3766997d82e9ccaf1cdbd47eba269c4aa2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ec_bhf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f589ee54fd6d76d3f75e745f7f12c64cbd749e5",
"status": "affected",
"version": "6af55ff52b02d492d45db88df3e461fa51a6f753",
"versionType": "git"
},
{
"lessThan": "accd0599bc8e73b962247c6c6c70ca7aa1f8e8d0",
"status": "affected",
"version": "6af55ff52b02d492d45db88df3e461fa51a6f753",
"versionType": "git"
},
{
"lessThan": "8320727be7ff704e07c87624efc2a4a75f54b3ce",
"status": "affected",
"version": "6af55ff52b02d492d45db88df3e461fa51a6f753",
"versionType": "git"
},
{
"lessThan": "1e300c33ef3cc544c2b9c693778fe9490cfe9184",
"status": "affected",
"version": "6af55ff52b02d492d45db88df3e461fa51a6f753",
"versionType": "git"
},
{
"lessThan": "1b1371cd4032ae859838ebc74215f569987bb197",
"status": "affected",
"version": "6af55ff52b02d492d45db88df3e461fa51a6f753",
"versionType": "git"
},
{
"lessThan": "1b1d3c5d58a80a19d017a409aa2308162bab5bbf",
"status": "affected",
"version": "6af55ff52b02d492d45db88df3e461fa51a6f753",
"versionType": "git"
},
{
"lessThan": "7e54ff938bebb173822b4c38b33fc164c1cabf92",
"status": "affected",
"version": "6af55ff52b02d492d45db88df3e461fa51a6f753",
"versionType": "git"
},
{
"lessThan": "ffe68c3766997d82e9ccaf1cdbd47eba269c4aa2",
"status": "affected",
"version": "6af55ff52b02d492d45db88df3e461fa51a6f753",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ec_bhf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ec_bhf: Fix dma_free_coherent() dma handle\n\ndma_free_coherent() in error path takes priv-\u003erx_buf.alloc_len as\nthe dma handle. This would lead to improper unmapping of the buffer.\n\nChange the dma handle to priv-\u003erx_buf.alloc_phys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T12:41:46.869Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f589ee54fd6d76d3f75e745f7f12c64cbd749e5"
},
{
"url": "https://git.kernel.org/stable/c/accd0599bc8e73b962247c6c6c70ca7aa1f8e8d0"
},
{
"url": "https://git.kernel.org/stable/c/8320727be7ff704e07c87624efc2a4a75f54b3ce"
},
{
"url": "https://git.kernel.org/stable/c/1e300c33ef3cc544c2b9c693778fe9490cfe9184"
},
{
"url": "https://git.kernel.org/stable/c/1b1371cd4032ae859838ebc74215f569987bb197"
},
{
"url": "https://git.kernel.org/stable/c/1b1d3c5d58a80a19d017a409aa2308162bab5bbf"
},
{
"url": "https://git.kernel.org/stable/c/7e54ff938bebb173822b4c38b33fc164c1cabf92"
},
{
"url": "https://git.kernel.org/stable/c/ffe68c3766997d82e9ccaf1cdbd47eba269c4aa2"
}
],
"title": "net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43283",
"datePublished": "2026-05-06T11:29:03.726Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-08T12:41:46.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43282 (GCVE-0-2026-43282)
Vulnerability from nvd – Published: 2026-05-06 11:29 – Updated: 2026-05-06 11:29
Title
RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port
The function ionic_query_port() calls ib_device_get_netdev() without
checking the return value, which could lead to a NULL pointer dereference.
Fix it by checking the return value and returning -ENODEV if 'ndev' is
NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2075bbe8ef03914aa2211035eec45d1d3a5c4ff2 , < 2b96156c927cd83c109e2e3946e6111dce73231f (git)<br>Affected: 2075bbe8ef03914aa2211035eec45d1d3a5c4ff2 , < 81932a46dfd0db10a03f46f0b1c7ef946ac4552f (git)<br>Affected: 2075bbe8ef03914aa2211035eec45d1d3a5c4ff2 , < fd80bd7105f88189f47d465ca8cb7d115570de30 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/ionic/ionic_ibdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b96156c927cd83c109e2e3946e6111dce73231f",
"status": "affected",
"version": "2075bbe8ef03914aa2211035eec45d1d3a5c4ff2",
"versionType": "git"
},
{
"lessThan": "81932a46dfd0db10a03f46f0b1c7ef946ac4552f",
"status": "affected",
"version": "2075bbe8ef03914aa2211035eec45d1d3a5c4ff2",
"versionType": "git"
},
{
"lessThan": "fd80bd7105f88189f47d465ca8cb7d115570de30",
"status": "affected",
"version": "2075bbe8ef03914aa2211035eec45d1d3a5c4ff2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/ionic/ionic_ibdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port\n\nThe function ionic_query_port() calls ib_device_get_netdev() without\nchecking the return value which could lead to NULL pointer dereference,\nFix it by checking the return value and return -ENODEV if the \u0027ndev\u0027 is\nNULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:29:03.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b96156c927cd83c109e2e3946e6111dce73231f"
},
{
"url": "https://git.kernel.org/stable/c/81932a46dfd0db10a03f46f0b1c7ef946ac4552f"
},
{
"url": "https://git.kernel.org/stable/c/fd80bd7105f88189f47d465ca8cb7d115570de30"
}
],
"title": "RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43282",
"datePublished": "2026-05-06T11:29:03.000Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-06T11:29:03.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43281 (GCVE-0-2026-43281)
Vulnerability from nvd – Published: 2026-05-06 11:29 – Updated: 2026-05-07 17:15
Title
mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
Although the guidance is that `#mbox-cells` must be at least 1, there are
many instances of `#mbox-cells = <0>;` in the device tree. If that is
the case and the corresponding mailbox controller does not provide
`fw_xlate` and `of_xlate` function pointers, `fw_mbox_index_xlate()` will
be used by default and out-of-bounds accesses could occur due to the lack of
a bounds check in that function.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2b6d83e2b8b7de82331a6a1dcd64b51020a6031c , < 2662ed331a69c0b551f78af58f12eb629a89a36f (git)<br>Affected: 2b6d83e2b8b7de82331a6a1dcd64b51020a6031c , < 31c4c67dec3362094a6747a171a4848e98542265 (git)<br>Affected: 2b6d83e2b8b7de82331a6a1dcd64b51020a6031c , < 01d9a8c2615d436b2b30c19c1afe9fcd5726ff6d (git)<br>Affected: 2b6d83e2b8b7de82331a6a1dcd64b51020a6031c , < 4caae8168d1b808c7d4ff481295292e3f97f90fb (git)<br>Affected: 2b6d83e2b8b7de82331a6a1dcd64b51020a6031c , < f50b39fd7c72a8734153644ee945ca0d8b2e65ab (git)<br>Affected: 2b6d83e2b8b7de82331a6a1dcd64b51020a6031c , < fcd7f96c783626c07ee3ed75fa3739a8a2052310 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2662ed331a69c0b551f78af58f12eb629a89a36f",
"status": "affected",
"version": "2b6d83e2b8b7de82331a6a1dcd64b51020a6031c",
"versionType": "git"
},
{
"lessThan": "31c4c67dec3362094a6747a171a4848e98542265",
"status": "affected",
"version": "2b6d83e2b8b7de82331a6a1dcd64b51020a6031c",
"versionType": "git"
},
{
"lessThan": "01d9a8c2615d436b2b30c19c1afe9fcd5726ff6d",
"status": "affected",
"version": "2b6d83e2b8b7de82331a6a1dcd64b51020a6031c",
"versionType": "git"
},
{
"lessThan": "4caae8168d1b808c7d4ff481295292e3f97f90fb",
"status": "affected",
"version": "2b6d83e2b8b7de82331a6a1dcd64b51020a6031c",
"versionType": "git"
},
{
"lessThan": "f50b39fd7c72a8734153644ee945ca0d8b2e65ab",
"status": "affected",
"version": "2b6d83e2b8b7de82331a6a1dcd64b51020a6031c",
"versionType": "git"
},
{
"lessThan": "fcd7f96c783626c07ee3ed75fa3739a8a2052310",
"status": "affected",
"version": "2b6d83e2b8b7de82331a6a1dcd64b51020a6031c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()\n\nAlthough it is guided that `#mbox-cells` must be at least 1, there are\nmany instances of `#mbox-cells = \u003c0\u003e;` in the device tree. If that is\nthe case and the corresponding mailbox controller does not provide\n`fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will\nbe used by default and out-of-bounds accesses could occur due to lack of\nbounds check in that function."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:22.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2662ed331a69c0b551f78af58f12eb629a89a36f"
},
{
"url": "https://git.kernel.org/stable/c/31c4c67dec3362094a6747a171a4848e98542265"
},
{
"url": "https://git.kernel.org/stable/c/01d9a8c2615d436b2b30c19c1afe9fcd5726ff6d"
},
{
"url": "https://git.kernel.org/stable/c/4caae8168d1b808c7d4ff481295292e3f97f90fb"
},
{
"url": "https://git.kernel.org/stable/c/f50b39fd7c72a8734153644ee945ca0d8b2e65ab"
},
{
"url": "https://git.kernel.org/stable/c/fcd7f96c783626c07ee3ed75fa3739a8a2052310"
}
],
"title": "mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43281",
"datePublished": "2026-05-06T11:29:02.278Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-07T17:15:22.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43280 (GCVE-0-2026-43280)
Vulnerability from nvd – Published: 2026-05-06 11:29 – Updated: 2026-05-08 12:41
Title
drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise
When a user provides a bogus pat_index value through the madvise IOCTL, the
xe_pat_index_get_coh_mode() function performs an array access without
validating bounds. This allows a malicious user to trigger an out-of-bounds
kernel read from the xe->pat.table array.
The vulnerability exists because the validation in madvise_args_are_sane()
directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without
first checking if pat_index is within [0, xe->pat.n_entries).
Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug
builds, it still performs the unsafe array access in production kernels.
v2(Matthew Auld)
- Using array_index_nospec() to mitigate spectre attacks when the value
is used
v3(Matthew Auld)
- Put the declarations at the start of the block
(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
Severity ?
7.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ada7486c5668db542a7d361268df931aca5b726a , < ffba51100ff61792fefbae11ca38ac1987a818dd (git)<br>Affected: ada7486c5668db542a7d361268df931aca5b726a , < 79f52655567a6471ff3d0d6325ede91bb14461f4 (git)<br>Affected: ada7486c5668db542a7d361268df931aca5b726a , < fbbe32618e97eff81577a01eb7d9adcd64a216d7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm_madvise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ffba51100ff61792fefbae11ca38ac1987a818dd",
"status": "affected",
"version": "ada7486c5668db542a7d361268df931aca5b726a",
"versionType": "git"
},
{
"lessThan": "79f52655567a6471ff3d0d6325ede91bb14461f4",
"status": "affected",
"version": "ada7486c5668db542a7d361268df931aca5b726a",
"versionType": "git"
},
{
"lessThan": "fbbe32618e97eff81577a01eb7d9adcd64a216d7",
"status": "affected",
"version": "ada7486c5668db542a7d361268df931aca5b726a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm_madvise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise\n\nWhen user provides a bogus pat_index value through the madvise IOCTL, the\nxe_pat_index_get_coh_mode() function performs an array access without\nvalidating bounds. This allows a malicious user to trigger an out-of-bounds\nkernel read from the xe-\u003epat.table array.\n\nThe vulnerability exists because the validation in madvise_args_are_sane()\ndirectly calls xe_pat_index_get_coh_mode(xe, args-\u003epat_index.val) without\nfirst checking if pat_index is within [0, xe-\u003epat.n_entries).\n\nAlthough xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug\nbuilds, it still performs the unsafe array access in production kernels.\n\nv2(Matthew Auld)\n- Using array_index_nospec() to mitigate spectre attacks when the value\nis used\n\nv3(Matthew Auld)\n- Put the declarations at the start of the block\n\n(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T12:41:45.745Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ffba51100ff61792fefbae11ca38ac1987a818dd"
},
{
"url": "https://git.kernel.org/stable/c/79f52655567a6471ff3d0d6325ede91bb14461f4"
},
{
"url": "https://git.kernel.org/stable/c/fbbe32618e97eff81577a01eb7d9adcd64a216d7"
}
],
"title": "drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43280",
"datePublished": "2026-05-06T11:29:01.562Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-08T12:41:45.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43279 (GCVE-0-2026-43279)
Vulnerability from nvd – Published: 2026-05-06 11:29 – Updated: 2026-05-08 12:41
Title
ALSA: usb-audio: Add sanity check for OOB writes at silencing
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Add sanity check for OOB writes at silencing
When silencing the playback URB packets in implicit feedback (fb) mode
before the actual playback starts, we blindly assume that the received
packets fit within the buffer size. But when the setup in the capture stream
differs from the playback stream (e.g. due to the USB core limitation
of max packet size), such an inconsistency may lead to OOB writes to
the buffer, resulting in a crash.
To address it, add a sanity check of the transfer buffer size at
prepare_silent_urb(), and stop the data copy if the received data
overflows. Also, report the transfer error back properly from there.
