Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0329
Vulnerability from certfr_avis - Published: 2026-03-20 - Updated: 2026-03-20
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un déni de service et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Micro Extras 6.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro 6.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro Extras 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-23198",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23198"
},
{
"name": "CVE-2026-23202",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23202"
},
{
"name": "CVE-2026-23167",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23167"
},
{
"name": "CVE-2025-68374",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68374"
},
{
"name": "CVE-2026-23129",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23129"
},
{
"name": "CVE-2025-68778",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68778"
},
{
"name": "CVE-2025-68736",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68736"
},
{
"name": "CVE-2025-68283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68283"
},
{
"name": "CVE-2026-23004",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23004"
},
{
"name": "CVE-2025-71071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71071"
},
{
"name": "CVE-2025-71191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71191"
},
{
"name": "CVE-2025-68295",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68295"
},
{
"name": "CVE-2025-40103",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40103"
},
{
"name": "CVE-2025-21738",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21738"
},
{
"name": "CVE-2026-23139",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23139"
},
{
"name": "CVE-2026-23208",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23208"
},
{
"name": "CVE-2026-23017",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23017"
},
{
"name": "CVE-2025-71189",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71189"
},
{
"name": "CVE-2026-23179",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23179"
},
{
"name": "CVE-2026-23090",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23090"
},
{
"name": "CVE-2026-23035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23035"
},
{
"name": "CVE-2025-38375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38375"
},
{
"name": "CVE-2026-23064",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23064"
},
{
"name": "CVE-2026-23061",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23061"
},
{
"name": "CVE-2026-23135",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23135"
},
{
"name": "CVE-2026-23119",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23119"
},
{
"name": "CVE-2026-23173",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23173"
},
{
"name": "CVE-2026-23222",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23222"
},
{
"name": "CVE-2026-23094",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23094"
},
{
"name": "CVE-2026-23049",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23049"
},
{
"name": "CVE-2026-23229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23229"
},
{
"name": "CVE-2026-23101",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23101"
},
{
"name": "CVE-2026-23099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23099"
},
{
"name": "CVE-2026-23085",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23085"
},
{
"name": "CVE-2026-23209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23209"
},
{
"name": "CVE-2026-23150",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23150"
},
{
"name": "CVE-2026-23163",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23163"
},
{
"name": "CVE-2025-71235",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71235"
},
{
"name": "CVE-2026-23057",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23057"
},
{
"name": "CVE-2026-23166",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23166"
},
{
"name": "CVE-2026-23116",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23116"
},
{
"name": "CVE-2026-23207",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23207"
},
{
"name": "CVE-2025-71200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71200"
},
{
"name": "CVE-2026-23172",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23172"
},
{
"name": "CVE-2026-23133",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23133"
},
{
"name": "CVE-2026-23170",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23170"
},
{
"name": "CVE-2026-23204",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23204"
},
{
"name": "CVE-2025-71188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71188"
},
{
"name": "CVE-2026-23214",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23214"
},
{
"name": "CVE-2025-37861",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37861"
},
{
"name": "CVE-2026-23178",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23178"
},
{
"name": "CVE-2025-71196",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71196"
},
{
"name": "CVE-2026-23191",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23191"
},
{
"name": "CVE-2026-23078",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23078"
},
{
"name": "CVE-2025-68785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68785"
},
{
"name": "CVE-2025-38224",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38224"
},
{
"name": "CVE-2026-23074",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23074"
},
{
"name": "CVE-2025-71126",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71126"
},
{
"name": "CVE-2025-71199",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71199"
},
{
"name": "CVE-2025-71195",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71195"
},
{
"name": "CVE-2026-23083",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23083"
},
{
"name": "CVE-2026-23108",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23108"
},
{
"name": "CVE-2025-71194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71194"
},
{
"name": "CVE-2026-23068",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23068"
},
{
"name": "CVE-2026-23089",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23089"
},
{
"name": "CVE-2025-71225",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71225"
},
{
"name": "CVE-2026-23071",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23071"
},
{
"name": "CVE-2026-23056",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23056"
},
{
"name": "CVE-2026-23063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23063"
},
{
"name": "CVE-2026-23073",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23073"
},
{
"name": "CVE-2026-23058",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23058"
},
{
"name": "CVE-2025-71182",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71182"
},
{
"name": "CVE-2026-23176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23176"
},
{
"name": "CVE-2026-23026",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23026"
},
{
"name": "CVE-2025-71190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71190"
},
{
"name": "CVE-2026-23107",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23107"
},
{
"name": "CVE-2025-71104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71104"
},
{
"name": "CVE-2026-23146",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23146"
},
{
"name": "CVE-2025-38129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38129"
},
{
"name": "CVE-2026-23037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23037"
},
{
"name": "CVE-2025-71224",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71224"
},
{
"name": "CVE-2026-23221",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23221"
},
{
"name": "CVE-2026-23151",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23151"
},
{
"name": "CVE-2026-23152",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23152"
},
{
"name": "CVE-2026-22982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22982"
},
{
"name": "CVE-2025-71222",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71222"
},
{
"name": "CVE-2025-71229",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71229"
},
{
"name": "CVE-2026-23213",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23213"
},
{
"name": "CVE-2026-23091",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23091"
},
{
"name": "CVE-2023-53817",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53817"
},
{
"name": "CVE-2025-71192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71192"
},
{
"name": "CVE-2026-23121",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23121"
},
{
"name": "CVE-2025-39964",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39964"
},
{
"name": "CVE-2025-71066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71066"
},
{
"name": "CVE-2025-71236",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71236"
},
{
"name": "CVE-2025-71234",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71234"
},
{
"name": "CVE-2025-71185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71185"
},
{
"name": "CVE-2026-23096",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23096"
},
{
"name": "CVE-2025-71232",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71232"
},
{
"name": "CVE-2025-40099",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40099"
},
{
"name": "CVE-2026-23105",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23105"
},
{
"name": "CVE-2026-23141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23141"
},
{
"name": "CVE-2026-23182",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23182"
},
{
"name": "CVE-2026-23086",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23086"
},
{
"name": "CVE-2025-71148",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71148"
},
{
"name": "CVE-2026-23156",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23156"
},
{
"name": "CVE-2026-23095",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23095"
},
{
"name": "CVE-2025-39748",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39748"
},
{
"name": "CVE-2023-53827",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53827"
},
{
"name": "CVE-2026-23033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23033"
},
{
"name": "CVE-2026-23145",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23145"
},
{
"name": "CVE-2026-23104",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23104"
},
{
"name": "CVE-2026-23003",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23003"
},
{
"name": "CVE-2026-23076",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23076"
