Vulnerability-Lookup

alsa-2026:21706

Vulnerability from osv_almalinux

Published

2026-05-28 00:00

Modified

2026-05-28 12:35

Summary

Important: kernel security update

Details

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

kernel: Bluetooth: MGMT: Fix possible UAFs (CVE-2025-39981)
kernel: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr (CVE-2025-68183)
kernel: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events (CVE-2025-68347)
kernel: libceph: make decode_pool() more resilient against corrupted osdmaps (CVE-2025-71116)
kernel: Linux kernel: Denial of service and memory corruption in RDMA umad (CVE-2026-23243)
kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270)
kernel: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (CVE-2026-23455)
kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (CVE-2026-31408)
kernel: can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
kernel: net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)
kernel: netfilter: ip6t_eui64: reject invalid MAC header for all packets (CVE-2026-31685)
kernel: netfilter: nf_conntrack_helper: pass helper to expect cleanup (CVE-2026-43027)
kernel: Bluetooth: MGMT: validate LTK enc_size on load (CVE-2026-43020)
kernel: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (CVE-2026-43051)
kernel: smb: client: validate the whole DACL before rewriting it in cifsacl (CVE-2026-31709)
kernel: md/bitmap: fix GPF in write_page caused by resize race (CVE-2026-43163)
kernel: netfilter: xt_tcpmss: check remaining length before reading optlen (CVE-2026-43190)
kernel: xfs: fix freemap adjustments when adding xattrs to leaf blocks (CVE-2026-43158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:21706	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-39981	REPORT
	https://access.redhat.com/security/cve/CVE-2025-68183	REPORT
	https://access.redhat.com/security/cve/CVE-2025-68347	REPORT
	https://access.redhat.com/security/cve/CVE-2025-71116	REPORT
	https://access.redhat.com/security/cve/CVE-2026-23243	REPORT
	https://access.redhat.com/security/cve/CVE-2026-23270	REPORT
	https://access.redhat.com/security/cve/CVE-2026-23455	REPORT
	https://access.redhat.com/security/cve/CVE-2026-31408	REPORT
	https://access.redhat.com/security/cve/CVE-2026-31532	REPORT
	https://access.redhat.com/security/cve/CVE-2026-31684	REPORT
	https://access.redhat.com/security/cve/CVE-2026-31685	REPORT
	https://access.redhat.com/security/cve/CVE-2026-31709	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43020	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43027	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43051	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43158	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43163	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43190	REPORT
	https://bugzilla.redhat.com/2404105	REPORT
	https://bugzilla.redhat.com/2422699	REPORT
	https://bugzilla.redhat.com/2424879	REPORT
	https://bugzilla.redhat.com/2429602	REPORT
	https://bugzilla.redhat.com/2448594	REPORT
	https://bugzilla.redhat.com/2448745	REPORT
	https://bugzilla.redhat.com/2454810	REPORT
	https://bugzilla.redhat.com/2455334	REPORT
	https://bugzilla.redhat.com/2461107	REPORT
	https://bugzilla.redhat.com/2461757	REPORT
	https://bugzilla.redhat.com/2461759	REPORT
	https://bugzilla.redhat.com/2464369	REPORT
	https://bugzilla.redhat.com/2464455	REPORT
	https://bugzilla.redhat.com/2464462	REPORT
	https://bugzilla.redhat.com/2464476	REPORT
	https://bugzilla.redhat.com/2467059	REPORT
	https://bugzilla.redhat.com/2467064	REPORT
	https://bugzilla.redhat.com/2467210	REPORT
	https://errata.almalinux.org/8/ALSA-2026-21706.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "bpftool"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-abi-stablelists"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-cross-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-doc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3-perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.126.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel packages contain the Linux kernel, the core of any Linux operating system.  \n\nSecurity Fix(es):  \n\n  * kernel: Bluetooth: MGMT: Fix possible UAFs (CVE-2025-39981)\n  * kernel: ima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr (CVE-2025-68183)\n  * kernel: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events (CVE-2025-68347)\n  * kernel: libceph: make decode_pool() more resilient against corrupted osdmaps (CVE-2025-71116)\n  * kernel: Linux kernel: Denial of service and memory corruption in RDMA umad (CVE-2026-23243)\n  * kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270)\n  * kernel: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (CVE-2026-23455)\n  * kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (CVE-2026-31408)\n  * kernel: can: raw: fix ro-\u003euniq use-after-free in raw_rcv() (CVE-2026-31532)\n  * kernel: net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)\n  * kernel: netfilter: ip6t_eui64: reject invalid MAC header for all packets (CVE-2026-31685)\n  * kernel: netfilter: nf_conntrack_helper: pass helper to expect cleanup (CVE-2026-43027)\n  * kernel: Bluetooth: MGMT: validate LTK enc_size on load (CVE-2026-43020)\n  * kernel: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (CVE-2026-43051)\n  * kernel: smb: client: validate the whole DACL before rewriting it in cifsacl (CVE-2026-31709)\n  * kernel: md/bitmap: fix GPF in write_page caused by resize race (CVE-2026-43163)\n  * kernel: netfilter: xt_tcpmss: check remaining length before reading optlen (CVE-2026-43190)\n  * kernel: xfs: fix freemap adjustments when adding xattrs to leaf blocks (CVE-2026-43158)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:21706",
  "modified": "2026-05-28T12:35:24Z",
  "published": "2026-05-28T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:21706"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-39981"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-68183"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-68347"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-71116"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-23243"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-23270"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-23455"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31408"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31532"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31684"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31685"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31709"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43020"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43027"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43051"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43158"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43163"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43190"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2404105"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2422699"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2424879"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2429602"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2448594"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2448745"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2454810"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2455334"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2461107"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2461757"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2461759"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2464369"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2464455"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2464462"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2464476"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2467059"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2467064"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2467210"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-21706.html"
    }
  ],
  "related": [
    "CVE-2025-39981",
    "CVE-2025-68183",
    "CVE-2025-68347",
    "CVE-2025-71116",
    "CVE-2026-23243",
    "CVE-2026-23270",
    "CVE-2026-23455",
    "CVE-2026-31408",
    "CVE-2026-31532",
    "CVE-2026-31684",
    "CVE-2026-31685",
    "CVE-2026-43027",
    "CVE-2026-43020",
    "CVE-2026-43051",
    "CVE-2026-31709",
    "CVE-2026-43163",
    "CVE-2026-43190",
    "CVE-2026-43158"
  ],
  "summary": "Important: kernel security update"
}