Note that this doesn't fix the root cause of the playback error
itself; it merely prevents the kernel Oops.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f
(git)
Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < 780dc57794a217b49994fa1d0b42465fb10a00aa (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < 8995fc0e00b3fee9bf7ecb3d836b635b730c1049 (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < fc9e5af60dc199051dc202ae78e1fe76a9977a5e (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < 6af16f1b8649df4c00d6ced924bdd8b72c885b6a (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < ccaf9296763be4f76b59e2cac377006016c34435 (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < fba2105a157fffcf19825e4eea498346738c9948 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "780dc57794a217b49994fa1d0b42465fb10a00aa",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "8995fc0e00b3fee9bf7ecb3d836b635b730c1049",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "fc9e5af60dc199051dc202ae78e1fe76a9977a5e",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "6af16f1b8649df4c00d6ced924bdd8b72c885b6a",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "ccaf9296763be4f76b59e2cac377006016c34435",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "fba2105a157fffcf19825e4eea498346738c9948",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Add sanity check for OOB writes at silencing\n\nAt silencing the playback URB packets in the implicit fb mode before\nthe actual playback, we blindly assume that the received packets fit\nwith the buffer size. But when the setup in the capture stream\ndiffers from the playback stream (e.g. due to the USB core limitation\nof max packet size), such an inconsistency may lead to OOB writes to\nthe buffer, resulting in a crash.\n\nFor addressing it, add a sanity check of the transfer buffer size at\nprepare_silent_urb(), and stop the data copy if the received data\noverflows. Also, report back the transfer error properly from there,\ntoo.\n\nNote that this doesn\u0027t fix the root cause of the playback error\nitself, but this merely covers the kernel Oops."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T12:41:44.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f"
},
{
"url": "https://git.kernel.org/stable/c/780dc57794a217b49994fa1d0b42465fb10a00aa"
},
{
"url": "https://git.kernel.org/stable/c/8995fc0e00b3fee9bf7ecb3d836b635b730c1049"
},
{
"url": "https://git.kernel.org/stable/c/fc9e5af60dc199051dc202ae78e1fe76a9977a5e"
},
{
"url": "https://git.kernel.org/stable/c/6af16f1b8649df4c00d6ced924bdd8b72c885b6a"
},
{
"url": "https://git.kernel.org/stable/c/ccaf9296763be4f76b59e2cac377006016c34435"
},
{
"url": "https://git.kernel.org/stable/c/fba2105a157fffcf19825e4eea498346738c9948"
}
],
"title": "ALSA: usb-audio: Add sanity check for OOB writes at silencing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43279",
"datePublished": "2026-05-06T11:29:00.844Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-08T12:41:44.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43278 (GCVE-0-2026-43278)
Vulnerability from nvd – Published: 2026-05-06 11:29 – Updated: 2026-05-08 12:41
Title
dm: clear cloned request bio pointer when last clone bio completes
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: clear cloned request bio pointer when last clone bio completes
Stale rq->bio values have been observed to cause double-initialization of
cloned bios in request-based device-mapper targets, leading to
use-after-free and double-free scenarios.
One such case occurs when using dm-multipath on top of a PCIe NVMe
namespace, where cloned request bios are freed during
blk_complete_request(), but rq->bio is left intact. Subsequent clone
teardown then attempts to free the same bios again via
blk_rq_unprep_clone().
The resulting double-free path looks like:
nvme_pci_complete_batch()
nvme_complete_batch()
blk_mq_end_request_batch()
blk_complete_request() // called on a DM clone request
bio_endio() // first free of all clone bios
...
rq->end_io() // end_clone_request()
dm_complete_request(tio->orig)
dm_softirq_done()
dm_done()
dm_end_request()
blk_rq_unprep_clone() // second free of clone bios
Fix this by clearing the clone request's bio pointer when the last cloned
bio completes, ensuring that later teardown paths do not attempt to free
already-released bios.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ab3e1d3bbab9e973aeb4dd4603251578658a47ff , < 8d9ddad561136f7e6a9346767bf97b4d79e38e67
(git)
Affected: ab3e1d3bbab9e973aeb4dd4603251578658a47ff , < 7daf279c674d515fb22a727a7bbc92aeb35c5442 (git) Affected: ab3e1d3bbab9e973aeb4dd4603251578658a47ff , < e2e738e8dfbbf83bd2bae0467ec4420cc52da42a (git) Affected: ab3e1d3bbab9e973aeb4dd4603251578658a47ff , < b1c1a2637ebd675aa2d71fee8c70da8791d73850 (git) Affected: ab3e1d3bbab9e973aeb4dd4603251578658a47ff , < 83d72091804600ead96dc9e9f518ea56cb4942f6 (git) Affected: ab3e1d3bbab9e973aeb4dd4603251578658a47ff , < fb8a6c18fb9a6561f7a15b58b272442b77a242dd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-rq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d9ddad561136f7e6a9346767bf97b4d79e38e67",
"status": "affected",
"version": "ab3e1d3bbab9e973aeb4dd4603251578658a47ff",
"versionType": "git"
},
{
"lessThan": "7daf279c674d515fb22a727a7bbc92aeb35c5442",
"status": "affected",
"version": "ab3e1d3bbab9e973aeb4dd4603251578658a47ff",
"versionType": "git"
},
{
"lessThan": "e2e738e8dfbbf83bd2bae0467ec4420cc52da42a",
"status": "affected",
"version": "ab3e1d3bbab9e973aeb4dd4603251578658a47ff",
"versionType": "git"
},
{
"lessThan": "b1c1a2637ebd675aa2d71fee8c70da8791d73850",
"status": "affected",
"version": "ab3e1d3bbab9e973aeb4dd4603251578658a47ff",
"versionType": "git"
},
{
"lessThan": "83d72091804600ead96dc9e9f518ea56cb4942f6",
"status": "affected",
"version": "ab3e1d3bbab9e973aeb4dd4603251578658a47ff",
"versionType": "git"
},
{
"lessThan": "fb8a6c18fb9a6561f7a15b58b272442b77a242dd",
"status": "affected",
"version": "ab3e1d3bbab9e973aeb4dd4603251578658a47ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-rq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: clear cloned request bio pointer when last clone bio completes\n\nStale rq-\u003ebio values have been observed to cause double-initialization of\ncloned bios in request-based device-mapper targets, leading to\nuse-after-free and double-free scenarios.\n\nOne such case occurs when using dm-multipath on top of a PCIe NVMe\nnamespace, where cloned request bios are freed during\nblk_complete_request(), but rq-\u003ebio is left intact. Subsequent clone\nteardown then attempts to free the same bios again via\nblk_rq_unprep_clone().\n\nThe resulting double-free path looks like:\n\n nvme_pci_complete_batch()\n nvme_complete_batch()\n blk_mq_end_request_batch()\n blk_complete_request() // called on a DM clone request\n bio_endio() // first free of all clone bios\n ...\n rq-\u003eend_io() // end_clone_request()\n dm_complete_request(tio-\u003eorig)\n dm_softirq_done()\n dm_done()\n dm_end_request()\n blk_rq_unprep_clone() // second free of clone bios\n\nFix this by clearing the clone request\u0027s bio pointer when the last cloned\nbio completes, ensuring that later teardown paths do not attempt to free\nalready-released bios."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T12:41:43.313Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d9ddad561136f7e6a9346767bf97b4d79e38e67"
},
{
"url": "https://git.kernel.org/stable/c/7daf279c674d515fb22a727a7bbc92aeb35c5442"
},
{
"url": "https://git.kernel.org/stable/c/e2e738e8dfbbf83bd2bae0467ec4420cc52da42a"
},
{
"url": "https://git.kernel.org/stable/c/b1c1a2637ebd675aa2d71fee8c70da8791d73850"
},
{
"url": "https://git.kernel.org/stable/c/83d72091804600ead96dc9e9f518ea56cb4942f6"
},
{
"url": "https://git.kernel.org/stable/c/fb8a6c18fb9a6561f7a15b58b272442b77a242dd"
}
],
"title": "dm: clear cloned request bio pointer when last clone bio completes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43278",
"datePublished": "2026-05-06T11:29:00.193Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-08T12:41:43.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43277 (GCVE-0-2026-43277)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-07 17:15
Title
APEI/GHES: ensure that won't go past CPER allocated record
Summary
In the Linux kernel, the following vulnerability has been resolved:
APEI/GHES: ensure that won't go past CPER allocated record
The logic in ghes_new() prevents allocating overly large records by
checking whether they are bigger than GHES_ESTATUS_MAX_SIZE (currently 64KB).
However, the allocation is done with the actual number of pages from the
CPER BIOS table location, which can be smaller.
Bad firmware could therefore send data with a different size, which might
be bigger than the allocated memory, causing an Oops:
Unable to handle kernel paging request at virtual address fff00000f9b40000
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
Data abort info:
ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000
[fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000
Internal error: Oops: 0000000096000007 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT
Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022
Workqueue: kacpi_notify acpi_os_execute_deferred
pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : hex_dump_to_buffer+0x30c/0x4a0
lr : hex_dump_to_buffer+0x328/0x4a0
sp : ffff800080e13880
x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083
x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004
x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083
x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010
x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020
x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008
x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020
x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000
x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008
Call trace:
hex_dump_to_buffer+0x30c/0x4a0 (P)
print_hex_dump+0xac/0x170
cper_estatus_print_section+0x90c/0x968
cper_estatus_print+0xf0/0x158
__ghes_print_estatus+0xa0/0x148
ghes_proc+0x1bc/0x220
ghes_notify_hed+0x5c/0xb8
notifier_call_chain+0x78/0x148
blocking_notifier_call_chain+0x4c/0x80
acpi_hed_notify+0x28/0x40
acpi_ev_notify_dispatch+0x50/0x80
acpi_os_execute_deferred+0x24/0x48
process_one_work+0x15c/0x3b0
worker_thread+0x2d0/0x400
kthread+0x148/0x228
ret_from_fork+0x10/0x20
Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44)
---[ end trace 0000000000000000 ]---
Prevent that by taking the actual allocated area into account when
checking for CPER length.
[ rjw: Subject tweaks ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d334a49113a4a33109fd24e46073280ecd1bea0d , < 92ba79074c58e65a6e32713758c5a9aecd33c2ea
(git)
Affected: d334a49113a4a33109fd24e46073280ecd1bea0d , < 616c120dcdf1ce96edcd818e38bce49667f80689 (git) Affected: d334a49113a4a33109fd24e46073280ecd1bea0d , < f3740a1562445f36f08afab8af59e37117b3acdc (git) Affected: d334a49113a4a33109fd24e46073280ecd1bea0d , < e0ec99115e135dbb58e11a0df007c7d4771d4a17 (git) Affected: d334a49113a4a33109fd24e46073280ecd1bea0d , < b6be51a12441136fdf8c49b2525689fbea1856e1 (git) Affected: d334a49113a4a33109fd24e46073280ecd1bea0d , < 6f5d41984ad896736c23e2fff7c80e15c1319132 (git) Affected: d334a49113a4a33109fd24e46073280ecd1bea0d , < 98bd9b28d4d11e6739ad86524b4be4ada9025e60 (git) Affected: d334a49113a4a33109fd24e46073280ecd1bea0d , < fa2408a24f8f0db14d9cfc613ef162dc267d7ad4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/apei/ghes.c",
"include/acpi/ghes.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92ba79074c58e65a6e32713758c5a9aecd33c2ea",
"status": "affected",
"version": "d334a49113a4a33109fd24e46073280ecd1bea0d",
"versionType": "git"
},
{
"lessThan": "616c120dcdf1ce96edcd818e38bce49667f80689",
"status": "affected",
"version": "d334a49113a4a33109fd24e46073280ecd1bea0d",
"versionType": "git"
},
{
"lessThan": "f3740a1562445f36f08afab8af59e37117b3acdc",
"status": "affected",
"version": "d334a49113a4a33109fd24e46073280ecd1bea0d",
"versionType": "git"
},
{
"lessThan": "e0ec99115e135dbb58e11a0df007c7d4771d4a17",
"status": "affected",
"version": "d334a49113a4a33109fd24e46073280ecd1bea0d",
"versionType": "git"
},
{
"lessThan": "b6be51a12441136fdf8c49b2525689fbea1856e1",
"status": "affected",
"version": "d334a49113a4a33109fd24e46073280ecd1bea0d",
"versionType": "git"
},
{
"lessThan": "6f5d41984ad896736c23e2fff7c80e15c1319132",
"status": "affected",
"version": "d334a49113a4a33109fd24e46073280ecd1bea0d",
"versionType": "git"
},
{
"lessThan": "98bd9b28d4d11e6739ad86524b4be4ada9025e60",
"status": "affected",
"version": "d334a49113a4a33109fd24e46073280ecd1bea0d",
"versionType": "git"
},
{
"lessThan": "fa2408a24f8f0db14d9cfc613ef162dc267d7ad4",
"status": "affected",
"version": "d334a49113a4a33109fd24e46073280ecd1bea0d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/apei/ghes.c",
"include/acpi/ghes.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nAPEI/GHES: ensure that won\u0027t go past CPER allocated record\n\nThe logic at ghes_new() prevents allocating too large records, by\nchecking if they\u0027re bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB).\nYet, the allocation is done with the actual number of pages from the\nCPER bios table location, which can be smaller.\n\nYet, a bad firmware could send data with a different size, which might\nbe bigger than the allocated memory, causing an OOPS:\n\n Unable to handle kernel paging request at virtual address fff00000f9b40000\n Mem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000\n [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000\n Internal error: Oops: 0000000096000007 [#1] SMP\n Modules linked in:\n CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT\n Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022\n Workqueue: kacpi_notify acpi_os_execute_deferred\n pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n pc : hex_dump_to_buffer+0x30c/0x4a0\n lr : hex_dump_to_buffer+0x328/0x4a0\n sp : ffff800080e13880\n x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083\n x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004\n x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083\n x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010\n x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020\n x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008\n 
x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020\n x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000\n x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008\n Call trace:\n hex_dump_to_buffer+0x30c/0x4a0 (P)\n print_hex_dump+0xac/0x170\n cper_estatus_print_section+0x90c/0x968\n cper_estatus_print+0xf0/0x158\n __ghes_print_estatus+0xa0/0x148\n ghes_proc+0x1bc/0x220\n ghes_notify_hed+0x5c/0xb8\n notifier_call_chain+0x78/0x148\n blocking_notifier_call_chain+0x4c/0x80\n acpi_hed_notify+0x28/0x40\n acpi_ev_notify_dispatch+0x50/0x80\n acpi_os_execute_deferred+0x24/0x48\n process_one_work+0x15c/0x3b0\n worker_thread+0x2d0/0x400\n kthread+0x148/0x228\n ret_from_fork+0x10/0x20\n Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44)\n ---[ end trace 0000000000000000 ]---\n\nPrevent that by taking the actual allocated are into account when\nchecking for CPER length.\n\n[ rjw: Subject tweaks ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:20.242Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92ba79074c58e65a6e32713758c5a9aecd33c2ea"
},
{
"url": "https://git.kernel.org/stable/c/616c120dcdf1ce96edcd818e38bce49667f80689"
},
{
"url": "https://git.kernel.org/stable/c/f3740a1562445f36f08afab8af59e37117b3acdc"
},
{
"url": "https://git.kernel.org/stable/c/e0ec99115e135dbb58e11a0df007c7d4771d4a17"
},
{
"url": "https://git.kernel.org/stable/c/b6be51a12441136fdf8c49b2525689fbea1856e1"
},
{
"url": "https://git.kernel.org/stable/c/6f5d41984ad896736c23e2fff7c80e15c1319132"
},
{
"url": "https://git.kernel.org/stable/c/98bd9b28d4d11e6739ad86524b4be4ada9025e60"
},
{
"url": "https://git.kernel.org/stable/c/fa2408a24f8f0db14d9cfc613ef162dc267d7ad4"
}
],
"title": "APEI/GHES: ensure that won\u0027t go past CPER allocated record",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43277",
"datePublished": "2026-05-06T11:28:59.486Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-07T17:15:20.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43276 (GCVE-0-2026-43276)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
net: mana: Fix double destroy_workqueue on service rescan PCI path
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mana: Fix double destroy_workqueue on service rescan PCI path
While testing corner cases in the driver, a use-after-free crash
was found on the service rescan PCI path.