},
{
"name": "CVE-2026-23171",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23171"
},
{
"name": "CVE-2026-23112",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23112"
},
{
"name": "CVE-2026-23084",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23084"
},
{
"name": "CVE-2026-23190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23190"
},
{
"name": "CVE-2026-22979",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22979"
},
{
"name": "CVE-2026-23110",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23110"
},
{
"name": "CVE-2026-23060",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23060"
},
{
"name": "CVE-2025-71197",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71197"
},
{
"name": "CVE-2025-71113",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71113"
},
{
"name": "CVE-2026-23102",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23102"
},
{
"name": "CVE-2026-22998",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22998"
},
{
"name": "CVE-2026-23082",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23082"
},
{
"name": "CVE-2026-23155",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23155"
},
{
"name": "CVE-2026-23111",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23111"
},
{
"name": "CVE-2026-23113",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23113"
},
{
"name": "CVE-2025-71231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71231"
},
{
"name": "CVE-2023-53794",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53794"
},
{
"name": "CVE-2025-68810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68810"
},
{
"name": "CVE-2025-71198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71198"
},
{
"name": "CVE-2026-23021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23021"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
},
{
"name": "CVE-2026-23053",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23053"
},
{
"name": "CVE-2025-71184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71184"
},
{
"name": "CVE-2026-23080",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23080"
}
],
"initial_release_date": "2026-03-20T00:00:00",
"last_revision_date": "2026-03-20T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0329",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un d\u00e9ni de service et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20674-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620674-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20672-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620672-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20680-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620680-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20699-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620699-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20678-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620678-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20679-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620679-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20702-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620702-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20704-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620704-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20681-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620681-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20700-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620700-1"
},
{
"published_at": "2026-03-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0928-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1"
},
{
"published_at": "2026-03-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20719-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620719-1"
},
{
"published_at": "2026-03-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20711-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620711-1"
},
{
"published_at": "2026-03-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20720-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620720-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20701-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620701-1"
},
{
"published_at": "2026-03-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20713-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620713-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20703-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620703-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20705-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620705-1"
},
{
"published_at": "2026-03-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20667-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1"
},
{
"published_at": "2026-03-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20673-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620673-1"
},
{
"published_at": "2026-03-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20676-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620676-1"
}
]
}
CVE-2026-23119 (GCVE-0-2026-23119)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 18:44
VLAI
EPSS
Title
bonding: provide a net pointer to __skb_flow_dissect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: provide a net pointer to __skb_flow_dissect()
After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect")
we have to provide a net pointer to __skb_flow_dissect(),
either via skb->dev, skb->sk, or a user provided pointer.
In the following case, syzbot was able to cook a bare skb.
WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053
Call Trace:
<TASK>
bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]
__bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157
bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]
bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]
bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515
xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388
bpf_prog_run_xdp include/net/xdp.h:700 [inline]
bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421
bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390
bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703
__sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/8e53780732ee88139… | |
| https://git.kernel.org/stable/c/3be945abdd228fd00… | |
| https://git.kernel.org/stable/c/f4faaa1297ecf3255… | |
| https://git.kernel.org/stable/c/0efee0b992f28bd5e… | |
| https://git.kernel.org/stable/c/bc3c8d2493c6f4d20… | |
| https://git.kernel.org/stable/c/de97735a40a144974… | |
| https://git.kernel.org/stable/c/5f9b329096596b7e5… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
58deb77cc52da9360d20676e68dd215742cbe473 , < 8e53780732ee881394406f79da5263b81eb48f7e
(git)
Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 3be945abdd228fd00f6afcf8d137002867a4651b (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < f4faaa1297ecf3255a8591fff2633df05bd5ec84 (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 0efee0b992f28bd5ee01c7a86ef6a307c42eb907 (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < de97735a40a144974bf3896ee4cc0270db2e47db (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 5f9b329096596b7e53e07d041d7fca4cbe1be752 (git) |
|
| Linux | Linux |
Affected:
5.5
Unaffected: 0 , < 5.5 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.68 , ≤ 6.12.* (semver) Unaffected: 6.18.8 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:46.406465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:05.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e53780732ee881394406f79da5263b81eb48f7e",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "3be945abdd228fd00f6afcf8d137002867a4651b",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "f4faaa1297ecf3255a8591fff2633df05bd5ec84",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "0efee0b992f28bd5ee01c7a86ef6a307c42eb907",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "de97735a40a144974bf3896ee4cc0270db2e47db",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "5f9b329096596b7e53e07d041d7fca4cbe1be752",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: provide a net pointer to __skb_flow_dissect()\n\nAfter 3cbf4ffba5ee (\"net: plumb network namespace into __skb_flow_dissect\")\nwe have to provide a net pointer to __skb_flow_dissect(),\neither via skb-\u003edev, skb-\u003esk, or a user provided pointer.\n\nIn the following case, syzbot was able to cook a bare skb.\n\nWARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053\nCall Trace:\n \u003cTASK\u003e\n bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]\n __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157\n bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]\n bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]\n bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515\n xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388\n bpf_prog_run_xdp include/net/xdp.h:700 [inline]\n bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421\n bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390\n bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703\n __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182\n __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:29.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e53780732ee881394406f79da5263b81eb48f7e"
},
{
"url": "https://git.kernel.org/stable/c/3be945abdd228fd00f6afcf8d137002867a4651b"
},
{
"url": "https://git.kernel.org/stable/c/f4faaa1297ecf3255a8591fff2633df05bd5ec84"
},
{
"url": "https://git.kernel.org/stable/c/0efee0b992f28bd5ee01c7a86ef6a307c42eb907"
},
{
"url": "https://git.kernel.org/stable/c/bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa"
},
{
"url": "https://git.kernel.org/stable/c/de97735a40a144974bf3896ee4cc0270db2e47db"
},
{
"url": "https://git.kernel.org/stable/c/5f9b329096596b7e53e07d041d7fca4cbe1be752"
}
],
"title": "bonding: provide a net pointer to __skb_flow_dissect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23119",
"datePublished": "2026-02-14T15:09:50.517Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-06-11T18:44:05.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23121 (GCVE-0-2026-23121)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-06-11 17:53
VLAI
EPSS
Title
mISDN: annotate data-race around dev->work
Summary
In the Linux kernel, the following vulnerability has been resolved:
mISDN: annotate data-race around dev->work
dev->work can re read locklessly in mISDN_read()
and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.
BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read
write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:
misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]
mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xce/0x140 fs/ioctl.c:583
__x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583
x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:
mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112
do_loop_readv_writev fs/read_write.c:847 [inline]
vfs_readv+0x3fb/0x690 fs/read_write.c:1020
do_readv+0xe7/0x210 fs/read_write.c:1080
__do_sys_readv fs/read_write.c:1165 [inline]
__se_sys_readv fs/read_write.c:1162 [inline]
__x64_sys_readv+0x45/0x50 fs/read_write.c:1162
x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x00000000 -> 0x00000001
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/d5d99cb9e0839093c… | |
| https://git.kernel.org/stable/c/13f3b3b8706889805… | |
| https://git.kernel.org/stable/c/accc3f8266d2a4988… | |
| https://git.kernel.org/stable/c/fc8ba17fd3337bd8b… | |
| https://git.kernel.org/stable/c/aa6e33cd74ca4965f… | |
| https://git.kernel.org/stable/c/7ac345a93af31358e… | |
| https://git.kernel.org/stable/c/8175dbf174d487afa… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1b2b03f8e514e4f68e293846ba511a948b80243c , < d5d99cb9e0839093cd53aa3b28176fce2f820ca0
(git)
Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 13f3b3b87068898056db4c79ee67052fbde11d43 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < accc3f8266d2a49881dbcf78c459477f4efa0ff3 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < aa6e33cd74ca4965f2bbcb025e0b672fb0168a69 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 7ac345a93af31358e18e9606eb7b354691bf6757 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 8175dbf174d487afab81e936a862a8d9b8a1ccb6 (git) |
|
| Linux | Linux |
Affected:
2.6.27
Unaffected: 0 , < 2.6.27 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.68 , ≤ 6.12.* (semver) Unaffected: 6.18.8 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:15.361866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T17:53:36.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/mISDN/timerdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5d99cb9e0839093cd53aa3b28176fce2f820ca0",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "13f3b3b87068898056db4c79ee67052fbde11d43",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "accc3f8266d2a49881dbcf78c459477f4efa0ff3",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "aa6e33cd74ca4965f2bbcb025e0b672fb0168a69",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "7ac345a93af31358e18e9606eb7b354691bf6757",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "8175dbf174d487afab81e936a862a8d9b8a1ccb6",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/mISDN/timerdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: annotate data-race around dev-\u003ework\n\ndev-\u003ework can re read locklessly in mISDN_read()\nand mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.\n\nBUG: KCSAN: data-race in mISDN_ioctl / mISDN_read\n\nwrite to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:\n misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]\n mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583\n __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583\n x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:\n mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112\n do_loop_readv_writev fs/read_write.c:847 [inline]\n vfs_readv+0x3fb/0x690 fs/read_write.c:1020\n do_readv+0xe7/0x210 fs/read_write.c:1080\n __do_sys_readv fs/read_write.c:1165 [inline]\n __se_sys_readv fs/read_write.c:1162 [inline]\n __x64_sys_readv+0x45/0x50 fs/read_write.c:1162\n x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00000000 -\u003e 0x00000001"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:32.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5d99cb9e0839093cd53aa3b28176fce2f820ca0"
},
{
"url": "https://git.kernel.org/stable/c/13f3b3b87068898056db4c79ee67052fbde11d43"
},
{
"url": "https://git.kernel.org/stable/c/accc3f8266d2a49881dbcf78c459477f4efa0ff3"
},
{
"url": "https://git.kernel.org/stable/c/fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7"
},
{
"url": "https://git.kernel.org/stable/c/aa6e33cd74ca4965f2bbcb025e0b672fb0168a69"
},
{
"url": "https://git.kernel.org/stable/c/7ac345a93af31358e18e9606eb7b354691bf6757"
},
{
"url": "https://git.kernel.org/stable/c/8175dbf174d487afab81e936a862a8d9b8a1ccb6"
}
],
"title": "mISDN: annotate data-race around dev-\u003ework",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23121",
"datePublished": "2026-02-14T15:09:51.912Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-06-11T17:53:36.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23129 (GCVE-0-2026-23129)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-05-11 22:00
VLAI
EPSS
Title
dpll: Prevent duplicate registrations
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpll: Prevent duplicate registrations
Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add()
to reject duplicate registration attempts.
Previously, if a caller attempted to register the same pin multiple
times (with the same ops, priv, and cookie) on the same device, the core
silently increments the reference count and return success. This behavior
is incorrect because if the caller makes these duplicate registrations
then for the first one dpll_pin_registration is allocated and for others
the associated dpll_pin_ref.refcount is incremented. During the first
unregistration the associated dpll_pin_registration is freed and for
others WARN is fired.