CVE-2026-31685 (GCVE-0-2026-31685)

Vulnerability from cvelistv5 – Published: 2026-04-25 08:47 – Updated: 2026-05-11 22:13

Title

netfilter: ip6t_eui64: reject invalid MAC header for all packets

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.

Severity

9.4 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/288138418bef956f8…
https://git.kernel.org/stable/c/9eda5478746ef7dc0…
https://git.kernel.org/stable/c/807d6ee15804df6f0…
https://git.kernel.org/stable/c/309ae3e9a51a69699…
https://git.kernel.org/stable/c/fdce0b3590f724540…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 288138418bef956f8b295751a4536c60f0e89f4a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9eda5478746ef7dc0e4e537b5a5e4b0ca1027091 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 807d6ee15804df6f01a35c910f09612e858739a6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 309ae3e9a51a69699ca94eac5fac5688fa562d55 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fdce0b3590f724540795b874b4c8850c90e6b0a8 (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 6.6.136 , ≤ 6.6.* (semver) Unaffected: 6.12.83 , ≤ 6.12.* (semver) Unaffected: 6.18.24 , ≤ 6.18.* (semver) Unaffected: 6.19.14 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/netfilter/ip6t_eui64.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "288138418bef956f8b295751a4536c60f0e89f4a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9eda5478746ef7dc0e4e537b5a5e4b0ca1027091",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "807d6ee15804df6f01a35c910f09612e858739a6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "309ae3e9a51a69699ca94eac5fac5688fa562d55",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fdce0b3590f724540795b874b4c8850c90e6b0a8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/netfilter/ip6t_eui64.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.136",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.83",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.24",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par-\u003efragoff != 0`. For packets with `par-\u003efragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par-\u003efragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:13:39.681Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091"
        },
        {
          "url": "https://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8"
        }
      ],
      "title": "netfilter: ip6t_eui64: reject invalid MAC header for all packets",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31685",
    "datePublished": "2026-04-25T08:47:02.857Z",
    "dateReserved": "2026-03-09T15:48:24.131Z",
    "dateUpdated": "2026-05-11T22:13:39.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31709 (GCVE-0-2026-31709)

Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-05-17 15:21

Title

smb: client: validate the whole DACL before rewriting it in cifsacl

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs. Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/8e47d297e7cf9a602…
https://git.kernel.org/stable/c/d92f3f0b22414e751…
https://git.kernel.org/stable/c/b78db9bddc84136f6…
https://git.kernel.org/stable/c/0a8cf165566ba55a3…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4 , < 8e47d297e7cf9a6029a0d38e7b22faba7d7aaf12 (git) Affected: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4 , < d92f3f0b22414e7515696a02224d0af55e3004a3 (git) Affected: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4 , < b78db9bddc84136f6a0bb49e8883cf200dfb87a8 (git) Affected: bc3e9dd9d104ca1b75644eab87b38ce8a924aef4 , < 0a8cf165566ba55a39fd0f4de172119dd646d39a (git)
Linux	Linux	Affected: 5.12 Unaffected: 0 , < 5.12 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 7.0.2 , ≤ 7.0.* (semver) Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifsacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8e47d297e7cf9a6029a0d38e7b22faba7d7aaf12",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            },
            {
              "lessThan": "d92f3f0b22414e7515696a02224d0af55e3004a3",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            },
            {
              "lessThan": "b78db9bddc84136f6a0bb49e8883cf200dfb87a8",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            },
            {
              "lessThan": "0a8cf165566ba55a39fd0f4de172119dd646d39a",
              "status": "affected",
              "version": "bc3e9dd9d104ca1b75644eab87b38ce8a924aef4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifsacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.2",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: validate the whole DACL before rewriting it in cifsacl\n\nbuild_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a\nserver-supplied dacloffset and then use the incoming ACL to rebuild the\nchmod/chown security descriptor.\n\nThe original fix only checked that the struct smb_acl header fits before\nreading dacl_ptr-\u003esize or dacl_ptr-\u003enum_aces.  That avoids the immediate\nheader-field OOB read, but the rewrite helpers still walk ACEs based on\npdacl-\u003enum_aces with no structural validation of the incoming DACL body.\n\nA malicious server can return a truncated DACL that still contains a\nheader, claims one or more ACEs, and then drive\nreplace_sids_and_copy_aces() or set_chmod_dacl() past the validated\nextent while they compare or copy attacker-controlled ACEs.\n\nFactor the DACL structural checks into validate_dacl(), extend them to\nvalidate each ACE against the DACL bounds, and use the shared validator\nbefore the chmod/chown rebuild paths.  parse_dacl() reuses the same\nvalidator so the read-side parser and write-side rewrite paths agree on\nwhat constitutes a well-formed incoming DACL."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-17T15:21:32.443Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8e47d297e7cf9a6029a0d38e7b22faba7d7aaf12"
        },
        {
          "url": "https://git.kernel.org/stable/c/d92f3f0b22414e7515696a02224d0af55e3004a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b78db9bddc84136f6a0bb49e8883cf200dfb87a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a8cf165566ba55a39fd0f4de172119dd646d39a"
        }
      ],
      "title": "smb: client: validate the whole DACL before rewriting it in cifsacl",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31709",
    "datePublished": "2026-05-01T13:56:06.522Z",
    "dateReserved": "2026-03-09T15:48:24.133Z",
    "dateUpdated": "2026-05-17T15:21:32.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43020 (GCVE-0-2026-43020)

Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16

Title

Bluetooth: MGMT: validate LTK enc_size on load

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate LTK enc_size on load Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger than the 16-byte key buffer can therefore overflow the reply stack buffer. Reject oversized enc_size values while validating the management LTK record so invalid keys never reach the stored key state.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/0f37d1e65c6d71ad9…
https://git.kernel.org/stable/c/257cdb960d8ff6d60…
https://git.kernel.org/stable/c/c34577f517b556fb6…
https://git.kernel.org/stable/c/f71695e81f4cb428f…
https://git.kernel.org/stable/c/82f342b3b006ca1d6…
https://git.kernel.org/stable/c/50fb64defa72a3fec…
https://git.kernel.org/stable/c/40ba329e8b4cd2fb1…
https://git.kernel.org/stable/c/b8dbe9648d69059cf…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 0f37d1e65c6d71ad94ccfb5c602163c525db789d (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 257cdb960d8ff6d60bb6461b03c814b6cf0c9e64 (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < c34577f517b556fb6ca173d45bf7e766ae2564ce (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < f71695e81f4cb428f3c7e2138eae88199005b52c (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 82f342b3b006ca1d65f4890c05f2ec32fcb808b6 (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 50fb64defa72a3fecd0af1ca7c6b47b5c5c2b257 (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 40ba329e8b4cd2fb11b0caf5e6a543ceaebb6009 (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < b8dbe9648d69059cfe3a28917bfbf7e61efd7f15 (git)
Linux	Linux	Affected: 3.4 Unaffected: 0 , < 3.4 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0f37d1e65c6d71ad94ccfb5c602163c525db789d",
              "status": "affected",
              "version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
              "versionType": "git"
            },
            {
              "lessThan": "257cdb960d8ff6d60bb6461b03c814b6cf0c9e64",
              "status": "affected",
              "version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
              "versionType": "git"
            },
            {
              "lessThan": "c34577f517b556fb6ca173d45bf7e766ae2564ce",
              "status": "affected",
              "version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
              "versionType": "git"
            },
            {
              "lessThan": "f71695e81f4cb428f3c7e2138eae88199005b52c",
              "status": "affected",
              "version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
              "versionType": "git"
            },
            {
              "lessThan": "82f342b3b006ca1d65f4890c05f2ec32fcb808b6",
              "status": "affected",
              "version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
              "versionType": "git"
            },
            {
              "lessThan": "50fb64defa72a3fecd0af1ca7c6b47b5c5c2b257",
              "status": "affected",
              "version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
              "versionType": "git"
            },
            {
              "lessThan": "40ba329e8b4cd2fb11b0caf5e6a543ceaebb6009",
              "status": "affected",
              "version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
              "versionType": "git"
            },
            {
              "lessThan": "b8dbe9648d69059cfe3a28917bfbf7e61efd7f15",
              "status": "affected",
              "version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "lessThan": "3.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate LTK enc_size on load\n\nLoad Long Term Keys stores the user-provided enc_size and later uses\nit to size fixed-size stack operations when replying to LE LTK\nrequests. An enc_size larger than the 16-byte key buffer can therefore\noverflow the reply stack buffer.\n\nReject oversized enc_size values while validating the management LTK\nrecord so invalid keys never reach the stored key state."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:16:09.294Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0f37d1e65c6d71ad94ccfb5c602163c525db789d"
        },
        {
          "url": "https://git.kernel.org/stable/c/257cdb960d8ff6d60bb6461b03c814b6cf0c9e64"
        },
        {
          "url": "https://git.kernel.org/stable/c/c34577f517b556fb6ca173d45bf7e766ae2564ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/f71695e81f4cb428f3c7e2138eae88199005b52c"
        },
        {
          "url": "https://git.kernel.org/stable/c/82f342b3b006ca1d65f4890c05f2ec32fcb808b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/50fb64defa72a3fecd0af1ca7c6b47b5c5c2b257"
        },
        {
          "url": "https://git.kernel.org/stable/c/40ba329e8b4cd2fb11b0caf5e6a543ceaebb6009"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8dbe9648d69059cfe3a28917bfbf7e61efd7f15"
        }
      ],
      "title": "Bluetooth: MGMT: validate LTK enc_size on load",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43020",
    "datePublished": "2026-05-01T14:15:23.699Z",
    "dateReserved": "2026-05-01T14:12:55.975Z",
    "dateUpdated": "2026-05-11T22:16:09.294Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43027 (GCVE-0-2026-43027)

Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16

Title

netfilter: nf_conntrack_helper: pass helper to expect cleanup

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it passes NULL instead of the helper pointer as the data argument, so expect_iter_me() never matches any expectation and all of them survive the cleanup. After unregister returns, nfnl_cthelper_del() frees the helper object immediately. Subsequent expectation dumps or packet-driven init_conntrack() calls then dereference the freed exp->helper, causing a use-after-free. Pass the actual helper pointer so expectations referencing it are properly destroyed before the helper object is freed. BUG: KASAN: slab-use-after-free in string+0x38f/0x430 Read of size 1 at addr ffff888003b14d20 by task poc/103 Call Trace: string+0x38f/0x430 vsnprintf+0x3cc/0x1170 seq_printf+0x17a/0x240 exp_seq_show+0x2e5/0x560 seq_read_iter+0x419/0x1280 proc_reg_read+0x1ac/0x270 vfs_read+0x179/0x930 ksys_read+0xef/0x1c0 Freed by task 103: The buggy address is located 32 bytes inside of freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/5cf28d5c8dcbbe8af…
https://git.kernel.org/stable/c/504ba4168466c9121…
https://git.kernel.org/stable/c/dc1739eff48e34cc7…
https://git.kernel.org/stable/c/2cf2737c85a2ba2b5…
https://git.kernel.org/stable/c/2c16e4d64dd912277…
https://git.kernel.org/stable/c/620f3d14c1ef51d42…
https://git.kernel.org/stable/c/90bd7e8501349db30…
https://git.kernel.org/stable/c/a242a9ae58aa46ff7…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: ac7b848390036dadd4351899d2a23748075916bd , < 5cf28d5c8dcbbe8af6d3b145babe491906d7bad1 (git) Affected: ac7b848390036dadd4351899d2a23748075916bd , < 504ba4168466c91210c45acdc332479cfd5f2da6 (git) Affected: ac7b848390036dadd4351899d2a23748075916bd , < dc1739eff48e34cc71d4e2f03715493fbcebd8af (git) Affected: ac7b848390036dadd4351899d2a23748075916bd , < 2cf2737c85a2ba2b52024dafe68ffad2676f97be (git) Affected: ac7b848390036dadd4351899d2a23748075916bd , < 2c16e4d64dd91227742dfe196a3e7b0568bef65a (git) Affected: ac7b848390036dadd4351899d2a23748075916bd , < 620f3d14c1ef51d425060a3056ad8dbae8f998a3 (git) Affected: ac7b848390036dadd4351899d2a23748075916bd , < 90bd7e8501349db3006d21fbc09df9ffcb172965 (git) Affected: ac7b848390036dadd4351899d2a23748075916bd , < a242a9ae58aa46ff7dae51ce64150a93957abe65 (git)
Linux	Linux	Affected: 4.14 Unaffected: 0 , < 4.14 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conntrack_helper.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5cf28d5c8dcbbe8af6d3b145babe491906d7bad1",
              "status": "affected",
              "version": "ac7b848390036dadd4351899d2a23748075916bd",
              "versionType": "git"
            },
            {
              "lessThan": "504ba4168466c91210c45acdc332479cfd5f2da6",
              "status": "affected",
              "version": "ac7b848390036dadd4351899d2a23748075916bd",
              "versionType": "git"
            },
            {
              "lessThan": "dc1739eff48e34cc71d4e2f03715493fbcebd8af",
              "status": "affected",
              "version": "ac7b848390036dadd4351899d2a23748075916bd",
              "versionType": "git"
            },
            {
              "lessThan": "2cf2737c85a2ba2b52024dafe68ffad2676f97be",
              "status": "affected",
              "version": "ac7b848390036dadd4351899d2a23748075916bd",
              "versionType": "git"
            },
            {
              "lessThan": "2c16e4d64dd91227742dfe196a3e7b0568bef65a",
              "status": "affected",
              "version": "ac7b848390036dadd4351899d2a23748075916bd",
              "versionType": "git"
            },
            {
              "lessThan": "620f3d14c1ef51d425060a3056ad8dbae8f998a3",
              "status": "affected",
              "version": "ac7b848390036dadd4351899d2a23748075916bd",
              "versionType": "git"
            },
            {
              "lessThan": "90bd7e8501349db3006d21fbc09df9ffcb172965",
              "status": "affected",
              "version": "ac7b848390036dadd4351899d2a23748075916bd",
              "versionType": "git"
            },
            {
              "lessThan": "a242a9ae58aa46ff7dae51ce64150a93957abe65",
              "status": "affected",
              "version": "ac7b848390036dadd4351899d2a23748075916bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conntrack_helper.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_helper: pass helper to expect cleanup\n\nnf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()\nto remove expectations belonging to the helper being unregistered.\nHowever, it passes NULL instead of the helper pointer as the data\nargument, so expect_iter_me() never matches any expectation and all\nof them survive the cleanup.\n\nAfter unregister returns, nfnl_cthelper_del() frees the helper\nobject immediately.  Subsequent expectation dumps or packet-driven\ninit_conntrack() calls then dereference the freed exp-\u003ehelper,\ncausing a use-after-free.\n\nPass the actual helper pointer so expectations referencing it are\nproperly destroyed before the helper object is freed.\n\n  BUG: KASAN: slab-use-after-free in string+0x38f/0x430\n  Read of size 1 at addr ffff888003b14d20 by task poc/103\n  Call Trace:\n   string+0x38f/0x430\n   vsnprintf+0x3cc/0x1170\n   seq_printf+0x17a/0x240\n   exp_seq_show+0x2e5/0x560\n   seq_read_iter+0x419/0x1280\n   proc_reg_read+0x1ac/0x270\n   vfs_read+0x179/0x930\n   ksys_read+0xef/0x1c0\n  Freed by task 103:\n  The buggy address is located 32 bytes inside of\n   freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:16:18.081Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5cf28d5c8dcbbe8af6d3b145babe491906d7bad1"
        },
        {
          "url": "https://git.kernel.org/stable/c/504ba4168466c91210c45acdc332479cfd5f2da6"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc1739eff48e34cc71d4e2f03715493fbcebd8af"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cf2737c85a2ba2b52024dafe68ffad2676f97be"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c16e4d64dd91227742dfe196a3e7b0568bef65a"
        },
        {
          "url": "https://git.kernel.org/stable/c/620f3d14c1ef51d425060a3056ad8dbae8f998a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/90bd7e8501349db3006d21fbc09df9ffcb172965"
        },
        {
          "url": "https://git.kernel.org/stable/c/a242a9ae58aa46ff7dae51ce64150a93957abe65"
        }
      ],
      "title": "netfilter: nf_conntrack_helper: pass helper to expect cleanup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43027",
    "datePublished": "2026-05-01T14:15:28.521Z",
    "dateReserved": "2026-05-01T14:12:55.976Z",
    "dateUpdated": "2026-05-11T22:16:18.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43051 (GCVE-0-2026-43051)

Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16

Title

HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying data into the wacom structure. Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes. Add explicit length checks for these report IDs and log a warning if a short report is received.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a5…
https://git.kernel.org/stable/c/5b5b9730111808410…
https://git.kernel.org/stable/c/fa8901cb1f0b2113a…
https://git.kernel.org/stable/c/8bd690ac1242332c7…
https://git.kernel.org/stable/c/41026bcc0fdf82605…
https://git.kernel.org/stable/c/c8dc23c97680eebef…
https://git.kernel.org/stable/c/3d78386b144453c47…
https://git.kernel.org/stable/c/2f1763f62909ccb63…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 5b5b9730111808410e404ceac2fabd32eef92fbd (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < fa8901cb1f0b2113a342db93bd5684b59fe99dcf (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 8bd690ac1242332c73cba10dacdad6c6642bbb94 (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 41026bcc0fdf82605205c27935ef719cbc07193b (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < c8dc23c97680eebefde06da5858aaef1b37cf75d (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 3d78386b144453c47e81bf62dc3601b757f02d99 (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 2f1763f62909ccb6386ac50350fa0abbf5bb16a9 (git)
Linux	Linux	Affected: 3.3 Unaffected: 0 , < 3.3 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/wacom_wac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada",
              "status": "affected",
              "version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
              "versionType": "git"
            },
            {
              "lessThan": "5b5b9730111808410e404ceac2fabd32eef92fbd",
              "status": "affected",
              "version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
              "versionType": "git"
            },
            {
              "lessThan": "fa8901cb1f0b2113a342db93bd5684b59fe99dcf",
              "status": "affected",
              "version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
              "versionType": "git"
            },
            {
              "lessThan": "8bd690ac1242332c73cba10dacdad6c6642bbb94",
              "status": "affected",
              "version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
              "versionType": "git"
            },
            {
              "lessThan": "41026bcc0fdf82605205c27935ef719cbc07193b",
              "status": "affected",
              "version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
              "versionType": "git"
            },
            {
              "lessThan": "c8dc23c97680eebefde06da5858aaef1b37cf75d",
              "status": "affected",
              "version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
              "versionType": "git"
            },
            {
              "lessThan": "3d78386b144453c47e81bf62dc3601b757f02d99",
              "status": "affected",
              "version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
              "versionType": "git"
            },
            {
              "lessThan": "2f1763f62909ccb6386ac50350fa0abbf5bb16a9",
              "status": "affected",
              "version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/wacom_wac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\n\nThe wacom_intuos_bt_irq() function processes Bluetooth HID reports\nwithout sufficient bounds checking. A maliciously crafted short report\ncan trigger an out-of-bounds read when copying data into the wacom\nstructure.\n\nSpecifically, report 0x03 requires at least 22 bytes to safely read\nthe processed data and battery status, while report 0x04 (which\nfalls through to 0x03) requires 32 bytes.\n\nAdd explicit length checks for these report IDs and log a warning if\na short report is received."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:16:45.927Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b5b9730111808410e404ceac2fabd32eef92fbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa8901cb1f0b2113a342db93bd5684b59fe99dcf"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bd690ac1242332c73cba10dacdad6c6642bbb94"
        },
        {
          "url": "https://git.kernel.org/stable/c/41026bcc0fdf82605205c27935ef719cbc07193b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8dc23c97680eebefde06da5858aaef1b37cf75d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d78386b144453c47e81bf62dc3601b757f02d99"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f1763f62909ccb6386ac50350fa0abbf5bb16a9"
        }
      ],
      "title": "HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43051",
    "datePublished": "2026-05-01T14:15:45.314Z",
    "dateReserved": "2026-05-01T14:12:55.980Z",
    "dateUpdated": "2026-05-11T22:16:45.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43158 (GCVE-0-2026-43158)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:18