When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup()
destroys gc->service_wq. If the subsequent mana_gd_resume() fails
with -ETIMEDOUT or -EPROTO, the code falls through to
mana_serv_rescan() which triggers pci_stop_and_remove_bus_device().
This invokes the PCI .remove callback (mana_gd_remove), which calls
mana_gd_cleanup() a second time, attempting to destroy the already-
freed workqueue. Fix this by NULL-checking gc->service_wq in
mana_gd_cleanup() and setting it to NULL after destruction.
Call stack of issue for reference:
[Sat Feb 21 18:53:48 2026] Call Trace:
[Sat Feb 21 18:53:48 2026] <TASK>
[Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana]
[Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana]
[Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0
[Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70
[Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250
[Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20
[Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90
[Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30
[Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana]
[Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana]
[Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0
[Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0
[Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130
[Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10
[Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10
[Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350
[Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10
[Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30
[Sat Feb 21 18:53:48 2026] </TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 505cc26bcae00699bacaee66cd50ede7a9cc89cb , < fa3c2f8d9152344a478abb847081c1b5f84a94f5 (git)<br>Affected: 505cc26bcae00699bacaee66cd50ede7a9cc89cb , < a9a7c3203fdc4d4a8d8a7a3b1ed05d2bb4c6e77e (git)<br>Affected: 505cc26bcae00699bacaee66cd50ede7a9cc89cb , < f975a0955276579e2176a134366ed586071c7c6a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microsoft/mana/gdma_main.c",
"drivers/net/ethernet/microsoft/mana/mana_en.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa3c2f8d9152344a478abb847081c1b5f84a94f5",
"status": "affected",
"version": "505cc26bcae00699bacaee66cd50ede7a9cc89cb",
"versionType": "git"
},
{
"lessThan": "a9a7c3203fdc4d4a8d8a7a3b1ed05d2bb4c6e77e",
"status": "affected",
"version": "505cc26bcae00699bacaee66cd50ede7a9cc89cb",
"versionType": "git"
},
{
"lessThan": "f975a0955276579e2176a134366ed586071c7c6a",
"status": "affected",
"version": "505cc26bcae00699bacaee66cd50ede7a9cc89cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microsoft/mana/gdma_main.c",
"drivers/net/ethernet/microsoft/mana/mana_en.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix double destroy_workqueue on service rescan PCI path\n\nWhile testing corner cases in the driver, a use-after-free crash\nwas found on the service rescan PCI path.\n\nWhen mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup()\ndestroys gc-\u003eservice_wq. If the subsequent mana_gd_resume() fails\nwith -ETIMEDOUT or -EPROTO, the code falls through to\nmana_serv_rescan() which triggers pci_stop_and_remove_bus_device().\nThis invokes the PCI .remove callback (mana_gd_remove), which calls\nmana_gd_cleanup() a second time, attempting to destroy the already-\nfreed workqueue. Fix this by NULL-checking gc-\u003eservice_wq in\nmana_gd_cleanup() and setting it to NULL after destruction.\n\nCall stack of issue for reference:\n[Sat Feb 21 18:53:48 2026] Call Trace:\n[Sat Feb 21 18:53:48 2026] \u003cTASK\u003e\n[Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana]\n[Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana]\n[Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0\n[Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70\n[Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250\n[Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20\n[Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90\n[Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30\n[Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana]\n[Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana]\n[Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0\n[Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0\n[Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130\n[Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10\n[Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10\n[Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350\n[Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10\n[Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30\n[Sat Feb 21 18:53:48 2026] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:58.840Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa3c2f8d9152344a478abb847081c1b5f84a94f5"
},
{
"url": "https://git.kernel.org/stable/c/a9a7c3203fdc4d4a8d8a7a3b1ed05d2bb4c6e77e"
},
{
"url": "https://git.kernel.org/stable/c/f975a0955276579e2176a134366ed586071c7c6a"
}
],
"title": "net: mana: Fix double destroy_workqueue on service rescan PCI path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43276",
"datePublished": "2026-05-06T11:28:58.840Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-06T11:28:58.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43275 (GCVE-0-2026-43275)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
scsi: ufs: core: Flush exception handling work when RPM level is zero
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Flush exception handling work when RPM level is zero
Ensure that the exception event handling work is explicitly flushed during
suspend when the runtime power management level is set to UFS_PM_LVL_0.
When the RPM level is zero, the device power mode and link state both
remain active. Previously, the UFS core driver bypassed flushing exception
event handling jobs in this configuration. This created a race condition
where the driver could attempt to access the host controller to handle an
exception after the system had already entered a deep power-down state,
resulting in a system crash.
Explicitly flush this work and disable auto BKOPs before the suspend
callback proceeds. This guarantees that pending exception tasks complete
and prevents illegal hardware access during the power-down sequence.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 57d104c153d3d6d7bea60089e80f37501851ed2c , < d5c3a1a13f97355c397f9439d79cb04b182958a3 (git)<br>Affected: 57d104c153d3d6d7bea60089e80f37501851ed2c , < 5d186731bc335cc049d4e57ab9f563cfab95593e (git)<br>Affected: 57d104c153d3d6d7bea60089e80f37501851ed2c , < aa8d68d97c7f0ef966e51afc17fdbdc372700edf (git)<br>Affected: 57d104c153d3d6d7bea60089e80f37501851ed2c , < aac2fee7513dd25042a616f86a1469b4858d2c5c (git)<br>Affected: 57d104c153d3d6d7bea60089e80f37501851ed2c , < 78d8e2d6352e8317686ee3a44811ac14c415a57d (git)<br>Affected: 57d104c153d3d6d7bea60089e80f37501851ed2c , < ab71c146c135f9af1614ef0fc29a0a3b84f1a373 (git)<br>Affected: 57d104c153d3d6d7bea60089e80f37501851ed2c , < f8ef441811ec413717f188f63d99182f30f0f08e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5c3a1a13f97355c397f9439d79cb04b182958a3",
"status": "affected",
"version": "57d104c153d3d6d7bea60089e80f37501851ed2c",
"versionType": "git"
},
{
"lessThan": "5d186731bc335cc049d4e57ab9f563cfab95593e",
"status": "affected",
"version": "57d104c153d3d6d7bea60089e80f37501851ed2c",
"versionType": "git"
},
{
"lessThan": "aa8d68d97c7f0ef966e51afc17fdbdc372700edf",
"status": "affected",
"version": "57d104c153d3d6d7bea60089e80f37501851ed2c",
"versionType": "git"
},
{
"lessThan": "aac2fee7513dd25042a616f86a1469b4858d2c5c",
"status": "affected",
"version": "57d104c153d3d6d7bea60089e80f37501851ed2c",
"versionType": "git"
},
{
"lessThan": "78d8e2d6352e8317686ee3a44811ac14c415a57d",
"status": "affected",
"version": "57d104c153d3d6d7bea60089e80f37501851ed2c",
"versionType": "git"
},
{
"lessThan": "ab71c146c135f9af1614ef0fc29a0a3b84f1a373",
"status": "affected",
"version": "57d104c153d3d6d7bea60089e80f37501851ed2c",
"versionType": "git"
},
{
"lessThan": "f8ef441811ec413717f188f63d99182f30f0f08e",
"status": "affected",
"version": "57d104c153d3d6d7bea60089e80f37501851ed2c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Flush exception handling work when RPM level is zero\n\nEnsure that the exception event handling work is explicitly flushed during\nsuspend when the runtime power management level is set to UFS_PM_LVL_0.\n\nWhen the RPM level is zero, the device power mode and link state both\nremain active. Previously, the UFS core driver bypassed flushing exception\nevent handling jobs in this configuration. This created a race condition\nwhere the driver could attempt to access the host controller to handle an\nexception after the system had already entered a deep power-down state,\nresulting in a system crash.\n\nExplicitly flush this work and disable auto BKOPs before the suspend\ncallback proceeds. This guarantees that pending exception tasks complete\nand prevents illegal hardware access during the power-down sequence."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:58.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5c3a1a13f97355c397f9439d79cb04b182958a3"
},
{
"url": "https://git.kernel.org/stable/c/5d186731bc335cc049d4e57ab9f563cfab95593e"
},
{
"url": "https://git.kernel.org/stable/c/aa8d68d97c7f0ef966e51afc17fdbdc372700edf"
},
{
"url": "https://git.kernel.org/stable/c/aac2fee7513dd25042a616f86a1469b4858d2c5c"
},
{
"url": "https://git.kernel.org/stable/c/78d8e2d6352e8317686ee3a44811ac14c415a57d"
},
{
"url": "https://git.kernel.org/stable/c/ab71c146c135f9af1614ef0fc29a0a3b84f1a373"
},
{
"url": "https://git.kernel.org/stable/c/f8ef441811ec413717f188f63d99182f30f0f08e"
}
],
"title": "scsi: ufs: core: Flush exception handling work when RPM level is zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43275",
"datePublished": "2026-05-06T11:28:58.174Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-06T11:28:58.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43274 (GCVE-0-2026-43274)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-08 12:41
Title
mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()
The cluster_cfg array is dynamically allocated to hold per-CPU
configuration structures, with its size based on the number of online
CPUs. Previously, this array was indexed using hartid, which may be
non-contiguous or exceed the bounds of the array, leading to
out-of-bounds access.
Switch to using cpuid as the index, as it is guaranteed to be within
the valid range provided by for_each_online_cpu().
Severity ?
8.4 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e4b1d67e71419c4af581890ecea84b04920d4116 , < 95438699c92947155823dcd3918049a07f3cd867 (git)<br>Affected: e4b1d67e71419c4af581890ecea84b04920d4116 , < 0442b6229e2eedc95a6d3d18ce75dec7f5b5377c (git)<br>Affected: e4b1d67e71419c4af581890ecea84b04920d4116 , < f7c330a8c83c9b0332fd524097eaf3e69148164d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/mailbox-mchp-ipc-sbi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95438699c92947155823dcd3918049a07f3cd867",
"status": "affected",
"version": "e4b1d67e71419c4af581890ecea84b04920d4116",
"versionType": "git"
},
{
"lessThan": "0442b6229e2eedc95a6d3d18ce75dec7f5b5377c",
"status": "affected",
"version": "e4b1d67e71419c4af581890ecea84b04920d4116",
"versionType": "git"
},
{
"lessThan": "f7c330a8c83c9b0332fd524097eaf3e69148164d",
"status": "affected",
"version": "e4b1d67e71419c4af581890ecea84b04920d4116",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/mailbox-mchp-ipc-sbi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()\n\nThe cluster_cfg array is dynamically allocated to hold per-CPU\nconfiguration structures, with its size based on the number of online\nCPUs. Previously, this array was indexed using hartid, which may be\nnon-contiguous or exceed the bounds of the array, leading to\nout-of-bounds access.\nSwitch to using cpuid as the index, as it is guaranteed to be within\nthe valid range provided by for_each_online_cpu()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T12:41:42.166Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95438699c92947155823dcd3918049a07f3cd867"
},
{
"url": "https://git.kernel.org/stable/c/0442b6229e2eedc95a6d3d18ce75dec7f5b5377c"
},
{
"url": "https://git.kernel.org/stable/c/f7c330a8c83c9b0332fd524097eaf3e69148164d"
}
],
"title": "mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43274",
"datePublished": "2026-05-06T11:28:57.503Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-08T12:41:42.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43273 (GCVE-0-2026-43273)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
ceph: supply snapshot context in ceph_zero_partial_object()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: supply snapshot context in ceph_zero_partial_object()
The ceph_zero_partial_object function was missing proper snapshot
context for its OSD write operations, which could lead to data
inconsistencies in snapshots.
Reproducer:
../src/vstart.sh --new -x --localhost --bluestore
./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a'
mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf
dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1
mkdir /mnt/mycephfs/.snap/snap1
md5sum /mnt/mycephfs/.snap/snap1/foo
fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo
echo 3 > /proc/sys/vm/drop_caches
md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ad7a60de882aca31afb58721db166f7e77afcd92 , < 36673344b41c31fb502dd0d0113cec1aa96f581e (git)<br>Affected: ad7a60de882aca31afb58721db166f7e77afcd92 , < 5788b742007f53406049bef917833a71ddd43f60 (git)<br>Affected: ad7a60de882aca31afb58721db166f7e77afcd92 , < 757873abfc8ea38592582180aed0f57f0f0cb07a (git)<br>Affected: ad7a60de882aca31afb58721db166f7e77afcd92 , < 9efa154609cdb658f51c7d76b30a09f7e6485250 (git)<br>Affected: ad7a60de882aca31afb58721db166f7e77afcd92 , < 531a76c5a2e44264cee8a70121e63eb28c1ba728 (git)<br>Affected: ad7a60de882aca31afb58721db166f7e77afcd92 , < 69e59a87bab0ea31ab2a584fc65e12dafacf8953 (git)<br>Affected: ad7a60de882aca31afb58721db166f7e77afcd92 , < 4097e70fc543cca72982854108a32f6ae924e727 (git)<br>Affected: ad7a60de882aca31afb58721db166f7e77afcd92 , < f16bd3fa74a2084ee7e16a8a2be7e7399b970907 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36673344b41c31fb502dd0d0113cec1aa96f581e",
"status": "affected",
"version": "ad7a60de882aca31afb58721db166f7e77afcd92",
"versionType": "git"
},
{
"lessThan": "5788b742007f53406049bef917833a71ddd43f60",
"status": "affected",
"version": "ad7a60de882aca31afb58721db166f7e77afcd92",
"versionType": "git"
},
{
"lessThan": "757873abfc8ea38592582180aed0f57f0f0cb07a",
"status": "affected",
"version": "ad7a60de882aca31afb58721db166f7e77afcd92",
"versionType": "git"
},
{
"lessThan": "9efa154609cdb658f51c7d76b30a09f7e6485250",
"status": "affected",
"version": "ad7a60de882aca31afb58721db166f7e77afcd92",
"versionType": "git"
},
{
"lessThan": "531a76c5a2e44264cee8a70121e63eb28c1ba728",
"status": "affected",
"version": "ad7a60de882aca31afb58721db166f7e77afcd92",
"versionType": "git"
},
{
"lessThan": "69e59a87bab0ea31ab2a584fc65e12dafacf8953",
"status": "affected",
"version": "ad7a60de882aca31afb58721db166f7e77afcd92",
"versionType": "git"
},
{
"lessThan": "4097e70fc543cca72982854108a32f6ae924e727",
"status": "affected",
"version": "ad7a60de882aca31afb58721db166f7e77afcd92",
"versionType": "git"
},
{
"lessThan": "f16bd3fa74a2084ee7e16a8a2be7e7399b970907",
"status": "affected",
"version": "ad7a60de882aca31afb58721db166f7e77afcd92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: supply snapshot context in ceph_zero_partial_object()\n\nThe ceph_zero_partial_object function was missing proper snapshot\ncontext for its OSD write operations, which could lead to data\ninconsistencies in snapshots.\n\nReproducer:\n../src/vstart.sh --new -x --localhost --bluestore\n./bin/ceph auth caps client.fs_a mds \u0027allow rwps fsname=a\u0027 mon \u0027allow r fsname=a\u0027 osd \u0027allow rw tag cephfs data=a\u0027\nmount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf\ndd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1\nmkdir /mnt/mycephfs/.snap/snap1\nmd5sum /mnt/mycephfs/.snap/snap1/foo\nfallocate -p -o 0 -l 4096 /mnt/mycephfs/foo\necho 3 \u003e /proc/sys/vm/drop/caches\nmd5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:56.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36673344b41c31fb502dd0d0113cec1aa96f581e"
},
{
"url": "https://git.kernel.org/stable/c/5788b742007f53406049bef917833a71ddd43f60"
},
{
"url": "https://git.kernel.org/stable/c/757873abfc8ea38592582180aed0f57f0f0cb07a"
},
{
"url": "https://git.kernel.org/stable/c/9efa154609cdb658f51c7d76b30a09f7e6485250"
},
{
"url": "https://git.kernel.org/stable/c/531a76c5a2e44264cee8a70121e63eb28c1ba728"
},
{
"url": "https://git.kernel.org/stable/c/69e59a87bab0ea31ab2a584fc65e12dafacf8953"
},
{
"url": "https://git.kernel.org/stable/c/4097e70fc543cca72982854108a32f6ae924e727"
},
{
"url": "https://git.kernel.org/stable/c/f16bd3fa74a2084ee7e16a8a2be7e7399b970907"
}
],
"title": "ceph: supply snapshot context in ceph_zero_partial_object()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43273",
"datePublished": "2026-05-06T11:28:56.851Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-06T11:28:56.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43272 (GCVE-0-2026-43272)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
ring-buffer: Fix possible dereference of uninitialized pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix possible dereference of uninitialized pointer
There is a pointer head_page in rb_meta_validate_events() which is not
initialized at the beginning of a function. This pointer can be dereferenced
if there is a failure during reader page validation. In this case the control
is passed to "invalid" label where the pointer is dereferenced in a loop.