Fix this by updating the logic to return `-EEXIST` if a matching
registration is found to enforce a strict "register once" policy.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9431063ad323ac864750aeba4d304389bc42ca4e , < dfec0501dba8f4711ef142a6a890e4812b7af88c
(git)
Affected: 9431063ad323ac864750aeba4d304389bc42ca4e , < 236a657422a564859dcd0db7bdb486abb21a721a (git) Affected: 9431063ad323ac864750aeba4d304389bc42ca4e , < f3ddbaaaaf4d0633b40482f471753f9c71294a4a (git) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.12.68 , ≤ 6.12.* (semver) Unaffected: 6.18.8 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dpll/dpll_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfec0501dba8f4711ef142a6a890e4812b7af88c",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
},
{
"lessThan": "236a657422a564859dcd0db7bdb486abb21a721a",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
},
{
"lessThan": "f3ddbaaaaf4d0633b40482f471753f9c71294a4a",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dpll/dpll_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: Prevent duplicate registrations\n\nModify the internal registration helpers dpll_xa_ref_{dpll,pin}_add()\nto reject duplicate registration attempts.\n\nPreviously, if a caller attempted to register the same pin multiple\ntimes (with the same ops, priv, and cookie) on the same device, the core\nsilently increments the reference count and return success. This behavior\nis incorrect because if the caller makes these duplicate registrations\nthen for the first one dpll_pin_registration is allocated and for others\nthe associated dpll_pin_ref.refcount is incremented. During the first\nunregistration the associated dpll_pin_registration is freed and for\nothers WARN is fired.\n\nFix this by updating the logic to return `-EEXIST` if a matching\nregistration is found to enforce a strict \"register once\" policy."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:41.442Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfec0501dba8f4711ef142a6a890e4812b7af88c"
},
{
"url": "https://git.kernel.org/stable/c/236a657422a564859dcd0db7bdb486abb21a721a"
},
{
"url": "https://git.kernel.org/stable/c/f3ddbaaaaf4d0633b40482f471753f9c71294a4a"
}
],
"title": "dpll: Prevent duplicate registrations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23129",
"datePublished": "2026-02-14T15:09:57.574Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-05-11T22:00:41.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23133 (GCVE-0-2026-23133)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:14 – Updated: 2026-06-11 18:44
VLAI
EPSS
Title
wifi: ath10k: fix dma_free_coherent() pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/e2dda298ef809aa20… | |
| https://git.kernel.org/stable/c/fc8da65f9fe1bc680… | |
| https://git.kernel.org/stable/c/b0ad924332a96550a… | |
| https://git.kernel.org/stable/c/1928851334ecfd6e0… | |
| https://git.kernel.org/stable/c/5d6fa4d2c9799c093… | |
| https://git.kernel.org/stable/c/07f363f305793baec… | |
| https://git.kernel.org/stable/c/9282a1e171ad8d220… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < e2dda298ef809aa201ea7c0904c4d064f6c497cb
(git)
Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < fc8da65f9fe1bc6802f8240b342cfff4f5c7e841 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < b0ad924332a96550a84b8c0ae5483e7042d65fa9 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 1928851334ecfd6e0d663121ab69ac639d4217a6 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 5d6fa4d2c9799c09389588da5118a72d97d87e92 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 07f363f305793baecad41816f73056252f3df61e (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f (git) |
|
| Linux | Linux |
Affected:
4.16
Unaffected: 0 , < 4.16 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.68 , ≤ 6.12.* (semver) Unaffected: 6.18.8 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:17.367538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:10.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2dda298ef809aa201ea7c0904c4d064f6c497cb",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "fc8da65f9fe1bc6802f8240b342cfff4f5c7e841",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "b0ad924332a96550a84b8c0ae5483e7042d65fa9",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "1928851334ecfd6e0d663121ab69ac639d4217a6",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "5d6fa4d2c9799c09389588da5118a72d97d87e92",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "07f363f305793baecad41816f73056252f3df61e",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:46.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2dda298ef809aa201ea7c0904c4d064f6c497cb"
},
{
"url": "https://git.kernel.org/stable/c/fc8da65f9fe1bc6802f8240b342cfff4f5c7e841"
},
{
"url": "https://git.kernel.org/stable/c/b0ad924332a96550a84b8c0ae5483e7042d65fa9"
},
{
"url": "https://git.kernel.org/stable/c/1928851334ecfd6e0d663121ab69ac639d4217a6"
},
{
"url": "https://git.kernel.org/stable/c/5d6fa4d2c9799c09389588da5118a72d97d87e92"
},
{
"url": "https://git.kernel.org/stable/c/07f363f305793baecad41816f73056252f3df61e"
},
{
"url": "https://git.kernel.org/stable/c/9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f"
}
],
"title": "wifi: ath10k: fix dma_free_coherent() pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23133",
"datePublished": "2026-02-14T15:14:33.102Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-06-11T18:44:10.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23135 (GCVE-0-2026-23135)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:14 – Updated: 2026-05-11 22:00
VLAI
EPSS
Title
wifi: ath12k: fix dma_free_coherent() pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 36e0bc5e8b282564906fca636c4ebc99814de4e7
(git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 24585a13c41ea7253ee59aac74441fb570f5824a (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 4846b32be324f4dd3653f38a3f69c049543d52ae (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < bb97131fbf9b708dd9616ac2bdc793ad102b5c48 (git) |
|
| Linux | Linux |
Affected:
6.3
Unaffected: 0 , < 6.3 (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.68 , ≤ 6.12.* (semver) Unaffected: 6.18.8 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36e0bc5e8b282564906fca636c4ebc99814de4e7",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "24585a13c41ea7253ee59aac74441fb570f5824a",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "4846b32be324f4dd3653f38a3f69c049543d52ae",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "bb97131fbf9b708dd9616ac2bdc793ad102b5c48",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:48.767Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36e0bc5e8b282564906fca636c4ebc99814de4e7"
},
{
"url": "https://git.kernel.org/stable/c/24585a13c41ea7253ee59aac74441fb570f5824a"
},
{
"url": "https://git.kernel.org/stable/c/4846b32be324f4dd3653f38a3f69c049543d52ae"
},
{
"url": "https://git.kernel.org/stable/c/bb97131fbf9b708dd9616ac2bdc793ad102b5c48"
}
],
"title": "wifi: ath12k: fix dma_free_coherent() pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23135",
"datePublished": "2026-02-14T15:14:34.473Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-05-11T22:00:48.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23139 (GCVE-0-2026-23139)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-05-11 22:00
VLAI
EPSS
Title
netfilter: nf_conncount: update last_gc only when GC has been performed
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conncount: update last_gc only when GC has been performed
Currently last_gc is being updated everytime a new connection is
tracked, that means that it is updated even if a GC wasn't performed.
With a sufficiently high packet rate, it is possible to always bypass
the GC, causing the list to grow infinitely.
Update the last_gc value only when a GC has been actually performed.