Title

xfs: fix freemap adjustments when adding xattrs to leaf blocks

Summary

In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf)); Upon enabling quite a lot more debugging code, I narrowed this down to fsstress trying to set a local extended attribute with namelen=3 and valuelen=71. This results in an entry size of 80 bytes. At the start of xfs_attr3_leaf_add_work, the freemap looks like this: i 0 base 448 size 0 rhs 448 count 46 i 1 base 388 size 132 rhs 448 count 46 i 2 base 2120 size 4 rhs 448 count 46 firstused = 520 where "rhs" is the first byte past the end of the leaf entry array. This is inconsistent -- the entries array ends at byte 448, but freemap[1] says there's free space starting at byte 388! By the end of the function, the freemap is in worse shape: i 0 base 456 size 0 rhs 456 count 47 i 1 base 388 size 52 rhs 456 count 47 i 2 base 2120 size 4 rhs 456 count 47 firstused = 440 Important note: 388 is not aligned with the entries array element size of 8 bytes. Based on the incorrect freemap, the name area starts at byte 440, which is below the end of the entries array! That's why the assertion triggers and the filesystem shuts down. How did we end up here? First, recall from the previous patch that the freemap array in an xattr leaf block is not intended to be a comprehensive map of all free space in the leaf block. In other words, it's perfectly legal to have a leaf block with: * 376 bytes in use by the entries array * freemap[0] has [base = 376, size = 8] * freemap[1] has [base = 388, size = 1500] * the space between 376 and 388 is free, but the freemap stopped tracking that some time ago If we add one xattr, the entries array grows to 384 bytes, and freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we add a second xattr, the entries array grows to 392 bytes, and freemap[0] gets pushed up to [base = 392, size = 0]. This is bad, because freemap[1] hasn't been updated, and now the entries array and the free space claim the same space. The fix here is to adjust all freemap entries so that none of them collide with the entries array. Note that this fix relies on commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and the previous patch that resets zero length freemap entries to have base = 0.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/d08976725355b9d54…
https://git.kernel.org/stable/c/6a8737afbccc340e7…
https://git.kernel.org/stable/c/a396b3d73d51355e5…
https://git.kernel.org/stable/c/38613c01f69e1e77e…
https://git.kernel.org/stable/c/ef42a8766ff3fdf51…
https://git.kernel.org/stable/c/43f3b18679615a93b…
https://git.kernel.org/stable/c/24ce71852f2cee658…
https://git.kernel.org/stable/c/3eefc0c2b78444b64…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d08976725355b9d54d8332fce223fa281cc304a5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6a8737afbccc340e718e0b22577312826390be8b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a396b3d73d51355e50acdb403ba9c4cae4c1174e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 38613c01f69e1e77e6b8acab1e8ac665d01c2f15 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ef42a8766ff3fdf51cf72fb36d0859c09d134478 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 43f3b18679615a93bd848afde3602ba160637a46 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 24ce71852f2cee6581e2cbebc15489ed52bf63b7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3eefc0c2b78444b64feeb3783c017d6adc3cd3ce (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/libxfs/xfs_attr_leaf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d08976725355b9d54d8332fce223fa281cc304a5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6a8737afbccc340e718e0b22577312826390be8b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a396b3d73d51355e50acdb403ba9c4cae4c1174e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "38613c01f69e1e77e6b8acab1e8ac665d01c2f15",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ef42a8766ff3fdf51cf72fb36d0859c09d134478",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "43f3b18679615a93bd848afde3602ba160637a46",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "24ce71852f2cee6581e2cbebc15489ed52bf63b7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3eefc0c2b78444b64feeb3783c017d6adc3cd3ce",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/libxfs/xfs_attr_leaf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix freemap adjustments when adding xattrs to leaf blocks\n\nxfs/592 and xfs/794 both trip this assertion in the leaf block freemap\nadjustment code after ~20 minutes of running on my test VMs:\n\n ASSERT(ichdr-\u003efirstused \u003e= ichdr-\u003ecount * sizeof(xfs_attr_leaf_entry_t)\n\t\t\t\t\t+ xfs_attr3_leaf_hdr_size(leaf));\n\nUpon enabling quite a lot more debugging code, I narrowed this down to\nfsstress trying to set a local extended attribute with namelen=3 and\nvaluelen=71.  This results in an entry size of 80 bytes.\n\nAt the start of xfs_attr3_leaf_add_work, the freemap looks like this:\n\ni 0 base 448 size 0 rhs 448 count 46\ni 1 base 388 size 132 rhs 448 count 46\ni 2 base 2120 size 4 rhs 448 count 46\nfirstused = 520\n\nwhere \"rhs\" is the first byte past the end of the leaf entry array.\nThis is inconsistent -- the entries array ends at byte 448, but\nfreemap[1] says there\u0027s free space starting at byte 388!\n\nBy the end of the function, the freemap is in worse shape:\n\ni 0 base 456 size 0 rhs 456 count 47\ni 1 base 388 size 52 rhs 456 count 47\ni 2 base 2120 size 4 rhs 456 count 47\nfirstused = 440\n\nImportant note: 388 is not aligned with the entries array element size\nof 8 bytes.\n\nBased on the incorrect freemap, the name area starts at byte 440, which\nis below the end of the entries array!  That\u0027s why the assertion\ntriggers and the filesystem shuts down.\n\nHow did we end up here?  First, recall from the previous patch that the\nfreemap array in an xattr leaf block is not intended to be a\ncomprehensive map of all free space in the leaf block.  In other words,\nit\u0027s perfectly legal to have a leaf block with:\n\n * 376 bytes in use by the entries array\n * freemap[0] has [base = 376, size = 8]\n * freemap[1] has [base = 388, size = 1500]\n * the space between 376 and 388 is free, but the freemap stopped\n   tracking that some time ago\n\nIf we add one xattr, the entries array grows to 384 bytes, and\nfreemap[0] becomes [base = 384, size = 0].  So far, so good.  But if we\nadd a second xattr, the entries array grows to 392 bytes, and freemap[0]\ngets pushed up to [base = 392, size = 0].  This is bad, because\nfreemap[1] hasn\u0027t been updated, and now the entries array and the free\nspace claim the same space.\n\nThe fix here is to adjust all freemap entries so that none of them\ncollide with the entries array.  Note that this fix relies on commit\n2a2b5932db6758 (\"xfs: fix attr leaf header freemap.size underflow\") and\nthe previous patch that resets zero length freemap entries to have\nbase = 0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:18:53.079Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d08976725355b9d54d8332fce223fa281cc304a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a8737afbccc340e718e0b22577312826390be8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a396b3d73d51355e50acdb403ba9c4cae4c1174e"
        },
        {
          "url": "https://git.kernel.org/stable/c/38613c01f69e1e77e6b8acab1e8ac665d01c2f15"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef42a8766ff3fdf51cf72fb36d0859c09d134478"
        },
        {
          "url": "https://git.kernel.org/stable/c/43f3b18679615a93bd848afde3602ba160637a46"
        },
        {
          "url": "https://git.kernel.org/stable/c/24ce71852f2cee6581e2cbebc15489ed52bf63b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3eefc0c2b78444b64feeb3783c017d6adc3cd3ce"
        }
      ],
      "title": "xfs: fix freemap adjustments when adding xattrs to leaf blocks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43158",
    "datePublished": "2026-05-06T11:27:37.848Z",
    "dateReserved": "2026-05-01T14:12:55.990Z",
    "dateUpdated": "2026-05-11T22:18:53.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43163 (GCVE-0-2026-43163)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:18