To fix the issue initialize orig_head and head_page before calling
rb_validate_buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55 , < bc77986f3cb7476637052edf2d87137fa39f153d (git)<br>Affected: 5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55 , < d9942396845fef2369478c157b26738fe07142f6 (git)<br>Affected: 5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55 , < f1547779402c4cd67755c33616b7203baa88420b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc77986f3cb7476637052edf2d87137fa39f153d",
"status": "affected",
"version": "5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55",
"versionType": "git"
},
{
"lessThan": "d9942396845fef2369478c157b26738fe07142f6",
"status": "affected",
"version": "5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55",
"versionType": "git"
},
{
"lessThan": "f1547779402c4cd67755c33616b7203baa88420b",
"status": "affected",
"version": "5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix possible dereference of uninitialized pointer\n\nThere is a pointer head_page in rb_meta_validate_events() which is not\ninitialized at the beginning of a function. This pointer can be dereferenced\nif there is a failure during reader page validation. In this case the control\nis passed to \"invalid\" label where the pointer is dereferenced in a loop.\n\nTo fix the issue initialize orig_head and head_page before calling\nrb_validate_buffer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:56.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc77986f3cb7476637052edf2d87137fa39f153d"
},
{
"url": "https://git.kernel.org/stable/c/d9942396845fef2369478c157b26738fe07142f6"
},
{
"url": "https://git.kernel.org/stable/c/f1547779402c4cd67755c33616b7203baa88420b"
}
],
"title": "ring-buffer: Fix possible dereference of uninitialized pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43272",
"datePublished": "2026-05-06T11:28:56.162Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-06T11:28:56.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43271 (GCVE-0-2026-43271)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-07 17:15
Title
md-cluster: fix NULL pointer dereference in process_metadata_update
Summary
In the Linux kernel, the following vulnerability has been resolved:
md-cluster: fix NULL pointer dereference in process_metadata_update
The function process_metadata_update() blindly dereferences the 'thread'
pointer (acquired via rcu_dereference_protected) within the wait_event()
macro.
While the code comment states "daemon thread must exist", there is a valid
race condition window during the MD array startup sequence (md_run):
1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until
later in md_run().
If a METADATA_UPDATED message is received from a remote node during this
specific window, process_metadata_update() will be called while
mddev->thread is still NULL, leading to a kernel panic.
To fix this, we must validate the 'thread' pointer. If it is NULL, we
release the held lock (no_new_dev_lockres) and return early, safely
ignoring the update request as the array is not yet fully ready to
process it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0ba959774e93911caff596de6391f085fb640ac4 , < a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1 (git) |
| Linux | Linux | Affected: 0ba959774e93911caff596de6391f085fb640ac4 , < dec123825c1ed74d98fd5fc7571a851dea4f46ff (git) |
| Linux | Linux | Affected: 0ba959774e93911caff596de6391f085fb640ac4 , < 721599e837d3f4c0e6cc14da059612c017b6d3ec (git) |
| Linux | Linux | Affected: 0ba959774e93911caff596de6391f085fb640ac4 , < dceb5a843910004cb118148e267036104fc3ee43 (git) |
| Linux | Linux | Affected: 0ba959774e93911caff596de6391f085fb640ac4 , < f150e753cb8dd756085f46e86f2c35ce472e0a3c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md-cluster.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1",
"status": "affected",
"version": "0ba959774e93911caff596de6391f085fb640ac4",
"versionType": "git"
},
{
"lessThan": "dec123825c1ed74d98fd5fc7571a851dea4f46ff",
"status": "affected",
"version": "0ba959774e93911caff596de6391f085fb640ac4",
"versionType": "git"
},
{
"lessThan": "721599e837d3f4c0e6cc14da059612c017b6d3ec",
"status": "affected",
"version": "0ba959774e93911caff596de6391f085fb640ac4",
"versionType": "git"
},
{
"lessThan": "dceb5a843910004cb118148e267036104fc3ee43",
"status": "affected",
"version": "0ba959774e93911caff596de6391f085fb640ac4",
"versionType": "git"
},
{
"lessThan": "f150e753cb8dd756085f46e86f2c35ce472e0a3c",
"status": "affected",
"version": "0ba959774e93911caff596de6391f085fb640ac4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md-cluster.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-cluster: fix NULL pointer dereference in process_metadata_update\n\nThe function process_metadata_update() blindly dereferences the \u0027thread\u0027\npointer (acquired via rcu_dereference_protected) within the wait_event()\nmacro.\n\nWhile the code comment states \"daemon thread must exist\", there is a valid\nrace condition window during the MD array startup sequence (md_run):\n\n1. bitmap_load() is called, which invokes md_cluster_ops-\u003ejoin().\n2. join() starts the \"cluster_recv\" thread (recv_daemon).\n3. At this point, recv_daemon is active and processing messages.\n4. However, mddev-\u003ethread (the main MD thread) is not initialized until\n later in md_run().\n\nIf a METADATA_UPDATED message is received from a remote node during this\nspecific window, process_metadata_update() will be called while\nmddev-\u003ethread is still NULL, leading to a kernel panic.\n\nTo fix this, we must validate the \u0027thread\u0027 pointer. If it is NULL, we\nrelease the held lock (no_new_dev_lockres) and return early, safely\nignoring the update request as the array is not yet fully ready to\nprocess it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:17.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1"
},
{
"url": "https://git.kernel.org/stable/c/dec123825c1ed74d98fd5fc7571a851dea4f46ff"
},
{
"url": "https://git.kernel.org/stable/c/721599e837d3f4c0e6cc14da059612c017b6d3ec"
},
{
"url": "https://git.kernel.org/stable/c/dceb5a843910004cb118148e267036104fc3ee43"
},
{
"url": "https://git.kernel.org/stable/c/f150e753cb8dd756085f46e86f2c35ce472e0a3c"
}
],
"title": "md-cluster: fix NULL pointer dereference in process_metadata_update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43271",
"datePublished": "2026-05-06T11:28:55.507Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-07T17:15:17.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43270 (GCVE-0-2026-43270)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
In mtk_mdp_probe(), vpu_get_plat_device() increases the reference
count of the returned platform device. Add platform_device_put()
to prevent reference leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a , < 403b7c757ac9f6b2ffb7d00ff4795a245f5e8911 (git) |
| Linux | Linux | Affected: c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a , < dd530e29bd514d7187b3e2df8eb2107419c7988f (git) |
| Linux | Linux | Affected: c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a , < c44beed2e5caf2cbbe651432baa3a129f18b0169 (git) |
| Linux | Linux | Affected: c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a , < 564fd3a63efc3ebbdb5d0a8fc7c0d3f753fbbd5d (git) |
| Linux | Linux | Affected: c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a , < 4f2a51433a3a65d16975d1e32052d80656da077d (git) |
| Linux | Linux | Affected: c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a , < a62ba5aa9ee95fd953583e95e519badf0b76ecf3 (git) |
| Linux | Linux | Affected: c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a , < 2d93758f42a57f3485534eab858b308e41653de4 (git) |
| Linux | Linux | Affected: c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a , < f128bab57b8018e526b7eda854ca20069863af47 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/mdp/mtk_mdp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "403b7c757ac9f6b2ffb7d00ff4795a245f5e8911",
"status": "affected",
"version": "c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a",
"versionType": "git"
},
{
"lessThan": "dd530e29bd514d7187b3e2df8eb2107419c7988f",
"status": "affected",
"version": "c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a",
"versionType": "git"
},
{
"lessThan": "c44beed2e5caf2cbbe651432baa3a129f18b0169",
"status": "affected",
"version": "c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a",
"versionType": "git"
},
{
"lessThan": "564fd3a63efc3ebbdb5d0a8fc7c0d3f753fbbd5d",
"status": "affected",
"version": "c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a",
"versionType": "git"
},
{
"lessThan": "4f2a51433a3a65d16975d1e32052d80656da077d",
"status": "affected",
"version": "c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a",
"versionType": "git"
},
{
"lessThan": "a62ba5aa9ee95fd953583e95e519badf0b76ecf3",
"status": "affected",
"version": "c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a",
"versionType": "git"
},
{
"lessThan": "2d93758f42a57f3485534eab858b308e41653de4",
"status": "affected",
"version": "c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a",
"versionType": "git"
},
{
"lessThan": "f128bab57b8018e526b7eda854ca20069863af47",
"status": "affected",
"version": "c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/mdp/mtk_mdp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()\n\nIn mtk_mdp_probe(), vpu_get_plat_device() increases the reference\ncount of the returned platform device. Add platform_device_put()\nto prevent reference leak."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:54.866Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/403b7c757ac9f6b2ffb7d00ff4795a245f5e8911"
},
{
"url": "https://git.kernel.org/stable/c/dd530e29bd514d7187b3e2df8eb2107419c7988f"
},
{
"url": "https://git.kernel.org/stable/c/c44beed2e5caf2cbbe651432baa3a129f18b0169"
},
{
"url": "https://git.kernel.org/stable/c/564fd3a63efc3ebbdb5d0a8fc7c0d3f753fbbd5d"
},
{
"url": "https://git.kernel.org/stable/c/4f2a51433a3a65d16975d1e32052d80656da077d"
},
{
"url": "https://git.kernel.org/stable/c/a62ba5aa9ee95fd953583e95e519badf0b76ecf3"
},
{
"url": "https://git.kernel.org/stable/c/2d93758f42a57f3485534eab858b308e41653de4"
},
{
"url": "https://git.kernel.org/stable/c/f128bab57b8018e526b7eda854ca20069863af47"
}
],
"title": "media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43270",
"datePublished": "2026-05-06T11:28:54.866Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-06T11:28:54.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43269 (GCVE-0-2026-43269)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-07 17:15
Title
drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
After several commits, the slab memory increases. Some drm_crtc_commit
objects are not freed. The atomic_destroy_state callback only put the
framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function
to put all the objects that are no longer needed.
It has been seen after hours of usage of a graphics application or using
kmemleak:
unreferenced object 0xc63a6580 (size 64):
comm "egt_basic", pid 171, jiffies 4294940784
hex dump (first 32 bytes):
40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:.