Severity
7.5 (High)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/2c7c71113ed6d3e2f… | |
| https://git.kernel.org/stable/c/c4cde57c8affdcca5… | |
| https://git.kernel.org/stable/c/9f45588993d7f1152… | |
| https://git.kernel.org/stable/c/3cd717359e56f82f0… | |
| https://git.kernel.org/stable/c/26a82dce2beee39c4… | |
| https://git.kernel.org/stable/c/8bdafdf4900040a81… | |
| https://git.kernel.org/stable/c/7811ba452402d5862… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f106694733c66a48740c25bc4e212e9b2ea364ce , < 2c7c71113ed6d3e2f3aca4c088f22283016ff34f
(git)
Affected: be69850b461e7b491d87a22e33ab76fdd04b725e , < c4cde57c8affdcca5bcff53a1047e15d268bdca1 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 9f45588993d7f115280fc726119ca86fba32a811 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 3cd717359e56f82f06cbf8279b47a7d79880c6f3 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 26a82dce2beee39c43c109d9647e16f49cb02a35 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 8bdafdf4900040a81422056cabe5e00a37bd101a (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 7811ba452402d58628e68faedf38745b3d485e3c (git) |
|
| Linux | Linux |
Affected:
5.19
Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.161 , ≤ 6.1.* (semver) Unaffected: 6.6.121 , ≤ 6.6.* (semver) Unaffected: 6.12.66 , ≤ 6.12.* (semver) Unaffected: 6.18.6 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c7c71113ed6d3e2f3aca4c088f22283016ff34f",
"status": "affected",
"version": "f106694733c66a48740c25bc4e212e9b2ea364ce",
"versionType": "git"
},
{
"lessThan": "c4cde57c8affdcca5bcff53a1047e15d268bdca1",
"status": "affected",
"version": "be69850b461e7b491d87a22e33ab76fdd04b725e",
"versionType": "git"
},
{
"lessThan": "9f45588993d7f115280fc726119ca86fba32a811",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "3cd717359e56f82f06cbf8279b47a7d79880c6f3",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "26a82dce2beee39c43c109d9647e16f49cb02a35",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "8bdafdf4900040a81422056cabe5e00a37bd101a",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "7811ba452402d58628e68faedf38745b3d485e3c",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: update last_gc only when GC has been performed\n\nCurrently last_gc is being updated everytime a new connection is\ntracked, that means that it is updated even if a GC wasn\u0027t performed.\nWith a sufficiently high packet rate, it is possible to always bypass\nthe GC, causing the list to grow infinitely.\n\nUpdate the last_gc value only when a GC has been actually performed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:53.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c7c71113ed6d3e2f3aca4c088f22283016ff34f"
},
{
"url": "https://git.kernel.org/stable/c/c4cde57c8affdcca5bcff53a1047e15d268bdca1"
},
{
"url": "https://git.kernel.org/stable/c/9f45588993d7f115280fc726119ca86fba32a811"
},
{
"url": "https://git.kernel.org/stable/c/3cd717359e56f82f06cbf8279b47a7d79880c6f3"
},
{
"url": "https://git.kernel.org/stable/c/26a82dce2beee39c43c109d9647e16f49cb02a35"
},
{
"url": "https://git.kernel.org/stable/c/8bdafdf4900040a81422056cabe5e00a37bd101a"
},
{
"url": "https://git.kernel.org/stable/c/7811ba452402d58628e68faedf38745b3d485e3c"
}
],
"title": "netfilter: nf_conncount: update last_gc only when GC has been performed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23139",
"datePublished": "2026-02-14T15:22:24.059Z",
"dateReserved": "2026-01-13T15:37:45.972Z",
"dateUpdated": "2026-05-11T22:00:53.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23141 (GCVE-0-2026-23141)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-06-01 16:10
VLAI
EPSS
Title
btrfs: send: check for inline extents in range_is_hole_in_parent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: send: check for inline extents in range_is_hole_in_parent()
Before accessing the disk_bytenr field of a file extent item we need
to check if we are dealing with an inline extent.
This is because for inline extents their data starts at the offset of
the disk_bytenr field. So accessing the disk_bytenr
means we are accessing inline data or in case the inline data is less
than 8 bytes we can actually cause an invalid
memory access if this inline extent item is the first item in the leaf
or access metadata from other items.
Severity
No CVSS data available.
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/901e581bfc44d181f… | |
| https://git.kernel.org/stable/c/d948055bd46a9c14d… | |
| https://git.kernel.org/stable/c/f2dc6ab3a14c2d2eb… | |
| https://git.kernel.org/stable/c/db00636643e66898d… | |
| https://git.kernel.org/stable/c/39f83f10772310ba4… | |
| https://git.kernel.org/stable/c/08b096c1372cd6962… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < 901e581bfc44d181f7d9c3f11880dac3e89deb2e
(git)
Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < d948055bd46a9c14d1d4217aed65c5c258c32903 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < db00636643e66898d79f2530ac9c56ebd5eca369 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < 39f83f10772310ba4a77f2b5256aaf36994ef7e8 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < 08b096c1372cd69627f4f559fb47c9fb67a52b39 (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.67 , ≤ 6.12.* (semver) Unaffected: 6.18.7 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/send.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "901e581bfc44d181f7d9c3f11880dac3e89deb2e",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "d948055bd46a9c14d1d4217aed65c5c258c32903",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "db00636643e66898d79f2530ac9c56ebd5eca369",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "39f83f10772310ba4a77f2b5256aaf36994ef7e8",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "08b096c1372cd69627f4f559fb47c9fb67a52b39",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/send.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: check for inline extents in range_is_hole_in_parent()\n\nBefore accessing the disk_bytenr field of a file extent item we need\nto check if we are dealing with an inline extent.\nThis is because for inline extents their data starts at the offset of\nthe disk_bytenr field. So accessing the disk_bytenr\nmeans we are accessing inline data or in case the inline data is less\nthan 8 bytes we can actually cause an invalid\nmemory access if this inline extent item is the first item in the leaf\nor access metadata from other items."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:10:51.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/901e581bfc44d181f7d9c3f11880dac3e89deb2e"