Title

md/bitmap: fix GPF in write_page caused by resize race

Summary

In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bitmap_daemon_work() and __bitmap_resize(). The daemon iterates over `bitmap->storage.filemap` without locking, while the resize path frees that storage via md_bitmap_file_unmap(). `quiesce()` does not stop the md thread, allowing concurrent access to freed pages. Fix by holding `mddev->bitmap_info.mutex` during the bitmap update.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/140cc839fbeb1ddb3…
https://git.kernel.org/stable/c/ebcacc7ca22d5e8a0…
https://git.kernel.org/stable/c/d3af62411e19752c6…
https://git.kernel.org/stable/c/d92b8fac294b5f915…
https://git.kernel.org/stable/c/a437e3bf30e328460…
https://git.kernel.org/stable/c/9a6f8cd28bb9bb6ed…
https://git.kernel.org/stable/c/5f73c8b33df9a605a…
https://git.kernel.org/stable/c/46ef85f854dfa9d52…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < 140cc839fbeb1ddb33a8da8811b716d88d3905b7 (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8 (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < d3af62411e19752c663fe4f424dbf49d95a4cc7c (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < d92b8fac294b5f915c50e65ce4ae2262e53614ec (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < a437e3bf30e32846079e470c1ba5ee790bccdf89 (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < 9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < 5f73c8b33df9a605a591eab72d43a969600c1f8c (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < 46ef85f854dfa9d5226b3c1c46493d79556c9589 (git)
Linux	Linux	Affected: 3.5 Unaffected: 0 , < 3.5 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md-bitmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "140cc839fbeb1ddb33a8da8811b716d88d3905b7",
              "status": "affected",
              "version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
              "versionType": "git"
            },
            {
              "lessThan": "ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8",
              "status": "affected",
              "version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
              "versionType": "git"
            },
            {
              "lessThan": "d3af62411e19752c663fe4f424dbf49d95a4cc7c",
              "status": "affected",
              "version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
              "versionType": "git"
            },
            {
              "lessThan": "d92b8fac294b5f915c50e65ce4ae2262e53614ec",
              "status": "affected",
              "version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
              "versionType": "git"
            },
            {
              "lessThan": "a437e3bf30e32846079e470c1ba5ee790bccdf89",
              "status": "affected",
              "version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
              "versionType": "git"
            },
            {
              "lessThan": "9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f",
              "status": "affected",
              "version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
              "versionType": "git"
            },
            {
              "lessThan": "5f73c8b33df9a605a591eab72d43a969600c1f8c",
              "status": "affected",
              "version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
              "versionType": "git"
            },
            {
              "lessThan": "46ef85f854dfa9d5226b3c1c46493d79556c9589",
              "status": "affected",
              "version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md-bitmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/bitmap: fix GPF in write_page caused by resize race\n\nA General Protection Fault occurs in write_page() during array resize:\nRIP: 0010:write_page+0x22b/0x3c0 [md_mod]\n\nThis is a use-after-free race between bitmap_daemon_work() and\n__bitmap_resize(). The daemon iterates over `bitmap-\u003estorage.filemap`\nwithout locking, while the resize path frees that storage via\nmd_bitmap_file_unmap(). `quiesce()` does not stop the md thread,\nallowing concurrent access to freed pages.\n\nFix by holding `mddev-\u003ebitmap_info.mutex` during the bitmap update."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:18:58.873Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/140cc839fbeb1ddb33a8da8811b716d88d3905b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3af62411e19752c663fe4f424dbf49d95a4cc7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d92b8fac294b5f915c50e65ce4ae2262e53614ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/a437e3bf30e32846079e470c1ba5ee790bccdf89"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f73c8b33df9a605a591eab72d43a969600c1f8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/46ef85f854dfa9d5226b3c1c46493d79556c9589"
        }
      ],
      "title": "md/bitmap: fix GPF in write_page caused by resize race",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43163",
    "datePublished": "2026-05-06T11:27:41.265Z",
    "dateReserved": "2026-05-01T14:12:55.990Z",
    "dateUpdated": "2026-05-11T22:18:58.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43190 (GCVE-0-2026-43190)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:19