8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:.
backtrace (crc c25aa925):
kmemleak_alloc+0x34/0x3c
__kmalloc_cache_noprof+0x150/0x1a4
drm_atomic_helper_setup_commit+0x1e8/0x7bc
drm_atomic_helper_commit+0x3c/0x15c
drm_atomic_commit+0xc0/0xf4
drm_atomic_helper_set_config+0x84/0xb8
drm_mode_setcrtc+0x32c/0x810
drm_ioctl+0x20c/0x488
sys_ioctl+0x14c/0xc20
ret_fast_syscall+0x0/0x54
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2389fc1305fc1e2cf8b310a75463fefd3058bf48 , < 6d4e91ab97fda64e8cf9c8881cc3b4da026bd849 (git) |
| Linux | Linux | Affected: 2389fc1305fc1e2cf8b310a75463fefd3058bf48 , < 5718d98976ad6b9700e5a6afec67fc47a8a92580 (git) |
| Linux | Linux | Affected: 2389fc1305fc1e2cf8b310a75463fefd3058bf48 , < 57fa3487acfa3467405f8506b94682abd96e7393 (git) |
| Linux | Linux | Affected: 2389fc1305fc1e2cf8b310a75463fefd3058bf48 , < ec40702029b08ee8d5f5b03303d64a10e74a957b (git) |
| Linux | Linux | Affected: 2389fc1305fc1e2cf8b310a75463fefd3058bf48 , < 25e832a7830740e72103eb0b527680a4b64bbcb3 (git) |
| Linux | Linux | Affected: 2389fc1305fc1e2cf8b310a75463fefd3058bf48 , < 082271e364a3205598c2e4e6233a9f49ce7941cf (git) |
| Linux | Linux | Affected: 2389fc1305fc1e2cf8b310a75463fefd3058bf48 , < 3e64e78f4a70e3f6ac8fe5a7071f08ffd25a2489 (git) |
| Linux | Linux | Affected: 2389fc1305fc1e2cf8b310a75463fefd3058bf48 , < f12352471061df83a36edf54bbb16284793284e4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d4e91ab97fda64e8cf9c8881cc3b4da026bd849",
"status": "affected",
"version": "2389fc1305fc1e2cf8b310a75463fefd3058bf48",
"versionType": "git"
},
{
"lessThan": "5718d98976ad6b9700e5a6afec67fc47a8a92580",
"status": "affected",
"version": "2389fc1305fc1e2cf8b310a75463fefd3058bf48",
"versionType": "git"
},
{
"lessThan": "57fa3487acfa3467405f8506b94682abd96e7393",
"status": "affected",
"version": "2389fc1305fc1e2cf8b310a75463fefd3058bf48",
"versionType": "git"
},
{
"lessThan": "ec40702029b08ee8d5f5b03303d64a10e74a957b",
"status": "affected",
"version": "2389fc1305fc1e2cf8b310a75463fefd3058bf48",
"versionType": "git"
},
{
"lessThan": "25e832a7830740e72103eb0b527680a4b64bbcb3",
"status": "affected",
"version": "2389fc1305fc1e2cf8b310a75463fefd3058bf48",
"versionType": "git"
},
{
"lessThan": "082271e364a3205598c2e4e6233a9f49ce7941cf",
"status": "affected",
"version": "2389fc1305fc1e2cf8b310a75463fefd3058bf48",
"versionType": "git"
},
{
"lessThan": "3e64e78f4a70e3f6ac8fe5a7071f08ffd25a2489",
"status": "affected",
"version": "2389fc1305fc1e2cf8b310a75463fefd3058bf48",
"versionType": "git"
},
{
"lessThan": "f12352471061df83a36edf54bbb16284793284e4",
"status": "affected",
"version": "2389fc1305fc1e2cf8b310a75463fefd3058bf48",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback\n\nAfter several commits, the slab memory increases. Some drm_crtc_commit\nobjects are not freed. The atomic_destroy_state callback only put the\nframebuffer. Use the __drm_atomic_helper_plane_destroy_state() function\nto put all the objects that are no longer needed.\n\nIt has been seen after hours of usage of a graphics application or using\nkmemleak:\n\nunreferenced object 0xc63a6580 (size 64):\n comm \"egt_basic\", pid 171, jiffies 4294940784\n hex dump (first 32 bytes):\n 40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:.\n 8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:.\n backtrace (crc c25aa925):\n kmemleak_alloc+0x34/0x3c\n __kmalloc_cache_noprof+0x150/0x1a4\n drm_atomic_helper_setup_commit+0x1e8/0x7bc\n drm_atomic_helper_commit+0x3c/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_atomic_helper_set_config+0x84/0xb8\n drm_mode_setcrtc+0x32c/0x810\n drm_ioctl+0x20c/0x488\n sys_ioctl+0x14c/0xc20\n ret_fast_syscall+0x0/0x54"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:16.762Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d4e91ab97fda64e8cf9c8881cc3b4da026bd849"
},
{
"url": "https://git.kernel.org/stable/c/5718d98976ad6b9700e5a6afec67fc47a8a92580"
},
{
"url": "https://git.kernel.org/stable/c/57fa3487acfa3467405f8506b94682abd96e7393"
},
{
"url": "https://git.kernel.org/stable/c/ec40702029b08ee8d5f5b03303d64a10e74a957b"
},
{
"url": "https://git.kernel.org/stable/c/25e832a7830740e72103eb0b527680a4b64bbcb3"
},
{
"url": "https://git.kernel.org/stable/c/082271e364a3205598c2e4e6233a9f49ce7941cf"
},
{
"url": "https://git.kernel.org/stable/c/3e64e78f4a70e3f6ac8fe5a7071f08ffd25a2489"
},
{
"url": "https://git.kernel.org/stable/c/f12352471061df83a36edf54bbb16284793284e4"
}
],
"title": "drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43269",
"datePublished": "2026-05-06T11:28:54.178Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-07T17:15:16.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43268 (GCVE-0-2026-43268)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-07 17:15
Title
hfsplus: pretend special inodes as regular files
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: pretend special inodes as regular files
Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()")
requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/
S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dcac5582f90b55a267d89769073c5651990b2ec5 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 799c492a619a10322543d13e6d2a6d27335c868c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 676bc99d0b3e356cdfec5d8204518e1aac14ec84 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < de9affb698d5034888314880736925c39d6d048e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d209ebaee93fc5089101d34d1b38a91d7abb03fd (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 67407d6abc9520a8a4661285b3ed294eb73ff6e7 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9353d4ee26dc33f6ada1646e84660f4c59189763 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed8889ca21b6ab37bc1435c4009ce37a79acb9e6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dcac5582f90b55a267d89769073c5651990b2ec5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "799c492a619a10322543d13e6d2a6d27335c868c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "676bc99d0b3e356cdfec5d8204518e1aac14ec84",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de9affb698d5034888314880736925c39d6d048e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d209ebaee93fc5089101d34d1b38a91d7abb03fd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "67407d6abc9520a8a4661285b3ed294eb73ff6e7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9353d4ee26dc33f6ada1646e84660f4c59189763",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed8889ca21b6ab37bc1435c4009ce37a79acb9e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: pretend special inodes as regular files\n\nSince commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\")\nrequires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/\nS_IFIFO/S_IFSOCK type, use S_IFREG for special inodes."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:15.634Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dcac5582f90b55a267d89769073c5651990b2ec5"
},
{
"url": "https://git.kernel.org/stable/c/799c492a619a10322543d13e6d2a6d27335c868c"
},
{
"url": "https://git.kernel.org/stable/c/676bc99d0b3e356cdfec5d8204518e1aac14ec84"
},
{
"url": "https://git.kernel.org/stable/c/de9affb698d5034888314880736925c39d6d048e"
},
{
"url": "https://git.kernel.org/stable/c/d209ebaee93fc5089101d34d1b38a91d7abb03fd"
},
{
"url": "https://git.kernel.org/stable/c/67407d6abc9520a8a4661285b3ed294eb73ff6e7"
},
{
"url": "https://git.kernel.org/stable/c/9353d4ee26dc33f6ada1646e84660f4c59189763"
},
{
"url": "https://git.kernel.org/stable/c/ed8889ca21b6ab37bc1435c4009ce37a79acb9e6"
}
],
"title": "hfsplus: pretend special inodes as regular files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43268",
"datePublished": "2026-05-06T11:28:53.534Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-07T17:15:15.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43267 (GCVE-0-2026-43267)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-07 17:15
Title
wifi: rtw89: fix potential zero beacon interval in beacon tracking
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: fix potential zero beacon interval in beacon tracking
During fuzz testing, it was discovered that bss_conf->beacon_int
might be zero, which could result in a division by zero error in
subsequent calculations. Set a default value of 100 TU if the
interval is zero to ensure stability.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d360551f265e3c942ce06cd6f4d2f7f67741bcbd , < 1260bee01493126cf9c872b6ca2af261173baa6d (git) |
| Linux | Linux | Affected: d360551f265e3c942ce06cd6f4d2f7f67741bcbd , < e00c9a4ec84c0bb067833b34202f457badbbc1c1 (git) |
| Linux | Linux | Affected: d360551f265e3c942ce06cd6f4d2f7f67741bcbd , < eb57be32f438c57c88d6ce756101c1dfbcc03bba (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1260bee01493126cf9c872b6ca2af261173baa6d",
"status": "affected",
"version": "d360551f265e3c942ce06cd6f4d2f7f67741bcbd",
"versionType": "git"
},
{
"lessThan": "e00c9a4ec84c0bb067833b34202f457badbbc1c1",
"status": "affected",
"version": "d360551f265e3c942ce06cd6f4d2f7f67741bcbd",
"versionType": "git"
},
{
"lessThan": "eb57be32f438c57c88d6ce756101c1dfbcc03bba",
"status": "affected",
"version": "d360551f265e3c942ce06cd6f4d2f7f67741bcbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix potential zero beacon interval in beacon tracking\n\nDuring fuzz testing, it was discovered that bss_conf-\u003ebeacon_int\nmight be zero, which could result in a division by zero error in\nsubsequent calculations. Set a default value of 100 TU if the\ninterval is zero to ensure stability."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:14.362Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1260bee01493126cf9c872b6ca2af261173baa6d"
},
{
"url": "https://git.kernel.org/stable/c/e00c9a4ec84c0bb067833b34202f457badbbc1c1"
},
{
"url": "https://git.kernel.org/stable/c/eb57be32f438c57c88d6ce756101c1dfbcc03bba"
}
],
"title": "wifi: rtw89: fix potential zero beacon interval in beacon tracking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43267",
"datePublished": "2026-05-06T11:28:52.887Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-07T17:15:14.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43266 (GCVE-0-2026-43266)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-07 17:15
Title
EFI/CPER: don't go past the ARM processor CPER record buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
EFI/CPER: don't go past the ARM processor CPER record buffer
GHES/CPER has logic to detect a section_length that is too small,
but it does not detect one that is too big.
Currently, if the firmware receives an ARM processor CPER record
stating that a section length is big, the kernel will blindly trust
section_length, producing a very long dump. For instance, a 67-byte
record with ERR_INFO_NUM set to 46198 and section length
set to 854918320 would dump a lot of data, going way past the
firmware memory-mapped area.
Fix it by adding logic that prevents it from going past the buffer
if ERR_INFO_NUM is too big, making it report instead:
[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
[Hardware Error]: event severity: recoverable
[Hardware Error]: Error 0, type: recoverable
[Hardware Error]: section_type: ARM processor error
[Hardware Error]: MIDR: 0xff304b2f8476870a
[Hardware Error]: section length: 854918320, CPER size: 67
[Hardware Error]: section length is too big
[Hardware Error]: firmware-generated error record is incorrect
[Hardware Error]: ERR_INFO_NUM is 46198
[ rjw: Subject and changelog tweaks ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2f74f09bce4f8d0236f20174a6daae63e10fe733 , < c80113dcfc807308f5ab33847fae77e07531aeb8 (git) |
| Linux | Linux | Affected: 2f74f09bce4f8d0236f20174a6daae63e10fe733 , < ca2aad8771aa9091bc9e42e7d546bd40b72ddcd4 (git) |
| Linux | Linux | Affected: 2f74f09bce4f8d0236f20174a6daae63e10fe733 , < a68d22902a6916e10ee235fee609239004e129d0 (git) |
| Linux | Linux | Affected: 2f74f09bce4f8d0236f20174a6daae63e10fe733 , < 64eb63f573f497553e1a0c388bbcdd639e0f0704 (git) |
| Linux | Linux | Affected: 2f74f09bce4f8d0236f20174a6daae63e10fe733 , < be10c1bdf64a39832998f54900aa309b3917abcf (git) |
| Linux | Linux | Affected: 2f74f09bce4f8d0236f20174a6daae63e10fe733 , < 25b290624b0e3d2f0f90238709ee0b6009b9fde8 (git) |
| Linux | Linux | Affected: 2f74f09bce4f8d0236f20174a6daae63e10fe733 , < 45766863baf899059e75595dd3cb1116467f2095 (git) |
| Linux | Linux | Affected: 2f74f09bce4f8d0236f20174a6daae63e10fe733 , < eae21beecb95a3b69ee5c38a659f774e171d730e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/cper-arm.c",
"drivers/firmware/efi/cper.c",
"include/linux/cper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c80113dcfc807308f5ab33847fae77e07531aeb8",
"status": "affected",
"version": "2f74f09bce4f8d0236f20174a6daae63e10fe733",
"versionType": "git"
},
{
"lessThan": "ca2aad8771aa9091bc9e42e7d546bd40b72ddcd4",
"status": "affected",
"version": "2f74f09bce4f8d0236f20174a6daae63e10fe733",
"versionType": "git"
},
{
"lessThan": "a68d22902a6916e10ee235fee609239004e129d0",
"status": "affected",
"version": "2f74f09bce4f8d0236f20174a6daae63e10fe733",
"versionType": "git"
},
{
"lessThan": "64eb63f573f497553e1a0c388bbcdd639e0f0704",
"status": "affected",
"version": "2f74f09bce4f8d0236f20174a6daae63e10fe733",
"versionType": "git"
},
{
"lessThan": "be10c1bdf64a39832998f54900aa309b3917abcf",
"status": "affected",
"version": "2f74f09bce4f8d0236f20174a6daae63e10fe733",
"versionType": "git"
},
{
"lessThan": "25b290624b0e3d2f0f90238709ee0b6009b9fde8",
"status": "affected",
"version": "2f74f09bce4f8d0236f20174a6daae63e10fe733",
"versionType": "git"
},
{
"lessThan": "45766863baf899059e75595dd3cb1116467f2095",
"status": "affected",
"version": "2f74f09bce4f8d0236f20174a6daae63e10fe733",
"versionType": "git"
},
{
"lessThan": "eae21beecb95a3b69ee5c38a659f774e171d730e",
"status": "affected",
"version": "2f74f09bce4f8d0236f20174a6daae63e10fe733",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/cper-arm.c",
"drivers/firmware/efi/cper.c",
"include/linux/cper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEFI/CPER: don\u0027t go past the ARM processor CPER record buffer\n\nThere\u0027s a logic inside GHES/CPER to detect if the section_length\nis too small, but it doesn\u0027t detect if it is too big.\n\nCurrently, if the firmware receives an ARM processor CPER record\nstating that a section length is big, kernel will blindly trust\nsection_length, producing a very long dump. For instance, a 67\nbytes record with ERR_INFO_NUM set 46198 and section length\nset to 854918320 would dump a lot of data going a way past the\nfirmware memory-mapped area.\n\nFix it by adding a logic to prevent it to go past the buffer\nif ERR_INFO_NUM is too big, making it report instead:\n\n\t[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1\n\t[Hardware Error]: event severity: recoverable\n\t[Hardware Error]: Error 0, type: recoverable\n\t[Hardware Error]: section_type: ARM processor error\n\t[Hardware Error]: MIDR: 0xff304b2f8476870a\n\t[Hardware Error]: section length: 854918320, CPER size: 67\n\t[Hardware Error]: section length is too big\n\t[Hardware Error]: firmware-generated error record is incorrect\n\t[Hardware Error]: ERR_INFO_NUM is 46198\n\n[ rjw: Subject and changelog tweaks ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:13.111Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c80113dcfc807308f5ab33847fae77e07531aeb8"
},
{
"url": "https://git.kernel.org/stable/c/ca2aad8771aa9091bc9e42e7d546bd40b72ddcd4"
},
{
"url": "https://git.kernel.org/stable/c/a68d22902a6916e10ee235fee609239004e129d0"
},
{
"url": "https://git.kernel.org/stable/c/64eb63f573f497553e1a0c388bbcdd639e0f0704"
},
{
"url": "https://git.kernel.org/stable/c/be10c1bdf64a39832998f54900aa309b3917abcf"
},
{
"url": "https://git.kernel.org/stable/c/25b290624b0e3d2f0f90238709ee0b6009b9fde8"
},
{
"url": "https://git.kernel.org/stable/c/45766863baf899059e75595dd3cb1116467f2095"
},
{
"url": "https://git.kernel.org/stable/c/eae21beecb95a3b69ee5c38a659f774e171d730e"
}
],
"title": "EFI/CPER: don\u0027t go past the ARM processor CPER record buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43266",
"datePublished": "2026-05-06T11:28:52.238Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-07T17:15:13.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43265 (GCVE-0-2026-43265)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
Ignore -EBUSY when checking nested events after exiting a blocking state
while L2 is active, as exiting to userspace will generate a spurious
userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's
demise. Continuing with the wakeup isn't perfect either, as *something*
has gone sideways if a vCPU is awakened in L2 with an injected event (or
worse, a nested run pending), but continuing on gives the VM a decent
chance of surviving without any major side effects.