},
{
"url": "https://git.kernel.org/stable/c/d948055bd46a9c14d1d4217aed65c5c258c32903"
},
{
"url": "https://git.kernel.org/stable/c/f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9"
},
{
"url": "https://git.kernel.org/stable/c/db00636643e66898d79f2530ac9c56ebd5eca369"
},
{
"url": "https://git.kernel.org/stable/c/39f83f10772310ba4a77f2b5256aaf36994ef7e8"
},
{
"url": "https://git.kernel.org/stable/c/08b096c1372cd69627f4f559fb47c9fb67a52b39"
}
],
"title": "btrfs: send: check for inline extents in range_is_hole_in_parent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23141",
"datePublished": "2026-02-14T15:36:07.417Z",
"dateReserved": "2026-01-13T15:37:45.973Z",
"dateUpdated": "2026-06-01T16:10:51.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23145 (GCVE-0-2026-23145)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-06-11 18:44
VLAI
EPSS
Title
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
The error branch for ext4_xattr_inode_update_ref forget to release the
refcount for iloc.bh. Find this when review code.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/7c9f059c3d531a12d… | |
| https://git.kernel.org/stable/c/6241cd1d0acc23630… | |
| https://git.kernel.org/stable/c/3b00c16e42428a1ec… | |
| https://git.kernel.org/stable/c/0b06cde92f2f960f4… | |
| https://git.kernel.org/stable/c/8e8542c539927ae38… | |
| https://git.kernel.org/stable/c/06e26287f2e349a28… | |
| https://git.kernel.org/stable/c/d250bdf531d9cd409… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 , < 7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f
(git)
Affected: 505e69f76ac497e788f4ea0267826ec7266b40c8 , < 6241cd1d0acc2363016ac55b8773ba1332dd59d7 (git) Affected: 3d6269028246f4484bfed403c947a114bb583631 , < 3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626 (git) Affected: 79ea7f3e11effe1bd9e753172981d9029133a278 , < 0b06cde92f2f960f4ebe3c988c69f2711f2a24dc (git) Affected: 6b879c4c6bbaab03c0ad2a983953bd1410bb165e , < 8e8542c539927ae3898a4d02941f84e252e2dea1 (git) Affected: 57295e835408d8d425bef58da5253465db3d6888 , < 06e26287f2e349a28ad363941ffd9076bfed8b2e (git) Affected: 57295e835408d8d425bef58da5253465db3d6888 , < d250bdf531d9cd4096fedbb9f172bb2ca660c868 (git) Affected: ea39e712c2f5ae148ee5515798ae03523673e002 (git) Affected: 440b003f449a4ff2a00b08c8eab9ba5cd28f3943 (git) Affected: 5.10.246 , < 5.10.249 (semver) Affected: 5.15.195 , < 5.15.199 (semver) Affected: 6.1.157 , < 6.1.162 (semver) Affected: 6.6.113 , < 6.6.122 (semver) Affected: 6.12.54 , < 6.12.67 (semver) Affected: 5.4.301 , < 5.5 (semver) Affected: 6.17.4 , < 6.18 (semver) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.67 , ≤ 6.12.* (semver) Unaffected: 6.18.7 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:26.723393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:01.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f",
"status": "affected",
"version": "1cfb3e4ddbdc8e02e637b8852540bd4718bf4814",
"versionType": "git"
},
{
"lessThan": "6241cd1d0acc2363016ac55b8773ba1332dd59d7",
"status": "affected",
"version": "505e69f76ac497e788f4ea0267826ec7266b40c8",
"versionType": "git"
},
{
"lessThan": "3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626",
"status": "affected",
"version": "3d6269028246f4484bfed403c947a114bb583631",
"versionType": "git"
},
{
"lessThan": "0b06cde92f2f960f4ebe3c988c69f2711f2a24dc",
"status": "affected",
"version": "79ea7f3e11effe1bd9e753172981d9029133a278",
"versionType": "git"
},
{
"lessThan": "8e8542c539927ae3898a4d02941f84e252e2dea1",
"status": "affected",
"version": "6b879c4c6bbaab03c0ad2a983953bd1410bb165e",
"versionType": "git"
},
{
"lessThan": "06e26287f2e349a28ad363941ffd9076bfed8b2e",
"status": "affected",
"version": "57295e835408d8d425bef58da5253465db3d6888",
"versionType": "git"
},
{
"lessThan": "d250bdf531d9cd4096fedbb9f172bb2ca660c868",
"status": "affected",
"version": "57295e835408d8d425bef58da5253465db3d6888",
"versionType": "git"
},
{
"status": "affected",
"version": "ea39e712c2f5ae148ee5515798ae03523673e002",
"versionType": "git"
},
{
"status": "affected",
"version": "440b003f449a4ff2a00b08c8eab9ba5cd28f3943",
"versionType": "git"
},
{
"lessThan": "5.10.249",
"status": "affected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThan": "5.15.199",
"status": "affected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThan": "6.1.162",
"status": "affected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThan": "6.6.122",
"status": "affected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThan": "6.12.67",
"status": "affected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThan": "6.18",
"status": "affected",
"version": "6.17.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix iloc.bh leak in ext4_xattr_inode_update_ref\n\nThe error branch for ext4_xattr_inode_update_ref forget to release the\nrefcount for iloc.bh. Find this when review code."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:56.447Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f"
},
{
"url": "https://git.kernel.org/stable/c/6241cd1d0acc2363016ac55b8773ba1332dd59d7"
},
{
"url": "https://git.kernel.org/stable/c/3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626"
},
{
"url": "https://git.kernel.org/stable/c/0b06cde92f2f960f4ebe3c988c69f2711f2a24dc"
},
{
"url": "https://git.kernel.org/stable/c/8e8542c539927ae3898a4d02941f84e252e2dea1"
},
{
"url": "https://git.kernel.org/stable/c/06e26287f2e349a28ad363941ffd9076bfed8b2e"
},
{
"url": "https://git.kernel.org/stable/c/d250bdf531d9cd4096fedbb9f172bb2ca660c868"
}
],
"title": "ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23145",
"datePublished": "2026-02-14T15:36:10.207Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-06-11T18:44:01.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23146 (GCVE-0-2026-23146)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-06-11 18:44
VLAI
EPSS
Title
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
hci_uart_register_dev(), which calls proto->open() to initialize
hu->priv. However, if a TTY write wakeup occurs during this window,
hci_uart_tx_wakeup() may schedule write_work before hu->priv is
initialized, leading to a NULL pointer dereference in
hci_uart_write_work() when proto->dequeue() accesses hu->priv.
The race condition is:
CPU0 CPU1
---- ----
hci_uart_set_proto()
set_bit(HCI_UART_PROTO_INIT)
hci_uart_register_dev()
tty write wakeup
hci_uart_tty_wakeup()
hci_uart_tx_wakeup()
schedule_work(&hu->write_work)
proto->open(hu)
// initializes hu->priv
hci_uart_write_work()
hci_uart_dequeue()
proto->dequeue(hu)
// accesses hu->priv (NULL!)
Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
succeeds, ensuring hu->priv is initialized before any work can be
scheduled.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/b0a900939e7e4866d… | |
| https://git.kernel.org/stable/c/ccc683f597ceb28de… | |
| https://git.kernel.org/stable/c/937a573423ce5a96f… | |
| https://git.kernel.org/stable/c/186d147cf7689ba1f… | |
| https://git.kernel.org/stable/c/53e54cb31e667fca0… | |
| https://git.kernel.org/stable/c/03e8c90c622333820… | |
| https://git.kernel.org/stable/c/0c3cd7a0b862c37ac… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a40f94f7caa8d3421b64f63ac31bc0f24c890f39 , < b0a900939e7e4866d9b90e9112514b72c451e873
(git)
Affected: 9e5a0f5777162e503400c70c6ed25fbbe2d38799 , < ccc683f597ceb28deb966427ae948e5ac739a909 (git) Affected: 80f14e9de6a43a0bd8194cad1003a3e6dcbc3984 , < 937a573423ce5a96fdb1fd425dc6b8d8d4ab5779 (git) Affected: 02e1bcdfdf769974e7e9fa285e295cd9852e2a38 , < 186d147cf7689ba1f9b3ddb753ab634a84940cc9 (git) Affected: 281782d2c6730241e300d630bb9f200d831ede71 , < 53e54cb31e667fca05b1808b990eac0807d1dab0 (git) Affected: 5df5dafc171b90d0b8d51547a82657cd5a1986c7 , < 03e8c90c62233382042b7bd0fa8b8900552fdb62 (git) Affected: 5df5dafc171b90d0b8d51547a82657cd5a1986c7 , < 0c3cd7a0b862c37acbee6d9502107146cc944398 (git) Affected: 1dcf08fcff5ca529de6dc0395091f28854f4e54a (git) Affected: 8e5aff600539e5faea294d9612cca50220e602b8 (git) Affected: db7509fa110dd9b11134b75894677f30353b2c51 (git) Affected: 5.10.237 , < 5.10.249 (semver) Affected: 5.15.181 , < 5.15.199 (semver) Affected: 6.1.135 , < 6.1.162 (semver) Affected: 6.6.88 , < 6.6.123 (semver) Affected: 6.12.24 , < 6.12.69 (semver) Affected: 5.4.293 , < 5.5 (semver) Affected: 6.13.12 , < 6.14 (semver) Affected: 6.14.3 , < 6.15 (semver) |
|
| Linux | Linux |
Affected:
6.15
Unaffected: 0 , < 6.15 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.123 , ≤ 6.6.* (semver) Unaffected: 6.12.69 , ≤ 6.12.* (semver) Unaffected: 6.18.9 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:53.104941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:17.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0a900939e7e4866d9b90e9112514b72c451e873",
"status": "affected",
"version": "a40f94f7caa8d3421b64f63ac31bc0f24c890f39",
"versionType": "git"
},
{
"lessThan": "ccc683f597ceb28deb966427ae948e5ac739a909",
"status": "affected",
"version": "9e5a0f5777162e503400c70c6ed25fbbe2d38799",
"versionType": "git"
},
{
"lessThan": "937a573423ce5a96fdb1fd425dc6b8d8d4ab5779",
"status": "affected",
"version": "80f14e9de6a43a0bd8194cad1003a3e6dcbc3984",
"versionType": "git"
},
{
"lessThan": "186d147cf7689ba1f9b3ddb753ab634a84940cc9",
"status": "affected",
"version": "02e1bcdfdf769974e7e9fa285e295cd9852e2a38",
"versionType": "git"
},
{
"lessThan": "53e54cb31e667fca05b1808b990eac0807d1dab0",
"status": "affected",
"version": "281782d2c6730241e300d630bb9f200d831ede71",
"versionType": "git"
},
{
"lessThan": "03e8c90c62233382042b7bd0fa8b8900552fdb62",
"status": "affected",
"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7",
"versionType": "git"
},
{
"lessThan": "0c3cd7a0b862c37acbee6d9502107146cc944398",
"status": "affected",
"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7",
"versionType": "git"
},
{
"status": "affected",
"version": "1dcf08fcff5ca529de6dc0395091f28854f4e54a",
"versionType": "git"
},
{
"status": "affected",
"version": "8e5aff600539e5faea294d9612cca50220e602b8",
"versionType": "git"
},
{
"status": "affected",
"version": "db7509fa110dd9b11134b75894677f30353b2c51",
"versionType": "git"
},
{
"lessThan": "5.10.249",
"status": "affected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThan": "5.15.199",
"status": "affected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThan": "6.1.162",
"status": "affected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThan": "6.6.123",
"status": "affected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThan": "6.12.69",
"status": "affected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThan": "6.15",
"status": "affected",
"version": "6.14.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work\n\nhci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling\nhci_uart_register_dev(), which calls proto-\u003eopen() to initialize\nhu-\u003epriv. However, if a TTY write wakeup occurs during this window,\nhci_uart_tx_wakeup() may schedule write_work before hu-\u003epriv is\ninitialized, leading to a NULL pointer dereference in\nhci_uart_write_work() when proto-\u003edequeue() accesses hu-\u003epriv.\n\nThe race condition is:\n\n CPU0 CPU1\n ---- ----\n hci_uart_set_proto()\n set_bit(HCI_UART_PROTO_INIT)\n hci_uart_register_dev()\n tty write wakeup\n hci_uart_tty_wakeup()\n hci_uart_tx_wakeup()\n schedule_work(\u0026hu-\u003ewrite_work)\n proto-\u003eopen(hu)\n // initializes hu-\u003epriv\n hci_uart_write_work()\n hci_uart_dequeue()\n proto-\u003edequeue(hu)\n // accesses hu-\u003epriv (NULL!)\n\nFix this by moving set_bit(HCI_UART_PROTO_INIT) after proto-\u003eopen()\nsucceeds, ensuring hu-\u003epriv is initialized before any work can be\nscheduled."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:57.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873"
},
{
"url": "https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909"
},
{
"url": "https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779"
},
{
"url": "https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9"
},
{
"url": "https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0"
},
{
"url": "https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62"
},
{
"url": "https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398"
}
],
"title": "Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23146",
"datePublished": "2026-02-14T16:01:16.169Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-06-11T18:44:17.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23150 (GCVE-0-2026-23150)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-11 22:01
VLAI
EPSS
Title
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
syzbot reported various memory leaks related to NFC, struct
nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
The leading log hinted that nfc_llcp_send_ui_frame() failed
to allocate skb due to sock_error(sk) being -ENXIO.
ENXIO is set by nfc_llcp_socket_release() when struct
nfc_llcp_local is destroyed by local_cleanup().