Title

netfilter: xt_tcpmss: check remaining length before reading optlen

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).

Severity

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/f895191dc32c53eaf…
https://git.kernel.org/stable/c/cd5beda7e0e32865e…
https://git.kernel.org/stable/c/eaedc0bc18be46fe7…
https://git.kernel.org/stable/c/07a9b32eaae792ff7…
https://git.kernel.org/stable/c/8b300f726640c48c3…
https://git.kernel.org/stable/c/5e13d0a37666955b6…
https://git.kernel.org/stable/c/f6c412dcfd76b0516…
https://git.kernel.org/stable/c/735ee8582da3d239e…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f895191dc32c53eaf443b6443fe40945b2f92287 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cd5beda7e0e32865e214f28034bb92c1cecff885 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eaedc0bc18be46fe7f58170e967959a932c4f824 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 07a9b32eaae792ff7d0fcac14d8920c937c0a9c3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8b300f726640c48c3edfe9c453334dd801f4b74e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5e13d0a37666955b6cfddc0f73cb40ed645b8a05 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f6c412dcfd76b0516d51aa847d8f4c7b70381b09 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 735ee8582da3d239eb0c7a53adca61b79fb228b3 (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_tcpmss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f895191dc32c53eaf443b6443fe40945b2f92287",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cd5beda7e0e32865e214f28034bb92c1cecff885",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "eaedc0bc18be46fe7f58170e967959a932c4f824",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "07a9b32eaae792ff7d0fcac14d8920c937c0a9c3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8b300f726640c48c3edfe9c453334dd801f4b74e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5e13d0a37666955b6cfddc0f73cb40ed645b8a05",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f6c412dcfd76b0516d51aa847d8f4c7b70381b09",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "735ee8582da3d239eb0c7a53adca61b79fb228b3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_tcpmss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_tcpmss: check remaining length before reading optlen\n\nQuoting reporter:\n  In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads\n op[i+1] directly without validating the remaining option length.\n\n  If the last byte of the option field is not EOL/NOP (0/1), the code attempts\n  to index op[i+1]. In the case where i + 1 == optlen, this causes an\n  out-of-bounds read, accessing memory past the optlen boundary\n  (either reading beyond the stack buffer _opt or the\n  following payload)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:19:35.257Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885"
        },
        {
          "url": "https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824"
        },
        {
          "url": "https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09"
        },
        {
          "url": "https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3"
        }
      ],
      "title": "netfilter: xt_tcpmss: check remaining length before reading optlen",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43190",
    "datePublished": "2026-05-06T11:27:59.798Z",
    "dateReserved": "2026-05-01T14:12:55.992Z",
    "dateUpdated": "2026-05-11T22:19:35.257Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2026:21706

Vulnerability from osv_almalinux

CVE-2026-31685 (GCVE-0-2026-31685)

CVE-2026-31709 (GCVE-0-2026-31709)

CVE-2026-43020 (GCVE-0-2026-43020)

CVE-2026-43027 (GCVE-0-2026-43027)

CVE-2026-43051 (GCVE-0-2026-43051)

CVE-2026-43158 (GCVE-0-2026-43158)

CVE-2026-43163 (GCVE-0-2026-43163)

CVE-2026-43190 (GCVE-0-2026-43190)

Tags

Sightings

Nomenclature