As explained in the Fixes commits, it _should_ be impossible for a vCPU to
be put into a blocking state with an already-injected event (exception,
IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected
events, and thus put the vCPU into what should be an impossible state.
Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller
Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be
violating x86 architecture, e.g. by WARNing if KVM attempts to inject an
exception or interrupt while the vCPU isn't running.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 26844fee6adee9b1557d2279b0506285de9ee82b , < 78265cd066d73a5cb41c088fcae4a2515e480d97 (git) |
| Linux | Linux | Affected: 26844fee6adee9b1557d2279b0506285de9ee82b , < ec3be7dc9391085a2d96700e159d66d1328b7ff6 (git) |
| Linux | Linux | Affected: 26844fee6adee9b1557d2279b0506285de9ee82b , < 2657439265d34a911886b916ba8be97ecc117d51 (git) |
| Linux | Linux | Affected: 26844fee6adee9b1557d2279b0506285de9ee82b , < 1e88b5f854bdb469424132e0bb44793ad7a7c20a (git) |
| Linux | Linux | Affected: 26844fee6adee9b1557d2279b0506285de9ee82b , < 1c957773063ed3264953597e32990a748381caf6 (git) |
| Linux | Linux | Affected: 26844fee6adee9b1557d2279b0506285de9ee82b , < ead63640d4e72e6f6d464f4e31f7fecb79af8869 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78265cd066d73a5cb41c088fcae4a2515e480d97",
"status": "affected",
"version": "26844fee6adee9b1557d2279b0506285de9ee82b",
"versionType": "git"
},
{
"lessThan": "ec3be7dc9391085a2d96700e159d66d1328b7ff6",
"status": "affected",
"version": "26844fee6adee9b1557d2279b0506285de9ee82b",
"versionType": "git"
},
{
"lessThan": "2657439265d34a911886b916ba8be97ecc117d51",
"status": "affected",
"version": "26844fee6adee9b1557d2279b0506285de9ee82b",
"versionType": "git"
},
{
"lessThan": "1e88b5f854bdb469424132e0bb44793ad7a7c20a",
"status": "affected",
"version": "26844fee6adee9b1557d2279b0506285de9ee82b",
"versionType": "git"
},
{
"lessThan": "1c957773063ed3264953597e32990a748381caf6",
"status": "affected",
"version": "26844fee6adee9b1557d2279b0506285de9ee82b",
"versionType": "git"
},
{
"lessThan": "ead63640d4e72e6f6d464f4e31f7fecb79af8869",
"status": "affected",
"version": "26844fee6adee9b1557d2279b0506285de9ee82b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()\n\nIgnore -EBUSY when checking nested events after exiting a blocking state\nwhile L2 is active, as exiting to userspace will generate a spurious\nuserspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM\u0027s\ndemise. Continuing with the wakeup isn\u0027t perfect either, as *something*\nhas gone sideways if a vCPU is awakened in L2 with an injected event (or\nworse, a nested run pending), but continuing on gives the VM a decent\nchance of surviving without any major side effects.\n\nAs explained in the Fixes commits, it _should_ be impossible for a vCPU to\nbe put into a blocking state with an already-injected event (exception,\nIRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected\nevents, and thus put the vCPU into what should be an impossible state.\n\nDon\u0027t bother trying to preserve the WARN, e.g. with an anti-syzkaller\nKconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be\nviolating x86 architecture, e.g. by WARNing if KVM attempts to inject an\nexception or interrupt while the vCPU isn\u0027t running."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:51.552Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78265cd066d73a5cb41c088fcae4a2515e480d97"
},
{
"url": "https://git.kernel.org/stable/c/ec3be7dc9391085a2d96700e159d66d1328b7ff6"
},
{
"url": "https://git.kernel.org/stable/c/2657439265d34a911886b916ba8be97ecc117d51"
},
{
"url": "https://git.kernel.org/stable/c/1e88b5f854bdb469424132e0bb44793ad7a7c20a"
},
{
"url": "https://git.kernel.org/stable/c/1c957773063ed3264953597e32990a748381caf6"
},
{
"url": "https://git.kernel.org/stable/c/ead63640d4e72e6f6d464f4e31f7fecb79af8869"
}
],
"title": "KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43265",
"datePublished": "2026-05-06T11:28:51.552Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-06T11:28:51.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43264 (GCVE-0-2026-43264)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
of_parse_phandle() returns a device_node with refcount incremented,
which is stored in 'entry' and then copied to 'native_mode'. When the
error paths at lines 184 or 192 jump to 'entryfail', native_mode's
refcount is not decremented, causing a refcount leak.
Fix this by changing the goto target from 'entryfail' to 'timingfail',
which properly calls of_node_put(native_mode) before cleanup.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cc3f414cf2e404130584b63d373161ba6fd24bc2 , < 20881ad42e651c69d89eb38a2042838187900fd6 (git) |
| Linux | Linux | Affected: cc3f414cf2e404130584b63d373161ba6fd24bc2 , < b5bdcc5afbff845834d04d651773cb6b47db5dd3 (git) |
| Linux | Linux | Affected: cc3f414cf2e404130584b63d373161ba6fd24bc2 , < 2b22e4fe1273c24f405ed7903349c4bbd82b6368 (git) |
| Linux | Linux | Affected: cc3f414cf2e404130584b63d373161ba6fd24bc2 , < 3ed019654234edb8625c05d05e15d40f74e64f70 (git) |
| Linux | Linux | Affected: cc3f414cf2e404130584b63d373161ba6fd24bc2 , < d6f34bbff07476c6abb8672c89d217824871c5ed (git) |
| Linux | Linux | Affected: cc3f414cf2e404130584b63d373161ba6fd24bc2 , < 69290f2d3999c5fa1a7f5d5593cfc5461fa3ee64 (git) |
| Linux | Linux | Affected: cc3f414cf2e404130584b63d373161ba6fd24bc2 , < c5734f9030a8b1e13868d1641b5163d8e659306e (git) |
| Linux | Linux | Affected: cc3f414cf2e404130584b63d373161ba6fd24bc2 , < eacf9840ae1285a1ef47eb0ce16d786e542bd4d7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/of_display_timing.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20881ad42e651c69d89eb38a2042838187900fd6",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "b5bdcc5afbff845834d04d651773cb6b47db5dd3",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "2b22e4fe1273c24f405ed7903349c4bbd82b6368",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "3ed019654234edb8625c05d05e15d40f74e64f70",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "d6f34bbff07476c6abb8672c89d217824871c5ed",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "69290f2d3999c5fa1a7f5d5593cfc5461fa3ee64",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "c5734f9030a8b1e13868d1641b5163d8e659306e",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
},
{
"lessThan": "eacf9840ae1285a1ef47eb0ce16d786e542bd4d7",
"status": "affected",
"version": "cc3f414cf2e404130584b63d373161ba6fd24bc2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/of_display_timing.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: of: display_timing: fix refcount leak in of_get_display_timings()\n\nof_parse_phandle() returns a device_node with refcount incremented,\nwhich is stored in \u0027entry\u0027 and then copied to \u0027native_mode\u0027. When the\nerror paths at lines 184 or 192 jump to \u0027entryfail\u0027, native_mode\u0027s\nrefcount is not decremented, causing a refcount leak.\n\nFix this by changing the goto target from \u0027entryfail\u0027 to \u0027timingfail\u0027,\nwhich properly calls of_node_put(native_mode) before cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:50.867Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20881ad42e651c69d89eb38a2042838187900fd6"
},
{
"url": "https://git.kernel.org/stable/c/b5bdcc5afbff845834d04d651773cb6b47db5dd3"
},
{
"url": "https://git.kernel.org/stable/c/2b22e4fe1273c24f405ed7903349c4bbd82b6368"
},
{
"url": "https://git.kernel.org/stable/c/3ed019654234edb8625c05d05e15d40f74e64f70"
},
{
"url": "https://git.kernel.org/stable/c/d6f34bbff07476c6abb8672c89d217824871c5ed"
},
{
"url": "https://git.kernel.org/stable/c/69290f2d3999c5fa1a7f5d5593cfc5461fa3ee64"
},
{
"url": "https://git.kernel.org/stable/c/c5734f9030a8b1e13868d1641b5163d8e659306e"
},
{
"url": "https://git.kernel.org/stable/c/eacf9840ae1285a1ef47eb0ce16d786e542bd4d7"
}
],
"title": "fbdev: of: display_timing: fix refcount leak in of_get_display_timings()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43264",
"datePublished": "2026-05-06T11:28:50.867Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-06T11:28:50.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43263 (GCVE-0-2026-43263)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-08 12:41
Title
media: chips-media: wave5: Fix Null reference while testing fluster
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix Null reference while testing fluster
When multiple instances are created and destroyed, many interrupts happen
and the decoder's structures are removed.
"struct vpu_instance" is shared by all flows in the decoder,
so if the structure is not protected by a lock, a NULL dereference
can sometimes occur.
The IRQ handler was split into two phases and a lock was added as well.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < ea316b784fe6a61b29131c98cddb24e651b1dcbc (git) |
| Linux | Linux | Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < d12bcf183ec7da4305d848068d15f18044eaf62a (git) |
| Linux | Linux | Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < e66ff2b08e4ee1c4d3b84f24818e5bcc178cc3a4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/wave5/wave5-helper.c",
"drivers/media/platform/chips-media/wave5/wave5-helper.h",
"drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c",
"drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c",
"drivers/media/platform/chips-media/wave5/wave5-vpu.c",
"drivers/media/platform/chips-media/wave5/wave5-vpuapi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea316b784fe6a61b29131c98cddb24e651b1dcbc",
"status": "affected",
"version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
"versionType": "git"
},
{
"lessThan": "d12bcf183ec7da4305d848068d15f18044eaf62a",
"status": "affected",
"version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
"versionType": "git"
},
{
"lessThan": "e66ff2b08e4ee1c4d3b84f24818e5bcc178cc3a4",
"status": "affected",
"version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/wave5/wave5-helper.c",
"drivers/media/platform/chips-media/wave5/wave5-helper.h",
"drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c",
"drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c",
"drivers/media/platform/chips-media/wave5/wave5-vpu.c",
"drivers/media/platform/chips-media/wave5/wave5-vpuapi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix Null reference while testing fluster\n\nWhen multi instances are created/destroyed, many interrupts happens\nand structures for decoder are removed.\n\"struct vpu_instance\" this structure is shared for all flow in the decoder,\nso if the structure is not protected by lock, Null dereference\ncould happens sometimes.\nIRQ Handler was spilt to two phases and Lock was added as well."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T12:41:40.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea316b784fe6a61b29131c98cddb24e651b1dcbc"
},
{
"url": "https://git.kernel.org/stable/c/d12bcf183ec7da4305d848068d15f18044eaf62a"
},
{
"url": "https://git.kernel.org/stable/c/e66ff2b08e4ee1c4d3b84f24818e5bcc178cc3a4"
}
],
"title": "media: chips-media: wave5: Fix Null reference while testing fluster",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43263",
"datePublished": "2026-05-06T11:28:50.188Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-08T12:41:40.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43262 (GCVE-0-2026-43262)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-07 17:15
Title
gfs2: fiemap page fault fix
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: fiemap page fault fix
In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode
glock. This can lead to recursive glock taking if the fiemap buffer is
memory mapped to the same inode and accessing it triggers a page fault.
Fix by disabling page faults for iomap_fiemap() and faulting in the
buffer by hand if necessary.