The problem is that there is no synchronisation between
nfc_llcp_send_ui_frame() and local_cleanup(), and skb
could be put into local->tx_queue after it was purged in
local_cleanup():
CPU1 CPU2
---- ----
nfc_llcp_send_ui_frame() local_cleanup()
|- do { '
|- pdu = nfc_alloc_send_skb(..., &err)
| .
| |- nfc_llcp_socket_release(local, false, ENXIO);
| |- skb_queue_purge(&local->tx_queue); |
| ' |
|- skb_queue_tail(&local->tx_queue, pdu); |
... |
|- pdu = nfc_alloc_send_skb(..., &err) |
^._________________________________.'
local_cleanup() is called for struct nfc_llcp_local only
after nfc_llcp_remove_local() unlinks it from llcp_devices.
If we hold local->tx_queue.lock then, we can synchronise
the thread and nfc_llcp_send_ui_frame().
Let's do that and check list_empty(&local->list) before
queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
[0]:
[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881272f6800 (size 1024):
comm "syz.0.17", pid 6096, jiffies 4294942766
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
backtrace (crc da58d84d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
sk_alloc+0x36/0x360 net/core/sock.c:2295
nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
__sock_create+0x1a9/0x340 net/socket.c:1605
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xb9/0x1a0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x1b/0x30 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810fbd9800 (size 240):
comm "syz.0.17", pid 6096, jiffies 4294942850
hex dump (first 32 bytes):
68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......
00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'....
backtrace (crc 6cc652b1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/sk
---truncated---
Severity
No CVSS data available.
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/ab660cb8e17aa9342… | |
| https://git.kernel.org/stable/c/65e976e1f474ae3bf… | |
| https://git.kernel.org/stable/c/6734ff1ac6beba1d0… | |
| https://git.kernel.org/stable/c/f8d002626d434f5fe… | |
| https://git.kernel.org/stable/c/3098e5c8af0f4c8f7… | |
| https://git.kernel.org/stable/c/61858cbce6ca4bef9… | |
| https://git.kernel.org/stable/c/165c34fb6068ff153… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
94f418a206648c9be6fd84d6681d6956b8f8b106 , < ab660cb8e17aa93426d1e821c2cce60e4b9bc56a
(git)
Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 6734ff1ac6beba1d0c22dc9a3dc1849b773b511f (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < f8d002626d434f5fea9085e2557711c16a15cec6 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 61858cbce6ca4bef9ed116c689a4be9520841339 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 165c34fb6068ff153e3fc99a932a80a9d5755709 (git) |
|
| Linux | Linux |
Affected:
3.8
Unaffected: 0 , < 3.8 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.123 , ≤ 6.6.* (semver) Unaffected: 6.12.69 , ≤ 6.12.* (semver) Unaffected: 6.18.9 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_commands.c",
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab660cb8e17aa93426d1e821c2cce60e4b9bc56a",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "6734ff1ac6beba1d0c22dc9a3dc1849b773b511f",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "f8d002626d434f5fea9085e2557711c16a15cec6",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "61858cbce6ca4bef9ed116c689a4be9520841339",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "165c34fb6068ff153e3fc99a932a80a9d5755709",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_commands.c",
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().\n\nsyzbot reported various memory leaks related to NFC, struct\nnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]\n\nThe leading log hinted that nfc_llcp_send_ui_frame() failed\nto allocate skb due to sock_error(sk) being -ENXIO.\n\nENXIO is set by nfc_llcp_socket_release() when struct\nnfc_llcp_local is destroyed by local_cleanup().\n\nThe problem is that there is no synchronisation between\nnfc_llcp_send_ui_frame() and local_cleanup(), and skb\ncould be put into local-\u003etx_queue after it was purged in\nlocal_cleanup():\n\n CPU1 CPU2\n ---- ----\n nfc_llcp_send_ui_frame() local_cleanup()\n |- do { \u0027\n |- pdu = nfc_alloc_send_skb(..., \u0026err)\n | .\n | |- nfc_llcp_socket_release(local, false, ENXIO);\n | |- skb_queue_purge(\u0026local-\u003etx_queue); |\n | \u0027 |\n |- skb_queue_tail(\u0026local-\u003etx_queue, pdu); |\n ... |\n |- pdu = nfc_alloc_send_skb(..., \u0026err) |\n ^._________________________________.\u0027\n\nlocal_cleanup() is called for struct nfc_llcp_local only\nafter nfc_llcp_remove_local() unlinks it from llcp_devices.\n\nIf we hold local-\u003etx_queue.lock then, we can synchronise\nthe thread and nfc_llcp_send_ui_frame().\n\nLet\u0027s do that and check list_empty(\u0026local-\u003elist) before\nqueuing skb to local-\u003etx_queue in nfc_llcp_send_ui_frame().\n\n[0]:\n[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)\n[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881272f6800 (size 1024):\n comm \"syz.0.17\", pid 6096, jiffies 4294942766\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 \u0027..@............\n backtrace (crc da58d84d):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658\n kmalloc_noprof include/linux/slab.h:961 [inline]\n sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239\n sk_alloc+0x36/0x360 net/core/sock.c:2295\n nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979\n llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044\n nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31\n __sock_create+0x1a9/0x340 net/socket.c:1605\n sock_create net/socket.c:1663 [inline]\n __sys_socket_create net/socket.c:1700 [inline]\n __sys_socket+0xb9/0x1a0 net/socket.c:1747\n __do_sys_socket net/socket.c:1761 [inline]\n __se_sys_socket net/socket.c:1759 [inline]\n __x64_sys_socket+0x1b/0x30 net/socket.c:1759\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBUG: memory leak\nunreferenced object 0xffff88810fbd9800 (size 240):\n comm \"syz.0.17\", pid 6096, jiffies 4294942850\n hex dump (first 32 bytes):\n 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......\n 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/\u0027....\n backtrace (crc 6cc652b1):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/sk\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:01:10.727Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a"
},
{
"url": "https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc"
},
{
"url": "https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f"
},
{
"url": "https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6"
},
{
"url": "https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5"
},
{
"url": "https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339"
},
{
"url": "https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709"
}
],
"title": "nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23150",
"datePublished": "2026-02-14T16:01:18.968Z",
"dateReserved": "2026-01-13T15:37:45.976Z",
"dateUpdated": "2026-05-11T22:01:10.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…