Fixes xfstest generic/742.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e9079cce201784632aed4b1a3121ee38c1ced0b6 , < 5d5d9ec957bfa1eb2b05861c19f5d701dd006db7 (git)<br>Affected: e9079cce201784632aed4b1a3121ee38c1ced0b6 , < cead3bebf3e318578b8a86a5472015d713d2a8a8 (git)<br>Affected: e9079cce201784632aed4b1a3121ee38c1ced0b6 , < e428670cfb2993d8c224effd076242ca6b0950de (git)<br>Affected: e9079cce201784632aed4b1a3121ee38c1ced0b6 , < 5d2c4f182ea8516de8682e2b60411c03df00e3ea (git)<br>Affected: e9079cce201784632aed4b1a3121ee38c1ced0b6 , < 2e121c53b581e40397ae08090a7af4ed10781fbc (git)<br>Affected: e9079cce201784632aed4b1a3121ee38c1ced0b6 , < 9d15fee888f0e8938c9aeed71ec9c2cbba0c88ab (git)<br>Affected: e9079cce201784632aed4b1a3121ee38c1ced0b6 , < e411d74cc5ba290f85d0dd5e4d1df8f1d6d975d2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d5d9ec957bfa1eb2b05861c19f5d701dd006db7",
"status": "affected",
"version": "e9079cce201784632aed4b1a3121ee38c1ced0b6",
"versionType": "git"
},
{
"lessThan": "cead3bebf3e318578b8a86a5472015d713d2a8a8",
"status": "affected",
"version": "e9079cce201784632aed4b1a3121ee38c1ced0b6",
"versionType": "git"
},
{
"lessThan": "e428670cfb2993d8c224effd076242ca6b0950de",
"status": "affected",
"version": "e9079cce201784632aed4b1a3121ee38c1ced0b6",
"versionType": "git"
},
{
"lessThan": "5d2c4f182ea8516de8682e2b60411c03df00e3ea",
"status": "affected",
"version": "e9079cce201784632aed4b1a3121ee38c1ced0b6",
"versionType": "git"
},
{
"lessThan": "2e121c53b581e40397ae08090a7af4ed10781fbc",
"status": "affected",
"version": "e9079cce201784632aed4b1a3121ee38c1ced0b6",
"versionType": "git"
},
{
"lessThan": "9d15fee888f0e8938c9aeed71ec9c2cbba0c88ab",
"status": "affected",
"version": "e9079cce201784632aed4b1a3121ee38c1ced0b6",
"versionType": "git"
},
{
"lessThan": "e411d74cc5ba290f85d0dd5e4d1df8f1d6d975d2",
"status": "affected",
"version": "e9079cce201784632aed4b1a3121ee38c1ced0b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fiemap page fault fix\n\nIn gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode\nglock. This can lead to recursive glock taking if the fiemap buffer is\nmemory mapped to the same inode and accessing it triggers a page fault.\n\nFix by disabling page faults for iomap_fiemap() and faulting in the\nbuffer by hand if necessary.\n\nFixes xfstest generic/742."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:11.973Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d5d9ec957bfa1eb2b05861c19f5d701dd006db7"
},
{
"url": "https://git.kernel.org/stable/c/cead3bebf3e318578b8a86a5472015d713d2a8a8"
},
{
"url": "https://git.kernel.org/stable/c/e428670cfb2993d8c224effd076242ca6b0950de"
},
{
"url": "https://git.kernel.org/stable/c/5d2c4f182ea8516de8682e2b60411c03df00e3ea"
},
{
"url": "https://git.kernel.org/stable/c/2e121c53b581e40397ae08090a7af4ed10781fbc"
},
{
"url": "https://git.kernel.org/stable/c/9d15fee888f0e8938c9aeed71ec9c2cbba0c88ab"
},
{
"url": "https://git.kernel.org/stable/c/e411d74cc5ba290f85d0dd5e4d1df8f1d6d975d2"
}
],
"title": "gfs2: fiemap page fault fix",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43262",
"datePublished": "2026-05-06T11:28:49.480Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-07T17:15:11.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43261 (GCVE-0-2026-43261)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-07 17:15
Title
arm64: Add support for TSV110 Spectre-BHB mitigation
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: Add support for TSV110 Spectre-BHB mitigation
The TSV110 processor is vulnerable to the Spectre-BHB (Branch History
Buffer) attack, which can be exploited to leak information through
branch prediction side channels. This commit adds the MIDR of TSV110
to the list for software mitigation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e192c8baa69ac8a5585d61ac535aa1e5eb795e80 , < 598c11dd4f4a9de31d854fcb9702f54c1c70f0d0 (git)<br>Affected: 4bbfd0c280254b273c564767021bb9b0f945148e , < a8d0ad5d990b050a6db74218a34b5529085e16b8 (git)<br>Affected: 558c303c9734af5a813739cd284879227f7297d2 , < cccf96c49f61e47d9332d6a4d1c7fe9a2df44440 (git)<br>Affected: 558c303c9734af5a813739cd284879227f7297d2 , < fd7e360845d331f542854d552469544182e61134 (git)<br>Affected: 558c303c9734af5a813739cd284879227f7297d2 , < 5dbe1f14359735fa50ba0dd4a496125b5bc7f422 (git)<br>Affected: 558c303c9734af5a813739cd284879227f7297d2 , < fd51d47fcacec3ca027eb65d8c44853d3b6cea95 (git)<br>Affected: 558c303c9734af5a813739cd284879227f7297d2 , < ad0c356cae164ed5dbd1f4cfd438e46faa5292cb (git)<br>Affected: 558c303c9734af5a813739cd284879227f7297d2 , < e3baa5d4b361276efeb87b20d8beced451a7dbd5 (git)<br>Affected: 4dd8aae585a51a1d276911fe19096ad90144e9fe (git)<br>Affected: 3e3904125fccd042fda24294624e8f66699fd06d (git)<br>Affected: c20d551744797000c4af993f7d59ef8c69732949 (git)<br>Affected: 9013fd4bc958b33c3b4d5a2eaf4ded9857600395 (git)<br>Affected: 0b2bf1b37b5ebd90e69e30d8c2d6e1cd0c1f37b4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/proton-pack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "598c11dd4f4a9de31d854fcb9702f54c1c70f0d0",
"status": "affected",
"version": "e192c8baa69ac8a5585d61ac535aa1e5eb795e80",
"versionType": "git"
},
{
"lessThan": "a8d0ad5d990b050a6db74218a34b5529085e16b8",
"status": "affected",
"version": "4bbfd0c280254b273c564767021bb9b0f945148e",
"versionType": "git"
},
{
"lessThan": "cccf96c49f61e47d9332d6a4d1c7fe9a2df44440",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "fd7e360845d331f542854d552469544182e61134",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "5dbe1f14359735fa50ba0dd4a496125b5bc7f422",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "fd51d47fcacec3ca027eb65d8c44853d3b6cea95",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "ad0c356cae164ed5dbd1f4cfd438e46faa5292cb",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"lessThan": "e3baa5d4b361276efeb87b20d8beced451a7dbd5",
"status": "affected",
"version": "558c303c9734af5a813739cd284879227f7297d2",
"versionType": "git"
},
{
"status": "affected",
"version": "4dd8aae585a51a1d276911fe19096ad90144e9fe",
"versionType": "git"
},
{
"status": "affected",
"version": "3e3904125fccd042fda24294624e8f66699fd06d",
"versionType": "git"
},
{
"status": "affected",
"version": "c20d551744797000c4af993f7d59ef8c69732949",
"versionType": "git"
},
{
"status": "affected",
"version": "9013fd4bc958b33c3b4d5a2eaf4ded9857600395",
"versionType": "git"
},
{
"status": "affected",
"version": "0b2bf1b37b5ebd90e69e30d8c2d6e1cd0c1f37b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/proton-pack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.10.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.310",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.275",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.236",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Add support for TSV110 Spectre-BHB mitigation\n\nThe TSV110 processor is vulnerable to the Spectre-BHB (Branch History\nBuffer) attack, which can be exploited to leak information through\nbranch prediction side channels. This commit adds the MIDR of TSV110\nto the list for software mitigation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T17:15:10.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/598c11dd4f4a9de31d854fcb9702f54c1c70f0d0"
},
{
"url": "https://git.kernel.org/stable/c/a8d0ad5d990b050a6db74218a34b5529085e16b8"
},
{
"url": "https://git.kernel.org/stable/c/cccf96c49f61e47d9332d6a4d1c7fe9a2df44440"
},
{
"url": "https://git.kernel.org/stable/c/fd7e360845d331f542854d552469544182e61134"
},
{
"url": "https://git.kernel.org/stable/c/5dbe1f14359735fa50ba0dd4a496125b5bc7f422"
},
{
"url": "https://git.kernel.org/stable/c/fd51d47fcacec3ca027eb65d8c44853d3b6cea95"
},
{
"url": "https://git.kernel.org/stable/c/ad0c356cae164ed5dbd1f4cfd438e46faa5292cb"
},
{
"url": "https://git.kernel.org/stable/c/e3baa5d4b361276efeb87b20d8beced451a7dbd5"
}
],
"title": "arm64: Add support for TSV110 Spectre-BHB mitigation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43261",
"datePublished": "2026-05-06T11:28:48.823Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-07T17:15:10.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43260 (GCVE-0-2026-43260)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
bnxt_en: Fix RSS context delete logic
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix RSS context delete logic
We need to free the corresponding RSS context VNIC
in FW every time an RSS context is deleted in the driver.
Commit 667ac333dbb7 added a check to delete the VNIC
in FW only when netif_running() is true to help delete
RSS contexts with interface down.
Having that condition will make the driver leak VNICs
in FW whenever close() happens with active RSS contexts.
On the subsequent open(), as part of RSS context restoration,
we will end up trying to create extra VNICs for which we
did not make any reservation. FW can fail this request,
thereby making us lose active RSS contexts.
Suppose an RSS context is deleted already and we try to
process a delete request again, then the HWRM functions
will check for validity of the request and they simply
return if the resource is already freed. So, even for
delete-when-down cases, netif_running() check is not
necessary.
Remove the netif_running() condition check when deleting
an RSS context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 667ac333dbb7e265b3f5bc4bc94e236f64682c86 , < 348a5f8d06c7bdf954e13c17ad5f80b59a075604 (git)<br>Affected: 667ac333dbb7e265b3f5bc4bc94e236f64682c86 , < 079986d6db1f8e3d50c55f400cf998ac9690d2c8 (git)<br>Affected: 667ac333dbb7e265b3f5bc4bc94e236f64682c86 , < 9a9b89eea4a9cc7726702946ff688d716962fabd (git)<br>Affected: 667ac333dbb7e265b3f5bc4bc94e236f64682c86 , < e123d9302d223767bd910bfbcfe607bae909f8ac (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "348a5f8d06c7bdf954e13c17ad5f80b59a075604",
"status": "affected",
"version": "667ac333dbb7e265b3f5bc4bc94e236f64682c86",
"versionType": "git"
},
{
"lessThan": "079986d6db1f8e3d50c55f400cf998ac9690d2c8",
"status": "affected",
"version": "667ac333dbb7e265b3f5bc4bc94e236f64682c86",
"versionType": "git"
},
{
"lessThan": "9a9b89eea4a9cc7726702946ff688d716962fabd",
"status": "affected",
"version": "667ac333dbb7e265b3f5bc4bc94e236f64682c86",
"versionType": "git"
},
{
"lessThan": "e123d9302d223767bd910bfbcfe607bae909f8ac",
"status": "affected",
"version": "667ac333dbb7e265b3f5bc4bc94e236f64682c86",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix RSS context delete logic\n\nWe need to free the corresponding RSS context VNIC\nin FW everytime an RSS context is deleted in driver.\nCommit 667ac333dbb7 added a check to delete the VNIC\nin FW only when netif_running() is true to help delete\nRSS contexts with interface down.\n\nHaving that condition will make the driver leak VNICs\nin FW whenever close() happens with active RSS contexts.\nOn the subsequent open(), as part of RSS context restoration,\nwe will end up trying to create extra VNICs for which we\ndid not make any reservation. FW can fail this request,\nthereby making us lose active RSS contexts.\n\nSuppose an RSS context is deleted already and we try to\nprocess a delete request again, then the HWRM functions\nwill check for validity of the request and they simply\nreturn if the resource is already freed. So, even for\ndelete-when-down cases, netif_running() check is not\nnecessary.\n\nRemove the netif_running() condition check when deleting\nan RSS context."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:48.113Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/348a5f8d06c7bdf954e13c17ad5f80b59a075604"
},
{
"url": "https://git.kernel.org/stable/c/079986d6db1f8e3d50c55f400cf998ac9690d2c8"
},
{
"url": "https://git.kernel.org/stable/c/9a9b89eea4a9cc7726702946ff688d716962fabd"
},
{
"url": "https://git.kernel.org/stable/c/e123d9302d223767bd910bfbcfe607bae909f8ac"
}
],
"title": "bnxt_en: Fix RSS context delete logic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43260",
"datePublished": "2026-05-06T11:28:48.113Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-06T11:28:48.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43259 (GCVE-0-2026-43259)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
phy: fsl-imx8mq-usb: set platform driver data
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: fsl-imx8mq-usb: set platform driver data
Add missing platform_set_drvdata() as the data will be used in remove().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b58f0f86fd6156d7b084257f5c91ceaf7d760927 , < 42d9509161d0539767ba875f3ef6b4b3c0b425ed (git)<br>Affected: b58f0f86fd6156d7b084257f5c91ceaf7d760927 , < 06db8c06d94858cda4b3870f421a1aeeef617690 (git)<br>Affected: b58f0f86fd6156d7b084257f5c91ceaf7d760927 , < debf8326a435ac746f48173e4742a574810f1ff4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/freescale/phy-fsl-imx8mq-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "42d9509161d0539767ba875f3ef6b4b3c0b425ed",
"status": "affected",
"version": "b58f0f86fd6156d7b084257f5c91ceaf7d760927",
"versionType": "git"
},
{
"lessThan": "06db8c06d94858cda4b3870f421a1aeeef617690",
"status": "affected",
"version": "b58f0f86fd6156d7b084257f5c91ceaf7d760927",
"versionType": "git"
},
{
"lessThan": "debf8326a435ac746f48173e4742a574810f1ff4",
"status": "affected",
"version": "b58f0f86fd6156d7b084257f5c91ceaf7d760927",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/freescale/phy-fsl-imx8mq-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: fsl-imx8mq-usb: set platform driver data\n\nAdd missing platform_set_drvdata() as the data will be used in remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:47.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/42d9509161d0539767ba875f3ef6b4b3c0b425ed"
},
{
"url": "https://git.kernel.org/stable/c/06db8c06d94858cda4b3870f421a1aeeef617690"
},
{
"url": "https://git.kernel.org/stable/c/debf8326a435ac746f48173e4742a574810f1ff4"
}
],
"title": "phy: fsl-imx8mq-usb: set platform driver data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43259",
"datePublished": "2026-05-06T11:28:47.370Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-06T11:28:47.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43231 (GCVE-0-2026-43231)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
media: radio-keene: fix memory leak in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: radio-keene: fix memory leak in error path
Fix a memory leak in usb_keene_probe(). The v4l2 control handler is
initialized and controls are added, but if v4l2_device_register() or
video_register_device() fails afterward, the handler was never freed,
leaking memory.
Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure
the control handler is properly freed for all error paths after it is
initialized.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1bf20c3a0c616f44359c573b533d06bae960ee45 , < ad85bb5623079a35bd400f51de2e2fbc2170bdb2 (git)<br>Affected: 1bf20c3a0c616f44359c573b533d06bae960ee45 , < 242b0aabb1866024a7995a767ac330c158b39aa4 (git)<br>Affected: 1bf20c3a0c616f44359c573b533d06bae960ee45 , < 2fe28a63d598235595a9601e0d8fdc7c8f4fd575 (git)<br>Affected: 1bf20c3a0c616f44359c573b533d06bae960ee45 , < 27c508f61963013fdf29097578284099ee7a85a4 (git)<br>Affected: 1bf20c3a0c616f44359c573b533d06bae960ee45 , < 7fa9754f48cb8eefa566156be341e63d313247e5 (git)<br>Affected: 1bf20c3a0c616f44359c573b533d06bae960ee45 , < 1d8558a232ecb187e8e0328d6347a125f437a0fc (git)<br>Affected: 1bf20c3a0c616f44359c573b533d06bae960ee45 , < de204d87e7d61859937272fe30cbdd46a4cfb10a (git)<br>Affected: 1bf20c3a0c616f44359c573b533d06bae960ee45 , < b8bf939d77c0cd01118e953bbf554e0fa15e9006 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/radio-keene.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad85bb5623079a35bd400f51de2e2fbc2170bdb2",
"status": "affected",
"version": "1bf20c3a0c616f44359c573b533d06bae960ee45",
"versionType": "git"
},
{
"lessThan": "242b0aabb1866024a7995a767ac330c158b39aa4",
"status": "affected",
"version": "1bf20c3a0c616f44359c573b533d06bae960ee45",
"versionType": "git"
},
{
"lessThan": "2fe28a63d598235595a9601e0d8fdc7c8f4fd575",
"status": "affected",
"version": "1bf20c3a0c616f44359c573b533d06bae960ee45",
"versionType": "git"
},
{
"lessThan": "27c508f61963013fdf29097578284099ee7a85a4",
"status": "affected",
"version": "1bf20c3a0c616f44359c573b533d06bae960ee45",
"versionType": "git"
},
{
"lessThan": "7fa9754f48cb8eefa566156be341e63d313247e5",
"status": "affected",
"version": "1bf20c3a0c616f44359c573b533d06bae960ee45",
"versionType": "git"
},
{
"lessThan": "1d8558a232ecb187e8e0328d6347a125f437a0fc",
"status": "affected",
"version": "1bf20c3a0c616f44359c573b533d06bae960ee45",
"versionType": "git"
},
{
"lessThan": "de204d87e7d61859937272fe30cbdd46a4cfb10a",
"status": "affected",
"version": "1bf20c3a0c616f44359c573b533d06bae960ee45",
"versionType": "git"
},
{
"lessThan": "b8bf939d77c0cd01118e953bbf554e0fa15e9006",
"status": "affected",
"version": "1bf20c3a0c616f44359c573b533d06bae960ee45",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/radio-keene.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: radio-keene: fix memory leak in error path\n\nFix a memory leak in usb_keene_probe(). The v4l2 control handler is\ninitialized and controls are added, but if v4l2_device_register() or\nvideo_register_device() fails afterward, the handler was never freed,\nleaking memory.\n\nAdd v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure\nthe control handler is properly freed for all error paths after it is\ninitialized."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:28.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad85bb5623079a35bd400f51de2e2fbc2170bdb2"
},
{
"url": "https://git.kernel.org/stable/c/242b0aabb1866024a7995a767ac330c158b39aa4"
},
{
"url": "https://git.kernel.org/stable/c/2fe28a63d598235595a9601e0d8fdc7c8f4fd575"
},
{
"url": "https://git.kernel.org/stable/c/27c508f61963013fdf29097578284099ee7a85a4"
},
{
"url": "https://git.kernel.org/stable/c/7fa9754f48cb8eefa566156be341e63d313247e5"
},
{
"url": "https://git.kernel.org/stable/c/1d8558a232ecb187e8e0328d6347a125f437a0fc"
},
{
"url": "https://git.kernel.org/stable/c/de204d87e7d61859937272fe30cbdd46a4cfb10a"
},
{
"url": "https://git.kernel.org/stable/c/b8bf939d77c0cd01118e953bbf554e0fa15e9006"
}
],
"title": "media: radio-keene: fix memory leak in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43231",
"datePublished": "2026-05-06T11:28:28.268Z",
"dateReserved": "2026-05-01T14:12:55.995Z",
"dateUpdated": "2026-05-06T11:28:28.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43230 (GCVE-0-2026-43230)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-08 12:41
Title
net/rds: Clear reconnect pending bit
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/rds: Clear reconnect pending bit
When canceling the reconnect worker, care must be taken to reset the
reconnect-pending bit. If the reconnect worker has not yet been
scheduled before it is canceled, the reconnect-pending bit will stay
on forever.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 00e0f34c616603ba6500f41943cbf89eb4a8a5be , < 3cf001aff71b1db1b4732a5381b012a114720664 (git)<br>Affected: 00e0f34c616603ba6500f41943cbf89eb4a8a5be , < 60b347333ec259ac7352f62cbbc365b04c065ff8 (git)<br>Affected: 00e0f34c616603ba6500f41943cbf89eb4a8a5be , < 597c46a42930c963f448720aaf5001dd4ed98af4 (git)<br>Affected: 00e0f34c616603ba6500f41943cbf89eb4a8a5be , < 391200c274e90c34071b909ba12e3390b81b767f (git)<br>Affected: 00e0f34c616603ba6500f41943cbf89eb4a8a5be , < ba2e3472022f44baddf000621fed150d7a599ea3 (git)<br>Affected: 00e0f34c616603ba6500f41943cbf89eb4a8a5be , < 14eae5564053ac3973b9369dc674638f22f4765e (git)<br>Affected: 00e0f34c616603ba6500f41943cbf89eb4a8a5be , < bcf034fa5f66b6a3e787f765a917934a2045cf7a (git)<br>Affected: 00e0f34c616603ba6500f41943cbf89eb4a8a5be , < b89fc7c2523b2b0750d91840f4e52521270d70ed (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rds/connection.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3cf001aff71b1db1b4732a5381b012a114720664",
"status": "affected",
"version": "00e0f34c616603ba6500f41943cbf89eb4a8a5be",
"versionType": "git"
},
{
"lessThan": "60b347333ec259ac7352f62cbbc365b04c065ff8",
"status": "affected",
"version": "00e0f34c616603ba6500f41943cbf89eb4a8a5be",
"versionType": "git"
},
{
"lessThan": "597c46a42930c963f448720aaf5001dd4ed98af4",
"status": "affected",
"version": "00e0f34c616603ba6500f41943cbf89eb4a8a5be",
"versionType": "git"
},
{
"lessThan": "391200c274e90c34071b909ba12e3390b81b767f",
"status": "affected",
"version": "00e0f34c616603ba6500f41943cbf89eb4a8a5be",
"versionType": "git"
},
{
"lessThan": "ba2e3472022f44baddf000621fed150d7a599ea3",
"status": "affected",
"version": "00e0f34c616603ba6500f41943cbf89eb4a8a5be",
"versionType": "git"
},
{
"lessThan": "14eae5564053ac3973b9369dc674638f22f4765e",
"status": "affected",
"version": "00e0f34c616603ba6500f41943cbf89eb4a8a5be",
"versionType": "git"
},
{
"lessThan": "bcf034fa5f66b6a3e787f765a917934a2045cf7a",
"status": "affected",
"version": "00e0f34c616603ba6500f41943cbf89eb4a8a5be",
"versionType": "git"
},
{
"lessThan": "b89fc7c2523b2b0750d91840f4e52521270d70ed",
"status": "affected",
"version": "00e0f34c616603ba6500f41943cbf89eb4a8a5be",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rds/connection.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: Clear reconnect pending bit\n\nWhen canceling the reconnect worker, care must be taken to reset the\nreconnect-pending bit. If the reconnect worker has not yet been\nscheduled before it is canceled, the reconnect-pending bit will stay\non forever."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T12:41:25.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3cf001aff71b1db1b4732a5381b012a114720664"
},
{
"url": "https://git.kernel.org/stable/c/60b347333ec259ac7352f62cbbc365b04c065ff8"
},
{
"url": "https://git.kernel.org/stable/c/597c46a42930c963f448720aaf5001dd4ed98af4"
},
{
"url": "https://git.kernel.org/stable/c/391200c274e90c34071b909ba12e3390b81b767f"
},
{
"url": "https://git.kernel.org/stable/c/ba2e3472022f44baddf000621fed150d7a599ea3"
},
{
"url": "https://git.kernel.org/stable/c/14eae5564053ac3973b9369dc674638f22f4765e"
},
{
"url": "https://git.kernel.org/stable/c/bcf034fa5f66b6a3e787f765a917934a2045cf7a"
},
{
"url": "https://git.kernel.org/stable/c/b89fc7c2523b2b0750d91840f4e52521270d70ed"
}
],
"title": "net/rds: Clear reconnect pending bit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43230",
"datePublished": "2026-05-06T11:28:27.620Z",
"dateReserved": "2026-05-01T14:12:55.994Z",
"dateUpdated": "2026-05-08T12:41:25.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43229 (GCVE-0-2026-43229)
Vulnerability from nvd – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
Title
media: chips-media: wave5: Fix device cleanup order to prevent kernel panic
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix device cleanup order to prevent kernel panic
Move video device unregistration to the beginning of the remove function
to ensure all video operations are stopped before cleaning up the worker
thread and disabling PM runtime. This prevents hardware register access
after the device has been powered down.
In polling mode, the hrtimer periodically triggers
wave5_vpu_timer_callback() which queues work to the kthread worker.
The worker executes wave5_vpu_irq_work_fn() which reads hardware
registers via wave5_vdi_read_register().
The original cleanup order disabled PM runtime and powered down hardware
before unregistering video devices. When autosuspend triggers and powers
off the hardware, the video devices are still registered and the worker
thread can still be triggered by the hrtimer, causing it to attempt
reading registers from powered-off hardware. This results in a bus error
(synchronous external abort) and kernel panic.
This causes random kernel panics during encoding operations:
Internal error: synchronous external abort: 0000000096000010
[#1] PREEMPT SMP
Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...
CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread
Tainted: G M W
pc : wave5_vdi_read_register+0x10/0x38 [wave5]
lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]
Call trace:
wave5_vdi_read_register+0x10/0x38 [wave5]
kthread_worker_fn+0xd8/0x238
kthread+0x104/0x120
ret_from_fork+0x10/0x20
Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: synchronous external abort:
Fatal exception
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < b73d85231d5b1400a4fa5046cdac6c4d7cc6d969 (git)<br>Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < 526816f2e331954d80fed8b37fa94efbbdde2b8d (git)<br>Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f (git)<br>Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < b74cedac643b02aefa7da881b58a3792859d9748 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/wave5/wave5-vpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b73d85231d5b1400a4fa5046cdac6c4d7cc6d969",
"status": "affected",
"version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
"versionType": "git"
},
{
"lessThan": "526816f2e331954d80fed8b37fa94efbbdde2b8d",
"status": "affected",
"version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
"versionType": "git"
},
{
"lessThan": "dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f",
"status": "affected",
"version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
"versionType": "git"
},
{
"lessThan": "b74cedac643b02aefa7da881b58a3792859d9748",
"status": "affected",
"version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/wave5/wave5-vpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix device cleanup order to prevent kernel panic\n\nMove video device unregistration to the beginning of the remove function\nto ensure all video operations are stopped before cleaning up the worker\nthread and disabling PM runtime. This prevents hardware register access\nafter the device has been powered down.\n\nIn polling mode, the hrtimer periodically triggers\nwave5_vpu_timer_callback() which queues work to the kthread worker.\nThe worker executes wave5_vpu_irq_work_fn() which reads hardware\nregisters via wave5_vdi_read_register().\n\nThe original cleanup order disabled PM runtime and powered down hardware\nbefore unregistering video devices. When autosuspend triggers and powers\noff the hardware, the video devices are still registered and the worker\nthread can still be triggered by the hrtimer, causing it to attempt\nreading registers from powered-off hardware. This results in a bus error\n(synchronous external abort) and kernel panic.\n\nThis causes random kernel panics during encoding operations:\n\n Internal error: synchronous external abort: 0000000096000010\n [#1] PREEMPT SMP\n Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...\n CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread\n Tainted: G M W\n pc : wave5_vdi_read_register+0x10/0x38 [wave5]\n lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]\n Call trace:\n wave5_vdi_read_register+0x10/0x38 [wave5]\n kthread_worker_fn+0xd8/0x238\n kthread+0x104/0x120\n ret_from_fork+0x10/0x20\n Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: synchronous external abort:\n Fatal exception"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:28:26.951Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b73d85231d5b1400a4fa5046cdac6c4d7cc6d969"
},
{
"url": "https://git.kernel.org/stable/c/526816f2e331954d80fed8b37fa94efbbdde2b8d"
},
{
"url": "https://git.kernel.org/stable/c/dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f"
},
{
"url": "https://git.kernel.org/stable/c/b74cedac643b02aefa7da881b58a3792859d9748"
}
],
"title": "media: chips-media: wave5: Fix device cleanup order to prevent kernel panic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43229",
"datePublished": "2026-05-06T11:28:26.951Z",
"dateReserved": "2026-05-01T14:12:55.994Z",
"dateUpdated": "2026-05-06T11:28:26.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43284 (GCVE-0-2026-43284)
Vulnerability from cvelistv5 – Published: 2026-05-08 07:21 – Updated: 2026-05-09 03:55
Title
xfrm: esp: avoid in-place decrypt on shared skb frags
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
Severity ?
7.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < a6cb440f274a22456ef3e86b457344f1678f38f9 (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < ab8b995323e5237041472d07e5055f5f7dcdf15b (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < fe785bb3a8096dffcc4048a85cd0c83337eeecad (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 5d55c7336f8032d434adcc5fab987ccc93a44aec (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 8253aab4659ca16116b522203c2a6b18dccacea7 (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 50ed1e7873100f77abad20fd31c51029bc49cd03 (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < b54edf1e9a3fd3491bdcb82a21f8d21315271e0d (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 71a1d9d985d26716f74d21f18ee8cac821b06e97 (git)<br>Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 52646cbd00e765a6db9c3afe9535f26218276034 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-08T09:32:40.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/08/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43284",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:46.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6cb440f274a22456ef3e86b457344f1678f38f9",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "ab8b995323e5237041472d07e5055f5f7dcdf15b",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "fe785bb3a8096dffcc4048a85cd0c83337eeecad",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "5d55c7336f8032d434adcc5fab987ccc93a44aec",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "8253aab4659ca16116b522203c2a6b18dccacea7",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "50ed1e7873100f77abad20fd31c51029bc49cd03",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "b54edf1e9a3fd3491bdcb82a21f8d21315271e0d",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "71a1d9d985d26716f74d21f18ee8cac821b06e97",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "52646cbd00e765a6db9c3afe9535f26218276034",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.206",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.255",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.205",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.206",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.171",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.172",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.138",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.87",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.28",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.5",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb-\u003edata_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:57:22.849Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9"
},
{
"url": "https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b"
},
{
"url": "https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad"
},
{
"url": "https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec"
},
{
"url": "https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7"
},
{
"url": "https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03"
},
{
"url": "https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d"
},
{
"url": "https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97"
},
{
"url": "https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034"
}
],
"title": "xfrm: esp: avoid in-place decrypt on shared skb frags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43284",
"datePublished": "2026-05-08T07:21:47.524Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-09T03:55:46.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}